Answer accepted by question author
Hello Daniel,
Thank you for reaching out and for providing the detailed explanation of your scenario.
From your description, I understand that you are attempting to assign separate user-assigned managed identities to different pools in order to maintain isolation across environments (for example, separate VNets and resource access). While doing so, you noticed that the Node Identity Reference for the AutoStorage configuration allows selecting only a single user-assigned managed identity, even though the documentation mentions that multiple identities can be defined.
This behavior is expected and is by design in Azure Batch.
The documentation you referenced states that multiple user-assigned managed identities can be defined at the pool identity level. This allows compute nodes in a pool to authenticate to different Azure resources (such as Key Vault, Storage, or App Configuration) using different identities when required.
However, the Node Identity Reference used for AutoStorage authentication is configured at the Batch account level, and therefore it supports only one user-assigned managed identity. Since the AutoStorage account is associated with the Batch account itself rather than individual pools, the service requires a single identity that all nodes will use when accessing AutoStorage.
As also noted in the documentation:
“You can define more than one user-assigned managed identity in the pool identity. However, the one that's defined in the node identity reference must also be defined in the pool identity.”
This means that:
- A pool may contain multiple user-assigned managed identities.
- The identity used for Node Identity Reference (AutoStorage) must also be included in the pool identity.
- The Node Identity Reference itself supports only one identity, which is why the portal does not allow adding additional identities in that field.
Given your architecture, the approach you described is the correct and recommended design:
- One shared user-assigned managed identity used for AutoStorage access and configured as the Node Identity Reference.
- Separate user-assigned managed identities per pool for accessing environment-specific resources such as Key Vault, Storage accounts, or other services.
References:
- Configure managed identities in Batch pools
- The Usage of Managed Identity in the Azure Batch Account and Azure Batch Pool
Hope this helps! Please let me know if you have any queries.
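The rule in this answer (one AutoStorage identity set at the account level, which must also be present in every pool's identity set) can be checked mechanically over exported account and pool definitions. The Python below is an added example, not code from this thread or from Azure; the dictionary shapes mirror the ARM resource layout (autoStorage.nodeIdentityReference.resourceId on the account, identity.userAssignedIdentities on each pool) and, like the identity names, are assumptions.

```python
"""Check Azure Batch pools against the AutoStorage node-identity rule.

Constructed example. The dictionaries mimic the Batch account and pool
resource shapes (an assumption); the subscription and identity names are
placeholders.
"""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
MI = SUB + "/resourceGroups/rg-batch/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"

# Constructed sample data: one shared identity for AutoStorage plus one
# environment-specific identity per pool, the design described in the answer.
ACCOUNT = {
    "name": "batch-shared",
    "properties": {
        "autoStorage": {
            "storageAccountId": SUB + "/resourceGroups/rg-batch/providers/Microsoft.Storage/storageAccounts/autostorage01",
            "nodeIdentityReference": {"resourceId": MI + "mi-autostorage"},  # only one allowed here
        }
    },
}

POOLS = [
    {"name": "pool-dev", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {MI + "mi-autostorage": {}, MI + "mi-dev": {}}}},
    # Same shared identity written with different casing, as portal/CLI exports sometimes do.
    {"name": "pool-prod", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {MI.upper() + "MI-AUTOSTORAGE": {}, MI + "mi-prod": {}}}},
    # Misconfigured: the shared identity is missing, so nodes cannot reach AutoStorage.
    {"name": "pool-test", "identity": {"type": "UserAssigned",
        "userAssignedIdentities": {MI + "mi-test": {}}}},
]


def node_identity(account):
    """Return the single user-assigned identity the account uses for AutoStorage, or None."""
    ref = account["properties"].get("autoStorage", {}).get("nodeIdentityReference") or {}
    rid = ref.get("resourceId")
    return rid.lower() if rid else None  # ARM resource IDs compare case-insensitively


def check_pools(account, pools):
    """Per pool: does it carry the AutoStorage identity, and which other identities does it hold?"""
    shared = node_identity(account)
    report = {}
    for pool in pools:
        ident = pool.get("identity") or {}
        ids = {i.lower() for i in ident.get("userAssignedIdentities", {})}
        ok = ident.get("type") == "UserAssigned" and shared in ids
        report[pool["name"]] = {"has_autostorage_identity": ok,
                                "extra_identities": sorted(ids - {shared})}
    return report
```

The same check applies unchanged to the JSON returned by `az batch account show` and `az batch pool list` once the account's AutoStorage and pool identity blocks are loaded into those dictionaries.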
-
Daniel-4204 270 Reputation points
@Hemalatha Thank you, I would like to accept your comment as the answer if you could convert it from Comment to Answer. -Daniel
-
Daniel-4204 270 Reputation points
I have a new question about Azure SQL Metrics I am trying to ask. I have tried posting about 5 different variations in the last 2 hours. Every time I post I get this error: Can a moderator please review one of these deleted posts and see if it can be approved? I cannot find any violation. The title will be variations of "Why does my Azure SQL Database with auto-pause enabled show recurring CPU spikes every 5 minutes".
Thank you, -Daniel
-
Hemalatha 14,525 Reputation points • Microsoft External Staff • Moderator
Hello Daniel,
Thank you for reaching out.
We are currently unable to review your posts because your account appears to be in private mode. Due to this restriction, the submitted questions are not visible on our end.
Could you please repost your query after ensuring that:
- No subscription IDs, resource names, or other sensitive details are included
- All personally identifiable information (PII) has been removed
Once the post is publicly accessible and compliant, we will be happy to review and assist you further.
Thank you for your understanding.
