3
votes

I am trying to use the system-assigned managed identity of Azure Batch to access the Azure Key Vault. I have found some code online, but I didn't know if this is possible or if the certificate route is the only possibility. I have enabled a managed identity for the Batch account and added it to the Key Vault. But when I try to get the managed identity from the Python SDK in a Batch pool, it fails and I can't get a connection to the Key Vault.

I have tried the old azure-keyvault package (version 1.1.0) and the newer version 4.0.

This is using the older key vault package, which gives an HTTPRequest error:

from azure.keyvault import KeyVaultClient
from msrestazure.azure_active_directory import MSIAuthentication

# Ask the node's managed identity endpoint for a token scoped to Key Vault
credentials = MSIAuthentication(resource='https://vault.azure.net')

kvclient = KeyVaultClient(credentials)
# Arguments: vault base URL, secret name, secret version ("" = latest)
res = kvclient.get_secret("https://kv.vault.azure.net/", "secret", "").value

For the newer azure keyvault package I used this:

from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

keyVaultName = "kv"
KVUri = f"https://{keyVaultName}.vault.azure.net"

# DefaultAzureCredential tries several credentials in turn;
# ManagedIdentityCredential is the one expected to succeed on a pool node
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

secretName = "secret"
retrieved_secret = client.get_secret(secretName)

But it can't find the ManagedIdentityCredential. This is part of the error:

SharedTokenCacheCredential.get_token failed: Shared token cache unavailable
VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential.get_token failed: Please run 'az login' to set up an account
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
    EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
    ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource.
    SharedTokenCacheCredential: Shared token cache unavailable
    VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
    AzureCliCredential: Please run 'az login' to set up an account
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
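The line "ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource" comes from the credential asking the Azure Instance Metadata Service (IMDS) on the node for a token and getting an "Identity not found" error back. The following added example (not code from the question or the answer) reproduces that request with the standard library only, so the exact request and the shape of the failure can be inspected from a pool task without the SDK's credential chain in the way. It assumes the documented IMDS endpoint at 169.254.169.254 and its "Identity not found" error body; the helper names and the sample JSON bodies are constructed for this example.

```python
"""Probe the node's managed identity the way ManagedIdentityCredential does.

Added example, not from the original post. Assumes the documented Azure IMDS
token endpoint; helper names and sample bodies are this example's own.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

# Constructed sample responses, shaped like the documented IMDS replies.
SAMPLE_TOKEN_BODY = json.dumps({
    "access_token": "eyJ0eXAi.constructed.sample",
    "expires_on": "1700000000",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})
SAMPLE_NOT_FOUND_BODY = json.dumps({
    "error": "invalid_request",
    "error_description": "Identity not found",
})


def imds_token_url(resource, client_id=None):
    """Build the IMDS token URL.

    Without client_id the system-assigned identity is requested; passing the
    client_id of a user-assigned identity selects that one instead.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_ENDPOINT}?{urllib.parse.urlencode(params)}"


def interpret_imds_response(status, body):
    """Turn an IMDS status code and body into a diagnosis dict.

    The access token itself is deliberately not returned or logged; only
    its expiry and audience are surfaced for diagnostics.
    """
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if status == 200 and "access_token" in data:
        return {
            "ok": True,
            "resource": data.get("resource"),
            "expires_on": int(data.get("expires_on", 0)),
            "diagnosis": "token issued; an identity is assigned to this node",
        }
    description = data.get("error_description", "")
    if status == 400 and "Identity not found" in description:
        return {
            "ok": False,
            "diagnosis": "no managed identity is assigned to this node; "
                         "an identity on the Batch account does not give the "
                         "pool VMs one",
        }
    return {"ok": False, "diagnosis": f"unexpected IMDS reply: {status} {body[:200]}"}


def probe_imds(resource="https://vault.azure.net", client_id=None, timeout=2):
    """Perform the real IMDS call; only meaningful on an Azure VM or pool node."""
    request = urllib.request.Request(
        imds_token_url(resource, client_id),
        headers={"Metadata": "true"},  # IMDS refuses requests without this header
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return interpret_imds_response(response.status, response.read().decode())
    except urllib.error.HTTPError as err:
        return interpret_imds_response(err.code, err.read().decode())
    except (urllib.error.URLError, OSError) as err:
        return {"ok": False, "diagnosis": f"IMDS unreachable ({err}); not on Azure compute"}


if __name__ == "__main__":
    # Run inside a Batch task to see which case the node is in.
    print(probe_imds())
```

Running this on a pool node that reports "Identity not found" confirms that the node itself has no identity, independent of what is configured on the Batch account or in Key Vault access policies, which is exactly the situation the error chain in the question describes.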

1 Answer

7
votes

2021-02-17 Updated Answer:

Managed Identity on Batch pools is now in public preview in select regions. Please see this doc.

Original Answer:

This is currently not a supported scenario. Please read the documentation about this feature and the specific FAQ item addressing it at the bottom of the document.

Please also see the UserVoice request.