Configure managed identities in Batch pools

Managed identities for Azure resources eliminate the need for developers to manage credentials. The Azure resource is given an identity in Azure Active Directory (Azure AD), and that identity is used to obtain Azure AD tokens.

This topic explains how to enable user-assigned managed identities on Batch pools and how to use managed identities within the nodes.

Important

Pools must be configured using Virtual Machine Configuration in order to use managed identities.

Creating pools with managed identities can be done by using the Batch .NET management library, but is not currently supported with the Batch .NET client library.

Create a user-assigned identity

First, create your user-assigned managed identity in the same tenant as your Batch account. This managed identity does not need to be in the same resource group or even in the same subscription.

Create a Batch pool with user-assigned managed identities

After you've created one or more user-assigned managed identities, you can create a Batch pool with that managed identity by using the Batch .NET management library.

using System.Collections.Generic;
using System.Threading;
using Microsoft.Azure.Management.Batch;
using Microsoft.Azure.Management.Batch.Models;

// Pool definition: Virtual Machine Configuration is required for managed identities.
var poolParameters = new Pool(name: "yourPoolName")
{
    VmSize = "standard_d1_v2",
    ScaleSettings = new ScaleSettings
    {
        FixedScale = new FixedScaleSettings
        {
            TargetDedicatedNodes = 1
        }
    },
    DeploymentConfiguration = new DeploymentConfiguration
    {
        VirtualMachineConfiguration = new VirtualMachineConfiguration(
            new ImageReference(
                "Canonical",
                "UbuntuServer",
                "18.04-LTS",
                "latest"),
            "batch.node.ubuntu 18.04")
    },
    // Attach one or more user-assigned identities by their ARM resource IDs.
    Identity = new BatchPoolIdentity
    {
        Type = PoolIdentityType.UserAssigned,
        UserAssignedIdentities = new Dictionary<string, UserAssignedIdentities>
        {
            ["Your Identity Resource Id"] =
                new UserAssignedIdentities()
        }
    }
};

// managementClient is an authenticated BatchManagementClient.
var pool = await managementClient.Pool.CreateWithHttpMessagesAsync(
    poolName: "yourPoolName",
    resourceGroupName: "yourResourceGroupName",
    accountName: "yourAccountName",
    parameters: poolParameters,
    cancellationToken: default(CancellationToken)).ConfigureAwait(false);

Use user-assigned managed identities in Batch nodes

Many Azure Batch technologies that access other Azure resources, such as Azure Storage or Azure Container Registry, support managed identities. For more information on using managed identities with Azure Batch, see the following links:

You can also manually configure your tasks so that the managed identities can directly access Azure resources that support managed identities.

Within the Batch nodes, you can obtain managed identity tokens from the Azure Instance Metadata Service (IMDS) and use them to authenticate to resources protected by Azure AD.

For Windows, the PowerShell script to get an access token to authenticate is:

$Response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -Method GET -Headers @{Metadata="true"}

For Linux, the Bash script is:

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource={Resource App Id Url}' -H Metadata:true

For more information, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.
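As an added example (not code from the Azure documentation or SDK), the same IMDS call wrapped for a task running on a Linux or Windows node, with the checks a task should make before using the token: the Metadata header is sent, the response is for the resource that was requested, and the token has not already expired. The client_id query parameter is assumed to select one identity when the pool carries several; the resource URL, identity GUID and sample response are constructed.

```python
"""Managed-identity token retrieval for a Batch task via IMDS (added example)."""
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

# Constructed sample of an IMDS token response; values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.constructed.token",
    "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_in": "3600",
    "expires_on": "1700003600",
    "resource": "https://storage.azure.com/",
    "token_type": "Bearer",
})


def imds_token_url(resource: str, client_id: Optional[str] = None) -> str:
    """Build the IMDS request URL. client_id (assumed parameter) picks the
    user-assigned identity when the pool has more than one; omit it otherwise."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)


def parse_token_response(body: str, expected_resource: str,
                         now: Optional[float] = None) -> dict:
    """Validate a token response; return the bearer token and seconds left."""
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if doc.get("resource") != expected_resource:
        raise ValueError("token issued for a different resource")
    remaining = int(doc["expires_on"]) - (time.time() if now is None else now)
    if remaining <= 0:  # IMDS reports expires_on as epoch seconds in a string
        raise ValueError("token already expired")
    return {"token": doc["access_token"], "expires_in": remaining}


def fetch_token(resource: str, client_id: Optional[str] = None) -> dict:
    """Call IMDS from inside the node. The Metadata: true header is mandatory;
    IMDS refuses requests without it so a forwarded request cannot obtain one."""
    req = urllib.request.Request(imds_token_url(resource, client_id),
                                 headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode(), resource)
```

fetch_token only works on a node (IMDS is link-local); the other two functions run anywhere, which is how the response checks can be unit-tested off the node.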

Next steps