Merge pull request #311397 from v-thpra/tjp-lf-servconnect-005

Q&M: Light Freshness - Service Connector - TJP005

Author: prmerger-automator[bot]

articles/service-connector/tutorial-python-aks-openai-workload-identity.md

@@ -1,7 +1,7 @@
 ---
 title: "Tutorial: Connect AKS to Azure OpenAI with Service Connector and Workload Identity"
 titleSuffix: Service Connector
-description: "Complete step-by-step guide: Connect Azure Kubernetes Service (AKS) to Azure OpenAI using Service Connector with workload identity authentication"
+description: "Complete step-by-step guide: Connect Azure Kubernetes Service (AKS) to Azure OpenAI using Service Connector with workload identity authentication."
 #customer intent: As a developer, I want to connect my AKS resource to Azure OpenAI.
 author: maud-lv
 ms.author: malev
@@ -11,23 +11,23 @@ keywords: "azure openai aks, kubernetes openai, service connector, workload iden
 ms.update-cycle: 180-days
 ms.collection: ce-skilling-ai-copilot
 ms.topic: tutorial
-ms.date: 09/30/2025
+ms.date: 02/04/2026
 ---
 
 # Tutorial: Connect AKS to Azure OpenAI
 
-This tutorial shows you how to connect your Azure Kubernetes Service (AKS) applications to Azure OpenAI using Service Connector with workload identity authentication. You'll establish credential-free connections by deploying a sample Python application that communicates with the Azure OpenAI.
+This tutorial shows you how to connect your Azure Kubernetes Service (AKS) applications to Azure OpenAI using Service Connector with workload identity authentication. You then establish and test your credential-free connections by deploying a sample Python application that communicates with the Azure OpenAI.
 
-You'll complete the following tasks:
+In this tutorial, you:
 
 > [!div class="checklist"]
 >
-> * Create an AKS cluster and Azure OpenAI resource with GPT-4 model
-> * Configure Service Connector to establish the connection with workload identity
-> * Clone a sample application
-> * Build and push container images to Azure Container Registry
-> * Deploy the application to AKS and verify the connection
-> * Clean up resources
+> * Create an AKS cluster and Azure OpenAI resource with GPT-4 model.
+> * Configure Service Connector to establish the connection with workload identity.
+> * Clone a sample application.
+> * Build and push container images to Azure Container Registry.
+> * Deploy the application to AKS and verify the connection.
+> * Clean up resources.
 
 ## Prerequisites
 
@@ -60,15 +60,15 @@ You start this tutorial by creating several Azure resources.
         --generate-ssh-keys
     ```
 
-1. Connect to the cluster using the [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials) command.
+1. Connect to the cluster using the [`az aks get-credentials`](/cli/azure/aks#az-aks-get-credentials) command.
 
     ```azurecli
     az aks get-credentials \
         --resource-group MyResourceGroup \
         --name MyAKSCluster
     ```
 
-1. Create an Azure OpenAI resource using the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. Optionally refer to [this tutorial](/azure/ai-services/openai/how-to/create-resource) for more instructions. Azure OpenAI is the target service that the AKS cluster will connect to.
+1. Create an Azure OpenAI resource using the [`az cognitiveservices account create`](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. Optionally refer to [this tutorial](/azure/ai-services/openai/how-to/create-resource) for more instructions. Azure OpenAI is the target service that the AKS cluster connects to.
 
     ```azurecli
     az cognitiveservices account create \
@@ -81,7 +81,7 @@ You start this tutorial by creating several Azure resources.
         --subscription <SubscriptionID>
     ```
 
-1. Deploy a model with the [az cognitiveservices deployment create](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-create) command. The model is used in the sample application to test the connection.
+1. Deploy a model with the [`az cognitiveservices deployment create`](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-create) command. The model is used in the sample application to test the connection.
 
