How to authenticate Azure Batch from Python Function App using Managed Identity?

Question

How to authenticate Azure Batch from Python Function App using Managed Identity?

Abh1234123 20

I'm trying to authenticate with Azure Batch from a Python Azure Function App using Managed Identity via DefaultAzureCredential.

What I’ve Tried:

I'm using the official azure-batch SDK and passed DefaultAzureCredential() to BatchServiceClient, like so:

python
CopyEdit
from azure.batch import BatchServiceClient
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
batch_client = BatchServiceClient(credential, batch_url="https://<my-batch-account>.<region>.batch.azure.com")

However, I get this error.


AttributeError: 'DefaultAzureCredential' object has no attribute 'signed_session'

📍 Stack trace:

File ".../azure_functions_worker/dispatcher.py", line ...
  ...
File ".../msrest/service_client.py", line 336, in send
  pipeline_response = self.config.pipeline.run(request, **kwargs)
AttributeError: 'DefaultAzureCredential' object has no attribute 'signed_session'

Alternative approach I tried:

credential = DefaultAzureCredential()
# legacy token
token = credential.get_token("https://batch.core.windows.net/.default")

token_auth = BasicTokenAuthentication({"access_token": token.token})
client = BatchServiceClient(
    credentials=token_auth,
    batch_url="https://<your-batch-account>.<region>.batch.azure.com"
)

But this doesn't work too.

Arko 2,130 Reputation points Microsoft External Staff

2025-04-08T16:31:04.6466667+00:00
Hello Abh1234123, the issue arises because the azure-batch SDK still expects an older credential format (specifically one that implements .signed_session() like msrest.authentication). DefaultAzureCredential from azure-identity is not directly compatible with the older SDKs like azure-batch.

To use Managed Identity from a Python Azure Function App to authenticate with Azure Batch, you'll need to manually get a token using DefaultAzureCredential, and then wrap it in a BasicTokenAuthentication object from msrest.authentication. This can work — but there are a couple of key details that are often missed. Kindly note, your function App's managed identity must have Contributor or Batch Service Reader role assignment on the Batch Account
Please try below and let me know-

from azure.batch import BatchServiceClient from azure.identity import DefaultAzureCredential from msrest.authentication import BasicTokenAuthentication # Get a token for Azure Batch credential = DefaultAzureCredential() token = credential.get_token("https://batch.core.windows.net/.default") # Wrap the token in BasicTokenAuthentication token_auth = BasicTokenAuthentication({"access_token": token.token}) # 3. Construct the BatchServiceClient with this token batch_client = BatchServiceClient( credentials=token_auth, batch_url="https://<your-batch-account>.<region>.batch.azure.com" ) # Try listing pools or jobs to verify auth works print(batch_client.pool.list()) # Example call

Accepted answer

0 additional answers

Your answer

Arko 2,130 Reputation points Microsoft External Staff

2025-04-08T16:31:04.6466667+00:00

Hello Abh1234123, the issue arises because the azure-batch SDK still expects an older credential format (specifically one that implements .signed_session() like msrest.authentication). DefaultAzureCredential from azure-identity is not directly compatible with the older SDKs like azure-batch.

To use Managed Identity from a Python Azure Function App to authenticate with Azure Batch, you'll need to manually get a token using DefaultAzureCredential, and then wrap it in a BasicTokenAuthentication object from msrest.authentication. This can work — but there are a couple of key details that are often missed. Kindly note, your function App's managed identity must have Contributor or Batch Service Reader role assignment on the Batch Account
Please try below and let me know-

from azure.batch import BatchServiceClient from azure.identity import DefaultAzureCredential from msrest.authentication import BasicTokenAuthentication # Get a token for Azure Batch credential = DefaultAzureCredential() token = credential.get_token("https://batch.core.windows.net/.default") # Wrap the token in BasicTokenAuthentication token_auth = BasicTokenAuthentication({"access_token": token.token}) # 3. Construct the BatchServiceClient with this token batch_client = BatchServiceClient( credentials=token_auth, batch_url="https://<your-batch-account>.<region>.batch.azure.com" ) # Try listing pools or jobs to verify auth works print(batch_client.pool.list()) # Example call

