I am having trouble getting Batch tasks to authenticate to Azure Table Storage so they can write the results of their computation directly to a table. Specifically, I use DefaultAzureCredential to attempt to authenticate using a Managed Identity, and it fails with the following message:
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
The call to DefaultAzureCredential() is running inside a Docker container.
Here's what I've done:
In the Azure portal, I manually created a user-defined Managed Identity to be used by all nodes in a Batch pool. It shares a subscription with the Batch pool, but is in a different Resource Group.
I granted the "Storage Table Data Contributor" role to this identity, so that code authenticated as it may write to the Table (but the code never gets this far).
When creating the Batch pool, I set this Managed Identity on the pool, with the same settings shown here. I can verify that this identity is shown on the pool configuration in the portal.
I launch a job in this pool. Tasks are created with an auto-user specification; I'm not sure if this makes a difference.
In the portal I see that launched tasks have a configuration: "User Identity = Task default user (Admin)"
The task fails when the code running in its container gets to DefaultAzureCredential() with the error shown above.
Some specific doubts I have:
Is the identity I've set on the pool also the same one that its tasks run under?
Does Managed Identity work from inside Docker?
How would I go about debugging this?
I know support for Managed Identity is still in beta for a lot of products, and I'm ok using the beta.
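One way to approach the "how would I debug this" question, as an added example that is not part of the original post: DefaultAzureCredential on a VM or Batch node ultimately asks the Azure Instance Metadata Service (IMDS) at 169.254.169.254 for a token, and it only requests a user-assigned identity if told its client ID (the AZURE_CLIENT_ID environment variable or the managed_identity_client_id parameter). The script below talks to IMDS directly with the standard library so the raw answer is visible; it assumes the identity's client ID is in AZURE_CLIENT_ID and that the task container can reach 169.254.169.254.

```python
"""Probe IMDS from inside a Batch task container to see why a Managed Identity fails.

Added example, not from the original post. Assumes AZURE_CLIENT_ID holds the
client ID of the user-assigned identity set on the pool (the same variable
DefaultAzureCredential reads to pick a user-assigned identity).
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
STORAGE_RESOURCE = "https://storage.azure.com/"  # resource for Table Storage tokens


def imds_token_url(resource: str, client_id: Optional[str] = None) -> str:
    """Build the IMDS token URL; client_id selects a user-assigned identity."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_URL}?{urllib.parse.urlencode(params)}"


def diagnose(status: Optional[int], body: str) -> str:
    """Turn an IMDS response (or the lack of one) into a plain-language diagnosis."""
    if status is None:
        return "IMDS unreachable: the container cannot reach 169.254.169.254"
    if status == 200:
        # A successful token response names the identity it was issued for.
        return f"ok: token issued for identity {json.loads(body).get('client_id', '?')}"
    if status == 400 and "Identity not found" in body:
        return "identity not assigned to this node (check the pool identity and client_id)"
    return f"unexpected IMDS response {status}: {body[:200]}"


def probe(client_id: Optional[str]) -> str:
    """Request a token the way azure-identity does and return the diagnosis."""
    req = urllib.request.Request(imds_token_url(STORAGE_RESOURCE, client_id),
                                 headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return diagnose(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return diagnose(exc.code, exc.read().decode())
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return diagnose(None, "")


if __name__ == "__main__":
    print(probe(os.environ.get("AZURE_CLIENT_ID")))
```

Run it as a task command (or inside the container image) before the real workload; "IMDS unreachable" points at container networking, while "identity not assigned" means the node does not carry the identity that the client ID names.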