Accessing Keyvault with Azure Active Directory on Windows Azure Batch Pool Node

MattChandler-1653 1 Reputation point
2020-06-23T18:39:56.027+00:00

So I have a ton of python scripts I'm running on-prem. I want to move them all to Azure and started looking at the steps.

Steps I took:

  1. I created an Azure Batch account - Windows with the science variety so that Python and all are already installed.
  2. I created a key vault to store usernames and passwords for our existing storage account and Azure Data Warehouse
  3. I am using a storage account to store the python code.

What happens: The python runs great when called from a scheduled data factory pipeline.

What I have been banging my head on for a week++:
I wanted to use Azure Active Directory to authenticate with the keyvault. I initially thought I would just be able to run the Python for the Windows node in the batch account and use Windows authentication with Python "DefaultCredential" by instructing the node or pool to use a particular AAD account when running, like a "run-as" or something; however, it doesn't look that easy.

It looks like I have to create an app registration, or managed identity, then use that with a service principal to then connect to the keyvault to finally get the user/pass for the Azure Data Warehouse.

Links I have reviewed:
https://learn.microsoft.com/en-us/azure/batch/batch-aad-auth
https://learn.microsoft.com/en-us/azure/batch/batch-user-accounts
https://learn.microsoft.com/en-us/azure/batch/credential-access-key-vault
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
as well as a ton of youtube videos and whatnot

I guess I'm just really stuck in understanding the flow of authentication from an Azure Batch Pool/Node to KeyVault.

Just looking for advice or guidance or some corrections in what I am missing. I will say that authenticating from Data Factory, Logic Apps and other services like Azure Functions to KeyVault seems so easy because you can literally pick the AAD/AD account.

Thanks.

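The flow the question is asking about, written out as an added example (this is not code from the post or from the Azure docs linked above). It assumes the Batch task's environment carries either a service principal's AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET (the variables azure-identity's EnvironmentCredential reads), or nothing, in which case the node's managed identity is used (assumes the pool was created with one); KEY_VAULT_URL and AZURE_MI_CLIENT_ID are variable names invented for this example. The decision step is kept separate from the SDK calls so the choice of credential can be checked without network access, and so a half-configured service principal fails loudly instead of silently falling through to the next credential in a chain:

```python
"""Batch node -> Key Vault authentication flow (added example, not the post's code).

Requires azure-identity and azure-keyvault-secrets on the node for the SDK steps;
plan_auth() itself has no dependencies and can be unit-tested offline.
"""
import os
from dataclasses import dataclass

# Names read by azure-identity's EnvironmentCredential for a client-secret login.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


@dataclass(frozen=True)
class AuthPlan:
    mode: str        # "service_principal" or "managed_identity"
    vault_url: str   # https://<name>.vault.azure.net/


def plan_auth(env):
    """Decide, from the task environment only, how this task will reach Key Vault.

    DefaultAzureCredential tries the same three variables first and the managed
    identity later; spelling the order out here makes a misconfigured node fail
    with a specific message rather than a generic chained-credential error.
    """
    vault_url = env.get("KEY_VAULT_URL", "")            # assumed variable name
    if not vault_url.startswith("https://"):
        raise ValueError("KEY_VAULT_URL must be the https URL of the vault")

    present = [name for name in SP_VARS if env.get(name)]
    if len(present) == len(SP_VARS):
        return AuthPlan("service_principal", vault_url)
    if present:
        missing = tuple(name for name in SP_VARS if not env.get(name))
        raise ValueError(f"incomplete service principal configuration, missing {missing}")
    return AuthPlan("managed_identity", vault_url)


def build_credential(plan, env):
    """Turn the plan into an azure-identity credential object (network happens later)."""
    from azure.identity import ClientSecretCredential, ManagedIdentityCredential

    if plan.mode == "service_principal":
        # App registration + client secret supplied through task environment settings.
        # Caveat: anyone who can read the job definition can read these values, so a
        # pool certificate or a managed identity is the better choice where available.
        return ClientSecretCredential(
            tenant_id=env["AZURE_TENANT_ID"],
            client_id=env["AZURE_CLIENT_ID"],
            client_secret=env["AZURE_CLIENT_SECRET"],
        )
    # Pool with a user-assigned identity: naming its client ID (assumed variable) picks
    # the right one when several identities are attached; None means the only identity.
    return ManagedIdentityCredential(client_id=env.get("AZURE_MI_CLIENT_ID"))


def fetch_secret(plan, credential, secret_name):
    """Read one secret value, e.g. the Data Warehouse password, from the vault."""
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=plan.vault_url, credential=credential)
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    # On a node, the real environment decides the mode; the secret name is assumed.
    plan = plan_auth(os.environ)
    cred = build_credential(plan, os.environ)
    password = fetch_secret(plan, cred, "dw-password")
    print(f"authenticated via {plan.mode}; secret length {len(password)}")
```

Whichever mode is chosen, the identity doing the lookup (the app registration's service principal or the pool's managed identity) must also be granted read access to secrets on the vault, through an access policy or a Key Vault RBAC role; the token alone does not authorise the read.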