Keyless auth

code/backend/batch/utilities/helpers/env_helper.py

@@ -165,7 +165,7 @@ def __load_config(self, **kwargs) -> None:
                 "Unsupported DATABASE_TYPE. Please set DATABASE_TYPE to 'CosmosDB' or 'PostgreSQL'."
             )
 
-        self.AZURE_AUTH_TYPE = os.getenv("AZURE_AUTH_TYPE", "keys")
+        self.AZURE_AUTH_TYPE = os.getenv("AZURE_AUTH_TYPE", "rbac")
         # Azure OpenAI
         self.AZURE_OPENAI_RESOURCE = os.getenv("AZURE_OPENAI_RESOURCE", "")
         # Fetch AZURE_OPENAI_MODEL_INFO from environment
@@ -233,6 +233,7 @@ def __load_config(self, **kwargs) -> None:
         self.AZURE_COMPUTER_VISION_VECTORIZE_IMAGE_MODEL_VERSION = os.getenv(
             "AZURE_COMPUTER_VISION_VECTORIZE_IMAGE_MODEL_VERSION", "2023-04-15"
         )
+        self.FUNCTION_KEY = os.getenv("FUNCTION_KEY", "")
 
         # Initialize Azure keys based on authentication type and environment settings.
         # When AZURE_AUTH_TYPE is "rbac", azure keys are None or an empty string.
@@ -241,6 +242,7 @@ def __load_config(self, **kwargs) -> None:
             self.AZURE_OPENAI_API_KEY = ""
             self.AZURE_SPEECH_KEY = None
             self.AZURE_COMPUTER_VISION_KEY = None
+            self.FUNCTION_KEY = self.secretHelper.get_secret("FUNCTION_KEY")
         else:
             self.AZURE_SEARCH_KEY = self.secretHelper.get_secret("AZURE_SEARCH_KEY")
             self.AZURE_OPENAI_API_KEY = self.secretHelper.get_secret(
@@ -268,7 +270,6 @@ def __load_config(self, **kwargs) -> None:
         os.environ["OPENAI_API_VERSION"] = self.OPENAI_API_VERSION
         # Azure Functions - Batch processing
         self.BACKEND_URL = os.getenv("BACKEND_URL", "http://localhost:7071")
-        self.FUNCTION_KEY = os.getenv("FUNCTION_KEY")
         self.AzureWebJobsStorage = os.getenv("AzureWebJobsStorage", "")
         self.DOCUMENT_PROCESSING_QUEUE_NAME = os.getenv(
             "DOCUMENT_PROCESSING_QUEUE_NAME", "doc-processing"

infra/app/adminweb.bicep

@@ -1,34 +1,17 @@
 param name string
 param location string = resourceGroup().location
 param tags object = {}
-param storageAccountName string = ''
-param formRecognizerName string = ''
-param contentSafetyName string = ''
 param allowedOrigins array = []
 param appServicePlanId string
 param appCommandLine string = 'python -m streamlit run Admin.py --server.port 8000 --server.address 0.0.0.0 --server.enableXsrfProtection false'
 param runtimeName string = 'python'
 param runtimeVersion string = ''
 param applicationInsightsName string = ''
 param keyVaultName string = ''
-param azureOpenAIName string = ''
-param azureAISearchName string = ''
-param speechServiceName string = ''
-param computerVisionName string = ''
 @secure()
 param appSettings object = {}
-param useKeyVault bool
-param openAIKeyName string = ''
-param storageAccountKeyName string = ''
-param formRecognizerKeyName string = ''
-param searchKeyName string = ''
-param computerVisionKeyName string = ''
-param contentSafetyKeyName string = ''
-param speechKeyName string = ''
-param authType string
 param dockerFullImageName string = ''
 param useDocker bool = dockerFullImageName != ''
-param databaseType string = 'CosmosDB' // 'CosmosDB' or 'PostgreSQL'
 
