Azure Batch worker nodes can use a Managed Identity to stage and upload data #5232
Comments
Looking at the Azure Java docs, we should be able to attach the managed identity in the case where Nextflow is creating the Azure node pools (e.g. when using the autopools feature). This will make deployment much simpler but will need the role to be increased.
I would expect it needs to be provided in the node pool creation: `nextflow/plugins/nf-azure/src/main/nextflow/cloud/azure/batch/AzBatchService.groovy`, lines 715 to 784 in 5462d7a.
OK, here's a to-do list for this feature:
From my reading of the SDK docs, all of this is possible right now.
Let's focus on Fusion-only support for managed identity.
I don't think that will work, there are too many moving parts and it will become a confusing mess of dependencies. For Fusion we will still need to do 3-6 which is all the hard stuff.
The issue is similar to the Fusion issue. The pipeline tests whether we can access data from two different containers, `test1` and `test2`, within the same storage account. This previously failed with Fusion and it is also failing when using AZCOPY. We use system managed identity. We have used the most recent version of Nextflow (and also tested the most recent edge version). We have tested the most recent version of azcopy as well.
I've uploaded here a minimal example prepared by my colleagues (Malthe and Kristian):
Thanks @zjupNN. I think it's pretty clear what we need to do now:
For the first implementation, this would require users to manually add the managed ID to each pool which isn't fun but would work. Later extensions would include:
Answer from Kristian (I'm just a proxy here, as my colleagues had the option to write comments on GitHub blocked in their NN accounts):
Originally posted by @adamrtalbot in #3314 (comment)
Now Managed Identities are supported by Nextflow (#4897), we should be able to modify the bash wrapper to adopt the Managed Identities. This is reasonably straightforward, as we can modify the bash wrapper to remove the SAS key and follow the instructions below. We might have to include an option to the Nextflow config:
and to be a perfect solution we should not generate a SAS key in the first place.