Add project managed identity Search role + fix Ep1 model example (#5, #38, #75) #82
Open
farzad528 wants to merge 1 commit into
Two community-reported fixes for the Foundry IQ cookbooks:

- infra: grant the Foundry project's system-assigned managed identity the Search Index Data Reader role on the search service. This is the keyless RBAC the agent needs to call the Knowledge Base MCP endpoint; without it the agent + MCP flow fails with masked 401/405 errors during tool invocation. Verified against the canonical agentic-retrieval pipeline docs (project managed identity requires exactly Search Index Data Reader). Regenerated azuredeploy.json from main.bicep. Addresses #5.
- Episode 1: correct the FOUNDRY_MODEL_DEPLOYMENT_NAME example from gpt-4o to gpt-4o-mini for consistency with the rest of the notebook, README, and the default deployment. Also tightened the agent/MCP troubleshooting callout to match the canonical RBAC (project identity needs only Search Index Data Reader) and note the Bicep now assigns it automatically.

Co-authored-by: Akira Sato <satodayo@users.noreply.github.com>
Co-authored-by: Alex Mane <alexmanie@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Two community-reported fixes for the Foundry IQ cookbooks, both incorporated from contributor PRs that could not merge cleanly after the repo was restructured under Foundry-IQ/.

1. Grant the Foundry project managed identity a Search role - addresses #5

The deployment previously assigned Azure AI Search roles only to the human user, never to the Foundry project's managed identity. As a result the agent + Knowledge Base MCP flow failed with the masked 401/405 errors from #5 unless you assigned the role by hand.

- infra/main.bicep now grants the project's system-assigned managed identity Search Index Data Reader on the search service (scoped, least-privilege). Verified against the canonical agentic retrieval pipeline docs - the project managed identity needs exactly this role.
- infra/azuredeploy.json regenerated from Bicep via az bicep build.
- Incorporates @alexmanie's PR #75.

2. Fix the Episode 1 model deployment example

Episode 1 still showed FOUNDRY_MODEL_DEPLOYMENT_NAME=gpt-4o in one place, inconsistent with gpt-4o-mini used everywhere else in the notebook, the README, and the default deployment. Corrected to gpt-4o-mini.

- Incorporates @satodayo's PR #38.

Also

Search Index Data Reader) and notes the Bicep now assigns it automatically.

Validation

- az bicep build succeeds (only pre-existing warnings); the new role assignment is present in azuredeploy.json, scoped to the search service with correct dependsOn.
- gpt-4o references remain.

Closes #5
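The validation step in the description above (role assignment present in the generated template, scoped to the search service, nothing broader) can be automated. The following is an added example, not code from this pull request or its repository: the sample template, its parameter names, and the rule that every ServicePrincipal assignment on the search service belongs to the project identity are assumptions.

```python
import re

# Azure built-in role definition ID for "Search Index Data Reader".
READER = "1407120a-92aa-4202-b7e9-c0e197c71c8f"
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def audit_project_identity(template):
    """Return findings for service-principal roles on the search service; [] means OK."""
    resources = template.get("resources", [])
    if isinstance(resources, dict):  # symbolic-name templates store resources as a map
        resources = list(resources.values())
    findings, has_reader = [], False
    for res in resources:
        props = res.get("properties", {})
        if (res.get("type") != "Microsoft.Authorization/roleAssignments"
                or props.get("principalType") != "ServicePrincipal"
                or "Microsoft.Search/searchServices" not in res.get("scope", "")):
            continue  # only service principals scoped to the search service
        # The role GUID is the last one in the ID (a subscription GUID may precede it).
        ids = GUID.findall(props.get("roleDefinitionId", ""))
        role = ids[-1].lower() if ids else "unresolved"
        if role == READER:
            has_reader = True
            if not res.get("dependsOn"):  # assumption: non-empty means ordered
                findings.append("reader assignment has no dependsOn")
        else:
            findings.append(f"unexpected role on search service: {role}")
    if not has_reader:
        findings.append("missing Search Index Data Reader for a service principal")
    return findings

def sample(role_id):
    """Constructed template fragment; resource and parameter names are hypothetical."""
    return {"resources": [{
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "scope": "[format('Microsoft.Search/searchServices/{0}', parameters('searchName'))]",
        "name": "[guid(parameters('searchName'), 'project-identity')]",
        "dependsOn": ["[resourceId('Microsoft.Search/searchServices', parameters('searchName'))]"],
        "properties": {
            "principalType": "ServicePrincipal",
            "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{role_id}')]",
        },
    }]}

if __name__ == "__main__":
    print(audit_project_identity(sample(READER)))
    print(audit_project_identity({"resources": []}))
```

To run it against the real output, pass the parsed contents of infra/azuredeploy.json (for example via `json.load`) to `audit_project_identity`.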