RedPanda
Reputation: 532
Azure Batch - problems with Active Directory authentication
I'm following this other post about creating Azure Batch pools with custom machine images. I'm stuck on the Azure Active Directory (AD) authentication. I've followed all the tutorials on the other thread for registering an application and obtaining the application id, tenant id, and private key.
Here's the standard bit for creating the Batch Client:
credentials = ServicePrincipalCredentials(
client_id=APP_CLIENT_ID,
secret=APP_CLIENT_KEY,
tenant=APP_TENANT_ID,
resource='https://batch.core.windows.net'
)
self._batch_client = batch.BatchServiceClient(credentials, base_url=BATCH_ACCOUNT_URL)
Here is the code for creating a pool:
# Get details for configuring worker machines with the node image file
node_agents = self._batch_client.account.list_node_agent_skus()
image_agent = next(agent for agent in node_agents if 'ubuntu 16.04' in agent.id)
image_ref = batchmodels.ImageReference(virtual_machine_image_id='/subscriptions/<long_URL>')
virtual_machine_config = batchmodels.VirtualMachineConfiguration(
image_reference=image_ref,
node_agent_sku_id=image_agent.id
)
# Define an admin user account for the worker machines
user = batchmodels.AutoUserSpecification(
scope=batchmodels.AutoUserScope.pool,
elevation_level=batchmodels.ElevationLevel.admin
)
# Define the pool
new_pool = batch.models.PoolAddParameter(
id=self.id,
virtual_machine_configuration=virtual_machine_config,
vm_size=self._vm_size,
target_dedicated_nodes=self.nodes,
start_task=batch.models.StartTask(
command_line=start_commands,
user_identity=batchmodels.UserIdentity(auto_user=user),
wait_for_success=True,
resource_files=self._resource_files),
)
# Instantiate the pool
try:
self._batch_client.pool.add(new_pool)
self._created = True
except batchmodels.batch_error.BatchErrorException as err:
print_batch_exception(err)
raise
This triggers the following error output on the 3rd line, when trying to create image_agent:
Traceback (most recent call last):
File "C:\Echo\Code\pysource\Pysource\dataIO\Tests\TestAzure.py", line 170, in test_create_and_destroy_pool
pool.create(data=res_folder)
File "C:\Echo\Code\pysource\Pysource\dataIO\azureUtils.py", line 440, in create
image_agent = next(agent for agent in node_agents if 'ubuntu 16.04' in agent.id)
File "C:\Echo\Code\pysource\Pysource\dataIO\azureUtils.py", line 440, in <genexpr>
image_agent = next(agent for agent in node_agents if 'ubuntu 16.04' in agent.id)
File "C:\Users\Patrick\Anaconda3\lib\site-packages\msrest\paging.py", line 109, in __next__
self.advance_page()
File "C:\Users\Patrick\Anaconda3\lib\site-packages\msrest\paging.py", line 95, in advance_page
self._response = self._get_next(self.next_link)
File "C:\Users\Patrick\Anaconda3\lib\site-packages\azure\batch\operations\account_operations.py", line 119, in internal_paging
raise models.BatchErrorException(self._deserialize, response)
azure.batch.models.batch_error.BatchErrorException: {'lang': 'en-US', 'value': 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly.\nRequestId:1a38e970-fb6e-4d2e-b691-5c47f46186b1\nTime:2017-11-02T19:42:54.0264686Z'}
...with attached HTTP log:
requests.packages.urllib3.connectionpool: DEBUG: Starting new HTTPS
connection (1): <batch_name>.westus.batch.azure.com
requests.packages.urllib3.connectionpool: DEBUG: https://<batch_name>.westus.batch.azure.com:443 "GET /nodeagentskus?api-version=2017-09-01.6.0 HTTP/1.1" 401 529
msrest.http_logger: DEBUG: Request URL: 'https://<batch_name>.westus.batch.azure.com/nodeagentskus?api-version=2017-09-01.6.0'
