
We want to use the Key Vault extension to handle getting new certs onto our Batch nodes. I was wondering what the preferred way is to install Azure VM extensions onto Azure Batch nodes, since the machines don't appear as regular VMs in the Azure portal or CLI that we can interact with. It seems using the Key Vault extension is the best way to update certificates on a machine? We are currently using a base image for the Batch nodes, but I read that it's bad practice to have extensions pre-installed on base images. What's the best way to go about this?

Thanks!


1 Answer


2021-02-17 Updated Answer:

Select VM extensions are now supported on Batch pools. For KeyVaultExtension, you will need Managed Identity support on Batch pools which is now in public preview in select regions. Please see this doc for extensions on Batch pools and this doc for managed identity.

Original Answer:

Currently, arbitrary VM extensions are not supported on Azure Batch Pools (thus compute nodes). As of now, to update certificates on Batch pool compute nodes, you will need to add a new certificate on the account, patch the Batch pool with the new certificate reference, and then reboot the corresponding active compute nodes.

For your specific ask of installing Key Vault-based certificates, this has been requested in UserVoice.
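To make the updated answer concrete, here is an added example (not the answer author's code, and not from the Batch or Key Vault projects) that builds the management-plane pool body combining a user-assigned identity with the Key Vault VM extension, then checks the points that usually go wrong: the identity is attached, the extension carries an `msiClientId`, `requireInitialSync` is on, and every observed certificate is a Key Vault secret URL. The field names follow the Batch management REST API and the KeyVaultForLinux extension settings as documented; the subscription, identity, client ID and vault URL are constructed placeholders, and the public-cloud vault DNS suffix is assumed.

```python
"""Build and check a Batch pool body that fetches node certs via the Key Vault VM
extension. Added illustration, not the answer author's code; field names follow the
Batch management REST API and KeyVaultForLinux docs, IDs/URLs are placeholders."""
from urllib.parse import urlparse

IDENTITY_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
               "providers/Microsoft.ManagedIdentity/userAssignedIdentities/batch-kv-reader")
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CERT_URLS = ["https://example-vault.vault.azure.net/secrets/batch-node-cert"]


def build_pool_body(identity_id, client_id, cert_urls, poll_s=300):
    """Pool PUT body: user-assigned identity plus a KeyVaultForLinux extension."""
    ext = {"name": "kvext", "publisher": "Microsoft.Azure.KeyVault",
           "type": "KeyVaultForLinux", "typeHandlerVersion": "2.0",
           "settings": {
               "secretsManagementSettings": {
                   "pollingIntervalInS": str(poll_s),   # how often renewals are picked up
                   "certificateStoreLocation": "/var/lib/waagent/Microsoft.Azure.KeyVault",
                   "requireInitialSync": True,          # certs present before node is usable
                   "observedCertificates": list(cert_urls)},
               "authenticationSettings": {   # extension authenticates to the vault via IMDS
                   "msiEndpoint": "http://169.254.169.254/metadata/identity",
                   "msiClientId": client_id}}}
    return {"identity": {"type": "UserAssigned",
                         "userAssignedIdentities": {identity_id: {}}},
            "properties": {"deploymentConfiguration": {
                "virtualMachineConfiguration": {"extensions": [ext]}}}}


def is_vault_secret_url(url):
    """Key Vault secret URL check (public-cloud DNS suffix assumed)."""
    u = urlparse(url)
    return u.scheme == "https" and u.netloc.endswith(".vault.azure.net") \
        and u.path.startswith("/secrets/")


def check_pool_body(body):
    """Return a list of problems with the extension/identity setup (empty = OK)."""
    ids = body.get("identity", {}).get("userAssignedIdentities", {})
    vmc = body["properties"]["deploymentConfiguration"]["virtualMachineConfiguration"]
    kv = [e for e in vmc.get("extensions", []) if e.get("publisher") == "Microsoft.Azure.KeyVault"]
    problems = [] if kv else ["no Key Vault extension configured on the pool"]
    for e in kv:
        sms, auth = e["settings"]["secretsManagementSettings"], e["settings"]["authenticationSettings"]
        if not ids or not auth.get("msiClientId"):
            problems.append(f"{e['name']}: needs a user-assigned identity and msiClientId")
        if not sms.get("requireInitialSync"):
            problems.append(f"{e['name']}: requireInitialSync off, tasks may run before certs land")
        problems += [f"{e['name']}: {u} is not a Key Vault secret URL"
                     for u in sms.get("observedCertificates", []) if not is_vault_secret_url(u)]
    return problems
```

The identity named in `userAssignedIdentities` must also hold a Key Vault secret-read permission on the vault, which this check cannot see; verify that separately on the vault's access policy or RBAC assignment.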