Federated credentials

Author: ryansingman

deploy/helm/tlm/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.35
+version: 0.1.36
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

deploy/helm/tlm/templates/chat/deployment.yaml

@@ -14,6 +14,9 @@ spec:
       labels:
         {{- include "tlm.selectorLabels" . | nindent 8 }}
         tlm.chat-backend: "true"
+        {{- if .Values.chat_backend.azure_service_principal.enabled }}
+        azure.workload.identity/use: "true"
+        {{- end }}
     spec:
       serviceAccountName: {{ .Release.Name }}-chat-backend
       containers:

deploy/helm/tlm/templates/chat/service_account.yaml

@@ -5,9 +5,6 @@ metadata:
   labels:
     {{- include "tlm.labels" . | nindent 4 }}
   annotations:
-    {{- if .Values.chat_backend.azure_service_principal.client_id }}
+    {{- if .Values.chat_backend.azure_service_principal.enabled }}
     azure.workload.identity/client-id: {{ .Values.chat_backend.azure_service_principal.client_id }}
     {{- end }}
-    {{- if .Values.chat_backend.azure_service_principal.tenant_id }}
-    azure.workload.identity/tenant-id: {{ .Values.chat_backend.azure_service_principal.tenant_id }}
-    {{- end }}

deploy/helm/tlm/values.yaml

@@ -12,8 +12,8 @@ imagePullSecret:
 chat_backend:
   secret_name: ""
   azure_service_principal:
+    enabled: false
     client_id: ""
-    tenant_id: ""
 
   image:
     repository: 043170249292.dkr.ecr.us-east-1.amazonaws.com/tlm/chat-backend

installation/aks.md

@@ -125,7 +125,6 @@ az identity create --name cleanlabtlm-openai-sp-identity --resource-group <resou
 openai_sp_identity_id=$(az identity show --name cleanlabtlm-openai-sp-identity --resource-group <resource_group_name> --query id -o tsv)
 openai_sp_identity_client_id=$(az identity show --name cleanlabtlm-openai-sp-identity --resource-group <resource_group_name> --query clientId -o tsv)
 openai_sp_identity_principal_id=$(az identity show --name cleanlabtlm-openai-sp-identity --resource-group <resource_group_name> --query principalId -o tsv)
-openai_sp_identity_tenant_id=$(az identity show --name cleanlabtlm-openai-sp-identity --resource-group <resource_group_name> --query tenantId -o tsv)
 ```
 
 2. Assign the `Cognitive Services OpenAI User` role to the identity
@@ -141,10 +140,21 @@ az role assignment create \
 az aks update -n <aks_cluster_name> -g <resource_group_name> --assign-identity $openai_sp_identity_id --enable-managed-identity
 ```
 
-4. Export the identity ID as an environment variable for later use
+4. Create a federated identity credential for the identity
+```bash
+federated_credential_issuer=$(az aks show --name <aks_cluster_name> --resource-group <resource_group_name> --query oidcIssuerProfile.issuerUrl -o tsv)
+az identity federated-credential create \
+    --name cleanlabtlm-openai-sp-identity-federated-credential \
+    --identity-name cleanlabtlm-openai-sp-identity \
+    --resource-group <resource_group_name> \
+    --issuer $federated_credential_issuer \
+    --subject system:serviceaccount:cleanlabtlm:tlm-chat-backend \
+    --audience api://AzureADTokenExchange
+```
+
+5. Export the identity ID as an environment variable for later use
 ```bash
 export OPENAI_SP_IDENTITY_CLIENT_ID=$openai_sp_identity_client_id
-export OPENAI_SP_IDENTITY_TENANT_ID=$openai_sp_identity_tenant_id
 ```
 
 ### 3d. Log in to the `cleanlabtlm` Helm registry
@@ -174,8 +184,8 @@ chat_backend:
     TLM_DEFAULT_EMBEDDING_MODEL: azure/text-embedding-3-small
 
   azure_service_principal:
+    enabled: true
     client_id: $OPENAI_SP_IDENTITY_CLIENT_ID
-    tenant_id: $OPENAI_SP_IDENTITY_TENANT_ID
 
 imagePullSecret:
   enabled: true