msrest.http_logger: DEBUG: Request method: 'GET'
msrest.http_logger: DEBUG: Request headers:
msrest.http_logger: DEBUG: 'Accept': 'application/json'
msrest.http_logger: DEBUG: 'Accept-Encoding': 'gzip, deflate'
msrest.http_logger: DEBUG: 'Connection': 'keep-alive'
msrest.http_logger: DEBUG: 'User-Agent': 'python/3.5.2 (Windows-10-10.0.15063-SP0) requests/2.14.0 msrest/0.4.18 msrest_azure/0.4.15 batchserviceclient/4.0.0 Azure-SDK-For-Python'
msrest.http_logger: DEBUG: 'client-request-id': '03663a50-c006-11e7-b93e-847beb5642f2'
msrest.http_logger: DEBUG: 'accept-language': 'en-US'
msrest.http_logger: DEBUG: 'Authorization': '*****'
msrest.http_logger: DEBUG: 'Content-Type': 'application/json; odata=minimalmetadata; charset=utf-8'
msrest.http_logger: DEBUG: Request body:
msrest.http_logger: DEBUG: None
msrest.http_logger: DEBUG: Response status: 401
msrest.http_logger: DEBUG: Response headers:
msrest.http_logger: DEBUG: 'Content-Length': '529'
msrest.http_logger: DEBUG: 'Content-Type': 'application/json;odata=minimalmetadata'
msrest.http_logger: DEBUG: 'Server': 'Microsoft-HTTPAPI/2.0'
msrest.http_logger: DEBUG: 'request-id': '1a38e970-fb6e-4d2e-b691-5c47f46186b1'
msrest.http_logger: DEBUG: 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains'
msrest.http_logger: DEBUG: 'X-Content-Type-Options': 'nosniff'
msrest.http_logger: DEBUG: 'DataServiceVersion': '3.0'
msrest.http_logger: DEBUG: 'WWW-Authenticate': 'Bearer error="invalid_token", error_description="The access token is missing or invalid."'
msrest.http_logger: DEBUG: 'Date': 'Thu, 02 Nov 2017 19:42:53 GMT'
msrest.http_logger: DEBUG: Response content:
msrest.http_logger: DEBUG: b'{\r\n "odata.metadata":"https://<batch_name>.westus.batch.azure.com/$metadata#Microsoft.Azure.Batch.Protocol.Entities.Container.errors/@Element","code":"AuthenticationFailed","message":{\r\n "lang":"en-US","value":"Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly.\\nRequestId:1a38e970-fb6e-4d2e-b691-5c47f46186b1\\nTime:2017-11-02T19:42:54.0264686Z"\r\n },"values":[\r\n {\r\n "key":"AuthenticationErrorDetail","value":"Could not find identity for access token."\r\n }\r\n ]\r\n}'
msrest.exceptions: DEBUG: {'lang': 'en-US', 'value': 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly.\nRequestId:1a38e970-fb6e-4d2e-b691-5c47f46186b1\nTime:2017-11-02T19:42:54.0264686Z'}
The key message is this: "key":"AuthenticationErrorDetail","value":"Could not find identity for access token."
Note that if I hard-code the node_agent_sku_id the error moves from line 3 to the line just below the try statement, when attempting to add the new pool.
How can I begin to start troubleshooting this?
Upvotes: 1
Views: 956
Answers (1)
kiwidev
Reputation: 321
The resource for Azure Batch should be 'https://batch.core.windows.net/' (note the trailing slash).
Upvotes: 2
Related Questions
- Using Managed Identity in Azure Batch to Authenticate with Key Vault using Python in a Batch Pool
- How to authenticate in Django with Azure AD via django-microsoft-auth
- What flow should I use for authentication against Azure AD for a command line based application?
- Why is getting an Azure AD token via "acquire_token_with_username_password" failing?
- Authorization Access denied while accessing Azure Active Directory
- Azure ADAL authentication using python
- Azure Batch : Server failed to authenticate the request when trying to create pool using Python SDk
- azure batch network_configuration -> "failed to authenticate"
- Unable to auth as user programmatically
- Azure AD / Python AA