Cognitive Services CLI command reference<\/a> lists the parameter options for each cognitive services CLI command.<\/p>\n\n\n\nSecure key access with Azure Key Vault<\/strong><\/p>\n\n\n\nYou can develop applications that consume cognitive services by using a key for authentication. However, this means that the application code must be able to obtain the key. One option is to store the key in an environment variable or a configuration file where the application is deployed, but this approach leaves the key vulnerable to unauthorized access. A better approach when developing applications on Azure is to store the key securely in Azure Key Vault, and provide access to the key through a managed identity<\/em> (in other words, a user account used by the application itself).<\/p>\n\n\n\nCreate a key vault and add a secret<\/strong><\/p>\n\n\n\nFirst, you need to create a key vault and add a secret<\/em> for the cognitive services key.<\/p>\n\n\n\nMake a note of the key1<\/strong> value for your cognitive services resource (or copy it to the clipboard).<\/li>In the Azure portal, on the Home<\/strong> page, select the \uff0bCreate a resource<\/strong> button, search for Key Vault<\/em>, and create a Key Vault<\/strong> resource with the following settings:<\/li><\/ul>\n\n\n\nSubscription<\/strong>: Your Azure subscription<\/em><\/li>Resource group<\/strong>: The same resource group as your cognitive service resource<\/em><\/li>Key vault name<\/strong>: Enter a unique name<\/em><\/li>Region<\/strong>: The same region as your cognitive service resource<\/em><\/li>Pricing tier<\/strong>: Standard<\/li><\/ul>\n\n\n\nWait for deployment to complete and then go to your key vault resource.<\/li> In the left navigation pane, select Secrets<\/strong> (in the Settings section).<\/li>Select + Generate\/Import<\/strong> and add a new secret with the following settings :Upload options<\/strong>: Manual<\/li>Name<\/strong>: Cognitive-Services-Key (it’s important to match this exactly, because later you’ll run code that retrieves the secret based on this name)<\/em><\/li>Value<\/strong>: Your key1<\/strong> cognitive services key<\/em><\/li><\/ul><\/li><\/ul>\n\n\n\nCreate a service principal<\/strong><\/p>\n\n\n\nTo access the secret in the key vault, your application must use a service principal that has access to the secret. You’ll use the Azure command line interface (CLI) to create the service principal and grant access to the secret in Azure Vault.<\/p>\n\n\n\n
Return to Visual Studio Code, and in the integrated terminal for the 02-cognitive-security<\/strong> folder, run the following Azure CLI command, replacing <spName><\/em> with a suitable name for an application identity (for example, ai-app<\/em>). Also replace <subscriptionId><\/em> and <resourceGroup><\/em> with the correct values for your subscription ID and the resource group containing your cognitive services and key vault resources:<\/li><\/ul>\n\n\n\nTip<\/strong>: If you are unsure of your subscription ID, use the az account show<\/strong> command to retrieve your subscription information – the subscription ID is the id<\/strong> attribute in the output.<\/p>\n\n\n\naz ad sp create-for-rbac -n \"api:\/\/<spName>\" --role owner --scopes subscriptions\/<subscriptionId>\/resourceGroups\/<resourceGroup><\/code><\/pre>\n\n\n\nThe output of this command includes information about your new service principal. It should look similar to this:<\/p>\n\n\n\n
“`<\/p>\n\n\n\n
{<\/p>\n\n\n\n
“appId”: “abcd12345efghi67890jklmn”,<\/p>\n\n\n\n
“displayName”: “ai-app”,<\/p>\n\n\n\n
“name”: “http:\/\/ai-app”,<\/p>\n\n\n\n
“password”: “1a2b3c4d5e6f7g8h9i0j”,<\/p>\n\n\n\n
“tenant”: “1234abcd5678fghi90jklm”<\/p>\n\n\n\n
