On Feb 29th, 2024, the certificate feature of the Azure Batch account will be retired. To continue using certificates with Batch tasks, users will need to migrate their Batch account certificates to Azure Key Vault. Since no existing example of that migration is provided, it can be a little difficult.
This blog focuses on an example of how to recreate a Batch pool with the required user-assigned managed identity and Key Vault extension. Currently, a Batch pool with a user-assigned managed identity and an extension can only be created through an ARM template or a REST API call: creating a pool with an extension is not supported in the Azure Portal, and creating a pool with a user-assigned managed identity is not supported in the Az PowerShell module or the Azure CLI.
To follow this blog, please prepare the following:
In this blog, a sample Batch pool with only the necessary setup is created. If any additional feature is needed, modify the related part of the ARM/Bicep template or the REST API request payload.
The pool created in this blog has the following properties:
The created pool's node should reach a healthy state:
And if we RDP into the node, we should see the expected certificate saved in the LocalMachine\My certificate store:
HTTP method: PUT
URL: https://management.azure.com/subscriptions/{subscription ID}/resourceGroups/{resource group name}/providers/Microsoft.Batch/batchAccounts/{batch account name}/pools/{pool name}?api-version=2023-11-01
Request headers: an Authorization header carrying a Microsoft Entra ID bearer token is required. Please refer to this document, or simply search for API Playground in the Azure Portal; the second way is easier because it generates the Authorization header automatically.
Request body:
{
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/5102xxxx-xxxx-xxxx-xxxx-xxxxa4473453/resourceGroups/Batch/providers/Microsoft.ManagedIdentity/userAssignedIdentities/usedbybatch": {}
    }
  },
  "properties": {
    "vmSize": "STANDARD_DS2_V2",
    "deploymentConfiguration": {
      "virtualMachineConfiguration": {
        "imageReference": {
          "publisher": "microsoftwindowsserver",
          "offer": "windowsserver",
          "sku": "2019-datacenter",
          "version": "latest"
        },
        "nodeAgentSkuId": "batch.node.windows amd64",
        "extensions": [
          {
            "name": "KeyVaultExtension",
            "type": "KeyVaultForWindows",
            "publisher": "Microsoft.Azure.KeyVault",
            "typeHandlerVersion": "3.0",
            "autoUpgradeMinorVersion": true,
            "enableAutomaticUpgrade": true,
            "settings": {
              "secretsManagementSettings": {
                "pollingIntervalInS": "300",
                "linkOnRenewal": true,
                "requireInitialSync": true,
                "observedCertificates": [
                  {
                    "url": "https://batchusermode.vault.azure.net/secrets/classiccs",
                    "certificateStoreName": "My",
                    "certificateStoreLocation": "LocalMachine",
                    "accounts": ["Network Service", "Local Service"],
                    "keyExportable": true
                  }
                ]
              },
              "authenticationSettings": {
                "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",
                "msiClientId": "58eaxxxx-xxxx-xxxx-xxxx-xxxxf2d41227"
              }
            }
          }
        ]
      }
    },
    "scaleSettings": {
      "fixedScale": {
        "targetDedicatedNodes": 1,
        "targetLowPriorityNodes": 0
      }
    }
  }
}
Attention! According to the ARM template rules, to deploy a Batch pool, which is a child resource type, the Batch account name must also be given in the name property. The name here should be {BatchAccountName}/{PoolName}.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "resources": [
    {
      "name": "jerrybatchmode/MIwithKVextARM",
      "apiVersion": "2023-11-01",
      "type": "Microsoft.Batch/batchAccounts/pools",
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/5102xxxx-xxxx-xxxx-xxxx-xxxxa4473453/resourceGroups/Batch/providers/Microsoft.ManagedIdentity/userAssignedIdentities/usedbybatch": {}
        }
      },
      "properties": {
        "vmSize": "STANDARD_DS2_V2",
        "deploymentConfiguration": {
          "virtualMachineConfiguration": {
            "imageReference": {
              "publisher": "microsoftwindowsserver",
              "offer": "windowsserver",
              "sku": "2019-datacenter",
              "version": "latest"
            },
            "nodeAgentSkuId": "batch.node.windows amd64",
            "extensions": [
              {
                "name": "KeyVaultExtension",
                "type": "KeyVaultForWindows",
                "publisher": "Microsoft.Azure.KeyVault",
                "typeHandlerVersion": "3.0",
                "autoUpgradeMinorVersion": true,
                "enableAutomaticUpgrade": true,
                "settings": {
                  "secretsManagementSettings": {
                    "pollingIntervalInS": "300",
                    "linkOnRenewal": true,
                    "requireInitialSync": true,
                    "observedCertificates": [
                      {
                        "url": "https://batchusermode.vault.azure.net/secrets/classiccs",
                        "certificateStoreName": "My",
                        "certificateStoreLocation": "LocalMachine",
                        "accounts": ["Network Service", "Local Service"],
                        "keyExportable": true
                      }
                    ]
                  },
                  "authenticationSettings": {
                    "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",
                    "msiClientId": "58eaxxxx-xxxx-xxxx-xxxx-xxxxf2d41227"
                  }
                }
              }
            ]
          }
        },
        "scaleSettings": {
          "fixedScale": {
            "targetDedicatedNodes": 1,
            "targetLowPriorityNodes": 0
          }
        }
      }
    }
  ]
}
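As an added example that is not part of the original post, the following Python script builds the same pool definition that the REST request body and the ARM template above show, from a few parameters, and checks it for the mistakes that are easy to make when the JSON is edited by hand: whitespace inside the secret URL, an identity resource ID pasted where the identity's client ID belongs, and a private key left exportable on the node. It then either builds the PUT request against the Batch resource provider or wraps the body as the ARM child resource with the {BatchAccountName}/{PoolName} name. The subscription, identity, vault and certificate names in it are placeholders you replace with your own; the bearer token is assumed to be obtained elsewhere (for example with `az account get-access-token --resource https://management.azure.com`); and the user-assigned identity is assumed to already have permission to read the secret in the vault, which the extension needs however the pool is created. Unlike the JSON above, the example defaults keyExportable to false and reports true as a warning, because an exportable private key can be pulled out of the node's certificate store.

```python
"""Added example (not from the original post): build, check and submit the
Batch pool definition shown above. Identity, vault and name values are
placeholders to be replaced; the bearer token must be supplied by the caller."""
import json
import re
import urllib.request

API_VERSION = "2023-11-01"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
IDENTITY_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                         r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I)
SECRET_URL_RE = re.compile(r"^https://[a-z0-9-]+\.vault\.azure\.net/secrets/"
                           r"[a-z0-9-]+(/[0-9a-f]{32})?$", re.I)


def build_pool_body(identity_id, msi_client_id, secret_url, *,
                    key_exportable=False, target_dedicated=1):
    """PUT body for a Windows Server 2019 pool that pulls one certificate through
    the Key Vault extension, authenticating with the user-assigned identity."""
    kv_settings = {
        "secretsManagementSettings": {
            "pollingIntervalInS": "300",
            "linkOnRenewal": True,
            "requireInitialSync": True,
            "observedCertificates": [{
                "url": secret_url,                   # the certificate's /secrets/ URL
                "certificateStoreName": "My",
                "certificateStoreLocation": "LocalMachine",
                "accounts": ["Network Service", "Local Service"],
                "keyExportable": key_exportable,     # keep False unless tasks must export it
            }],
        },
        "authenticationSettings": {
            "msiEndpoint": "http://169.254.169.254/metadata/identity/oauth2/token",
            "msiClientId": msi_client_id,            # client ID of the identity, not its resource ID
        },
    }
    return {
        "identity": {"type": "UserAssigned", "userAssignedIdentities": {identity_id: {}}},
        "properties": {
            "vmSize": "STANDARD_DS2_V2",
            "deploymentConfiguration": {"virtualMachineConfiguration": {
                "imageReference": {"publisher": "microsoftwindowsserver", "offer": "windowsserver",
                                   "sku": "2019-datacenter", "version": "latest"},
                "nodeAgentSkuId": "batch.node.windows amd64",
                "extensions": [{"name": "KeyVaultExtension", "type": "KeyVaultForWindows",
                                "publisher": "Microsoft.Azure.KeyVault", "typeHandlerVersion": "3.0",
                                "autoUpgradeMinorVersion": True, "enableAutomaticUpgrade": True,
                                "settings": kv_settings}],
            }},
            "scaleSettings": {"fixedScale": {"targetDedicatedNodes": target_dedicated,
                                             "targetLowPriorityNodes": 0}},
        },
    }


def validate_pool_body(body):
    """Return a list of findings; entries starting with 'warning:' do not block the PUT."""
    findings = []
    identity = body["identity"]
    ids = list(identity.get("userAssignedIdentities", {}))
    if identity.get("type") != "UserAssigned" or len(ids) != 1:
        findings.append("exactly one user-assigned identity is expected")
    findings += [f"not a userAssignedIdentities resource ID: {i}" for i in ids if not IDENTITY_RE.match(i)]
    vmc = body["properties"]["deploymentConfiguration"]["virtualMachineConfiguration"]
    for ext in vmc["extensions"]:
        if ext["type"] != "KeyVaultForWindows":
            continue
        settings = ext["settings"]
        if not GUID_RE.match(settings["authenticationSettings"]["msiClientId"]):
            findings.append("msiClientId must be the identity's client ID (a GUID)")
        for cert in settings["secretsManagementSettings"]["observedCertificates"]:
            url = cert["url"]
            if url != url.strip():
                findings.append(f"secret URL has surrounding whitespace: {url!r}")
            elif not SECRET_URL_RE.match(url):
                findings.append(f"not a Key Vault /secrets/ URL: {url}")
            if cert.get("keyExportable"):
                findings.append("warning: keyExportable is true; the private key can be exported from the node")
    return findings


def build_put_request(token, subscription_id, resource_group, account, pool, body):
    """Build (without sending) the PUT against the Batch resource provider."""
    errors = [f for f in validate_pool_body(body) if not f.startswith("warning:")]
    if errors:
        raise ValueError("; ".join(errors))
    url = (f"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/"
           f"{resource_group}/providers/Microsoft.Batch/batchAccounts/{account}/pools/{pool}"
           f"?api-version={API_VERSION}")
    return urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})


def to_arm_template(account, pool, body):
    """The same body as an ARM child resource; note the '{account}/{pool}' name."""
    return {"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0", "parameters": {},
            "resources": [{"name": f"{account}/{pool}", "apiVersion": API_VERSION,
                           "type": "Microsoft.Batch/batchAccounts/pools", **body}]}


def submit(req):
    """Send the PUT and return the HTTP status code (2xx on success)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_pool_body(  # placeholder values: replace with your own
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Batch/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/usedbybatch",
        "11111111-2222-3333-4444-555555555555",
        "https://batchusermode.vault.azure.net/secrets/classiccs")
    print("\n".join(validate_pool_body(body)) or "body looks sane")
    print(json.dumps(to_arm_template("jerrybatchmode", "MIwithKVextARM", body), indent=2))
```

To actually create the pool, pass the result of build_put_request to submit with a token for https://management.azure.com; the validation runs first, so a body carrying the trailing space that crept into the secret URL above is rejected before it reaches the resource provider, while an exportable key is only reported.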