How to authenticate with Key Vault from Azure Batch

1
votes

I've been following this guide to use a certificate to authenticate with key vault from azure batch. Every certificate I generate causes errors on import into azure batch, some examples are listed below:

code : InvalidPropertyValue message : The value provided for one of the properties in the request body is invalid. PropertyName: data Reason: The specified data and the password do not match

or

Unable to get property 'tbsCertificate' of undefined or null reference

or

Unable to decrypt PKCS#8 ShroudedKeyBag, wrong password?

Are there any requirements for the certificate that I'm not aware of? Alternatively is it possible to assign a managed identity or service principal to my Azure Batch Pool instead, if certificates are not working.

2
c#azureazure-keyvaultazure-batch

2 Answers

2
votes

Using this article as a guide, I added the below options to the makecert command.

-a sha256 -len 2048

This certificate on it's own still wont work, you then need to run pvk2pfx with only the below options:

pvk2pfx -pvk batchcertificate.pvk -spc batchcertificate.cer

This opens the wizard, using which you then need to:

  1. select "yes export the private key"
  2. Tick the following options:
    • "include all certificates in the certification path if possible"
    • "Export all extended properties"
    • "Enable certificate privacy"
  3. On the next page, add a password
0
votes

You can try your hand at this documentation as well: https://samcogan.com/secure-credential-access-with-azure-batch-and-keyvault/

I believe that Microsoft will publish more documentation on this specifically in the future.