     ```azurecli-interactive
     az cognitiveservices account deployment create \
@@ -95,7 +95,7 @@ You start this tutorial by creating several Azure resources.
         --capacity 1
     ```
 
-1. Create an Azure Container Registry (ACR) to store the containerized sample application. Use the [az acr create](/cli/azure/acr#az-acr-create) command, or refer to [this tutorial](/azure/container-registry/container-registry-get-started-portal).
+1. To store the containerized sample application, create an Azure Container Registry (ACR). Use the [`az acr create`](/cli/azure/acr#az-acr-create) command, or refer to [this tutorial](/azure/container-registry/container-registry-get-started-portal).
 
     ```azurecli-interactive
     az acr create \
@@ -104,7 +104,7 @@ You start this tutorial by creating several Azure resources.
         --sku Standard
     ```
 
-1. Enable anonymous pull using [az acr update](/cli/azure/acr#az-acr-update) command so that the AKS cluster can consume the images in the registry.
+1. Enable anonymous pull using the [`az acr update`](/cli/azure/acr#az-acr-update) command so that the AKS cluster can consume the images in the registry.
 
     ```azurecli-interactive
     az acr update \
@@ -113,7 +113,7 @@ You start this tutorial by creating several Azure resources.
         --anonymous-pull-enabled
     ```
 
-1. Create a user-assigned managed identity with the [az identity create](/cli/azure/identity#az-identity-create) command, or by referring to [this tutorial](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). When the connection is created, the user-assigned managed identity is used to enable the [workload identity](/entra/workload-id/workload-identities-overview) for AKS workloads.
+1. Create a user-assigned managed identity with the [`az identity create`](/cli/azure/identity#az-identity-create) command, or by referring to [this tutorial](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). When the connection is created, the user-assigned managed identity is used to enable the [workload identity](/entra/workload-id/workload-identities-overview) for AKS workloads.
 
     ```azurecli
     az identity create \
@@ -131,35 +131,35 @@ Refer to the [AKS service connection quickstart](quickstart-portal-aks-connectio
 
 1. Basics tab:
 
-    | Setting             | Example value     | Description                                                                               |
-    |---------------------|-------------------| ------------------------------------------------------------------------------------------|
-    | **Kubernetes namespace** | *default*    | The Kubernetes namespace.                                                                 |
-    | **Service type**    | *OpenAI Service*  | The target service type.                                                                  |
-    | **Connection name** | *openai_conn*     | Use the connection name provided by Service Connector or choose your own connection name. |
-    | **Subscription**    | *My Subscription* | The Azure subscription containing your Azure OpenAI resource.                             |
-    | **OpenAI**          | *MyOpenAI*        | The target Azure OpenAI resource you want to connect to.                                  |
-    | **Client type**     | *Python*          | The programming language or framework for the connection configuration.                   |
+   | Setting             | Example value     | Description                                                                               |
+   |---------------------|-------------------| ------------------------------------------------------------------------------------------|
+   | **Kubernetes namespace** | *default*    | The Kubernetes namespace.                                                                 |
+   | **Service type**    | *OpenAI Service*  | The target service type.                                                                  |
+   | **Connection name** | *openai_conn*     | Use the connection name provided by Service Connector or choose your own connection name. |
+   | **Subscription**    | *My Subscription* | The Azure subscription containing your Azure OpenAI resource.                             |
+   | **OpenAI**          | *MyOpenAI*        | The target Azure OpenAI resource you want to connect to.                                  |
+   | **Client type**     | *Python*          | The programming language or framework for the connection configuration.                   |
     
