File: articles/batch/automatic-certificate-rotation.md
Lines changed: 8 additions & 5 deletions
@@ -3,15 +3,15 @@ title: Enable automatic certificate rotation in a Batch pool
3
3
description: You can create a Batch pool with a managed identity and a certificate that will automatically be renewed.
4
4
ms.topic: conceptual
5
5
ms.custom: devx-track-linux
6
-
ms.date: 05/24/2023
6
+
ms.date: 12/05/2023
7
7
---
8
8
# Enable automatic certificate rotation in a Batch pool
9
9
10
10
You can create a Batch pool with a certificate that will automatically be renewed. To do so, your pool must be created with a [user-assigned managed identity](managed-identity-pools.md) that will have access to the certificate in [Azure Key Vault](../key-vault/general/overview.md).
11
11
12
12
## Create a user-assigned identity
13
13
14
-
First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) in the same tenant as your Batch account. This managed identity does not need to be in the same resource group or even in the same subscription.
14
+
First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) in the same tenant as your Batch account. This managed identity doesn't need to be in the same resource group or even in the same subscription.
15
15
16
16
Be sure to note the **Client ID** of the user-assigned managed identity. You'll need this value later.
17
17
@@ -37,6 +37,9 @@ In your key vault, assign a Key Vault access policy that allows your user-assign
37
37
38
38
Create a Batch pool with your managed identity by using the [Batch .NET management library](/dotnet/api/overview/azure/batch#management-library). For more information, see [Configure managed identities in Batch pools](managed-identity-pools.md).
39
39
40
+
> [!TIP]
41
+
> Existing pools cannot be updated with the Key Vault VM extension. You will need to recreate your pool.
42
+
40
43
The following example uses the Batch Management REST API to create a pool. Be sure to use your certificate's **Secret Identifier** for `observedCertificates` and your managed identity's **Client ID** for `msiClientId`, replacing the example data below.
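Review bot: The new tip at line 41 uses "cannot" and "You will need" while the rest of this change converts to contractions ("doesn't" at line 14); use "can't" and "You'll need" so the style applied elsewhere in this PR is consistent. The same limitation is stated in the migration article's new FAQ entry ("No, these properties aren't updateable on the pool. You need to recreate pools."), so consider linking the tip to that FAQ rather than wording the rule two different ways. Since the tip sits directly after the instruction to create the pool with the managed identity, it is worth adding that the recreated pool must be created with the same user-assigned managed identity (and therefore the same Key Vault access policy), otherwise readers may recreate a pool that can no longer fetch the certificate.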
description: Learn how to migrate Batch account certificates to Azure Key Vault and plan for feature end of support.
4
4
ms.service: batch
5
5
ms.topic: how-to
6
-
ms.date: 03/08/2023
6
+
ms.date: 12/05/2023
7
7
---
8
8
9
9
# Migrate Batch account certificates to Azure Key Vault
@@ -22,15 +22,15 @@ After the certificates feature in Azure Batch is retired on February 29, 2024, a
22
22
23
23
## Alternative: Use Azure Key Vault VM extension with pool user-assigned managed identity
24
24
25
-
Azure Key Vault is a fully managed Azure service that provides controlled access to store and manage secrets, certificates, tokens, and keys. Key Vault provides security at the transport layer by ensuring that any data flow from the key vault to the client application is encrypted. Azure Key Vault gives you a secure way to store essential access information and to set fine-grained access control. You can manage all secrets from one dashboard. Choose to store a key in either software-protected or hardware-protected hardware security modules (HSMs). You also can set Key Vault to auto-renew certificates.
25
+
Azure Key Vault is a fully managed Azure service that provides controlled access to store and manage secrets, certificates, tokens, and keys. Key Vault provides security at the transport layer by ensuring that any data flow from the key vault to the client application is encrypted. Azure Key Vault gives you a secure way to store essential access information and to set fine-grained access control. You can manage all secrets from one dashboard. Choose to store a key in either software-protected or hardware-protected hardware security modules (HSMs). You also can set Key Vault to autorenew certificates.
26
26
27
27
For a complete guide on how to enable Azure Key Vault VM Extension with Pool User-assigned Managed Identity, see [Enable automatic certificate rotation in a Batch pool](automatic-certificate-rotation.md).
28
28
29
29
## FAQs
30
30
31
31
- Do `CloudServiceConfiguration` pools support Azure Key Vault VM extension and managed identity on pools?
32
32
33
-
No. `CloudServiceConfiguration` pools will be [retired](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/) on the same date as Azure Batch account certificate retirement on February 29, 2024. We recommend that you migrate to `VirtualMachineConfiguration` pools before that date where you'll be able to use these solutions.
33
+
No. `CloudServiceConfiguration` pools will be [retired](https://azure.microsoft.com/updates/azure-batch-cloudserviceconfiguration-pools-will-be-retired-on-29-february-2024/) on the same date as Azure Batch account certificate retirement on February 29, 2024. We recommend that you migrate to `VirtualMachineConfiguration` pools before that date where you're able to use these solutions.
34
34
35
35
- Do user subscription pool allocation Batch accounts support Azure Key Vault?
36
36
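Review bot: "where you're able to use these solutions" at line 33 is an awkward replacement for the original "where you'll be able to use"; the sentence describes a migration that readers have not yet done, so "where you can use these solutions" keeps the meaning and reads naturally. The "auto-renew" to "autorenew" change at line 25 is a style-guide spelling and is fine.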
@@ -40,9 +40,21 @@ For a complete guide on how to enable Azure Key Vault VM Extension with Pool Use
40
40
41
41
Yes. See the documentation for [Windows](../virtual-machines/extensions/key-vault-windows.md) and [Linux](../virtual-machines/extensions/key-vault-linux.md).
42
42
43
+
- Can you update existing pools with a Key Vault VM extension?
44
+
45
+
No, these properties aren't updateable on the pool. You need to recreate pools.
46
+
43
47
- How do I get references to certificates on Linux Batch Pools since `$AZ_BATCH_CERTIFICATES_DIR` will be removed?
44
48
45
-
The Key Vault VM extension for Linux allows you to specify the `certificateStoreLocation`, which is an absolute path to where the certificate will be stored.
49
+
The Key Vault VM extension for Linux allows you to specify the `certificateStoreLocation`, which is an absolute path to where the certificate are stored. The Key Vault VM extension will scope certificates installed at the specified location with only superuser (root) privileges. You need to make sure that your tasks run elevated to access these certificates by default, or copy the certificates to an accessible directly and/or adjust certificate files with proper file modes. You can run such commands as part of an elevated start task or job prep task.
50
+
51
+
- How do I install `.cer` files that don't contain private keys?
52
+
53
+
Key Vault doesn't consider these files to be privileged as they don't contain private key information. You can install `.cer` files using either of the following methods. Use Key Vault [secrets](../key-vault/secrets/about-secrets.md) with appropriate access privileges for the associated User-assigned Managed Identity and fetch the `.cer` file as part of your start task to install. Alternatively, store the `.cer` file as an Azure Storage Blob and reference as a Batch [resource file](resource-files.md) in your start task to install.
54
+
55
+
- How do I access Key Vault extension installed certificates for task-level nonadmin autouser pool identities?
56
+
57
+
Task-level autousers are created on-demand and can't be predefined for specifying into the `accounts` property in the Key Vault VM extension. You'll need a custom process that exports the required certificate into a commonly accessible store or ACLs appropriately for access by task-level autousers.
46
58
47
59
- Where can I find best practices for using Azure Key Vault?
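Review bot: Line 49 has two grammar errors that affect meaning: "where the certificate are stored" should be "where the certificates are stored", and "copy the certificates to an accessible directly" should be "to an accessible directory". More importantly, the advice to "adjust certificate files with proper file modes" should say what proper means, because the certificate installed at `certificateStoreLocation` includes the private key and the extension deliberately leaves it readable by root only: the elevated start task or job prep task should change ownership of the copy to the specific task user (or a dedicated group) and keep the mode restricted to that owner, rather than loosening permissions for all users, so readers do not end up with a world-readable private key on every node. Suggested wording: "change ownership of the copied certificate files to the task user and restrict their permissions to that user". The same least-privilege caveat applies to the "commonly accessible store" at line 57, where "or ACLs appropriately" is also missing a verb ("or sets ACLs appropriately for access by task-level autousers"). In the `.cer` answer at line 53, "fetch the `.cer` file as part of your start task to install" and "reference as a Batch resource file in your start task to install" both drop the object; "to install it" in each case.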
File: articles/batch/create-pool-extensions.md
Lines changed: 6 additions & 3 deletions
@@ -1,14 +1,14 @@
1
1
---
2
2
title: Use extensions with Batch pools
3
-
description: Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes.
3
+
description: Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes.
4
4
ms.topic: how-to
5
5
ms.custom: devx-track-linux
6
-
ms.date: 05/26/2023
6
+
ms.date: 12/05/2023
7
7
---
8
8
9
9
# Use extensions with Batch pools
10
10
11
-
Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes. You can select any of the extensions that are allowed by Azure Batch and have them installed on the compute nodes as they are provisioned. After that, the extension can perform its intended operation.
11
+
Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes. You can select any of the extensions that are allowed by Azure Batch and have them installed on the compute nodes as they're provisioned. After that, the extension can perform its intended operation.
12
12
13
13
You can check the live status of the extensions you use and retrieve the information they return in order to pursue any detection, correction, or diagnostics capabilities.
14
14
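Review bot: The description line at line 3 is shown as removed and re-added with identical visible text, so this is presumably a trailing-whitespace change. Keeping it is harmless, but if it was unintentional it could be dropped so the hunk contains only the ms.date bump and the "they are" to "they're" edit at line 11.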
@@ -18,6 +18,9 @@ You can check the live status of the extensions you use and retrieve the informa
18
18
- The CustomScript extension type is reserved for the Azure Batch service and can't be overridden.
19
19
- Some extensions may need pool-level Managed Identity accessible in the context of a compute node in order to function properly. Please see [configuring managed identities in Batch pools](managed-identity-pools.md) if applicable for the extension(s).
20
20
21
+
> [!TIP]
22
+
> Extensions cannot be added to an existing pool. Pools must be recreated to add, remove, or update extensions.
23
+
21
24
## Supported extensions
22
25
23
26
The following extensions can currently be installed when creating a Batch pool:
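Review bot: The tip at line 22 uses "cannot" while line 11 in the same hunk converts "they are" to "they're"; use "can't" for consistency with the rest of this PR. The tip also restates, in general form, the Key Vault VM extension tip added in automatic-certificate-rotation.md ("Existing pools cannot be updated with the Key Vault VM extension"); since that is one instance of this rule, consider having that page link here instead of maintaining two wordings. Finally, the tip reads like one more limitation alongside the bulleted limitations it follows at lines 18 and 19 (CustomScript reserved, managed identity needed), so it may fit better as a third bullet in that list than as a separate callout.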