The purpose of this repository is to provision an Azure OpenAI account with an RBAC role permission for your user account to access, so that you can use the OpenAI API SDKs with keyless (Entra) authentication.
- Provisions an Azure OpenAI account with keyless authentication enabled
- Grants the "Cognitive Services OpenAI User" RBAC role to your user account
- Deploys a gpt-4o-mini model by default, but you can modify the Bicep template to deploy other models
- Example script uses the openai Python package to make a request to the Azure OpenAI API
You have a few options for getting started with this template. The quickest way to get started is GitHub Codespaces, since it will setup all the tools for you, but you can also set it up locally.
You can run this template virtually by using GitHub Codespaces. The button will open a web-based VS Code instance in your browser:
-
Open the template (this may take several minutes):
-
Open a terminal window
-
Continue with the deployment steps
A related option is VS Code Dev Containers, which will open the project in your local VS Code using the Dev Containers extension:
-
Start Docker Desktop (install it if not already installed)
-
Open the project:
-
In the VS Code window that opens, once the project files show up (this may take several minutes), open a terminal window.
-
Continue with the deployment steps
-
Make sure the following tools are installed:
-
Make a new directory called
azure-openai-keyless-pythonand clone this template into it using theazdCLI:azd init -t azure-openai-keyless-python
You can also use git to clone the repository if you prefer.
-
Continue with the deployment steps
-
Login to Azure:
azd auth login
For GitHub Codespaces users, if the previous command fails, try:
azd auth login --use-device-code
-
Provision the OpenAI account:
azd provision
It will prompt you to provide an
azdenvironment name (like "chat-app"), select a subscription from your Azure account, and select a location where the OpenAI model is available (like "canadaeast"). Then it will provision the resources in your account and deploy the latest code.⚠️ If you get an error or timeout with deployment, changing the location can help, as there may be availability constraints for the OpenAI resource. To change the location run:azd env set AZURE_LOCATION "yournewlocationname"
-
When
azdhas finished, you should have an OpenAI account you can use locally when logged into your Azure account. You can output the necessary environment variables into an.envfile by running a script:For Mac OS X / Linux:
./write_dot_env.sh
For Windows:
pwsh ./write_dot_env.ps1
-
Then you can proceed to run the Python example.
-
If you're not already running in a Codespace or Dev Container, create a Python virtual environment.
-
Install the requirements:
python -m pip install -r requirements.txt
-
Run the example:
python example.py
This will use the OpenAI API SDK to make a request to the OpenAI API and print the response.
This template creates only the Azure OpenAI resource, which is free to provision. However, you will be charged for the usage of the Azure OpenAI chat completions API. The pricing is based on the number of tokens used, with around 1-3 tokens used per word. You can find the pricing details for the OpenAI API on the Azure Cognitive Services pricing page.
This template uses keyless authentication for authenticating to the Azure OpenAI resource. This is a secure way to authenticate to Azure resources without needing to store credentials in your code. Your Azure user account is assigned the "Cognitive Services OpenAI User" role, which allows you to access the OpenAI resource. You can find more information about the permissions of this role in the Azure OpenAI documentation.
For further security, you could also deploy the Azure OpenAI inside a private virtual network (VNet) and use a private endpoint to access it. This would prevent the OpenAI resource from being accessed from the public internet.