 1. Authentication tab:
 
-| Authentication Setting         | Example value       | Description                                                             |
-|--------------------------------|---------------------|-------------------------------------------------------------------------|
-| **Authentication type**        | *Workload Identity* | The authentication method to connect the app to Azure OpenAI. Workload identity is recommended for enhanced security. Alternative methods include connection string and service principal, and require credential management considerations. |
-| **Subscription**               | *My Subscription*   | The subscription that contains the user-assigned managed identity.                         |
-| **User assigned managed identity** | *myidentity*    | The user-assigned managed identity that enables workload identity authentication for the AKS cluster. |
+   | Authentication Setting         | Example value       | Description                                                             |
+   |--------------------------------|---------------------|-------------------------------------------------------------------------|
+   | **Authentication type**        | *Workload Identity* | The authentication method to connect the app to Azure OpenAI. Workload identity is recommended for enhanced security. Alternative methods include connection string and service principal, and require credential management considerations. |
+   | **Subscription**               | *My Subscription*   | The subscription that contains the user-assigned managed identity.                         |
+   | **User assigned managed identity** | *MyIdentity*    | The user-assigned managed identity that enables workload identity authentication for the AKS cluster. |
 
 Once the connection is created, you can view its details in the **Service Connector** pane.
 
 ### [Azure CLI](#tab/azure-cli)
 
-Create a service connection from AKS to the Azure OpenAI resource by running the [az aks connection create cognitiveservices](/cli/azure/aks/connection/create#az-aks-connection-create-cognitiveservices) command in the Azure CLI. 
+Create a service connection from AKS to the Azure OpenAI resource by running the [`az aks connection create cognitiveservices`](/cli/azure/aks/connection/create#az-aks-connection-create-cognitiveservices) command in the Azure CLI. 
 
 ```azurecli
 az aks connection create cognitiveservices \
    --workload-identity <user-identity-resource-id>
 ```
 
-When using the above command, Service Connector prompts you to specify the AKS resource group, AKS cluster name, target service resource group, cognitive service account name, and user-assigned identity resource ID step by step.
+When you use the preceding command, Service Connector prompts you step by step to specify: the AKS resource group, AKS cluster name, target service resource group, cognitive service account name, and user-assigned identity resource ID.
 
 Alternatively, you can provide the complete command directly:
 
@@ -195,13 +195,13 @@ az aks connection create cognitiveservices \
 
 ## Build and push container images to Azure Container Registry
 
-1. Build and push the images to your container registry using the Azure CLI [az acr build](/cli/azure/acr#az_acr_build) command.
+1. Build and push the images to your container registry using the Azure CLI [`az acr build`](/cli/azure/acr#az_acr_build) command.
 
     ```azurecli-interactive
     az acr build --registry myregistry --image sc-demo-openai-identity:latest ./
     ```
 
-1. View the images in your container registry using the [az acr repository list](/cli/azure/acr/repository#az_acr_repository_list) command.
+1. View the images in your container registry using the [`az acr repository list`](/cli/azure/acr/repository#az_acr_repository_list) command.
 
     ```azurecli-interactive
     az acr repository list --name myregistry --output table
@@ -211,11 +211,11 @@ az aks connection create cognitiveservices \
 
 1. Replace the placeholders in the `pod.yaml` file in the `azure-openai-workload-identity` folder.
 
-   * Replace `<YourContainerImage>` with the name of the image you built earlier. For example `<myregistry>.azurecr.io/<sc-demo-openai-identity>:<latest>`.
+   * Replace `<YourContainerImage>` with the name of the image you built earlier. For example, `<myregistry>.azurecr.io/<sc-demo-openai-identity>:<latest>`.
    * Replace `<ServiceAccountCreatedByServiceConnector>` with the service account name. It can be found in the Azure portal, in the **Service Connector** pane.
    * Replace `<SecretCreatedByServiceConnector>` with the secret name. It can be found in the Azure portal, in the **Service Connector** pane.
 
-1. Deploy the pod to your cluster with the `kubectl apply` command, which creates a pod named `sc-demo-openai-identity` in the default namespace of your AKS cluster. Install `kubectl` locally using the [az aks install-cli](/cli/azure/aks#az_aks_install_cli) command if it isn't installed. 
+1. Deploy the pod to your cluster with the `kubectl apply` command, which creates a pod named `sc-demo-openai-identity` in the default namespace of your AKS cluster. Install `kubectl` locally using the [`az aks install-cli`](/cli/azure/aks#az_aks_install_cli) command if it isn't installed. 
 
    ```Bash
    kubectl apply -f pod.yaml