feat: Implemented Identity based Authentication

Author: Prajwal-Microsoft

App/backend-api/Microsoft.GS.DPS.Host/DependencyConfiguration/ServiceDependencies.cs

@@ -12,6 +12,7 @@
 using Microsoft.GS.DPS.Storage.AISearch;
 using Microsoft.GS.DPSHost.AppConfiguration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.GS.DPSHost.Helpers;
 
 namespace Microsoft.GS.DPSHost.ServiceConfiguration
 {
@@ -31,7 +32,7 @@ public static void Inject(IHostApplicationBuilder builder)
                     return Kernel.CreateBuilder()
                                  .AddAzureOpenAIChatCompletion(deploymentName: builder.Configuration.GetSection("Application:AIServices:GPT-4o-mini")["ModelName"] ?? "",
                                                               endpoint: builder.Configuration.GetSection("Application:AIServices:GPT-4o-mini")["Endpoint"] ?? "",
-                                                              apiKey: builder.Configuration.GetSection("Application:AIServices:GPT-4o-mini")["Key"] ?? "")
+                                                              credentials: AzureCredentialHelper.GetAzureCredential())
 
                                  .Build();
                 })
@@ -66,7 +67,7 @@ public static void Inject(IHostApplicationBuilder builder)
                 .AddSingleton<TagUpdater>(x =>
                 {
                     var services = x.GetRequiredService<IOptions<Services>>().Value;
-                    return new TagUpdater(services.AzureAISearch.Endpoint, services.AzureAISearch.APIKey);
+                    return new TagUpdater(services.AzureAISearch.Endpoint, AzureCredentialHelper.GetAzureCredential());
 
                 })
 

App/backend-api/Microsoft.GS.DPS/Microsoft.GS.DPS.csproj

@@ -8,6 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="AutoMapper" Version="14.0.0" />
+    <PackageReference Include="Azure.Identity" Version="1.14.1" />
     <PackageReference Include="Azure.Search.Documents" Version="11.6.1" />
     <PackageReference Include="FluentValidation" Version="12.0.0" />
     <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.0.0" />

App/backend-api/Microsoft.GS.DPS/Storage/AISearch/TagUpdater.cs

@@ -3,6 +3,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using Azure;
+using Azure.Core;
 using Azure.Search.Documents;
 using Azure.Search.Documents.Models;
 
@@ -12,9 +13,9 @@ public class TagUpdater
     {
         private readonly SearchClient _searchClient;
 
-        public TagUpdater(string searchEndPoint, string searchAPIKey, string indexName = "default")
+        public TagUpdater(string searchEndPoint, TokenCredential tokenCredential, string indexName = "default")
         {
-            _searchClient = new SearchClient(new Uri(searchEndPoint), indexName, new AzureKeyCredential(searchAPIKey));
+            _searchClient = new SearchClient(new Uri(searchEndPoint), indexName, tokenCredential);
         }
 
         public async Task UpdateTags(string documentId, List<string> updatingTags)

App/kernel-memory/service/Core/DataFormats/Image/ImageContextDecoder.cs

@@ -12,6 +12,7 @@
 using Microsoft.SemanticKernel.ChatCompletion;
 using Azure.AI.OpenAI;
 using System.Collections.Generic;
+using Azure.Identity;
 
 namespace Microsoft.KernelMemory.DataFormats.Image
 {
@@ -32,7 +33,7 @@ public ImageContextDecoder(KernelMemoryConfig config, ILoggerFactory? loggerFact
             this._kernel = Kernel.CreateBuilder()
                 .AddAzureOpenAIChatCompletion(deploymentName: (string)this._config.Services["AzureOpenAIText"]["Deployment"],
                                                     endpoint: (string)this._config.Services["AzureOpenAIText"]["Endpoint"],
-                                                      apiKey: (string)this._config.Services["AzureOpenAIText"]["APIKey"])
+                                                      credentials: new DefaultAzureCredential())
                 .Build();
         }
 

