Accessing Keyvault with Azure Active Directory on Windows Azure Batch Pool Node

MattChandler-1653 1 Reputation point
2020-06-23T18:39:56.027+00:00

So I have a ton of python scripts I'm running on-prem. I want to move them all to Azure and started looking at the steps.

Steps I took:

  1. I created an Azure Batch account - windows with the science variety so that python and all are already installed.
  2. I created a key vault to store usernames and passwords for our existing storage account and Azure Data Warehouse
  3. I am using a storage account to store the python code.

What happens: The python runs great when called from a scheduled data factory pipeline.

What I have been banging my head on for a week++
I wanted to use Azure Active Directory to authenticate with the keyvault. I initially thought I would just be able to run the python for the windows node in the batch account and use windows authentication with python "DefaultCredential" by instructing the node or pool to use a particular AAD account when running like a "run-as" or something, however, it doesn't look that easy.

It looks like I have to create an app registration, or managed Identity then use that with a service prinipal to then connect to the keyvault to finally get the user/pass for the Azure Data Warehouse.

Links I have reviewed:
https://learn.microsoft.com/en-us/azure/batch/batch-aad-auth
https://learn.microsoft.com/en-us/azure/batch/batch-user-accounts
https://learn.microsoft.com/en-us/azure/batch/credential-access-key-vault
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
as well as a ton of youtube videos and whatnot

I guess I'm just really stuck in understanding the flow of authentication from an Azure Batch Pool/Node to KeyVault.

Just looking for advice or guidance or some corrections in what I am missing. I will say that authenticating from Data Factory, Logic Apps and other services like Azure Functions to KeyVault seem so easy because you can literally pick the AAD/AD account.

Thanks.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,180 questions
Azure Batch
Azure Batch
An Azure service that provides cloud-scale job scheduling and compute management.
320 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,457 questions
{count} votes