}<\/p>\n\n\n\nMake a note of the appId<\/strong>, password<\/strong>, and tenant<\/strong> values – you will need them later (if you close this terminal, you won’t be able to retrieve the password; so it’s important to note the values now – you can paste the output into a new text file in Visual Studio Code to ensure you can find the values you need later!)<\/p>\n\n\n\nTo assign permission for your new service principal to access secrets in your Key Vault, run the following Azure CLI command, replacing <keyVaultName><\/em> with the name of your Azure Key Vault resource and <spName><\/em> with the same value you provided when creating the service principal.<\/li><\/ul>\n\n\n\naz keyvault set-policy -n kv-exceed20112021 --spn \"api:\/\/ai-app\" --secret-permissions get list<\/code><\/pre>\n\n\n\nUse the service principal in an application<\/strong><\/p>\n\n\n\nNow you’re ready to use the service principal identity in an application, so it can access the secret congitive services key in your key vault and use it to connect to your cognitive services resource.<\/p>\n\n\n\n
Note<\/strong>: In this exercise, we’ll store the service principal credentials in the application configuration and use them to authenticate a ClientSecretCredential<\/strong> identity in your application code. This is fine for development and testing, but in a real production application, an administrator would assign a managed identity<\/em> to the application so that it uses the service principal identity to access resources, without caching or storing the password.<\/p>\n\n\n\nIn Visual Studio Code, expand the 02-cognitive-security<\/strong> folder and the C-Sharp<\/strong> or Python<\/strong> folder depending on your language preference.<\/li>Right-click the keyvault-client<\/strong> folder and open an integrated terminal. Then install the packages you will need to use Azure Key Vault and the Text Analytics API in your cognitive services resource by running the appropriate command for your language preference:<\/li><\/ul>\n\n\n\nC#<\/strong><\/p>\n\n\n\ndotnet add package Azure.AI.TextAnalytics –version 5.0.0<\/p>\n\n\n\n
dotnet add package Azure.Identity –version 1.3.0<\/p>\n\n\n\n
dotnet add package Azure.Security.KeyVault.Secrets –version 4.2.0-beta.3<\/p>\n\n\n\n
Python<\/strong><\/p>\n\n\n\npip install azure-ai-textanalytics==5.0.0<\/p>\n\n\n\n
pip install azure-identity==1.5.0<\/p>\n\n\n\n
pip install azure-keyvault-secrets==4.2.0View the contents of the keyvault-client<\/strong> folder, and note that it contains a file for configuration settings:C#<\/strong>: appsettings.json<\/li>Python<\/strong>: .env<\/li><\/ul><\/li><\/ul>\n\n\n\nOpen the configuration file and update the configuration values it contains to reflect the following settings:<\/p>\n\n\n\n
The endpoint<\/strong> for your Cognitive Services resource<\/li>The name of your Azure Key Vault<\/strong> resource<\/li>The tenant<\/strong> for your service principal<\/li>The appId<\/strong> for your service principal<\/li>The password<\/strong> for your service principal<\/li><\/ul>\n\n\n\nSave your changes.<\/p>\n\n\n\nNote that the keyvault-client<\/strong> folder contains a code file for the client application:C#<\/strong>: Program.cs<\/li>Python<\/strong>: keyvault-client.py<\/li><\/ul><\/li><\/ul>\n\n\n\nOpen the code file and review the code it contains, noting the following details:<\/p>\n\n\n\n
The namespace for the SDK you installed is imported<\/li> Code in the Main<\/strong> function retrieves the application configuration settings, and then it uses the service principal credentials to get the cognitive services key from the key vault.<\/li>The GetLanguage<\/strong> function uses the SDK to create a client for the service, and then uses the client to detect the language of the text that was entered.<\/li>Return to the integrated terminal for the keyvault-client<\/strong> folder, and enter the following command to run the program:<\/li><\/ul>\n\n\n\nC#<\/strong><\/p>\n\n\n\ndotnet run<\/code><\/pre>\n\n\n\n
![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img1-4.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img2-4.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img3-3-1024x440.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img4-3-1024x463.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img5-3-1024x469.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img6-3-1024x305.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img7-3.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img8-3-1024x537.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/img9-3-1024x202.png\")
<\/figure>\n\n\n\n