I'm trying to create a batch pool via the az CLI as follows: az batch pool create --json-file foo.json.
The contents of foo.json are
{
"id": "testpool2",
"vmSize": "standard_d2s_v3",
"virtualMachineConfiguration": {
"imageReference": {
"publisher": "microsoftwindowsserver",
"offer": "windowsserver",
"sku": "2019-datacenter-core-with-containers-smalldisk",
"version": "latest"
},
"nodeAgentSKUId": "batch.node.windows amd64",
"windowsConfiguration": {
"enableAutomaticUpdates": false
},
"containerConfiguration": {
"type": "dockerCompatible",
"containerImageNames": [
"mcr.microsoft.com/windows/servercore:10.0.17763.2928-amd64"
]
},
"nodePlacementConfiguration": {
"policy": "Zonal"
}
},
"resizeTimeout": "PT15M",
"targetDedicatedNodes": 1,
"targetLowPriorityNodes": 0,
"enableAutoScale": false,
"enableInterNodeCommunication": false,
"networkConfiguration": {
"subnetId": "/subscriptions/path/to/my/subnet",
"dynamicVNetAssignmentScope": "none",
"publicIPAddressConfiguration": {
"provision": "BatchManaged"
}
},
"taskSlotsPerNode": 1,
"taskSchedulingPolicy": {
"nodeFillType": "Pack"
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/path/to/my/user/assigned/identity": {}
}
}
}
This successfully creates the pool, but with a null identity property. Not surprisingly, any authentication relying on that user-assigned identity being in place fails.
Per the documentation, the --json-file property accepts a JSON file that conforms to the REST API body. However, the REST API body does not contain a suitable identity block.
I looked at the JSON that's POSTed to the REST API when creating the pool through the portal, and it looks very similar to what I have, except it's structured like this:
"properties": {
"id": "id value",
...etc...
},
"identity": {
"type": "UserAssigned",
...etc...
}
Making my JSON match up with that request body results in a JSON parsing error. The JSON I'm providing is syntactically correct, it just seems like it's expecting the contents of the properties section only.
There's this existing question which has a terrible link-only answer to Microsoft Q&A, where the recommendation is to add an identity block that looks exactly like the one I'm providing. Please note that as far as I can tell this question is not a duplicate of that one -- they are receiving a different error, and they didn't explicitly state that they are using the Azure CLI, just that they're trying to use "JSON".
There doesn't seem to be any definitive documentation or examples of how to use the --json-file parameter with the Azure CLI to create a batch pool that uses a user-assigned identity. If it is possible, some guidance on how to accomplish it would be most welcome.
After searching in vain for an answer to the same question, I posted a slight variation of the question on the MS support page and they came up with a working solution for our case, which seems to be near-identical to what has been asked here.
Edit:
Adding the following to the JSON file made it work in our case.
{
"type": "Microsoft.Batch/batchAccounts/pools",
"name": "TestPool",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {"/subscriptions/<MySubscription>/resourceGroups/<MyResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<MyUserAssignedManagedIdentity>":{}}
},
"properties":{ All the remaining properties defining the pool itself }
}