-1

I'm trying to create several batch tasks from a PowerShell script and am looking for how to specify the User Identity. The .NET Core APIs support specifying this, but there is nothing for the Azure CLI.

When I run the script below, I get an error from my PowerShell script, which says that there are not enough permissions to perform this action:

```powershell
az batch account login -g $resourceGroup -n $batchAccountName
az batch task create --job-id $BatchJobId `
    --task-id "DeployIdHere" `
    --command-line $cmdCommand `
    --account-name $batchAccountName `
    --debug `
    --verbose `
    --output table
```

I expected to find something like `--elevation-level Admin`, but it seems I don't understand how it should look in general.

Joe Black

2 Answers

0

You could use the `--json-file` flag to create a task that specifies the User Identity, with the command `az batch task create --job-id myjobtest --json-file .\task.json`.

For the format, see https://github.com/Azure/azure-docs-cli-python-samples/blob/master/batch/run-job/tasks.json

You could also add multiple tasks with the admin. A task JSON file will look something like this:

```json
{
    "id": "mytasktest123",
    "commandLine": "/bin/bash -c \"sudo ls\"",
    "waitForSuccess": true,
    "userIdentity": {
        "autoUser": {
            "elevationLevel": "admin",
            "scope": "pool"
        },
        "userName": null
    }
}
```


Let me know if you need further help.

Nancy
0

> which says that there are not enough permissions to perform this action

When you log in with `az batch account login -g $resourceGroup -n $batchAccountName`, it uses Azure AD authentication, with the credentials of the account you logged in with via `az login`.

If you use the command with the `--shared-key-auth` parameter, it uses Shared Key authentication, but your account also needs permission to perform the `Microsoft.Batch/batchAccounts/listKeys/action` action. At first I thought the Reader role was enough, but per my test, it does not have permission to list the keys of a batch account.

So to fix the issue, you could have the Owner of the subscription/batch account give the user account you logged in with via `az login` the Owner or Contributor role. Navigate to the subscription/batch account in the portal -> Access control (IAM) -> Add -> Add role assignment -> search for your user account (or service principal), and add it with the Owner/Contributor role, details here. Then use `az account clear` to clear the local cache and run `az batch account login -g $resourceGroup -n $batchAccountName` again; `az batch task create` will work fine.

> How to specify the task's user identity “Pool default user (Admin)” in the azure batch account?

The way is to use the `--json-file` parameter; based on your requirement, specify the `elevationLevel` as `nonadmin` or `admin` in the .json file, like below.

batch.json file:

```json
{
  "id": "task1",
  "commandLine": "bash -c 'echo hello'",
  "userIdentity": {
    "autoUser": {
      "scope": "task",
      "elevationLevel": "admin"
    }
  }
}
```

Sample:

```powershell
az batch task create --job-id myjob --json-file C:\Users\joyw\Desktop\batch.json
```


Joy Wang
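The `--json-file` approach from both answers, wrapped for the question's script as an added example (not code from the thread or from the Azure CLI project). The function name `New-BatchTaskWithIdentity` and its parameters are hypothetical; it defaults to the `nonadmin` auto-user so that elevation has to be requested explicitly for each task.

```powershell
# Added example: hypothetical helper, not part of the original thread.
function New-BatchTaskWithIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $JobId,
        [Parameter(Mandatory)] [string] $TaskId,
        [Parameter(Mandatory)] [string] $CommandLine,
        [Parameter(Mandatory)] [string] $AccountName,
        # Least privilege by default; pass 'admin' only for tasks that need it.
        [ValidateSet('nonadmin', 'admin')] [string] $ElevationLevel = 'nonadmin',
        [ValidateSet('task', 'pool')]      [string] $Scope = 'task'
    )

    # Same shape as the task JSON shown in the answers.
    $task = [ordered]@{
        id           = $TaskId
        commandLine  = $CommandLine
        userIdentity = @{
            autoUser = @{
                scope          = $Scope
                elevationLevel = $ElevationLevel
            }
        }
    }

    # Random temp file name so concurrent runs do not overwrite each other.
    $jsonPath = Join-Path ([System.IO.Path]::GetTempPath()) `
        ([System.IO.Path]::GetRandomFileName() + '.json')
    try {
        # -Depth 5 keeps the nested userIdentity object from being truncated;
        # WriteAllText emits UTF-8 without a BOM on every PowerShell version.
        $json = $task | ConvertTo-Json -Depth 5
        [System.IO.File]::WriteAllText($jsonPath, $json)

        az batch task create --job-id $JobId --account-name $AccountName `
            --json-file $jsonPath --output table
        if ($LASTEXITCODE -ne 0) {
            throw "az batch task create failed for task '$TaskId'"
        }
    }
    finally {
        # The command line may carry deployment details; do not leave it on disk.
        Remove-Item -Path $jsonPath -ErrorAction SilentlyContinue
    }
}

# Usage with the variables from the question's script:
# az batch account login -g $resourceGroup -n $batchAccountName
# New-BatchTaskWithIdentity -JobId $BatchJobId -TaskId 'DeployIdHere' `
#     -CommandLine $cmdCommand -AccountName $batchAccountName -ElevationLevel admin
```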