Answer 1

If you're trying to call Azure Batch APIs from a Python-based Azure Function App using Managed Identity, you’ll need a Storage Account, an Azure Batch Account, Linux Consumption/EPM Function App (Python 3.10+) and a System-assigned Managed Identity

Example-


# Set storage name and create storage account

$storageName = "arkstorage$((Get-Random -Maximum 99999))"

az storage account create `

  --name $storageName `

  --resource-group arkorg `

  --location centralindia `

  --sku Standard_LRS

# Create Azure Batch account linked to the storage account

az batch account create `

  --name arkbatchaccount `

  --resource-group arkorg `

  --location centralindia `

  --storage-account $storageName

# Create Premium Elastic App Plan (for Linux Functions)

az functionapp plan create `

  --resource-group arkorg `

  --name arkfuncplan `

  --location centralindia `

  --number-of-workers 1 `

  --sku EP1 `

  --is-linux

# Create Function App with System-assigned Managed Identity

az functionapp create `

  --resource-group arkorg `

  --plan arkfuncplan `

  --name arkbatchfuncapp `

  --runtime python `

  --runtime-version 3.10 `

  --functions-version 4 `

  --os-type Linux `

  --storage-account $storageName `

  --assign-identity

enter image description here

Assign Permissions to the Function App


# Get the principal ID of the function's managed identity

$principalId = az functionapp identity show `

  --resource-group arkorg `

  --name arkbatchfuncapp `

  --query principalId `

  -o tsv

# Get the Batch account scope

$batchScope = az batch account show `

  --name arkbatchaccount `

  --resource-group arkorg `

  --query id `

  -o tsv

# Assign "Contributor" role (minimum needed for most Batch operations)

az role assignment create `

  --assignee $principalId `

  --role "Contributor" `

  --scope $batchScope

Create Function App Project with Batch SDK


func init arkbatchfunc --worker-runtime python

cd arkbatchfunc

func new --template "HTTP trigger" --name BatchTrigger

Update requirements.txt


azure-functions

azure-identity

azure-batch

msrest

Install pip install -r requirements.txt

Write Python Function Code to Authenticate via Managed Identity

Inside BatchTrigger/function_app.py (or init.py)


import logging

import azure.functions as func

from azure.identity import DefaultAzureCredential

from azure.batch import BatchServiceClient

from azure.batch.models import BatchErrorException

def main(req: func.HttpRequest) -> func.HttpResponse:

    try:

        credential = DefaultAzureCredential()

        batch_url = "https://arkbatchaccount.centralindia.batch.azure.com"

        batch_client = BatchServiceClient(

            credential=credential,

            batch_url=batch_url

        )

        # Example: List pools

        pool_list = list(batch_client.pool.list())

        pool_ids = [p.id for p in pool_list]

        return func.HttpResponse(f"Connected! Pools: {pool_ids}", status_code=200)

    except BatchErrorException as be:

        logging.error(f"Batch error: {be}")

        return func.HttpResponse("Batch error occurred", status_code=500)

    except Exception as e:

        logging.error(f"General error: {e}")

        return func.HttpResponse("Unhandled error occurred", status_code=500)

Deploy to Azure and Get Function URL


func azure functionapp publish arkbatchfuncapp

az functionapp function show `

  --resource-group arkorg `

  --name arkbatchfuncapp `

  --function-name BatchTrigger `

  --query "invokeUrlTemplate" `

  -o tsv

Get function key


az functionapp function keys list `

  --resource-group arkorg `

  --name arkbatchfuncapp `

  --function-name BatchTrigger `

  --query "default" `

  -o tsv

enter image description here

Test it via your url in my case-


https://arkbatchfuncapp.azurewebsites.net/api/batch?code=<your-function-key>

This setup uses Azure Managed Identity and Azure Identity SDK (no hardcoded credentials) to securely authenticate your Function App with Azure Batch

enter image description here

Arko 2,130 Reputation points Microsoft External Staff

2025-04-09T03:59:13.3033333+00:00

Hello Abh1234123, hope you found my suggestion useful to resolve your query.
Arko 2,130 Reputation points Microsoft External Staff

2025-04-10T08:00:54.6433333+00:00

Following up on this. If you find it useful. kindly accept the answer for QnA community members looking for similar answer to refer to it. Thanks

Share via

How to authenticate Azure Batch from Python Function App using Managed Identity?

0 additional answers

Your answer