 module adminweb '../core/host/appservice.bicep' = {
   name: '${name}-app-module'
@@ -45,95 +28,13 @@ module adminweb '../core/host/appservice.bicep' = {
     scmDoBuildDuringDeployment: useDocker ? false : true
     applicationInsightsName: applicationInsightsName
     appServicePlanId: appServicePlanId
-    managedIdentity: databaseType == 'PostgreSQL' || !empty(keyVaultName)
-    appSettings: union(appSettings, {
-      AZURE_AUTH_TYPE: authType
-      USE_KEY_VAULT: useKeyVault ? useKeyVault : ''
-      AZURE_OPENAI_API_KEY: useKeyVault
-        ? openAIKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              azureOpenAIName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_SEARCH_KEY: useKeyVault
-        ? searchKeyName
-        : (azureAISearchName != ''
-            ? listAdminKeys(
-                resourceId(
-                  subscription().subscriptionId,
-                  resourceGroup().name,
-                  'Microsoft.Search/searchServices',
-                  azureAISearchName
-                ),
-                '2021-04-01-preview'
-              ).primaryKey
-            : '')
-      AZURE_BLOB_ACCOUNT_KEY: useKeyVault
-        ? storageAccountKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.Storage/storageAccounts',
-              storageAccountName
-            ),
-            '2021-09-01'
-          ).keys[0].value
-      AZURE_FORM_RECOGNIZER_KEY: useKeyVault
-        ? formRecognizerKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              formRecognizerName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_CONTENT_SAFETY_KEY: useKeyVault
-        ? contentSafetyKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              contentSafetyName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_SPEECH_SERVICE_KEY: useKeyVault
-        ? speechKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              speechServiceName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_COMPUTER_VISION_KEY: (useKeyVault || computerVisionName == '')
-        ? computerVisionKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              computerVisionName
-            ),
-            '2023-05-01'
-          ).key1
-    })
+    managedIdentity: !empty(keyVaultName)
+    appSettings: appSettings
   }
 }
 
 // Storage Blob Data Contributor
-module storageRoleBackend '../core/security/role.bicep' = if (authType == 'rbac') {
+module storageRoleBackend '../core/security/role.bicep' = {
   name: 'storage-role-backend'
   params: {
     principalId: adminweb.outputs.identityPrincipalId
@@ -143,7 +44,7 @@ module storageRoleBackend '../core/security/role.bicep' = if (authType == 'rbac'
 }
 
 // Cognitive Services User
-module openAIRoleBackend '../core/security/role.bicep' = if (authType == 'rbac') {
+module openAIRoleBackend '../core/security/role.bicep' = {
   name: 'openai-role-backend'
   params: {
     principalId: adminweb.outputs.identityPrincipalId
@@ -155,7 +56,7 @@ module openAIRoleBackend '../core/security/role.bicep' = if (authType == 'rbac')
 // Contributor
 // This role is used to grant the service principal contributor access to the resource group
 // See if this is needed in the future.
-module openAIRoleBackendContributor '../core/security/role.bicep' = if (authType == 'rbac') {
+module openAIRoleBackendContributor '../core/security/role.bicep' = {
   name: 'openai-role-backend-contributor'
   params: {
     principalId: adminweb.outputs.identityPrincipalId
@@ -165,7 +66,7 @@ module openAIRoleBackendContributor '../core/security/role.bicep' = if (authType
 }
 
 // Search Index Data Contributor
-module searchRoleBackend '../core/security/role.bicep' = if (authType == 'rbac') {
+module searchRoleBackend '../core/security/role.bicep' = {
   name: 'search-role-backend'
   params: {
     principalId: adminweb.outputs.identityPrincipalId
@@ -174,7 +75,7 @@ module searchRoleBackend '../core/security/role.bicep' = if (authType == 'rbac')
   }
 }
 
-module adminwebaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
+module adminwebaccess '../core/security/keyvault-access.bicep' = {
   name: 'adminweb-keyvault-access'
   params: {
     keyVaultName: keyVaultName

infra/app/function.bicep

@@ -11,23 +11,7 @@ param runtimeVersion string = ''
 @secure()
 param clientKey string
 param keyVaultName string = ''
-param azureOpenAIName string = ''
-param azureAISearchName string = ''
-param formRecognizerName string = ''
-param contentSafetyName string = ''
-param speechServiceName string = ''
-param computerVisionName string = ''
-param useKeyVault bool
-param openAIKeyName string = ''
-param storageAccountKeyName string = ''
-param formRecognizerKeyName string = ''
-param searchKeyName string = ''
-param computerVisionKeyName string = ''
-param contentSafetyKeyName string = ''
-param speechKeyName string = ''
-param authType string
 param dockerFullImageName string = ''
-param databaseType string
 
