Batch pool with user assigned Managed Identity and Key Vault extension
Published Feb 15 2024 10:08 PM 1,697 Views
Microsoft

On Feb 29th, 2024, the certificate feature in Azure Batch Account will be retired. To continue using the certificate with Batch task, user will need to migrate the Batch account certificates to Azure Key Vault. But since there is not an existing example provided, that might be a little difficult.

 

This blog will mainly focus on providing an example about how to recreate the Batch pool with required user assigned Managed Identity and Key Vault extension. Currently the Batch pool with user assigned Managed Identity and extension is only supported by ARM template and REST API call. Creating a pool with extension is unsupported in Azure Portal. Creating a pool with user assigned Managed Identity is unsupported in Az PowerShell module and Azure CLI.

 

Pre-requisite:

To follow this blog, please prepare the following points:

JerryZhangMS_0-1708057692831.png

 

JerryZhangMS_1-1708057692836.png

 

 

Reminder:

In this blog, a sample Batch pool with the only necessary setup is created. If any additional feature is needed, please kindly modify the related part in ARM/bicep template or REST API request payload.

 

The pool created in this blog contains the following properties:

  • OS:  Windows Server 2019 Datacenter with latest version
  • Node Agent:  batch.node.windows amd64
  • Key Vault extension version 3.0: Install one certificate with thumbprint FDBB….F3A0 into LocalMachine/My certificate store
  • Scale: 1 fixed dedicated node
  • VM SKU:  standard_ds2_v2

 

 

The expected result:

Created pool’s node can be in a healthy status:

JerryZhangMS_2-1708057692840.png

 

And if we RDP into the node, we should be able to see the expected certificate saved into LocalMachine/My path:

JerryZhangMS_3-1708057692853.png

 

JerryZhangMS_4-1708057692867.png

 

 

Sample REST API call: (The parts in red need to be replaced by own resource information)

HTTP method: PUT

URL: https://management.azure.com/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Batch/batchAccounts/{batch account name}/pools/{pool name}?api-version=2023-11-01

Request headers:  Authorization header with Microsoft Entra ID authentication Bearer token is required. Please refer to this document, or just simply search for API Playground in Azure Portal. The second way is easier because it will automatically generate the Authorization header.

JerryZhangMS_5-1708057692869.png

 

Request body:

{

  "identity": {

    "type": "UserAssigned",

    "userAssignedIdentities": {

        "/subscriptions/5102xxxx-xxxx-xxxx-xxxx-xxxxa4473453/resourceGroups/Batch/providers/Microsoft.ManagedIdentity/userAssignedIdentities/usedbybatch": {}

    }

 },

  "properties": {

    "vmSize": "STANDARD_DS2_V2",

    "deploymentConfiguration": {

      "virtualMachineConfiguration": {

        "imageReference": {

            "publisher": "microsoftwindowsserver",

            "offer": "windowsserver",

            "sku": "2019-datacenter",

            "version": "latest"

        },

        "nodeAgentSkuId": "batch.node.windows amd64",

        "extensions": [

          {

            "name": "KeyVaultExtension",

            "type": "KeyVaultForWindows",

            "publisher": "Microsoft.Azure.KeyVault",

            "typeHandlerVersion": "3.0",

            "autoUpgradeMinorVersion": true,

            "enableAutomaticUpgrade": true,

            "settings": {

                "secretsManagementSettings": {

                    "pollingIntervalInS": "300",

                    "linkOnRenewal": true,

                    "requireInitialSync": true,

                    "observedCertificates": [

                        {

                          "url": "https://batchusermode.vault.azure.net/secrets/classiccs ",

                          "certificateStoreName": "My",

                          "certificateStoreLocation": "LocalMachine",

                          "accounts": ["Network Service", "Local Service"],

                          "keyExportable": true

                        }

                    ]

                },

                "authenticationSettings": {

                    "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",

                    "msiClientId": "58eaxxxx-xxxx-xxxx-xxxx-xxxxf2d41227"

                }

            }

          }

        ]

      }

    },

    "scaleSettings": {

      "fixedScale": {

          "targetDedicatedNodes": 1,

          "targetLowPriorityNodes": 0

      }

    }

  }

}

 

 

Sample ARM template: (The parts in red need to be replaced by own resource information.)

Attention! According to the ARM template rule, to deploy a Batch pool which is child resource type, we must give the Batch Account name in the name property as well. The name here should be {BatchAccountName}/{PoolName}.

{

    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

    "contentVersion": "1.0.0.0",

    "parameters": {},

    "resources": [

        {

            "name": "jerrybatchmode/MIwithKVextARM",

            "apiVersion": "2023-11-01",

            "type": "Microsoft.Batch/batchAccounts/pools",

            "identity": {

                "type": "UserAssigned",

                "userAssignedIdentities": {

                    "/subscriptions/5102xxxx-xxxx-xxxx-xxxx-xxxxa4473453/resourceGroups/Batch/providers/Microsoft.ManagedIdentity/userAssignedIdentities/usedbybatch": {}

                }

            },

            "properties": {

                "vmSize": "STANDARD_DS2_V2",

                "deploymentConfiguration": {

                    "virtualMachineConfiguration": {

                        "imageReference": {

                            "publisher": "microsoftwindowsserver",

                            "offer": "windowsserver",

                            "sku": "2019-datacenter",

                            "version": "latest"

                        },

                        "nodeAgentSkuId": "batch.node.windows amd64",

                        "extensions": [

                            {

                                "name": "KeyVaultExtension",

                                "type": "KeyVaultForWindows",

                                "publisher": "Microsoft.Azure.KeyVault",

                                "typeHandlerVersion": "3.0",

                                "autoUpgradeMinorVersion": true,

                                "enableAutomaticUpgrade": true,

                                "settings": {

                                    "secretsManagementSettings": {

                                        "pollingIntervalInS": "300",

                                        "linkOnRenewal": true,

                                        "requireInitialSync": true,

                                        "observedCertificates": [

                                            {

                                                "url": "https://batchusermode.vault.azure.net/secrets/classiccs ",

                                                "certificateStoreName": "My",

                                                "certificateStoreLocation": "LocalMachine",

                                                "accounts": [ Network Service", Local Service" ],

                                                "keyExportable": true

                                            }

                                        ]

                                    },

                                    "authenticationSettings": {

                                        "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",

                                        "msiClientId": "58eaxxxx-xxxx-xxxx-xxxx-xxxxf2d41227"

                                    }

                                }

                            }

                        ]

                    }

                },

                "scaleSettings": {

                    "fixedScale": {

                        "targetDedicatedNodes": 1,

                        "targetLowPriorityNodes": 0

                    }

                }

            }

        }

    ]

}

Co-Authors
Version history
Last update:
‎Feb 15 2024 09:04 PM
Updated by: