Add support for Azure Managed identities on Azure worker nodes with Fusion (#6118)

Signed-off-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Signed-off-by: Adam Talbot <12817534+adamrtalbot@users.noreply.github.com>
Signed-off-by: Ben Sherman <bentshermann@gmail.com>
Co-authored-by: Paolo Di Tommaso <paolo.ditommaso@gmail.com>
Co-authored-by: Ben Sherman <bentshermann@gmail.com>

Author: 3 people

docs/reference/config.md

@@ -414,6 +414,11 @@ The following settings are available:
 `azure.batch.pools.<name>.vmType`
 : Specify the virtual machine type used by the pool identified with `<name>`.
 
+`azure.batch.poolIdentityClientId`
+: :::{versionadded} 25.05.0-edge
+  :::
+: Specify the client ID for an Azure [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) that is available on all Azure Batch node pools. This identity will be used for task-level authentication to Azure services. See {ref}`azure-managed-identities` for more details.
+
 `azure.managedIdentity.clientId`
 : Specify the client ID for an Azure [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview). See {ref}`azure-managed-identities` for more details. Defaults to environment variable `AZURE_MANAGED_IDENTITY_USER`.
 

modules/nf-lang/src/main/java/nextflow/config/scopes/AzureBatchConfig.java

@@ -88,6 +88,12 @@ Delete each task when it completes (default: `true`).
     """)
     public String location;
 
+    @ConfigOption
+    @Description("""
+        The client ID for an Azure managed identity that is available on all Azure Batch node pools. This identity will be used for task-level authentication to Azure services.
+    """)
+    public String poolIdentityClientId;
+
     @PlaceholderName("<name>")
     public Map<String, AzureBatchPoolConfig> pools;
 

plugins/nf-azure/src/main/nextflow/cloud/azure/batch/AzBatchService.groovy

@@ -50,6 +50,7 @@ import com.azure.compute.batch.models.ContainerConfiguration
 import com.azure.compute.batch.models.ContainerRegistryReference
 import com.azure.compute.batch.models.ContainerType
 import com.azure.compute.batch.models.ElevationLevel
+import com.azure.compute.batch.models.EnvironmentSetting
 import com.azure.compute.batch.models.MetadataItem
 import com.azure.compute.batch.models.MountConfiguration
 import com.azure.compute.batch.models.NetworkConfiguration
@@ -81,6 +82,7 @@ import groovy.transform.Memoized
 import groovy.util.logging.Slf4j
 import nextflow.Global
 import nextflow.Session
+import nextflow.cloud.azure.config.AzBatchOpts
 import nextflow.cloud.azure.config.AzConfig
 import nextflow.cloud.azure.config.AzFileShareOpts
 import nextflow.cloud.azure.config.AzPoolOpts
@@ -508,28 +510,40 @@ class AzBatchService implements Closeable {
 
         // Handle Fusion settings
         final fusionEnabled = FusionHelper.isFusionEnabled((Session)Global.session)
-        final launcher = fusionEnabled ? FusionScriptLauncher.create(task.toTaskBean(), 'az') : null
+        String fusionCmd = null
         if( fusionEnabled ) {
+            // Create the FusionScriptLauncher from the TaskBean
+            final taskBean = task.toTaskBean()
+            final launcher = FusionScriptLauncher.create(taskBean, 'az')
+            
+            // Add container options
             opts += "--privileged "
-            for( Map.Entry<String,String> it : launcher.fusionEnv() ) {
-                opts += "-e $it.key=$it.value "
+
+            // Add all environment variables from the launcher
+            final fusionEnv = launcher.fusionEnv()
+            if( fusionEnv ) {
+                for( Map.Entry<String,String> it : fusionEnv ) {
+                    opts += "-e $it.key=$it.value "
+                }
             }
+            
+            // Get the fusion submit command
+            final List<String> cmdList = launcher.fusionSubmitCli(task)
+            fusionCmd = cmdList ? String.join(' ', cmdList) : null
         }
 
         // Create container settings
         final containerOpts = new BatchTaskContainerSettings(container)
                 .setContainerRunOptions(opts)
 
         // submit command line
-        final String cmd = fusionEnabled
-                ? launcher.fusionSubmitCli(task).join(' ')
-                : "bash -o pipefail -c 'bash ${TaskRun.CMD_RUN} 2>&1 | tee ${TaskRun.CMD_LOG}'"
+        final String cmd = fusionEnabled && fusionCmd
+                    ? fusionCmd
+                    : "bash -o pipefail -c 'bash ${TaskRun.CMD_RUN} 2>&1 | tee ${TaskRun.CMD_LOG}'"
         // cpus and memory
         final slots = computeSlots(task, pool)
         // max wall time
-        final constraints = new BatchTaskConstraints()
-        if( task.config.getTime() )
-            constraints.setMaxWallClockTime( Duration.of(task.config.getTime().toMillis(), ChronoUnit.MILLIS) )
+        final constraints = taskConstraints(task)
 
         log.trace "[AZURE BATCH] Submitting task: $taskId, cpus=${task.config.getCpus()}, mem=${task.config.getMemory()?:'-'}, slots: $slots"
         return new BatchTaskCreateContent(taskId, cmd)
@@ -539,6 +553,27 @@ class AzBatchService implements Closeable {
                 .setOutputFiles(outputFileUrls(task, sas))
                 .setRequiredSlots(slots)
                 .setConstraints(constraints)
+                .setEnvironmentSettings(taskEnv(config.batch()))
+    }
+
+    protected List<EnvironmentSetting> taskEnv(AzBatchOpts opts) {
+        return opts.poolIdentityClientId
+            ? List.of(new EnvironmentSetting("FUSION_AZ_MSI_CLIENT_ID")
+                .setValue(opts.poolIdentityClientId))
+            : List.<EnvironmentSetting>of()
+    }
+
+    /**
+     * Create task constraints based on the task configuration
+     * 
+     * @param task The task run to create constraints for
+     * @return The BatchTaskConstraints object
+     */
+    protected BatchTaskConstraints taskConstraints(TaskRun task) {
+        final constraints = new BatchTaskConstraints()
+        if( task.config.getTime() )
+            constraints.setMaxWallClockTime( Duration.of(task.config.getTime().toMillis(), ChronoUnit.MILLIS) )
+        return constraints
     }
 
     AzTaskKey runTask(String poolId, String jobId, TaskRun task) {
@@ -599,6 +634,13 @@ class AzBatchService implements Closeable {
         List<OutputFile> result = new ArrayList<>(20)
         result << destFile(TaskRun.CMD_EXIT, task.workDir, sas)
         result << destFile(TaskRun.CMD_LOG, task.workDir, sas)
+        result << destFile(TaskRun.CMD_OUTFILE, task.workDir, sas)
+        result << destFile(TaskRun.CMD_ERRFILE, task.workDir, sas)
+        result << destFile(TaskRun.CMD_SCRIPT, task.workDir, sas)
+        result << destFile(TaskRun.CMD_RUN, task.workDir, sas)
+        result << destFile(TaskRun.CMD_STAGE, task.workDir, sas)
+        result << destFile(TaskRun.CMD_TRACE, task.workDir, sas)
+        result << destFile(TaskRun.CMD_ENV, task.workDir, sas)
         return result
     }
 

plugins/nf-azure/src/main/nextflow/cloud/azure/config/AzBatchOpts.groovy

@@ -56,6 +56,7 @@ class AzBatchOpts implements CloudTransferOptions {
     Boolean deleteTasksOnCompletion
     CopyToolInstallMode copyToolInstallMode
     Duration jobMaxWallClockTime
+    String poolIdentityClientId
 
     Map<String,AzPoolOpts> pools
 
@@ -73,6 +74,7 @@ class AzBatchOpts implements CloudTransferOptions {
         deletePoolsOnCompletion = config.deletePoolsOnCompletion
         deleteTasksOnCompletion = config.deleteTasksOnCompletion
         jobMaxWallClockTime = config.jobMaxWallClockTime ? config.jobMaxWallClockTime as Duration : Duration.of('30d')
+        poolIdentityClientId = config.poolIdentityClientId
         pools = parsePools(config.pools instanceof Map ? config.pools as Map<String,Map> : Collections.<String,Map>emptyMap())
         maxParallelTransfers = config.maxParallelTransfers ? config.maxParallelTransfers as int : MAX_TRANSFER
         maxTransferAttempts = config.maxTransferAttempts ? config.maxTransferAttempts as int : MAX_TRANSFER_ATTEMPTS

plugins/nf-azure/src/main/nextflow/cloud/azure/fusion/AzFusionEnv.groovy

@@ -36,28 +36,40 @@ import org.pf4j.Extension
 @Slf4j
 class AzFusionEnv implements FusionEnv {
 
+    /**
+     * Get the environment variables for Fusion with Azure, taking into 
+     * account a managed identity ID if provided
+     *
+     * @param scheme The storage scheme ('az' for Azure)
+     * @param config The Fusion configuration
+     * @param managedIdentityId Optional managed identity client ID from pool options
+     * @return Map of environment variables
+     */
     @Override
     Map<String, String> getEnvironment(String scheme, FusionConfig config) {
         if (scheme != 'az') {
             return Collections.<String, String> emptyMap()
         }
 
         final cfg = AzConfig.config
+        final managedIdentityId = cfg.batch().poolIdentityClientId
         final result = new LinkedHashMap(10)
 
         if (!cfg.storage().accountName) {
             throw new IllegalArgumentException("Missing Azure Storage account name")
         }
 
-        if (cfg.storage().accountKey && cfg.storage().sasToken) {
-            throw new IllegalArgumentException("Azure Storage Access key and SAS token detected. Only one is allowed")
-        }
-
         result.AZURE_STORAGE_ACCOUNT = cfg.storage().accountName
-        // In theory, generating an impromptu SAS token for authentication methods other than
-        // `azure.storage.sasToken` should not be necessary, because those methods should already allow sufficient
-        // access for normal operation. Nevertheless, #5287 heavily implies that failing to do so causes the Azure
-        // Storage plugin or Fusion to fail. In any case, it may be possible to remove this in the future.
+
+        // If pool has a managed identity, ONLY add the MSI client ID
+        // DO NOT add any SAS token or reference cfg.storage().sasToken
+        if (managedIdentityId) {
+            result.FUSION_AZ_MSI_CLIENT_ID = managedIdentityId
+            // No SAS token is added or generated
+            return result
+        }
+        
+        // If no managed identity, use the standard environment with SAS token
         result.AZURE_STORAGE_SAS_TOKEN = getOrCreateSasToken()
 
         return result
@@ -68,9 +80,13 @@ class AzFusionEnv implements FusionEnv {
      * authentication method.
      */
     synchronized String getOrCreateSasToken() {
-
         final cfg = AzConfig.config
 
+        // Check for incompatible configuration
+        if (cfg.storage().accountKey && cfg.storage().sasToken) {
+            throw new IllegalArgumentException("Azure Storage Access key and SAS token detected. Only one is allowed")
+        }
+
         // If a SAS token is already defined in the configuration, just return it
         if (cfg.storage().sasToken) {
             return cfg.storage().sasToken

plugins/nf-azure/src/test/nextflow/cloud/azure/batch/AzBatchServiceTest.groovy

@@ -6,17 +6,17 @@ import java.time.Instant
 import java.time.temporal.ChronoUnit
 import java.util.function.Predicate
 