 module function '../core/host/functions.bicep' = {
   name: '${name}-app-module'
@@ -42,92 +26,8 @@ module function '../core/host/functions.bicep' = {
     runtimeName: runtimeName
     runtimeVersion: runtimeVersion
     dockerFullImageName: dockerFullImageName
-    useKeyVault: useKeyVault
-    managedIdentity: databaseType == 'PostgreSQL' || !empty(keyVaultName)
-    appSettings: union(appSettings, {
-      WEBSITES_ENABLE_APP_SERVICE_STORAGE: 'false'
-      AZURE_AUTH_TYPE: authType
-      USE_KEY_VAULT: useKeyVault ? useKeyVault : ''
-      AZURE_OPENAI_API_KEY: useKeyVault
-        ? openAIKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              azureOpenAIName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_SEARCH_KEY: useKeyVault
-        ? searchKeyName
-        : (azureAISearchName != ''
-            ? listAdminKeys(
-                resourceId(
-                  subscription().subscriptionId,
-                  resourceGroup().name,
-                  'Microsoft.Search/searchServices',
-                  azureAISearchName
-                ),
-                '2021-04-01-preview'
-              ).primaryKey
-            : '')
-      AZURE_BLOB_ACCOUNT_KEY: useKeyVault
-        ? storageAccountKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.Storage/storageAccounts',
-              storageAccountName
-            ),
-            '2021-09-01'
-          ).keys[0].value
-      AZURE_FORM_RECOGNIZER_KEY: useKeyVault
-        ? formRecognizerKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              formRecognizerName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_CONTENT_SAFETY_KEY: useKeyVault
-        ? contentSafetyKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              contentSafetyName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_SPEECH_SERVICE_KEY: useKeyVault
-        ? speechKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              speechServiceName
-            ),
-            '2023-05-01'
-          ).key1
-      AZURE_COMPUTER_VISION_KEY: (useKeyVault || computerVisionName == '')
-        ? computerVisionKeyName
-        : listKeys(
-            resourceId(
-              subscription().subscriptionId,
-              resourceGroup().name,
-              'Microsoft.CognitiveServices/accounts',
-              computerVisionName
-            ),
-            '2023-05-01'
-          ).key1
-    })
+    managedIdentity: !empty(keyVaultName)
+    appSettings: appSettings
   }
 }
 
@@ -159,7 +59,7 @@ resource waitFunctionDeploymentSection 'Microsoft.Resources/deploymentScripts@20
 }
 
 // Cognitive Services User
-module openAIRoleFunction '../core/security/role.bicep' = if (authType == 'rbac') {
+module openAIRoleFunction '../core/security/role.bicep' = {
   name: 'openai-role-function'
   params: {
     principalId: function.outputs.identityPrincipalId
@@ -171,7 +71,7 @@ module openAIRoleFunction '../core/security/role.bicep' = if (authType == 'rbac'
 // Contributor
 // This role is used to grant the service principal contributor access to the resource group
 // See if this is needed in the future.
-module openAIRoleFunctionContributor '../core/security/role.bicep' = if (authType == 'rbac') {
+module openAIRoleFunctionContributor '../core/security/role.bicep' = {
   name: 'openai-role-function-contributor'
   params: {
     principalId: function.outputs.identityPrincipalId
@@ -181,7 +81,7 @@ module openAIRoleFunctionContributor '../core/security/role.bicep' = if (authTyp
 }
 
 // Search Index Data Contributor
-module searchRoleFunction '../core/security/role.bicep' = if (authType == 'rbac') {
+module searchRoleFunction '../core/security/role.bicep' = {
   name: 'search-role-function'
   params: {
     principalId: function.outputs.identityPrincipalId
@@ -191,7 +91,7 @@ module searchRoleFunction '../core/security/role.bicep' = if (authType == 'rbac'
 }
 
 // Storage Blob Data Contributor
-module storageBlobRoleFunction '../core/security/role.bicep' = if (authType == 'rbac') {
+module storageBlobRoleFunction '../core/security/role.bicep' = {
   name: 'storage-blob-role-function'
   params: {
     principalId: function.outputs.identityPrincipalId
@@ -201,7 +101,7 @@ module storageBlobRoleFunction '../core/security/role.bicep' = if (authType == '
 }
 
 // Storage Queue Data Contributor
-module storageQueueRoleFunction '../core/security/role.bicep' = if (authType == 'rbac') {
+module storageQueueRoleFunction '../core/security/role.bicep' = {
   name: 'storage-queue-role-function'
   params: {
     principalId: function.outputs.identityPrincipalId
@@ -210,7 +110,7 @@ module storageQueueRoleFunction '../core/security/role.bicep' = if (authType ==
   }
 }
 
-module functionaccess '../core/security/keyvault-access.bicep' = if (useKeyVault) {
+module functionaccess '../core/security/keyvault-access.bicep' = {
   name: 'function-keyvault-access'
   params: {
     keyVaultName: keyVaultName

infra/app/machinelearning.bicep

@@ -1,7 +1,6 @@
 param location string
 param workspaceName string
 param storageAccountId string
-param keyVaultId string
 param applicationInsightsId string
 param azureAISearchName string
 param azureAISearchEndpoint string
@@ -16,7 +15,6 @@ resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@
   }
   properties: {
     storageAccount: storageAccountId
-    keyVault: keyVaultId
     applicationInsights: applicationInsightsId
   }
 }