Help needed if anyone has created batch accounts and batch pool nodes with the latest recommended approach, i.e.:

- Virtual Machine Configuration (migrated from legacy Cloud Services Configuration)
- Azure Key Vault configuration to fetch the certificate from Key Vault through a user managed identity

I've done the batch account deployment through an ARM template and everything is working except fetching the certificate from Key Vault, though I've deployed it with the required configuration. It seems the Key Vault VM extension is not working. I followed this document: https://learn.microsoft.com/en-us/azure/batch/batch-certificate-migration-guide

Any help or pointers would be greatly appreciated. Thanks!
Azure batch nodes should pull certificate automatically from Key Vault and install it on batch nodes.
To address the challenge with Azure Batch, specifically the batch nodes not automatically pulling a certificate from Azure Key Vault despite following the configuration guidelines in the Azure Batch certificate migration guide, let's go through a few points to troubleshoot.

Migration to Virtual Machine Configuration: According to Microsoft's guidelines, you should avoid using CloudServiceConfiguration pools, as they are no longer supported. You should switch to VirtualMachineConfiguration pools instead, which offer features such as Managed Identity and the Azure Key Vault VM extension.

Use of Azure Key Vault VM Extension: To store and access secrets and certificates securely across Azure, you should use Azure Key Vault as the standard mechanism. You also need a user-assigned managed identity and the Azure Key Vault VM Extension on the pool to install certificates on your Batch pools and access them securely.

Creating and Managing Certificates: To use Azure Key Vault for certificate management in Batch pools, you must do two things. First, you must create a certificate and store it in Azure Key Vault. Second, you must configure an access policy in Azure Key Vault that grants your user-assigned managed identity the permission to access secrets and certificates. These steps are essential for the proper operation of the certificate management feature.

Creating a Batch Pool with Managed Identity: To create a Batch pool, you need to link it to your managed identity. You cannot add the Key Vault VM extension to existing pools, so you may have to make a new pool. When you create the pool, use your certificate's Secret Identifier for observedCertificates and your managed identity's Client ID for msiClientId.

Validation and Troubleshooting: To confirm that the certificate deployment was successful, log in to the compute node after setting up. If you encounter any problems, you may have to check the logs, verify the permissions, and make sure that the Key Vault VM extension is properly set up and working.
For a more detailed guide and troubleshooting, refer to the Microsoft Azure documentation on:

Reference: Migrating Batch Account Certificates to Azure Key Vault, Using Certificates with Azure Key Vault and Batch, and Enabling Automatic Certificate Rotation in a Batch Pool.
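The pool shape the answer describes (VirtualMachineConfiguration, a user-assigned identity attached to the pool itself, and the Key Vault VM extension fed the certificate's Secret Identifier and the identity's Client ID), as an added ARM resource example; it is not code from the question, the answer, or Microsoft's documentation. The parameter names (batchAccountName, poolName, identityName, keyVaultName, certificateName), the VM size and the Windows image are placeholders chosen for the example; the extension publisher, type and settings keys are the ones the Key Vault VM extension uses.

```json
{
  "type": "Microsoft.Batch/batchAccounts/pools",
  "apiVersion": "2023-05-01",
  "name": "[concat(parameters('batchAccountName'), '/', parameters('poolName'))]",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]": {}
    }
  },
  "properties": {
    "vmSize": "Standard_D2s_v3",
    "deploymentConfiguration": {
      "virtualMachineConfiguration": {
        "imageReference": {
          "publisher": "MicrosoftWindowsServer",
          "offer": "WindowsServer",
          "sku": "2019-datacenter-smalldisk",
          "version": "latest"
        },
        "nodeAgentSkuId": "batch.node.windows amd64",
        "extensions": [
          {
            "name": "KVExtensions",
            "publisher": "Microsoft.Azure.KeyVault",
            "type": "KeyVaultForWindows",
            "typeHandlerVersion": "3.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
              "secretsManagementSettings": {
                "pollingIntervalInS": "3600",
                "certificateStoreLocation": "LocalMachine",
                "certificateStoreName": "MY",
                "observedCertificates": [
                  "[concat('https://', parameters('keyVaultName'), '.vault.azure.net/secrets/', parameters('certificateName'))]"
                ]
              },
              "authenticationSettings": {
                "msiEndpoint": "http://169.254.169.254/metadata/identity",
                "msiClientId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')), '2023-01-31').clientId]"
              }
            }
          }
        ]
      }
    },
    "scaleSettings": {
      "fixedScale": {
        "targetDedicatedNodes": 1
      }
    }
  }
}
```

Points worth checking against a deployment that "looks right" but never installs the certificate: the observedCertificates entry must be the secret URL of the certificate (the `/secrets/<name>` form, which is what Key Vault calls the Secret Identifier), not the `/certificates/<name>` URL; msiClientId must be the identity's client ID (a GUID, resolved here with `reference(...).clientId` rather than pasted by hand), not its resource ID; the identity block has to be on the pool resource, not only on the Batch account, because the extension runs on the nodes and authenticates as the pool's identity; and that identity needs permission to read secrets in the vault (secret Get in an access policy, or the Key Vault Secrets User role when the vault uses RBAC). If the vault has a firewall, the pool's nodes must be able to reach it. For a Linux pool the extension type is KeyVaultForLinux and the certificate store settings are replaced by a file path. To verify on a Windows node, look for the certificate in the LocalMachine\My store and read the extension's log under C:\WindowsAzure\Logs\Plugins, which records the token request and each download attempt with the HTTP status Key Vault returned.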