Authenticate to Azure OpenAI Service with an Azure Managed Identityv3.8+
Configure a chat route using Azure OpenAI Service with the GPT-4o model, and authenticate using an Azure Managed Identity.
To connect to Azure AI, you’ll need three values from your Azure OpenAI resource:
-
Deployment ID — The unique name of your deployed model.
- In the Azure AI Foundry Portal sidebar, select a resource and go to: Shared Resources > Deployments > Model deployments and click the deployment name.
- You can also see the deployment ID in the Azure OpenAI URL when calling the API, for example:
https://{AZURE_INSTANCE_NAME}.openai.azure.com/openai/deployments/{AZURE_DEPLOYMENT_ID}/...
-
Instance name — The name of your Azure OpenAI resource.
- This is the prefix in your API endpoint URL, for example:
https://{AZURE_INSTANCE_NAME}.openai.azure.com
- This is the prefix in your API endpoint URL, for example:
-
API Key — The key used to authenticate requests to your Azure OpenAI deployment in Azure AI Foundry.
- In the Azure AI Foundry Portal sidebar, select a resource and go to: Shared Resources > Deployments > Model deployments, then click the deployment name.
- The API key is visible in the Endpoint tile.
Environment variables
-
AZURE_INSTANCE_NAME: The name of the Azure OpenAI instance. -
AZURE_DEPLOYMENT_ID: The ID of the Azure OpenAI deployment. -
AZURE_OPENAI_API_KEY: The API key to use to connect to Azure OpenAI.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-proxy-advanced
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: ${{ env "DECK_AZURE_INSTANCE_NAME" }}
azure_deployment_id: ${{ env "DECK_AZURE_DEPLOYMENT_ID" }}
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: ai-proxy-advanced
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
labels:
global: 'true'
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: '$AZURE_INSTANCE_NAME'
azure_deployment_id: '$AZURE_DEPLOYMENT_ID'
plugin: ai-proxy-advanced
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_proxy_advanced" "my_ai_proxy_advanced" {
enabled = true
config = {
targets = [
{
route_type = "llm/v1/chat"
auth = {
azure_use_managed_identity = true
}
model = {
provider = "azure"
name = "gpt-4o"
options = {
azure_api_version = "2023-01-01"
azure_instance = var.azure_instance_name
azure_deployment_id = var.azure_deployment_id
}
}
} ]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "azure_openai_api_key" {
type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-proxy-advanced
service: serviceName|Id
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: ${{ env "DECK_AZURE_INSTANCE_NAME" }}
azure_deployment_id: ${{ env "DECK_AZURE_DEPLOYMENT_ID" }}
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-proxy-advanced
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: '$AZURE_INSTANCE_NAME'
azure_deployment_id: '$AZURE_DEPLOYMENT_ID'
plugin: ai-proxy-advanced
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-proxy-advanced
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_proxy_advanced" "my_ai_proxy_advanced" {
enabled = true
config = {
targets = [
{
route_type = "llm/v1/chat"
auth = {
azure_use_managed_identity = true
}
model = {
provider = "azure"
name = "gpt-4o"
options = {
azure_api_version = "2023-01-01"
azure_instance = var.azure_instance_name
azure_deployment_id = var.azure_deployment_id
}
}
} ]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "azure_openai_api_key" {
type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-proxy-advanced
route: routeName|Id
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: ${{ env "DECK_AZURE_INSTANCE_NAME" }}
azure_deployment_id: ${{ env "DECK_AZURE_DEPLOYMENT_ID" }}
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-proxy-advanced
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: '$AZURE_INSTANCE_NAME'
azure_deployment_id: '$AZURE_DEPLOYMENT_ID'
plugin: ai-proxy-advanced
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=ai-proxy-advanced
kubectl annotate -n kong ingress konghq.com/plugins=ai-proxy-advanced
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_proxy_advanced" "my_ai_proxy_advanced" {
enabled = true
config = {
targets = [
{
route_type = "llm/v1/chat"
auth = {
azure_use_managed_identity = true
}
model = {
provider = "azure"
name = "gpt-4o"
options = {
azure_api_version = "2023-01-01"
azure_instance = var.azure_instance_name
azure_deployment_id = var.azure_deployment_id
}
}
} ]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "azure_openai_api_key" {
type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-proxy-advanced
consumer: consumerName|Id
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: ${{ env "DECK_AZURE_INSTANCE_NAME" }}
azure_deployment_id: ${{ env "DECK_AZURE_DEPLOYMENT_ID" }}
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-proxy-advanced
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: '$AZURE_INSTANCE_NAME'
azure_deployment_id: '$AZURE_DEPLOYMENT_ID'
plugin: ai-proxy-advanced
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong CONSUMER_NAME konghq.com/plugins=ai-proxy-advanced
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_proxy_advanced" "my_ai_proxy_advanced" {
enabled = true
config = {
targets = [
{
route_type = "llm/v1/chat"
auth = {
azure_use_managed_identity = true
}
model = {
provider = "azure"
name = "gpt-4o"
options = {
azure_api_version = "2023-01-01"
azure_instance = var.azure_instance_name
azure_deployment_id = var.azure_deployment_id
}
}
} ]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "azure_openai_api_key" {
type = string
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: ai-proxy-advanced
consumer_group: consumerGroupName|Id
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: ${{ env "DECK_AZURE_INSTANCE_NAME" }}
azure_deployment_id: ${{ env "DECK_AZURE_DEPLOYMENT_ID" }}
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
consumerGroupName|Id: Theidornameof the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "ai-proxy-advanced",
"config": {
"targets": [
{
"route_type": "llm/v1/chat",
"auth": {
"azure_use_managed_identity": true
},
"model": {
"provider": "azure",
"name": "gpt-4o",
"options": {
"azure_api_version": "2023-01-01",
"azure_instance": "'$AZURE_INSTANCE_NAME'",
"azure_deployment_id": "'$AZURE_DEPLOYMENT_ID'"
}
}
}
]
},
"tags": []
}
'
Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
consumerGroupId: Theidof the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: ai-proxy-advanced
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
targets:
- route_type: llm/v1/chat
auth:
azure_use_managed_identity: true
model:
provider: azure
name: gpt-4o
options:
azure_api_version: '2023-01-01'
azure_instance: '$AZURE_INSTANCE_NAME'
azure_deployment_id: '$AZURE_DEPLOYMENT_ID'
plugin: ai-proxy-advanced
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong CONSUMERGROUP_NAME konghq.com/plugins=ai-proxy-advanced
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_ai_proxy_advanced" "my_ai_proxy_advanced" {
enabled = true
config = {
targets = [
{
route_type = "llm/v1/chat"
auth = {
azure_use_managed_identity = true
}
model = {
provider = "azure"
name = "gpt-4o"
options = {
azure_api_version = "2023-01-01"
azure_instance = var.azure_instance_name
azure_deployment_id = var.azure_deployment_id
}
}
} ]
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer_group = {
id = konnect_gateway_consumer_group.my_consumer_group.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "azure_openai_api_key" {
type = string
}