art5-2

Author: v-thpra

articles/service-connector/tutorial-python-aks-openai-workload-identity.md

@@ -11,14 +11,14 @@ keywords: "azure openai aks, kubernetes openai, service connector, workload iden
 ms.update-cycle: 180-days
 ms.collection: ce-skilling-ai-copilot
 ms.topic: tutorial
-ms.date: 09/30/2025
+ms.date: 02/04/2026
 ---
 
 # Tutorial: Connect AKS to Azure OpenAI
 
-This tutorial shows you how to connect your Azure Kubernetes Service (AKS) applications to Azure OpenAI using Service Connector with workload identity authentication. You'll establish credential-free connections by deploying a sample Python application that communicates with the Azure OpenAI.
+This tutorial shows you how to connect your Azure Kubernetes Service (AKS) applications to Azure OpenAI using Service Connector with workload identity authentication. You then establish and test your credential-free connections by deploying a sample Python application that communicates with the Azure OpenAI.
 
-You'll complete the following tasks:
+In this tutorial, you:
 
 > [!div class="checklist"]
 >
@@ -60,15 +60,15 @@ You start this tutorial by creating several Azure resources.
         --generate-ssh-keys
     ```
 
-1. Connect to the cluster using the [az aks get-credentials](/cli/azure/aks#az-aks-get-credentials) command.
+1. Connect to the cluster using the [`az aks get-credentials`](/cli/azure/aks#az-aks-get-credentials) command.
 
     ```azurecli
     az aks get-credentials \
         --resource-group MyResourceGroup \
         --name MyAKSCluster
     ```
 
-1. Create an Azure OpenAI resource using the [az cognitiveservices account create](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. Optionally refer to [this tutorial](/azure/ai-services/openai/how-to/create-resource) for more instructions. Azure OpenAI is the target service that the AKS cluster connects to.
+1. Create an Azure OpenAI resource using the [`az cognitiveservices account create`](/cli/azure/cognitiveservices/account#az-cognitiveservices-account-create) command. Optionally refer to [this tutorial](/azure/ai-services/openai/how-to/create-resource) for more instructions. Azure OpenAI is the target service that the AKS cluster connects to.
 
     ```azurecli
     az cognitiveservices account create \
@@ -81,7 +81,7 @@ You start this tutorial by creating several Azure resources.
         --subscription <SubscriptionID>
     ```
 
-1. Deploy a model with the [az cognitiveservices deployment create](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-create) command. The model is used in the sample application to test the connection.
+1. Deploy a model with the [`az cognitiveservices deployment create`](/cli/azure/cognitiveservices/account/deployment#az-cognitiveservices-account-deployment-create) command. The model is used in the sample application to test the connection.
 
     ```azurecli-interactive
     az cognitiveservices account deployment create \
@@ -95,7 +95,7 @@ You start this tutorial by creating several Azure resources.
         --capacity 1
     ```
 
-1. Create an Azure Container Registry (ACR) to store the containerized sample application. Use the [az acr create](/cli/azure/acr#az-acr-create) command, or refer to [this tutorial](/azure/container-registry/container-registry-get-started-portal).
+1. To store the containerized sample application, create an Azure Container Registry (ACR). Use the [`az acr create`](/cli/azure/acr#az-acr-create) command, or refer to [this tutorial](/azure/container-registry/container-registry-get-started-portal).
 
     ```azurecli-interactive
     az acr create \
@@ -104,7 +104,7 @@ You start this tutorial by creating several Azure resources.
         --sku Standard
     ```
 
-1. Enable anonymous pull using the [az acr update](/cli/azure/acr#az-acr-update) command so that the AKS cluster can consume the images in the registry.
+1. Enable anonymous pull using the [`az acr update`](/cli/azure/acr#az-acr-update) command so that the AKS cluster can consume the images in the registry.
 