App/kernel-memory/service/Core/DataFormats/Pdf/PdfMarkdownDecoder.cs

@@ -15,13 +15,13 @@
 using Azure.Core;
 using Azure;
 using Microsoft.KernelMemory.Configuration;
+using Azure.Identity;
 
 namespace Microsoft.KernelMemory.DataFormats.Pdf;
 public sealed class PdfMarkdownDecoder(KernelMemoryConfig config, ILoggerFactory? loggerFactory = null) : IContentDecoder
 {
     private readonly ILogger<PdfDecoder> _log = (loggerFactory ?? DefaultLogger.Factory).CreateLogger<PdfDecoder>();
     private DocumentIntelligenceClient _client = null!; // Initialize _client as null
-    private string _apiKey = (string)config.Services["AzureAIDocIntel"]["APIKey"];
     private string _endpoint = (string)config.Services["AzureAIDocIntel"]["Endpoint"];
 
     /// <inheritdoc />
@@ -49,7 +49,7 @@ public async Task<FileContent> DecodeAsync(BinaryData data, CancellationToken ca
             Retry = { Delay = TimeSpan.FromSeconds(90), MaxDelay = TimeSpan.FromSeconds(180), MaxRetries = 3, Mode = RetryMode.Exponential },
         };
 
-        this._client = new DocumentIntelligenceClient(new Uri(this._endpoint), new AzureKeyCredential(this._apiKey), options);
+        this._client = new DocumentIntelligenceClient(new Uri(this._endpoint), new DefaultAzureCredential(), options);
 
         Operation<AnalyzeResult> operation = null;
         operation = await this._client.AnalyzeDocumentAsync(WaitUntil.Completed, analyzeDocumentOptions, cancellationToken).ConfigureAwait(false);

App/kernel-memory/service/Core/Handlers/KeywordExtractingHandler.cs

@@ -5,6 +5,7 @@
 using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
+using Azure.Identity;
 using Microsoft.Extensions.Logging;
 using Microsoft.KernelMemory.Diagnostics;
 using Microsoft.KernelMemory.Pipeline;
@@ -38,7 +39,7 @@ public KeywordExtractingHandler(
         this._kernel = Kernel.CreateBuilder()
             .AddAzureOpenAIChatCompletion(deploymentName: (string)this._config.Services["AzureOpenAIText"]["Deployment"],
                                                 endpoint: (string)this._config.Services["AzureOpenAIText"]["Endpoint"],
-                                                  apiKey: (string)this._config.Services["AzureOpenAIText"]["APIKey"])
+                                                  credentials: new DefaultAzureCredential())
             .Build();
     }
 

Deployment/resourcedeployment.ps1

@@ -686,6 +686,23 @@ try {
     Write-Host "Assign the role for aks system assigned managed identity to App Storage Queue Data Contributor role" -ForegroundColor Green
     az role assignment create --assignee $systemAssignedIdentity --role "Storage Queue Data Contributor" --scope "/subscriptions/$($deploymentResult.SubscriptionId)/resourceGroups/$($deploymentResult.ResourceGroupName)/providers/Microsoft.Storage/storageAccounts/$($deploymentResult.StorageAccountName)"
 
+    # Assign the role for aks system assigned managed identity to Azure Queue Data Contributor role with the scope of Storage Account
+    Write-Host "Assign the role for aks system assigned managed identity to App Cognitive Services OpenAI User role" -ForegroundColor Green
+    az role assignment create --assignee $systemAssignedIdentity --role "Cognitive Services OpenAI User" --scope "/subscriptions/$($deploymentResult.SubscriptionId)/resourceGroups/$($deploymentResult.ResourceGroupName)/providers/Microsoft.CognitiveServices/accounts/$($deploymentResult.AzOpenAiServiceName)"
+
+    # Assign the role for aks system assigned managed identity to Azure Queue Data Contributor role with the scope of Storage Account
+    Write-Host "Assign the role for aks system assigned managed identity to App Search Index Data Contributor role" -ForegroundColor Green
+    az role assignment create --assignee $systemAssignedIdentity --role "Search Index Data Contributor" --scope "/subscriptions/$($deploymentResult.SubscriptionId)/resourceGroups/$($deploymentResult.ResourceGroupName)/providers/Microsoft.Search/searchServices/$($deploymentResult.AzSearchServiceName)"
+
+    # Assign the role for aks system assigned managed identity to Azure Queue Data Contributor role with the scope of Storage Account
+    Write-Host "Assign the role for aks system assigned managed identity to App Search Service Contributor role" -ForegroundColor Green
+    az role assignment create --assignee $systemAssignedIdentity --role "Search Service Contributor" --scope "/subscriptions/$($deploymentResult.SubscriptionId)/resourceGroups/$($deploymentResult.ResourceGroupName)/providers/Microsoft.Search/searchServices/$($deploymentResult.AzSearchServiceName)"
+
+    # Assign the role for aks system assigned managed identity to Azure Queue Data Contributor role with the scope of Storage Account
+    Write-Host "Assign the role for aks system assigned managed identity to App Cognitive Services User role" -ForegroundColor Green
+    az role assignment create --assignee $systemAssignedIdentity --role "Cognitive Services User" --scope "/subscriptions/$($deploymentResult.SubscriptionId)/resourceGroups/$($deploymentResult.ResourceGroupName)/providers/Microsoft.CognitiveServices/accounts/$($deploymentResult.AzCognitiveServiceName)"
+
+
     # 8. Update aks nodepools to updated new role
     try {
         Write-Host "Upgrading node pools..." -ForegroundColor Cyan

