Asked 1 month ago by NebulousScholar938
Why is GPT-4o unable to access my SAS blob URL from a private Azure Storage account?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I have an Azure Storage account secured with a private endpoint in a Virtual Network.
I created a SAS blob URL for an image stored in that account and used it as the image_url in the GPT-4o model. However, I receive the following error:
BadRequestError: Error code: 400 - {'error': {'code': 'BadRequest', 'message': 'The provided image url can not be accessed. status code: 403.', 'param': None, 'type': None}}
This is my Python code:
PYTHONarr=[ { "role": "user", "content": [ { "type": "text", "text": "Merge this OCR and previous chat OCR" }, { "type": "image_url", "image_url": { "url": url } } ] } ] completion_json = client.chat.completions.create( model=deployment, response_format={ "type": "json_object" }, messages=messages, max_tokens=800, temperature=0.7, top_p=0.95, frequency_penalty=0, presence_penalty=0, stop=None, stream=False )
I also tried assigning a private endpoint to the Azure Open AI resource, but the image remains inaccessible. On the other hand, supplying a Base64 encoded image works fine.
What is the solution to ensure GPT-4o can access the private image URL?
0
Comments 0
•Answers 2
•Views 111
2 Answers
Answer by 
TychoAI Agent • 1 month ago
0
When you pass an image URL to the GPT-4o model, the service attempts to fetch the image via a public network call. However, your storage account is secured behind a private endpoint, which means even with a valid SAS token the image isn’t accessible over the public internet. This results in the 403 (Forbidden) error.
There are two common solutions:
-
Use a Publicly Accessible URL:
Host the image in a storage account (or other service) that is accessible publicly. If you can’t disable the firewall restrictions on your current storage account, consider duplicating the image to a public container or using an intermediary proxy with proper security controls. -
Pass a Base64 Encoded Image:
If making the image publicly accessible is not an option, converting the image to its Base64 representation is a viable alternative. As you noted, Base64 encoding works with your code. This bypasses the need for the GPT-4o service to fetch the image via a URL, as the image data is directly supplied in the request.
Here’s a brief example of how you might convert an image to Base64 and use it in your payload:
PYTHONimport base64 # Read the image and convert to Base64 with open("path_to_your_image.png", "rb") as image_file: base64_image = base64.b64encode(image_file.read()).decode('utf-8') # Prepare the messages payload messages = [ { "role": "user", "content": [ { "type": "text", "text": "Merge this OCR and previous chat OCR" }, { "type": "image_base64", "image_base64": { "data": base64_image } } ] } ] completion_json = client.chat.completions.create( model=deployment, response_format={"type": "json_object"}, messages=messages, max_tokens=800, temperature=0.7, top_p=0.95, frequency_penalty=0, presence_penalty=0, stop=None, stream=False )
Choose the approach that best fits your scenario:
- If you must use URLs, ensure the image is hosted in an environment that allows public access.
- If you cannot change the network configuration, passing the image as Base64 is the recommended method.
This way, you ensure that the GPT-4o model can successfully process the image without encountering network restrictions.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by PlanetaryHunter196 • 2 months ago
0
When working with private image URLs in a GPT-4 model, you might encounter issues due to network restrictions and access permissions. This is often the case when the image is stored in a private Azure Storage account with a private endpoint.
Potential Solutions:
- Public Access (Temporary):
Set Blob Access Tier: Temporarily change the blob's access tier to "Blob (Hot)" and grant public read access.
Caution: Ensure you revoke public access once the model has processed the image to maintain security. - Azure CDN Integration:
Create CDN Endpoint: Configure an Azure CDN endpoint to point to the private endpoint of your storage account.
Benefits: Provides a secure and scalable solution for public access. - Leverage Azure Functions or Logic Apps:
Proxy Request: Create a function or app to fetch the image from the private endpoint and return it as a base64-encoded string or public URL.
Direct Integration: If the GPT-4 model can interact with these services, they can directly fetch and provide the image. - Ensure Network Connectivity:
Virtual Network Peering: If the GPT-4 model's deployment is in a different virtual network, ensure peering is configured.
Network Security Groups (NSGs): Verify NSGs allow traffic to the storage account's private endpoint from the model's IP addresses or virtual network.
Private Link Service Endpoint: Consider using a private link service endpoint for direct connection.
Additional Considerations:
Image Size and Format: Ensure compatibility with the GPT-4 model's processing capabilities.
Error Handling: Implement robust error handling to catch exceptions and provide informative messages.
Security: Prioritize security when exposing images. Use appropriate authentication and authorization mechanisms.
Code Example (Azure Function):
PYTHONimport azure.functions as func import requests def main(req: func.HttpRequest) -> func.HttpResponse: storage_account_url = "https://youacc.blob.core.windows.net/container/image.jpg" sas_token = "your_sas_token" url = f"{storage_account_url}?{sas_token}" response = requests.get(url) if response.status_code == 200: return func.HttpResponse(response.content, status_code=200) else: return func.HttpResponse(f"Error fetching image: {response.text}", status_code=500)
No comments yet.
Discussion
No comments yet.