Unable to configure AzureUSGovernmentCloud audience for AI Search

Question

Unable to configure AzureUSGovernmentCloud audience for AI Search

clarked-msft opened this issue 7 months ago · 1 comments

Context / Scenario

I'm using AI Search as the DataIngestion MemoryDb in AzureUSGovernmentCloud. I'd like to use AzureIdentity auth but I do not see a way to pass the correct token audience to the search client.

What happened?

A token is requested with scope appropriate for commerical, which does not work in gov cloud.

Importance

a fix would make my life easier

Platform, Language, Versions

dotnet

Relevant log output

No response

Answer 1 · 2024-06-05T02:02:51.000Z

can you wrap the token in a Azure.Core.TokenCredential object?

var config = new AzureAISearchConfig { Auth = AzureAISearchConfig.AuthTypes.ManualTokenCredential };

TokenCredential token = new ...;
config.SetCredential(token);

var memory = new KernelMemoryBuilder().WithAzureAISearchMemoryDb(config).Build();

or you could use Managed Identities:

var config = new AzureAISearchConfig { Auth = AzureAISearchConfig.AuthTypes.AzureIdentity };
var memory = new KernelMemoryBuilder().WithAzureAISearchMemoryDb(config).Build();

If you use a managed identity, you should be able to configure which identity in your deployment, without the need to configure the client/tenant ID/audience in KM:

create a managed identity in your preferred tenant/cloud
configure Azure AI Search to allow access from the managed identity
configure the .NET app container to use the managed identity when connecting to other services, e.g. when connecting to AI Search
configure KM to use AzureIdentity (second snippet above)