infra/main.bicep

@@ -396,112 +396,96 @@ module avmAppConfig 'br/public:avm/res/app-configuration/configuration-store:0.6
       }
     ]
 
-    // keyValues: [
-    //   {
-    //     name: 'Application:AIServices:GPT-4o-mini:Endpoint'
-    //     value: avmOpenAi.outputs.endpoint
-    //   }
-    //   {
-    //     name: 'Application:AIServices:GPT-4o-mini:Key'
-    //     value: '' // Todo: avmOpenAi.outputs.
-    //   }
-    //   {
-    //     name: 'Application:AIServices:GPT-4o-mini:ModelName'
-    //     value: chatGpt.modelName
-    //   }
-    //   {
-    //     name: 'Application:Services:KernelMemory:Endpoint'
-    //     value: 'http://kernelmemory-service'
-    //   }
-    //   {
-    //     name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:ChatHistory:Collection'
-    //     value: 'ChatHistory'
-    //   }
-    //   {
-    //     name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:ChatHistory:Database'
-    //     value: 'DPS'
-    //   }
-    //   {
-    //     name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:DocumentManager:Collection'
-    //     value: 'Documents'
-    //   }
-    //   {
-    //     name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:DocumentManager:Database'
-    //     value: 'DPS'
-    //   }
-    //   {
-    //     name: 'Application:Services:PersistentStorage:CosmosMongo:ConnectionString'
-    //     value: avmCosmosDB.outputs.primaryReadWriteConnectionString
-    //   }
-    //   {
-    //     name: 'Application:Services:AzureAISearch:APIKey'
-    //     value: avmSearchSearchServices.outputs.exportedSecrets.primaryAdminKey
-    //   }
-    //   {
-    //     name: 'Application:Services:AzureAISearch:Endpoint'
-    //     value: 'https://${avmSearchSearchServices.outputs.name}.search.windows.net'
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureAIDocIntel:APIKey'
-    //     value: documentIntelligence.outputs.exportedSecrets.primaryAdminKey
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureAIDocIntel:Endpoint'
-    //     value: documentIntelligence.outputs.endpoint
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureAISearch:APIKey'
-    //     value: avmSearchSearchServices.outputs.exportedSecrets.primaryAdminKey
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureAISearch:Endpoint'
-    //     value: 'https://${avmSearchSearchServices.outputs.name}.search.windows.net'
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureBlobs:Account'
-    //     value: avmStorageAccount.outputs.name
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureBlobs:ConnectionString'
-    //     value: avmStorageAccount.outputs.primaryConnectionString
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureBlobs:Container'
-    //     value: 'smemory'
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIEmbedding:APIKey'
-    //     value: '{azureopenaiembedding-apikey}'
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIEmbedding:Deployment'
-    //     value: embedding.deploymentName
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIEmbedding:Endpoint'
-    //     value: avmOpenAi.outputs.endpoint
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIText:APIKey'
-    //     value: '{azureopenaitext-apikey}'
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIText:Deployment'
-    //     value: chatGpt.deploymentName
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureOpenAIText:Endpoint'
-    //     value: avmOpenAi.outputs.endpoint
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureQueues:Account'
-    //     value: avmStorageAccount.outputs.name
-    //   }
-    //   {
