Removing unneeded key for free search service (#1620)
* Removing unneeded key for free search service

* fix tests
pamelafox authored May 16, 2024
1 parent 3822c52 commit a74df4e
Showing 15 changed files with 24 additions and 300 deletions.
27 changes: 3 additions & 24 deletions app/backend/app.py
@@ -7,11 +7,8 @@
from pathlib import Path
from typing import Any, AsyncGenerator, Dict, Union, cast

from azure.core.credentials import AzureKeyCredential
from azure.core.credentials_async import AsyncTokenCredential
from azure.core.exceptions import ResourceNotFoundError
from azure.identity.aio import DefaultAzureCredential, get_bearer_token_provider
from azure.keyvault.secrets.aio import SecretClient
from azure.monitor.opentelemetry import configure_azure_monitor
from azure.search.documents.aio import SearchClient
from azure.search.documents.indexes.aio import SearchIndexClient
@@ -305,8 +302,6 @@ async def setup_clients():
AZURE_USERSTORAGE_CONTAINER = os.environ.get("AZURE_USERSTORAGE_CONTAINER")
AZURE_SEARCH_SERVICE = os.environ["AZURE_SEARCH_SERVICE"]
AZURE_SEARCH_INDEX = os.environ["AZURE_SEARCH_INDEX"]
AZURE_SEARCH_SECRET_NAME = os.getenv("AZURE_SEARCH_SECRET_NAME")
AZURE_KEY_VAULT_NAME = os.getenv("AZURE_KEY_VAULT_NAME")
# Shared by all OpenAI deployments
OPENAI_HOST = os.getenv("OPENAI_HOST", "azure")
OPENAI_CHATGPT_MODEL = os.environ["AZURE_OPENAI_CHATGPT_MODEL"]
@@ -351,24 +346,11 @@ async def setup_clients():
# If you encounter a blocking error during a DefaultAzureCredential resolution, you can exclude the problematic credential by using a parameter (ex. exclude_shared_token_cache_credential=True)
azure_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)

# Fetch any necessary secrets from Key Vault
search_key = None
if AZURE_KEY_VAULT_NAME:
async with SecretClient(
vault_url=f"https://{AZURE_KEY_VAULT_NAME}.vault.azure.net", credential=azure_credential
) as key_vault_client:
search_key = (
AZURE_SEARCH_SECRET_NAME and (await key_vault_client.get_secret(AZURE_SEARCH_SECRET_NAME)).value # type: ignore[attr-defined]
)

# Set up clients for AI Search and Storage
search_credential: Union[AsyncTokenCredential, AzureKeyCredential] = (
AzureKeyCredential(search_key) if search_key else azure_credential
)
search_client = SearchClient(
endpoint=f"https://{AZURE_SEARCH_SERVICE}.search.windows.net",
index_name=AZURE_SEARCH_INDEX,
credential=search_credential,
credential=azure_credential,
)

blob_container_client = ContainerClient(
@@ -380,7 +362,7 @@ async def setup_clients():
if AZURE_USE_AUTHENTICATION:
search_index_client = SearchIndexClient(
endpoint=f"https://{AZURE_SEARCH_SERVICE}.search.windows.net",
credential=search_credential,
credential=azure_credential,
)
search_index = await search_index_client.get_index(AZURE_SEARCH_INDEX)
await search_index_client.close()
@@ -418,10 +400,7 @@ async def setup_clients():
search_images=USE_GPT4V,
)
search_info = await setup_search_info(
search_service=AZURE_SEARCH_SERVICE,
index_name=AZURE_SEARCH_INDEX,
azure_credential=azure_credential,
search_key=clean_key_if_exists(search_key),
search_service=AZURE_SEARCH_SERVICE, index_name=AZURE_SEARCH_INDEX, azure_credential=azure_credential
)
text_embeddings_service = setup_embeddings_service(
azure_credential=azure_credential,
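Review bot: With the key fallback removed, `search_client` and `search_index_client` in `setup_clients` authenticate only through `azure_credential`, and nothing near those constructors states what that identity must be granted. A deployment whose identity lacks a Search data-plane role, or whose search service accepts API keys only, would now fail on authorization; under `AZURE_USE_AUTHENTICATION` that presumably surfaces at `get_index` during startup, otherwise not until the first query. I would add a comment above `search_client = SearchClient(` along the lines of `# Keyless only: the app identity needs a Search data-plane role (e.g. Search Index Data Reader) and the service must allow role-based access.` Environments that still set `AZURE_KEY_VAULT_NAME` or `AZURE_SEARCH_SECRET_NAME` will have them silently ignored, which is worth a line in the upgrade notes. `setup_clients` starts and ends outside the visible hunks.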
26 changes: 1 addition & 25 deletions app/backend/prepdocs.py
@@ -6,7 +6,6 @@
from azure.core.credentials import AzureKeyCredential
from azure.core.credentials_async import AsyncTokenCredential
from azure.identity.aio import AzureDeveloperCliCredential, get_bearer_token_provider
from azure.keyvault.secrets.aio import SecretClient

from prepdocslib.blobmanager import BlobManager
from prepdocslib.embeddings import (
@@ -43,19 +42,8 @@ def clean_key_if_exists(key: Union[str, None]) -> Union[str, None]:


async def setup_search_info(
search_service: str,
index_name: str,
azure_credential: AsyncTokenCredential,
search_key: Union[str, None] = None,
key_vault_name: Union[str, None] = None,
search_secret_name: Union[str, None] = None,
search_service: str, index_name: str, azure_credential: AsyncTokenCredential, search_key: Union[str, None] = None
) -> SearchInfo:
if key_vault_name and search_secret_name:
async with SecretClient(
vault_url=f"https://{key_vault_name}.vault.azure.net", credential=azure_credential
) as key_vault_client:
search_key = (await key_vault_client.get_secret(search_secret_name)).value # type: ignore[attr-defined]

search_creds: Union[AsyncTokenCredential, AzureKeyCredential] = (
azure_credential if search_key is None else AzureKeyCredential(search_key)
)
@@ -291,11 +279,6 @@ async def main(strategy: Strategy, setup_index: bool = True):
required=False,
help="Optional. Use this Azure AI Search account key instead of the current user identity to login (use az login to set current user for Azure)",
)
parser.add_argument(
"--searchsecretname",
required=False,
help="Required if searchkey is not provided and search service is free sku. Fetch the Azure AI Vision key from this keyvault instead of the instead of the current user identity to login (use az login to set current user for Azure)",
)
parser.add_argument(
"--searchanalyzername",
required=False,
@@ -373,11 +356,6 @@ async def main(strategy: Strategy, setup_index: bool = True):
required=False,
help="Optional, required if --searchimages is specified. Endpoint of Azure AI Vision service to use when embedding images.",
)
parser.add_argument(
"--keyvaultname",
required=False,
help="Required only if any keys must be fetched from the key vault.",
)
parser.add_argument(
"--useintvectorization",
required=False,
@@ -417,8 +395,6 @@ async def main(strategy: Strategy, setup_index: bool = True):
index_name=args.index,
azure_credential=azd_credential,
search_key=clean_key_if_exists(args.searchkey),
key_vault_name=args.keyvaultname,
search_secret_name=args.searchsecretname,
)
)
blob_manager = setup_blob_manager(
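Review bot: `setup_search_info` still chooses the credential with `search_key is None`, so an empty-string key would be wrapped in `AzureKeyCredential` instead of falling back to `azure_credential`. `main` passes the value through `clean_key_if_exists`, whose body is not shown here, but the function itself does not enforce that, and after this change it is the only place where the key-versus-token decision is made. Consider `azure_credential if not search_key else AzureKeyCredential(search_key)`, plus a one-line docstring saying that the key is optional and token authentication is the default. The function body continues past the end of the hunk.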
1 change: 0 additions & 1 deletion app/backend/requirements.in
@@ -17,7 +17,6 @@ opentelemetry-instrumentation-requests
opentelemetry-instrumentation-aiohttp-client
opentelemetry-instrumentation-openai
msal
azure-keyvault-secrets
cryptography
python-jose[cryptography]
types-python-jose
5 changes: 0 additions & 5 deletions app/backend/requirements.txt
@@ -31,7 +31,6 @@ azure-core==1.30.1
# azure-ai-documentintelligence
# azure-core-tracing-opentelemetry
# azure-identity
# azure-keyvault-secrets
# azure-monitor-opentelemetry
# azure-monitor-opentelemetry-exporter
# azure-search-documents
@@ -45,8 +44,6 @@ azure-identity==1.15.0
# via
# -r requirements.in
# msgraph-sdk
azure-keyvault-secrets==4.8.0
# via -r requirements.in
azure-monitor-opentelemetry==1.3.0
# via -r requirements.in
azure-monitor-opentelemetry-exporter==1.0.0b23
@@ -136,7 +133,6 @@ importlib-metadata==6.11.0
isodate==0.6.1
# via
# azure-ai-documentintelligence
# azure-keyvault-secrets
# azure-search-documents
# azure-storage-blob
# azure-storage-file-datalake
@@ -410,7 +406,6 @@ typing-extensions==4.10.0
# via
# azure-ai-documentintelligence
# azure-core
# azure-keyvault-secrets
# azure-storage-blob
# azure-storage-file-datalake
# openai
19 changes: 8 additions & 11 deletions docs/deploy_lowcost.md
@@ -2,7 +2,7 @@

This AI RAG chat application is designed to be easily deployed using the Azure Developer CLI, which provisions the infrastructure according to the Bicep files in the `infra` folder. Those files describe each of the Azure resources needed, and configures their SKU (pricing tier) and other parameters. Many Azure services offer a free tier, but the infrastructure files in this project do *not* default to the free tier as there are often limitations in that tier.

However, if your goal is to minimize costs while prototyping your application, follow the steps below _before_ running `azd up`. Once you've gone through these steps, return to the [deployment steps](../README.md#deploying).
However, if your goal is to minimize costs while prototyping your application, follow the steps below *before* running `azd up`. Once you've gone through these steps, return to the [deployment steps](../README.md#deploying).

[📺 Live stream: Deploying from a free account](https://www.youtube.com/watch?v=nlIyos0RXHw)

@@ -21,15 +21,15 @@ However, if your goal is to minimize costs while prototyping your application, f
Enter a name that will be used for the resource group.
This will create a new folder in the `.azure` folder, and set it as the active environment for any calls to `azd` going forward.

2. Use the free tier of App Service:
1. Use the free tier of App Service:

```shell
azd env set AZURE_APP_SERVICE_SKU F1
```

Limitation: You are only allowed a certain number of free App Service instances per region. If you have exceeded your limit in a region, you will get an error during the provisioning stage. If that happens, you can run `azd down`, then `azd env new` to create a new environment with a new region.

3. Use the free tier of Azure AI Search:
1. Use the free tier of Azure AI Search:

```shell
azd env set AZURE_SEARCH_SERVICE_SKU free
@@ -41,11 +41,8 @@ However, if your goal is to minimize costs while prototyping your application, f
reuse your [existing search service](../README.md#existing-azure-ai-search-resource).
2. The free tier does not support semantic ranker, so the app UI will no longer display
the option to use the semantic ranker. Note that will generally result in [decreased search relevance](https://techcommunity.microsoft.com/t5/ai-azure-ai-services-blog/azure-ai-search-outperforming-vector-search-with-hybrid/ba-p/3929167).
3. The free tier does not support Managed Identity (keyless API access),
so the Bicep will use Azure Key Vault to securely store the key instead.

4. Use the free tier of Azure Document Intelligence (used in analyzing files):

1. Use the free tier of Azure Document Intelligence (used in analyzing files):

```shell
azd env set AZURE_DOCUMENTINTELLIGENCE_SKU F0
@@ -74,7 +71,7 @@ However, if your goal is to minimize costs while prototyping your application, f
azd env set USE_LOCAL_HTML_PARSER true
```
5. Turn off Azure Monitor (Application Insights):
1. Turn off Azure Monitor (Application Insights):
```shell
azd env set AZURE_USE_APPLICATION_INSIGHTS false
@@ -83,7 +80,7 @@ However, if your goal is to minimize costs while prototyping your application, f
Application Insights is quite inexpensive already, so turning this off may not be worth the costs saved,
but it is an option for those who want to minimize costs.
6. Use OpenAI.com instead of Azure OpenAI: This is only a necessary step for Azure free/student accounts, as they do not currently have access to Azure OpenAI.
1. Use OpenAI.com instead of Azure OpenAI: This is only a necessary step for Azure free/student accounts, as they do not currently have access to Azure OpenAI.
```shell
azd env set OPENAI_HOST openai
@@ -94,7 +91,7 @@ However, if your goal is to minimize costs while prototyping your application, f
Both Azure OpenAI and openai.com OpenAI accounts will incur costs, based on tokens used,
but the costs are fairly low for the amount of sample data (less than $10).
6. Disable vector search:
1. Disable vector search:
```shell
azd env set USE_VECTORS false
@@ -106,7 +103,7 @@ However, if your goal is to minimize costs while prototyping your application, f
so the benefits of vector search would typically outweigh the costs, but it is possible to disable vector support.
If you do so, the application will fall back to a keyword search, which is less accurate.
7. Once you've made the desired customizations, follow the steps in the README [to run `azd up`](../README.md#deploying-from-scratch). We recommend using "eastus" as the region, for availability reasons.
1. Once you've made the desired customizations, follow the steps in the README [to run `azd up`](../README.md#deploying-from-scratch). We recommend using "eastus" as the region, for availability reasons.

## Reducing costs locally

22 changes: 0 additions & 22 deletions infra/core/security/keyvault-access.bicep

This file was deleted.

31 changes: 0 additions & 31 deletions infra/core/security/keyvault-secret.bicep

This file was deleted.

28 changes: 0 additions & 28 deletions infra/core/security/keyvault.bicep

This file was deleted.
