Reputation: 31
I'm developing an application that uses Azure OpenAI, and I'm facing challenges with setting up authentication in a production environment. Locally, I'm able to authenticate successfully using DefaultAzureCredential after running az login, but I can't use this method in production.
I understand that in a production environment, it's better to use ClientSecretCredential from @azure/identity. However, I'm unsure how to obtain the necessary clientId, tenantId, and clientSecret required for this credential type.
Locally, this setup works fine with DefaultAzureCredential:
import { AzureOpenAI } from 'openai';
// getBearerTokenProvider is exported by @azure/identity and must be imported too
import { DefaultAzureCredential, getBearerTokenProvider } from '@azure/identity';

const credential = new DefaultAzureCredential();
const deployment = 'gpt-4o';
const apiVersion = '2024-02-15-preview';

const openai = new AzureOpenAI({
  azureADTokenProvider: getBearerTokenProvider(
    credential,
    'https://cognitiveservices.azure.com/.default'
  ),
  deployment,
  apiVersion,
});
Questions:
Where can I obtain the clientId, tenantId, and clientSecret required for ClientSecretCredential?
Are there any best practices for securely storing and managing these credentials in a production environment?
Environment:
Node.js v14.17.0
TypeScript v4.4.2
Azure OpenAI SDK (latest version)
@azure/identity (latest version)
What I Tried:
I reviewed the Azure documentation but found it unclear where to get these credentials specifically for use with Azure OpenAI.
I understand the concept of service principals but am unsure how to set one up correctly for this use case.
Any guidance or references would be greatly appreciated!
Upvotes: 1
Views: 913
Reputation: 8160
Go to Microsoft Entra ID and, in the App registration tab, create a new app.
Then click on the created app; in my case I created an app called openai.
Copy the client ID and tenant ID.
Next, under the Certificates and secrets tab, create a new secret and copy it.
Use these values in your script.
Make sure you have the OpenAI user or contributor role on your service principal. If you do not have the role, use the steps below.
Go to the access control tab in your OpenAI resource and add a role assignment.
Select any one of the roles.
Now select your application and assign the role.
Code:
import { AzureOpenAI } from "openai";
import { ClientSecretCredential, getBearerTokenProvider } from "@azure/identity";

export async function main() {
  // Values copied from the app registration (placeholders here)
  const tenantId = "<tenantId>";
  const clientId = "<clientId>";
  const clientSecret = "<clientSecret>";

  // Scope for Azure Cognitive Services / Azure OpenAI tokens
  const scope = "https://cognitiveservices.azure.com/.default";
  const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  const azureADTokenProvider = getBearerTokenProvider(firstCredential, scope);

  const deployment = "gpt35-soautomation";
  const apiVersion = "2024-04-01-preview";
  const endpoint = "https://openai-soautomation.openai.azure.com";
  const client = new AzureOpenAI({ endpoint, azureADTokenProvider, deployment, apiVersion });

  const result = await client.chat.completions.create({
    messages: [
      { role: "system", content: "You are a helpful assistant. You will talk like a pirate." },
      { role: "user", content: "Can you help me?" },
    ],
    model: 'gpt35-soautomation',
  });

  for (const choice of result.choices) {
    console.log(choice.message);
  }
}

main().catch((err) => {
  console.error("The sample encountered an error:", err);
});
Output:
{
content: "Aye, aye matey! I'll gladly lend me assistance. What be the problem?",
role: 'assistant'
}
Upvotes: 1
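On the question's second point (storing the values securely), here is an added example, not part of the answer above and not Microsoft's sample code, that reads the three values from environment variables instead of source and fails fast without echoing the secret. The variable names are the ones @azure/identity's EnvironmentCredential reads; the helper names `loadServicePrincipal` and `createTokenProvider` are hypothetical, and the GUID check assumes both IDs are the GUIDs copied from the app registration.

```javascript
// Added example: keep tenantId / clientId / clientSecret out of source code.
// AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are the names that
// @azure/identity's EnvironmentCredential also reads.
// Assumption: both IDs are GUIDs, as shown on the app registration page.
const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const SCOPE = "https://cognitiveservices.azure.com/.default";

// Hypothetical helper: validate and return the three values, or throw with a
// message that names the offending variable but never includes its value.
function loadServicePrincipal(env = process.env) {
  const problems = [];
  const read = (name, check) => {
    const value = (env[name] ?? "").trim();
    if (!value) problems.push(`${name} is not set`);
    else if (/^<.*>$/.test(value)) problems.push(`${name} is still a placeholder`);
    else if (check && !check(value)) problems.push(`${name} is malformed`);
    return value;
  };
  const config = {
    tenantId: read("AZURE_TENANT_ID", (v) => GUID.test(v)),
    clientId: read("AZURE_CLIENT_ID", (v) => GUID.test(v)),
    clientSecret: read("AZURE_CLIENT_SECRET"),
  };
  if (problems.length) {
    throw new Error(`Service principal config: ${problems.join("; ")}`);
  }
  // Non-enumerable: console.log(config) and JSON.stringify(config) skip the
  // secret, while config.clientSecret and destructuring still work.
  Object.defineProperty(config, "clientSecret", { enumerable: false });
  return Object.freeze(config);
}

// Hypothetical helper: builds the token provider that is passed to AzureOpenAI
// as azureADTokenProvider. The SDK is loaded lazily so the validation above
// can be exercised on machines where it is not installed.
async function createTokenProvider(env = process.env) {
  const { tenantId, clientId, clientSecret } = loadServicePrincipal(env);
  const { ClientSecretCredential, getBearerTokenProvider } =
    await import("@azure/identity");
  const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
  return getBearerTokenProvider(credential, SCOPE);
}
```

The variables themselves are set by the hosting platform's application settings or secret store, so the secret never lands in the repository.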