Unable to override search endpoint used for authentication (Azure Government) #2055

Open
nitroxeno opened this issue Oct 18, 2024 · 2 comments

@nitroxeno

Please provide us with the following information:

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Attempting to deploy to Azure Government. I manually updated all references to .com Azure endpoints to .us endpoints. Successfully published application and able to access the app-backend UI. However, when attempting to send a prompt, it responds with the error <class 'azure.core.exceptions.ClientAuthenticationError'>. After further reviewing the app insights, I can see the failure is on the DocumentsOperations.search_post when doing a GET /msi/token. The endpoint being referenced in the path is "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://search.azure.com". I can't seem to find how to override this behavior and change the resource to search.azure.us?

Any log messages given by the failure

```
Traceback (most recent call last):
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/opentelemetry/trace/__init__.py", line 583, in use_span
yield span
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/tracing/decorator_async.py", line 105, in wrapper_use_tracer
return await func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/search/documents/_generated/aio/operations/_documents_operations.py", line 408, in search_post
pipeline_response: PipelineResponse = await self._client._pipeline.run( # pylint: disable=protected-access
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 219, in run
return await first_node.send(pipeline_request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
response = await self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
response = await self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_base_async.py", line 68, in send
response = await self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Previous line repeated 2 more times]
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_redirect_async.py", line 73, in send
response = await self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_retry_async.py", line 180, in send
response = await self.next.send(request)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 98, in send
await await_result(self.on_request, request)
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
return await result
^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/policies/_authentication_async.py", line 70, in on_request
self._token = await await_result(self._credential.get_token, *self._scopes)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/core/pipeline/_tools_async.py", line 56, in await_result
return await result
^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/decorators.py", line 21, in wrapper
token = await fn(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_credentials/managed_identity.py", line 141, in get_token
return await self._credential.get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 49, in get_token
return await super().get_token(*scopes, claims=claims, tenant_id=tenant_id, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/get_token_mixin.py", line 93, in get_token
token = await self._request_token(
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_base.py", line 57, in _request_token
return await cast(AsyncManagedIdentityClient, self._client).request_token(*scopes, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/aio/_internal/managed_identity_client.py", line 35, in request_token
token = self._process_response(response, request_time)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/8dcef00aee2dbf9/antenv/lib/python3.11/site-packages/azure/identity/_internal/managed_identity_client.py", line 63, in _process_response
raise ClientAuthenticationError(
azure.core.exceptions.ClientAuthenticationError: (None) An unexpected error occured while fetching the AAD Token.
Code: None
Message: An unexpected error occured while fetching the AAD Token.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
169.254.129.10:8081
GET /msi/token
Error: 500
Path: http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://search.azure.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

Expected/desired behavior

Should be able to replace all Azure Commercial hard coded endpoints with Azure Government endpoints.

OS and Version?

Windows 11 23H2

azd version?

azd version 1.10.2 (commit 84ea22048b9a1c167bc4ae2095cc7f91798ef11e)

Versions

Mention any other details that might be useful

I can see the openai.chat GET /msi/token is calling path "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://cognitiveservices.azure.us" so manually updating that endpoint seems to be sticking, just not the search endpoint. I realize there are likely not a lot of users attempting to deploy to Gov, but just wanted to check to see if anyone had any other ideas or places to look? TIA!
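
The check the report performs by eye on the App Insights dependency paths, written as an added example that is not part of the original post or of the project's code: it extracts the `resource` audience from each managed identity token request and lists the ones outside the expected cloud. The function names and the `expected_suffix` parameter are assumptions of this example; the sample paths are the two quoted in the issue.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two token request paths quoted in the issue.
SAMPLE_PATHS = [
    "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://search.azure.com",
    "http://169.254.129.10:8081/msi/token?api-version=2019-08-01&resource=https://cognitiveservices.azure.us",
]


def token_resource(path):
    """Return the `resource` audience of a managed identity token request, or None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/msi/token"):
        return None  # some other dependency call
    values = parse_qs(parts.query).get("resource")
    return values[0] if values else None


def audit_token_requests(paths, expected_suffix=".azure.us"):
    """List token requests whose audience host is outside the expected cloud.

    expected_suffix is an assumption of this example: the DNS suffix every
    audience in the deployment should carry (".azure.us" for Azure Government).
    """
    findings = []
    for path in paths:
        resource = token_resource(path)
        if resource is None:
            continue
        host = urlsplit(resource).hostname or ""
        # Suffix match on the parsed host, so "x.azure.us.example.com" is still flagged.
        if not host.endswith(expected_suffix):
            findings.append({
                "resource": resource,
                "host": host,
                # Scope the SDK client passed to the credential's get_token().
                "scope": resource.rstrip("/") + "/.default",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_token_requests(SAMPLE_PATHS):
        print(f"wrong-cloud audience: {finding['resource']} (scope {finding['scope']})")
```

The `resource` value is the requested token scope with `/.default` removed, so each finding names the scope of a client that still targets the commercial cloud.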

@pamelafox
Collaborator

Did you look at the discussion here? #1475 That dev mentions setting the audience, did you try that?

@jrudley

jrudley commented Feb 13, 2025

Even after looking at 1475, we need a list of changes to get this working in Azure Gov. I can get the entire infrastructure deployed, but it bombs on the search side. I modified the code to use keys instead of the token, but I must still be missing something somewhere.
