How to use DefaultAzureCredential with OpenAI
Quick answer
Use the
DefaultAzureCredential from azure.identity to authenticate your AzureOpenAI client without an API key. Pass the credential via the azure_ad_token_provider parameter when creating the AzureOpenAI client to enable managed identity or environment-based authentication.PREREQUISITES
Python 3.8+Azure OpenAI resource with managed identity or service principalpip install openai>=1.0 azure-identityAzure CLI or environment configured for authentication
Setup
Install the required Python packages and configure your Azure environment for authentication.
- Install
openaiSDK version 1.0 or higher. - Install
azure-identityforDefaultAzureCredential. - Ensure your Azure OpenAI resource has a managed identity or you have a service principal configured.
- Authenticate locally using
az loginor set environment variables for service principal credentials.
pip install openai azure-identityStep by step
This example shows how to create an AzureOpenAI client using DefaultAzureCredential for authentication and send a chat completion request.
import os
from azure.identity import DefaultAzureCredential
from openai import AzureOpenAI
# Initialize DefaultAzureCredential
credential = DefaultAzureCredential()
# Create AzureOpenAI client with managed identity authentication
client = AzureOpenAI(
azure_ad_token_provider=credential,
azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"]
)
# Use your Azure OpenAI deployment name
deployment_name = os.environ["AZURE_OPENAI_DEPLOYMENT"]
response = client.chat.completions.create(
model=deployment_name,
messages=[{"role": "user", "content": "Hello from DefaultAzureCredential!"}]
)
print(response.choices[0].message.content) output
Hello from DefaultAzureCredential!
Common variations
You can use DefaultAzureCredential in async contexts or with different Azure OpenAI models and deployments.
- For async usage, use
asyncioandawaitwith theAzureOpenAIclient methods. - Change the
modelparameter to your specific deployment name. - Use environment variables to manage endpoint and deployment names securely.
import asyncio
from azure.identity.aio import DefaultAzureCredential
from openai import AzureOpenAI
async def main():
credential = DefaultAzureCredential()
client = AzureOpenAI(
azure_ad_token_provider=credential,
azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"]
)
deployment_name = os.environ["AZURE_OPENAI_DEPLOYMENT"]
response = await client.chat.completions.acreate(
model=deployment_name,
messages=[{"role": "user", "content": "Async hello with DefaultAzureCredential"}]
)
print(response.choices[0].message.content)
asyncio.run(main()) output
Async hello with DefaultAzureCredential
Troubleshooting
If authentication fails, verify the following:
- Your Azure environment is properly authenticated (run
az loginor set service principal environment variables). - The
AZURE_OPENAI_ENDPOINTandAZURE_OPENAI_DEPLOYMENTenvironment variables are correctly set. - Your Azure OpenAI resource has the necessary permissions for the managed identity or service principal.
- Check for network or firewall restrictions blocking Azure SDK authentication.
Key Takeaways
- Use
DefaultAzureCredentialto authenticate Azure OpenAI without explicit API keys. - Pass the credential via
azure_ad_token_providerwhen creating theAzureOpenAIclient. - Ensure environment variables
AZURE_OPENAI_ENDPOINTandAZURE_OPENAI_DEPLOYMENTare set correctly. - For async calls, use
acreatemethods withDefaultAzureCredentialfromazure.identity.aio. - Verify Azure permissions and local authentication if you encounter credential errors.