-    //     name: 'KernelMemory:Services:AzureQueues:ConnectionString'
-    //     value: avmStorageAccount.outputs.primaryConnectionString
-    //   }
-    // ]
+    keyValues: [
+      {
+        name: 'Application:AIServices:GPT-4o-mini:Endpoint'
+        value: avmOpenAi.outputs.endpoint
+      }
+      {
+        name: 'Application:AIServices:GPT-4o-mini:ModelName'
+        value: chatGpt.modelName
+      }
+      {
+        name: 'Application:Services:KernelMemory:Endpoint'
+        value: 'http://kernelmemory-service'
+      }
+      {
+        name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:ChatHistory:Collection'
+        value: 'ChatHistory'
+      }
+      {
+        name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:ChatHistory:Database'
+        value: 'DPS'
+      }
+      {
+        name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:DocumentManager:Collection'
+        value: 'Documents'
+      }
+      {
+        name: 'Application:Services:PersistentStorage:CosmosMongo:Collections:DocumentManager:Database'
+        value: 'DPS'
+      }
+      {
+        name: 'Application:Services:PersistentStorage:CosmosMongo:ConnectionString'
+        value: avmCosmosDB.outputs.primaryReadWriteConnectionString
+      }
+      {
+        name: 'Application:Services:AzureAISearch:Endpoint'
+        value: 'https://${avmSearchSearchServices.outputs.name}.search.windows.net'
+      }
+      {
+        name: 'KernelMemory:Services:AzureAIDocIntel:Auth'
+        value: 'AzureIdentity'
+      }
+      {
+        name: 'KernelMemory:Services:AzureAIDocIntel:Endpoint'
+        value: documentIntelligence.outputs.endpoint
+      }
+      {
+        name: 'KernelMemory:Services:AzureAISearch:Auth'
+        value: 'AzureIdentity'
+      }
+      {
+        name: 'KernelMemory:Services:AzureAISearch:Endpoint'
+        value: 'https://${avmSearchSearchServices.outputs.name}.search.windows.net'
+      }
+      {
+        name: 'KernelMemory:Services:AzureBlobs:Account'
+        value: avmStorageAccount.outputs.name
+      }
+      {
+        name: 'KernelMemory:Services:AzureBlobs:Auth'
+        value: 'AzureIdentity'
+      }
+      {
+        name: 'KernelMemory:Services:AzureBlobs:Container'
+        value: 'smemory'
+      }
+      {
+        name: 'KernelMemory:Services:AzureOpenAIEmbedding:Deployment'
+        value: embedding.deploymentName
+      }
+      {
+        name: 'KernelMemory:Services:AzureOpenAIEmbedding:Endpoint'
+        value: avmOpenAi.outputs.endpoint
+      }
+      {
+        name: 'KernelMemory:Services:AzureOpenAIText:Deployment'
+        value: chatGpt.deploymentName
+      }
+      {
+        name: 'KernelMemory:Services:AzureOpenAIText:Endpoint'
+        value: avmOpenAi.outputs.endpoint
+      }
+      {
+        name: 'KernelMemory:Services:AzureQueues:Account'
+        value: avmStorageAccount.outputs.name
+      }
+      {
+        name: 'KernelMemory:Services:AzureQueues:Auth'
+        value: 'AzureIdentity'
+      }
+    ]
     // WAF aligned networking
     publicNetworkAccess: enablePrivateNetworking ? 'Disabled' : 'Enabled'
     privateEndpoints: enablePrivateNetworking
@@ -615,7 +599,11 @@ module avmSearchSearchServices 'br/public:avm/res/search/search-service:0.9.1' =
     managedIdentities: { userAssignedResourceIds: [userAssignedIdentity!.outputs.resourceId] }
     replicaCount: 1
     partitionCount: 1
-  
+    authOptions: {
+      aadOrApiKey: {
+        aadAuthFailureMode: 'http401WithBearerChallenge'
+      }
+    }
     roleAssignments: [
       {
         roleDefinitionIdOrName: 'Search Index Data Contributor' // Cognitive Search Contributor