Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more here.

How can we improve Azure Batch?

← Batch

Support Managed Service Identity

We made application that uses Managed Service Identity.
It's easy and friendly way to access Azure Key Vault that contains some secrets.

Actually, Azure Batch is not support Managed Service Identity.
In this situation, We have to make another application between MSI enabled environment (Azure VM, Web Apps) and disabled environment (Azure Batch).

We don't want writing secrets in application package, environment variables and clear text configuration.
We want strongly Managed Service Identity in Azure Batch.

364 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Sunao Tomita shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
started  ·  Adminbatchuv (Other, Microsoft Azure) responded  · 

2021-02-17 Update: This feature is now in public preview in select regions. Please see https://docs.microsoft.com/azure/batch/managed-identity-pools.

Prior update: We appreciate everyone’s patience in this feature ask. There was quite a bit of complexity across different teams that needed to be resolved before we could begin. Although we have no ETA to share at this time, implementation of this feature has begun.

Show previous admin responses (2)

18 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Jiri Formacek commented  ·   ·  Flag as inappropriate

    Hello,
    Can you please provide update on extending preview to other regions? West EU would be good...
    Thank you
    Jiri

  • Dino Mehmedovic commented  ·   ·  Flag as inappropriate

    Any news on this feature?

    When I create Batch a
    Account I have "The managed identities for Azure resources feature in Azure Active Directory (Azure AD) provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code."

    But "DefaultAzureCredential" don't work.

  • Victor Tan commented  ·   ·  Flag as inappropriate

    We use Azure Data Factory to orchestrate jobs in Azure Batch. The jobs require access to Key Vault. The solution available is here https://docs.microsoft.com/en-us/azure/batch/credential-access-key-vault. This uses AzureRM together with powershell. While it works but not very intuitive and also AzureRM is deprecated. This solution does not work for Linux either. MS please implement a solution for this great product.

  • Michael commented  ·   ·  Flag as inappropriate

    Hello
    Is there any news / update or estimation on delivery of this feature?

    How could the MSI be utilized by Azure Batch?
    At the moment it looks like it's possible to enable a system assigned managed service identity on the account level, but it could make much more sense to have MSI enabled on the pool level.

    Given that the majority (if not all) of "compute" operations are done in context of tasks executed on nodes of a pool, then enabling MSI on a specific pool sounds like a better granularity for assigning permissions later on.
    Enabling MSI per-pool can translate into enabling MSI on the underlying VMSS (but that's already touching detailed design aspects..)

  • Benjamin commented  ·   ·  Flag as inappropriate

    Can we get some information about what the Managed Identity flag in an Azure Batch account does?

    I have a java app using DefaultAzureCredential but it can't find the environment variables needed to authenticate.
    I get these errors:

    02:02:36.986 [reactor-http-epoll-1] ERROR c.a.identity.EnvironmentCredential - Cannot create any credentials with the current environment variables
    02:02:37.091 [reactor-http-epoll-1] ERROR c.a.i.implementation.IdentityClient - Couldn't acquire access token from IMDS, verify your objectId, clientId or msiResourceId

    The only alternative is to use certificates to authenticate a Service Principle.
    But as Aida already mentioned, it seems counter-intuitive to have to hardcode the certificate password in our apps just to authenticate with the Azure Vault.
    May as well allow us to use non-password-encrypted certificates in Azure Batch...

  • Victor Tan commented  ·   ·  Flag as inappropriate

    how is the system managed identity use in the batch account? Will the nodes created in the pool carried that MSI?

  • Andreas commented  ·   ·  Flag as inappropriate

    Is there any news to share? Would be great to have that feature on Azure Batch.

  • Deepika Bandhanadham commented  ·   ·  Flag as inappropriate

    @Azure AD Team, Any update on this feature? I had to rewrite my code after testing it an MSI enabled Azure VM to make it work on Azure Batch. Last update is from May 2019.

  • Aida C. commented  ·   ·  Flag as inappropriate

    Just want to escalate this. I've spent the last 12 hours setting up certs, renewal policies, making code changes to an app that ALREADY supports MSI to also be able to use a certificate... all because Batch doesn't have this feature. All of that and I will STILL have to deploy a secret, the cert password, in my package, and even still that certificates private key is less secure than I would normally make it sense AES256/SHA256 seems to not be a supported format. This really makes Azure Batch feels second-class sadly.

  • Sean commented  ·   ·  Flag as inappropriate

    Can we please get an update on this? This is a standard feature of "regular" Azure Virtual Machines that you can configure with a single command line flag or config file option. We really, really don't want to have to store service principal credentials on our VMs if we can avoid it.

  • Manh Vo commented  ·   ·  Flag as inappropriate

    We have a similar problem as well. Batch Nodes are actually VM Scale Sets so it should support MSI natively.

  • Rivas, Hector commented  ·   ·  Flag as inappropriate

    MSI worked great locally, but we package our apps and trigger them from ADF, and they just fail to run. A service principal seems to be the only route.

  • Takekazu Omi commented  ·   ·  Flag as inappropriate

    I really want MSI support. MSI makes it easy to use AD authentication and easily creates secure applications.

    It is not secure for applications to store secrets in environment variables or application configuration files. If we can use MSI, it's easy to access the secret in KeyVault.

    MSI is a great Azure feature. You should support MSI with Azure Batch.

Batch

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice