Azure Batch Account unable to authenticate with auto Storage Account when there is node identity reference configured #125195

Open
JerryZhangMS opened this issue Dec 17, 2024 · 3 comments

JerryZhangMS commented Dec 17, 2024

Hi, this is Jerry from the Azure Batch support team.

I'm creating this GitHub issue to note down a confusing point which may impact other users.

When we use a Batch Account, if we have configured the authentication mode of the Batch Account's auto Storage Account as Storage Key, normally we would expect that authentication from Batch to this Storage Account should use the Storage Key.

But in the following scenario, it cannot do that successfully.

  1. In addition to the above condition, we configured the node identity reference with any user assigned managed identity.

  2. Then, in the Batch task's resource file, we select a blob or a container from the auto Storage Account without any authentication information (neither a SAS token nor a managed identity).

The expected behavior is that the Azure Batch node could use the Storage Account key to authenticate and download the file successfully. But after confirming with the Production Group, this is not the design.

By current design, if we have configured a user assigned managed identity (UAMI) in the node identity reference, then in the resource file we must also use that identity for authentication. This means that, for this issue, we have two solutions:

  1. Either we can remove the identity from the node identity reference in the Storage Account page. The Batch node will use the Storage Account key instead to authenticate.
  2. Or we can add the same UAMI to the Batch pool where the task is running, and give this UAMI enough permission on the auto Storage Account (for example, Storage Blob Data Reader). Batch will use that UAMI to authenticate.

Suggestion to PG team:
It's better to point this out by either a notification in Azure Portal, or in this document: https://learn.microsoft.com/en-us/troubleshoot/azure/hpc/batch/use-managed-identities-azure-batch-account-pool
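
The mismatch described in the post above can be caught before tasks fail by linting exported account and pool JSON. This is an added example, not part of the original issue or of any Microsoft tooling; the property names (`autoStorage.authenticationMode`, `nodeIdentityReference.resourceId`, `identity.userAssignedIdentities`, `autoStorageContainerName`, `identityReference`) are assumed from the Microsoft.Batch schema, and all sample values are constructed.

```python
# Added example: lint Batch account/pool JSON for the auto-storage identity mismatch.
# Property names are assumed from the Microsoft.Batch schema; all values are constructed.

def _norm(rid):
    # Azure resource IDs compare case-insensitively
    return rid.strip().rstrip("/").lower()

def lint(account, pool, resource_files):
    """Return (auth_path, findings) for node access to the auto storage account."""
    auto = (account.get("properties") or {}).get("autoStorage") or {}
    ref = (auto.get("nodeIdentityReference") or {}).get("resourceId")
    if not ref:
        return "storage-key", []  # no node identity: nodes use the storage key
    findings = []
    if auto.get("authenticationMode") == "StorageKeys":
        findings.append("authenticationMode is StorageKeys, but nodes use "
                        "the node identity reference")
    assigned = (pool.get("identity") or {}).get("userAssignedIdentities") or {}
    if _norm(ref) in {_norm(k) for k in assigned}:
        # Role assignment (e.g. Storage Blob Data Reader) must be checked separately
        return "uami", findings
    bare = [f.get("filePath") for f in resource_files
            if f.get("autoStorageContainerName") and not f.get("identityReference")]
    findings.append(f"pool lacks {ref}; resource files without credentials: {bare}")
    return "uami-missing-on-pool", findings

# Constructed sample inputs (placeholder subscription, resource group and names)
UAMI = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/batch-node-id")
ACCOUNT = {"properties": {"autoStorage": {
    "authenticationMode": "StorageKeys",
    "nodeIdentityReference": {"resourceId": UAMI}}}}
POOL_WITHOUT = {"identity": {"type": "None"}}
POOL_WITH = {"identity": {"type": "UserAssigned",
                          "userAssignedIdentities": {UAMI.upper(): {}}}}
FILES = [{"autoStorageContainerName": "input", "filePath": "data"}]

if __name__ == "__main__":
    for name, pool in (("pool without UAMI", POOL_WITHOUT),
                       ("pool with UAMI", POOL_WITH)):
        print(name, "->", lint(ACCOUNT, pool, FILES))
```
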

@TPavanBalaji
Contributor

@JerryZhangMS
Thanks for your feedback! We will investigate and update as appropriate.

@TPavanBalaji
Contributor

@JerryZhangMS
Thanks for your feedback and your contribution to Azure docs.
Feedback for this repository is moving away from GitHub to a system specific to the Microsoft Learn platform. Issues for this repository will soon be disabled, and additional comments from GitHub will no longer be possible. However, we are now tracking and triaging this issue in the new feedback system.
To learn more about our feedback systems, please see Provide feedback for Microsoft Learn content.

@TPavanBalaji
Contributor

@JerryZhangMS
Thank you for bringing this to our attention.
I've delegated this to the content author, who will review it and offer their insightful opinions.
