Configure managed identities in Batch pools
Managed identities for Azure resources remove the need for developers to manage credentials: Azure provides an identity for the resource in Azure Active Directory (Azure AD), and the resource uses that identity to obtain Azure AD tokens.
This topic explains how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes.
Important
Pools must be configured using Virtual Machine Configuration in order to use managed identities.
Creating pools with managed identities can be done by using the Batch .NET management library, but is not currently supported with the Batch .NET client library.
Create a user-assigned identity
First, create your user-assigned managed identity in the same tenant as your Batch account. You can create the identity using the Azure portal, the Azure Command-Line Interface (Azure CLI), PowerShell, Azure Resource Manager, or the Azure REST API. This managed identity does not need to be in the same resource group or even in the same subscription.
Important
Identities must be configured as user-assigned managed identities. A system-assigned managed identity is available for retrieving customer-managed keys from Azure Key Vault, but system-assigned identities are not supported on Batch pools.
Create a Batch pool with user-assigned managed identities
After you've created one or more user-assigned managed identities, you can create a Batch pool with that identity or those identities. You can:
- Use the Azure portal to create the Batch pool
- Use the Batch .NET management library to create the Batch pool
Create Batch pool in Azure portal
To create a Batch pool with a user-assigned managed identity through the Azure portal:
- Sign in to the Azure portal.
- In the search bar, enter and select Batch accounts.
- On the Batch accounts page, select the Batch account where you want to create a Batch pool.
- In the menu for the Batch account, under Features, select Pools.
- In the Pools menu, select Add to add a new Batch pool.
- For Pool ID, enter an identifier for your pool.
- For Identity, change the setting to User assigned.
- Under User assigned managed identity, select Add.
- Select the user assigned managed identity or identities you want to use. Then, select Add.
- Under Operating System, select the publisher, offer, and SKU to use.
- Optionally, enable the managed identity in the container registry:
  - For Container configuration, change the setting to Custom. Then, select your custom configuration.
  - For Start task, select Enabled. Then, select Resource files and add your storage container information.
  - Enable Container settings.
  - Change Container registry to Custom.
  - For Identity reference, select the storage container.
Create Batch pool with .NET
To create a Batch pool with a user-assigned managed identity with the Batch .NET management library, use the following example code:
using System.Collections.Generic;
using System.Threading;
using Microsoft.Azure.Management.Batch;
using Microsoft.Azure.Management.Batch.Models;

var poolParameters = new Pool(name: "yourPoolName")
{
    VmSize = "standard_d1_v2",
    ScaleSettings = new ScaleSettings
    {
        FixedScale = new FixedScaleSettings
        {
            TargetDedicatedNodes = 1
        }
    },
    // Managed identities require Virtual Machine Configuration pools.
    DeploymentConfiguration = new DeploymentConfiguration
    {
        VirtualMachineConfiguration = new VirtualMachineConfiguration(
            new ImageReference(
                "Canonical",
                "UbuntuServer",
                "18.04-LTS",
                "latest"),
            "batch.node.ubuntu 18.04")
    },
    Identity = new BatchPoolIdentity
    {
        Type = PoolIdentityType.UserAssigned,
        // The dictionary key is the full Azure Resource Manager resource ID
        // of the user-assigned managed identity; add one entry per identity.
        UserAssignedIdentities = new Dictionary<string, UserAssignedIdentities>
        {
            ["Your Identity Resource Id"] = new UserAssignedIdentities()
        }
    }
};

// managementClient is an authenticated BatchManagementClient instance.
var pool = await managementClient.Pool.CreateWithHttpMessagesAsync(
    poolName: "yourPoolName",
    resourceGroupName: "yourResourceGroupName",
    accountName: "yourAccountName",
    parameters: poolParameters,
    cancellationToken: default(CancellationToken)).ConfigureAwait(false);
Use user-assigned managed identities in Batch nodes
Many Azure Batch technologies which access other Azure resources, such as Azure Storage or Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch, see the following links:
You can also manually configure your tasks so that the managed identities can directly access Azure resources that support managed identities.
Within the Batch nodes, you can obtain managed identity tokens from the Azure Instance Metadata Service and use them to authenticate to Azure AD.
For Windows, the PowerShell script to get an access token to authenticate is:
$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"}
For Linux, the equivalent Bash command is:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -H Metadata:true
For more information, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
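The two one-liners above hide two details that matter in practice: the request is only honoured when the Metadata:true header is present (a protection against SSRF-style token theft through redirects), and when a pool carries more than one user-assigned identity the request must name the identity it wants (IMDS accepts a client_id, object_id or mi_res_id query parameter for this; without one the request is ambiguous). The following POSIX shell script is an added example, not code from the original article or from Azure Batch: it builds the token URL for a chosen identity, wraps the real curl call, and parses and validates a constructed sample response of the same shape that IMDS returns (the token, client ID and timestamps in the sample are fake). The resource value https://storage.azure.com/ is one common value for the {Resource App Id Url} placeholder used above.

```shell
#!/bin/sh
# Added example: IMDS token request helpers for a Batch node (not Azure's own code).

IMDS_TOKEN_ENDPOINT='http://169.254.169.254/metadata/identity/oauth2/token'
IMDS_API_VERSION='2018-02-01'

# imds_token_url RESOURCE [CLIENT_ID]
# Builds the token request URL. CLIENT_ID selects which user-assigned identity
# should answer; pass it whenever the pool has more than one identity attached.
imds_token_url() {
    url="${IMDS_TOKEN_ENDPOINT}?api-version=${IMDS_API_VERSION}&resource=$1"
    if [ -n "$2" ]; then
        url="${url}&client_id=$2"
    fi
    printf '%s' "$url"
}

# json_field JSON KEY
# Minimal extractor for the flat, string-valued IMDS response (no jq needed).
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# fetch_token RESOURCE [CLIENT_ID]
# The live call. The Metadata:true header is mandatory; IMDS rejects requests
# without it, which is what stops a redirected browser or proxy from reaching it.
fetch_token() {
    curl -s -H Metadata:true "$(imds_token_url "$1" "$2")"
}

# token_is_valid JSON NOW_EPOCH
# Succeeds only if the response carries an expires_on that is still in the future.
# Tasks that cache a token should re-check this before each use rather than
# assuming the token lives for the whole task.
token_is_valid() {
    exp=$(json_field "$1" expires_on)
    [ -n "$exp" ] && [ "$exp" -gt "$2" ]
}

# Constructed sample response shaped like IMDS output; every value is fake.
SAMPLE_RESPONSE='{"access_token":"eyJ0eXAi.FAKE.TOKEN","expires_on":"1700000000","resource":"https://storage.azure.com/","token_type":"Bearer","client_id":"00000000-0000-0000-0000-000000000000"}'

# Usage on a node (live): fetch_token https://storage.azure.com/ <client-id-of-identity>
# Offline demonstration against the constructed sample:
if token_is_valid "$SAMPLE_RESPONSE" "$(date +%s)"; then
    echo "sample token still valid"
else
    echo "sample token expired"
fi
```

The URL builder is separated from the network call so that the request shape can be checked offline; in a real start task or job task you would call fetch_token, read access_token with json_field, and send it as a Bearer header to the resource named in the request.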
Next steps
- Learn more about Managed identities for Azure resources.
- Learn how to use customer-managed keys with user-managed identities.
- Learn how to enable automatic certificate rotation in a Batch pool.