ClientAuthenticationError: (PermissionDenied) Principal does not have access to API/Operation.

[Krish054]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

1. My organization already has a resource group with the necessary resources in them, i.e. app service, ai search, document intelligence etc.
2. I'm owner of the resource group but I do not have the permission to create a new resource group - hence I cannot use azd up. My plan is to create env variables locally, then index the documents and finally az webapp deploy the code to my existing app service.
3. So, locally, first I ran azd auth login and then azd env set for all the variables listed here and in main.parameters.json
4. Next I ran .\scripts\prepdocs.ps1 which runs prepdocs.py to create an index in azure ai search. But I get this error - Principal does not have access to API/Operation.
5. What am I missing here? I presume it has to do something with role assignments as I did not run azd up?

@pamelafox any inputs from you will be highly appreciated!

Any log messages given by the failure

Loading azd .env file from current environment
Creating python virtual environment ".venv"
Installing dependencies from "requirements.txt" into virtual environment

Running "prepdocs.py"
./app/backend/prepdocs.py "\data*" --verbose --subscriptionid subscriptionid --storageaccount storageaccount --container container --storageresourcegroup storageresourcegroup --searchservice searchservice --index index --openaihost "" --openaimodelname "" --openaiservice openaiservice --openaideployment openaideployment --openaicustomurl "" --openaiorg "" --documentintelligenceservice documentintelligenceservice

\app\backend\prepdocs.py:221: SyntaxWarning: invalid escape sequence '*'
epilog="Example: prepdocs.py '.\data*' --storageaccount myaccount --container mycontainer --searchservice mysearch --index myindex -v",
Using local files: \data*
Ensuring search index index exists
Search index index already exists
Ingesting 'Test.pdf'
Extracting text from '\data\Test.pdf' using Azure Document Intelligence
Traceback (most recent call last):
File "\app\backend\prepdocs.py", line 479, in
loop.run_until_complete(main(ingestion_strategy, setup_index=not args.remove and not args.removeall))
File "C:\Python312\Lib\asyncio\base_events.py", line 687, in run_until_complete
return future.result()
^^^^^^^^^^^^^^^
File "\app\backend\prepdocs.py", line 215, in main
await strategy.run()
File "\app\backend\prepdocslib\filestrategy.py", line 84, in run
sections = await parse_file(file, self.file_processors, self.category, self.image_embeddings)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "\app\backend\prepdocslib\filestrategy.py", line 26, in parse_file
pages = [page async for page in processor.parser.parse(content=file.content)]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "\app\backend\prepdocslib\pdfparser.py", line 54, in parse
poller = await document_intelligence_client.begin_analyze_document(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv\Lib\site-packages\azure\core\tracing\decorator_async.py", line 94, in wrapper_use_tracer
return await func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv\Lib\site-packages\azure\ai\documentintelligence\aio_operations_operations.py", line 3241, in begin_analyze_document
raw_result = await self._analyze_document_initial( # type: ignore
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File ".venv\Lib\site-packages\azure\ai\documentintelligence\aio_operations_operations.py", line 130, in _analyze_document_initial
map_error(status_code=response.status_code, response=response, error_map=error_map)
File ".venv\Lib\site-packages\azure\core\exceptions.py", line 161, in map_error
raise error
azure.core.exceptions.ClientAuthenticationError: (PermissionDenied) Principal does not have access to API/Operation.
Code: PermissionDenied
Message: Principal does not have access to API/Operation.

Expected/desired behavior

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

azd version?

run azd version and copy paste here.

Versions

azd version 1.9.6

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

[pamelafox]

If you haven't run azd up, then you need to also set all the roles that are set in infra/main.bicep. You should be able to set them with this script:
https://github.com/Azure-Samples/azure-search-openai-demo/blob/main/scripts/roles.ps1

[cforce]

I have the issue when running this on azure web app and asking a question. The mentioned spi roles shall not be needed for the server app to execute , are they? Send like the auth context has not proper rights to access cognitive api