Context
Follow-up to #305 (network security hardening). Once the VPN Gateway is removed and AI Foundry is accessed via private endpoint from Container Apps, the existing API key authentication becomes unnecessary and should be replaced with managed identity.
This issue also covers updating documentation to reflect the post-VPN architecture.
Changes
1. Migrate AI Foundry authentication: API key → managed identity
Container Apps currently authenticate to AI Foundry using an API key (AiCategorization:ApiKey config value, passed via the api-key request header in AiCompletionClient). The private endpoint closes the network path, but the key is still a long-lived shared secret that has to be stored, rotated and kept out of logs. It should be replaced with managed identity (Azure RBAC), so the app obtains a short-lived Entra ID bearer token and no secret exists to leak.
What this involves:
- Assign the Cognitive Services OpenAI User role to the Container Apps managed identity on each AI Foundry resource
- Update AiCompletionClient to use DefaultAzureCredential / ManagedIdentityCredential and obtain a bearer token instead of passing the API key header
- Remove AiCategorization:ApiKey from app configuration and Key Vault secrets
- Remove the openAiApiKey secure output from infra/modules/openai.bicep
- Remove the corresponding Key Vault secret and any references in deployment workflows
Files to modify:
src/TechHub.Infrastructure/Services/AiCompletionClient.cs
src/TechHub.Core/Configuration/AiCategorizationOptions.cs — remove ApiKey property
infra/modules/openai.bicep — remove openAiApiKey output
infra/main.bicep — add role assignment for managed identity; remove API key secret wiring
infra/modules/identity.bicep — add Cognitive Services OpenAI User role assignment
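The client-side half of this migration as an added example. This is not the project's AiCompletionClient or any code from the TechHub repo; the namespace, the AddAiCompletionClient DI helper, the caller-supplied deployment name, the api-version value and the raw-JSON return type are all assumptions for illustration. What it shows is the part that matters for security: the api-key header is gone, the token is requested for the cognitiveservices.azure.com audience, and a 401/403 is surfaced as a role-assignment problem rather than swallowed.

```csharp
// Added example, not the project's AiCompletionClient. Assumed: the HttpClient's
// BaseAddress is the AI Foundry endpoint (reached over the private endpoint),
// deployment name and api-version are caller-supplied, and the raw JSON body is
// returned. Requires the Azure.Identity and Microsoft.Extensions.Http packages.
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.DependencyInjection;

namespace TechHub.Infrastructure.Services;

public sealed class AiCompletionClient
{
    // Data-plane audience for Azure OpenAI / AI Foundry. The scope is the same for
    // every AI Foundry resource; which resources accept the token is decided by the
    // Cognitive Services OpenAI User role assignment, not by the scope.
    private static readonly TokenRequestContext TokenContext =
        new(new[] { "https://cognitiveservices.azure.com/.default" });

    private readonly HttpClient _http;
    private readonly TokenCredential _credential;

    public AiCompletionClient(HttpClient http, TokenCredential credential)
    {
        _http = http;
        _credential = credential;
    }

    public async Task<string> CompleteAsync(string deployment, string prompt,
        string apiVersion = "2024-10-21", CancellationToken ct = default)
    {
        // ManagedIdentityCredential / DefaultAzureCredential cache tokens in memory
        // and refresh them before expiry, so this is cheap after the first call.
        AccessToken token = await _credential.GetTokenAsync(TokenContext, ct);

        using var request = new HttpRequestMessage(HttpMethod.Post,
            $"openai/deployments/{Uri.EscapeDataString(deployment)}/chat/completions?api-version={apiVersion}");
        // Bearer token replaces the former api-key header; no shared secret is sent.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        request.Content = JsonContent.Create(new
        {
            messages = new[] { new { role = "user", content = prompt } },
        });

        using var response = await _http.SendAsync(request, ct);
        if (response.StatusCode is HttpStatusCode.Unauthorized or HttpStatusCode.Forbidden)
        {
            // After the switch, 401/403 almost always means the role assignment is
            // missing on this particular resource, or has not propagated yet.
            throw new InvalidOperationException(
                $"AI Foundry rejected the managed identity token ({(int)response.StatusCode}); " +
                "check the Cognitive Services OpenAI User role assignment on this resource.");
        }
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync(ct);
    }
}

public static class AiCompletionClientRegistration
{
    // Assumed DI helper. DefaultAzureCredential also reads AZURE_CLIENT_ID from the
    // environment; passing the user-assigned identity's client ID explicitly avoids
    // picking the wrong identity when more than one is attached to the Container App.
    public static IServiceCollection AddAiCompletionClient(this IServiceCollection services,
        Uri endpoint, string? managedIdentityClientId = null)
    {
        services.AddSingleton<TokenCredential>(_ => new DefaultAzureCredential(
            new DefaultAzureCredentialOptions { ManagedIdentityClientId = managedIdentityClientId }));
        services.AddHttpClient<AiCompletionClient>(http => http.BaseAddress = endpoint);
        return services;
    }
}
```

Two caveats a practitioner will hit. First, DefaultAzureCredential falls back to developer credentials (Azure CLI, Visual Studio, and so on) when no managed identity is available, so local runs work only if the developer's own account also holds the Cognitive Services OpenAI User role on the resource; in production it is reasonable to register ManagedIdentityCredential directly and skip the fallback chain. Second, role assignments are not instant: expect 401/403 for a few minutes after the assignment is created, which is why the client reports those codes explicitly instead of letting EnsureSuccessStatusCode produce a generic error.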
2. Update network architecture documentation
docs/network-architecture.md needs to reflect the post-VPN topology:
- Remove the VPN Gateway section and P2S client access description
- Add NSP section describing admin IP allowlist access
- Add AMPLS section describing private monitoring path
- Add AI Foundry PE section
- Update topology diagram
Acceptance Criteria
- openAiApiKey output removed from openai.bicep
- AiCategorization:ApiKey config value no longer exists in any environment
- docs/network-architecture.md matches the actual post-VPN architecture
References