     ```azurecli-interactive
     az acr update \
@@ -113,7 +113,7 @@ You start this tutorial by creating several Azure resources.
         --anonymous-pull-enabled
     ```
 
-1. Create a user-assigned managed identity with the [az identity create](/cli/azure/identity#az-identity-create) command, or by referring to [this tutorial](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). When the connection is created, the user-assigned managed identity is used to enable the [workload identity](/entra/workload-id/workload-identities-overview) for AKS workloads.
+1. Create a user-assigned managed identity with the [`az identity create`](/cli/azure/identity#az-identity-create) command, or by referring to [this tutorial](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities). When the connection is created, the user-assigned managed identity is used to enable the [workload identity](/entra/workload-id/workload-identities-overview) for AKS workloads.
 
     ```azurecli
     az identity create \
@@ -146,20 +146,20 @@ Refer to the [AKS service connection quickstart](quickstart-portal-aks-connectio
    |--------------------------------|---------------------|-------------------------------------------------------------------------|
    | **Authentication type**        | *Workload Identity* | The authentication method to connect the app to Azure OpenAI. Workload identity is recommended for enhanced security. Alternative methods include connection string and service principal, and require credential management considerations. |
    | **Subscription**               | *My Subscription*   | The subscription that contains the user-assigned managed identity.                         |
-   | **User assigned managed identity** | *myidentity*    | The user-assigned managed identity that enables workload identity authentication for the AKS cluster. |
+   | **User assigned managed identity** | *MyIdentity*    | The user-assigned managed identity that enables workload identity authentication for the AKS cluster. |
 
 Once the connection is created, you can view its details in the **Service Connector** pane.
 
 ### [Azure CLI](#tab/azure-cli)
 
-Create a service connection from AKS to the Azure OpenAI resource by running the [az aks connection create cognitiveservices](/cli/azure/aks/connection/create#az-aks-connection-create-cognitiveservices) command in the Azure CLI. 
+Create a service connection from AKS to the Azure OpenAI resource by running the [`az aks connection create cognitiveservices`](/cli/azure/aks/connection/create#az-aks-connection-create-cognitiveservices) command in the Azure CLI. 
 
 ```azurecli
 az aks connection create cognitiveservices \
    --workload-identity <user-identity-resource-id>
 ```
 
-When you use the preceding command, Service Connector prompts you step by step to specify the AKS resource group, AKS cluster name, target service resource group, cognitive service account name, and user-assigned identity resource ID.
+When you use the preceding command, Service Connector prompts you step by step to specify: the AKS resource group, AKS cluster name, target service resource group, cognitive service account name, and user-assigned identity resource ID.
 
 Alternatively, you can provide the complete command directly:
 
@@ -195,13 +195,13 @@ az aks connection create cognitiveservices \
 
 ## Build and push container images to Azure Container Registry
 
-1. Build and push the images to your container registry using the Azure CLI [az acr build](/cli/azure/acr#az_acr_build) command.
+1. Build and push the images to your container registry using the Azure CLI [`az acr build`](/cli/azure/acr#az_acr_build) command.
 
     ```azurecli-interactive
     az acr build --registry myregistry --image sc-demo-openai-identity:latest ./
     ```
 
-1. View the images in your container registry using the [az acr repository list](/cli/azure/acr/repository#az_acr_repository_list) command.
+1. View the images in your container registry using the [`az acr repository list`](/cli/azure/acr/repository#az_acr_repository_list) command.
 
     ```azurecli-interactive
     az acr repository list --name myregistry --output table
@@ -215,7 +215,7 @@ az aks connection create cognitiveservices \
    * Replace `<ServiceAccountCreatedByServiceConnector>` with the service account name. It can be found in the Azure portal, in the **Service Connector** pane.
    * Replace `<SecretCreatedByServiceConnector>` with the secret name. It can be found in the Azure portal, in the **Service Connector** pane.
 
-1. Deploy the pod to your cluster with the `kubectl apply` command, which creates a pod named `sc-demo-openai-identity` in the default namespace of your AKS cluster. Install `kubectl` locally using the [az aks install-cli](/cli/azure/aks#az_aks_install_cli) command if it isn't installed. 
+1. Deploy the pod to your cluster with the `kubectl apply` command, which creates a pod named `sc-demo-openai-identity` in the default namespace of your AKS cluster. Install `kubectl` locally using the [`az aks install-cli`](/cli/azure/aks#az_aks_install_cli) command if it isn't installed. 
 
    ```Bash
    kubectl apply -f pod.yaml