Configure managed identities in Batch pools

Managed identities for Azure resources eliminate complicated identity and credential management by providing an identity for the Azure resource in Microsoft Entra ID (formerly Azure Active Directory). Batch uses this identity to obtain Microsoft Entra tokens to authenticate with target resources in Azure.

This topic explains how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes.

Important

Pools must be configured using Virtual Machine Configuration in order to use managed identities.

Creating pools with managed identities can be done by using the Batch .NET management library, but is not currently supported with the Batch .NET client library.

Create a user-assigned managed identity

First, create your user-assigned managed identity in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity doesn't need to be in the same resource group or even in the same subscription.

Tip

A system-assigned managed identity created for a Batch account for customer data encryption cannot be used as a user-assigned managed identity on a Batch pool as described in this document. If you wish to use the same managed identity on both the Batch account and Batch pool, then use a common user-assigned managed identity instead.

Create a Batch pool with user-assigned managed identities

After you've created one or more user-assigned managed identities, you can create a Batch pool with that identity or those identities. You can create the pool in the Azure portal or with the Batch .NET management library, as described in the following sections.

Warning

In-place updates of pool managed identities are not supported while the pool has active nodes. Existing compute nodes will not be updated with changes. It is recommended to scale the pool down to zero compute nodes before modifying the identity collection to ensure all VMs have the same set of identities assigned.

Create Batch pool in Azure portal

To create a Batch pool with a user-assigned managed identity through the Azure portal:

  1. Sign in to the Azure portal.
  2. In the search bar, enter and select Batch accounts.
  3. On the Batch accounts page, select the Batch account where you want to create a Batch pool.
  4. In the menu for the Batch account, under Features, select Pools.
  5. In the Pools menu, select Add to add a new Batch pool.
  6. For Pool ID, enter an identifier for your pool.
  7. For Identity, change the setting to User assigned.
  8. Under User assigned managed identity, select Add.
  9. Select the user assigned managed identity or identities you want to use. Then, select Add.
  10. Under Operating System, select the publisher, offer, and SKU to use.
  11. Optionally, enable the managed identity in the container registry:
    1. For Container configuration, change the setting to Custom. Then, select your custom configuration.
    2. For Start task, select Enabled. Then, select Resource files and add your storage container information.
    3. Enable Container settings.
    4. Change Container registry to Custom.
    5. For Identity reference, select the storage container.

Create Batch pool with .NET

To create a Batch pool with a user-assigned managed identity with the Batch .NET management library, use the following example code:

// Namespaces from the Microsoft.Azure.Management.Batch package (Batch .NET management library)
using System.Collections.Generic;
using System.Threading;
using Microsoft.Azure.Management.Batch;
using Microsoft.Azure.Management.Batch.Models;

// managementClient is an authenticated BatchManagementClient created earlier.
// Managed identities require Virtual Machine Configuration on the pool.
var poolParameters = new Pool(name: "yourPoolName")
{
    VmSize = "standard_d2_v3",
    ScaleSettings = new ScaleSettings
    {
        FixedScale = new FixedScaleSettings
        {
            TargetDedicatedNodes = 1
        }
    },
    DeploymentConfiguration = new DeploymentConfiguration
    {
        VirtualMachineConfiguration = new VirtualMachineConfiguration(
            new ImageReference(
                "Canonical",
                "0001-com-ubuntu-server-jammy",
                "22_04-lts",
                "latest"),
            "batch.node.ubuntu 22.04")
    },
    Identity = new BatchPoolIdentity
    {
        Type = PoolIdentityType.UserAssigned,
        // Keyed by the ARM resource ID of each user-assigned identity; add one entry per identity.
        UserAssignedIdentities = new Dictionary<string, UserAssignedIdentities>
        {
            ["Your Identity Resource Id"] =
                new UserAssignedIdentities()
        }
    }
};

// Creates the pool through the management plane (Azure Resource Manager).
var pool = await managementClient.Pool.CreateWithHttpMessagesAsync(
    poolName: "yourPoolName",
    resourceGroupName: "yourResourceGroupName",
    accountName: "yourAccountName",
    parameters: poolParameters,
    cancellationToken: default(CancellationToken)).ConfigureAwait(false);

Use user-assigned managed identities in Batch nodes

Many Azure Batch functions that access other Azure resources directly on the compute nodes, such as Azure Storage or Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch, see the following links:

You can also manually configure your tasks so that the managed identities can directly access Azure resources that support managed identities.

On the Batch nodes, you can request managed identity tokens from the Azure Instance Metadata Service (IMDS) and use them to authenticate to resources that accept Microsoft Entra authentication.

For Windows, the PowerShell script to get an access token to authenticate is:

$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"}

For Linux, the Bash script is:

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -H Metadata:true

For more information, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
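As an added example (not code from the original page), a small Python helper that a task script on a Batch node could use to request a token from IMDS the same way the scripts above do, select one identity by client_id when the pool carries several user-assigned identities, cache the token until near expiry, and surface the error returned on a node that does not have the identity. The resource URI, client ID and transport stub used in tests are assumed values.

```python
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request. client_id selects one identity
    when the pool carries several user-assigned identities; otherwise IMDS rejects the call."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory; IMDS rejects requests that lack it.
    return url, {"Metadata": "true"}

def imds_get(url, headers):
    """Real transport: GET against the link-local IMDS endpoint on the node."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()

class ImdsTokenProvider:
    """Fetches a managed identity token for one resource and caches it until near expiry."""

    REFRESH_MARGIN = 300  # seconds before expires_on at which a new token is fetched

    def __init__(self, resource, client_id=None, transport=imds_get, now=time.time):
        self.resource, self.client_id = resource, client_id
        self._transport, self._now = transport, now
        self._token, self._expires_on = None, 0

    def get_token(self):
        if self._token and self._now() < self._expires_on - self.REFRESH_MARGIN:
            return self._token
        url, headers = build_token_request(self.resource, self.client_id)
        status, body = self._transport(url, headers)
        if status != 200:
            # Typical causes: the identity is not assigned to this node (for example a node
            # created before the pool's identity collection changed), or several identities
            # are present and no client_id was given.
            raise RuntimeError(f"IMDS token request failed with HTTP {status}")
        data = json.loads(body)  # IMDS returns expires_on as a Unix-time string
        self._token, self._expires_on = data["access_token"], int(data["expires_on"])
        return self._token
```

On a node the default transport talks to IMDS directly; the transport and clock parameters exist so the logic can be exercised off the node with a constructed response.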

Next steps