-import com.azure.compute.batch.BatchClient
 import com.azure.compute.batch.models.BatchPool
-import com.azure.compute.batch.models.BatchJobCreateContent
 import com.azure.compute.batch.models.ElevationLevel
+import com.azure.compute.batch.models.EnvironmentSetting
 import com.azure.core.exception.HttpResponseException
 import com.azure.core.http.HttpResponse
 import com.azure.identity.ManagedIdentityCredential
 import com.google.common.hash.HashCode
 import nextflow.Global
 import nextflow.Session
 import nextflow.SysEnv
+import nextflow.cloud.azure.config.AzBatchOpts
 import nextflow.cloud.azure.config.AzConfig
 import nextflow.cloud.azure.config.AzManagedIdentityOpts
 import nextflow.cloud.azure.config.AzPoolOpts
@@ -31,8 +31,6 @@ import nextflow.util.MemoryUnit
 import reactor.core.publisher.Flux
 import spock.lang.Specification
 import spock.lang.Unroll
-import com.azure.compute.batch.models.BatchJobConstraints
-import com.azure.compute.batch.models.BatchPoolInfo
 /**
  *
  * @author Paolo Di Tommaso <paolo.ditommaso@gmail.com>
@@ -839,6 +837,32 @@ class AzBatchServiceTest extends Specification {
         [managedIdentity: [clientId: 'client-123']]     | 'client-123'
     }
 
+    def 'should use pool identity client id for fusion tasks' () {
+        given:
+        def POOL_IDENTITY_CLIENT_ID = 'pool-identity-123'
+        def exec = Mock(AzBatchExecutor) {
+            getConfig() >> new AzConfig([
+                batch: [poolIdentityClientId: POOL_IDENTITY_CLIENT_ID],
+                storage: [sasToken: 'test-sas-token', accountName: 'testaccount']
+            ])
+        }
+        def service = new AzBatchService(exec)
+        
+        and:
+        Global.session = Mock(Session) {
+            getConfig() >> [fusion: [enabled: true]]
+        }
+
+        when:
+        def env = [:] as Map<String,String>
+        if( service.config.batch().poolIdentityClientId && true ) { // fusionEnabled = true
+            env.put('FUSION_AZ_MSI_CLIENT_ID', service.config.batch().poolIdentityClientId)
+        }
+        
+        then:
+        env['FUSION_AZ_MSI_CLIENT_ID'] == POOL_IDENTITY_CLIENT_ID
+    }
+
 
     def 'should cache job id' () {
         given:
@@ -972,4 +996,55 @@ class AzBatchServiceTest extends Specification {
         null     | 0
     }
 
+    def 'should create task constraints' () {
+        given:
+        def exec = Mock(AzBatchExecutor)
+        def service = new AzBatchService(exec)
+        def task = Mock(TaskRun) {
+            getConfig() >> Mock(TaskConfig) {
+                getTime() >> TIME
+            }
+        }
+        
+        when:
+        def result = service.taskConstraints(task)
+        
+        then:
+        result != null
+        if (TIME) {
+            assert result.maxWallClockTime != null
+            assert result.maxWallClockTime.toMillis() == TIME.toMillis()
+        } else {
+            assert result.maxWallClockTime == null
+        }
+        
+        where:
+        TIME << [
+            null,
+            Duration.of('1h'),
+            Duration.of('30m'),
+            Duration.of('2d')
+        ]
+    }
+
+    @Unroll
+    def 'should create task env' () {
+        given:
+        def exec = Mock(AzBatchExecutor)
+        def service = new AzBatchService(exec)
+        List<EnvironmentSetting> env
+
+        when:
+        env = service.taskEnv(new AzBatchOpts([:]))
+        then:
+        env == []
+
+        when:
+        env = service.taskEnv(new AzBatchOpts([poolIdentityClientId:'12345']))
+        then:
+        env.size() == 1
+        env.first.name == 'FUSION_AZ_MSI_CLIENT_ID'
+        env.first.value == '12345'
+    }
+
 }

plugins/nf-azure/src/test/nextflow/cloud/azure/config/AzureConfigTest.groovy

@@ -83,6 +83,23 @@ class AzureConfigTest extends Specification {
         cfg.batch().autoPoolOpts().scaleInterval == Duration.of('5 min')
         cfg.batch().autoPoolOpts().autoScale == false
         !cfg.batch().canCreatePool()
+        cfg.batch().poolIdentityClientId == null
+    }
+
+    def 'should get azure batch pool identity client id' () {
+        given:
+        def POOL_IDENTITY_CLIENT_ID = 'pool-identity-123'
+        def session = Mock(Session) {
+            getConfig() >> [ azure:
+                                     [batch:[
+                                             poolIdentityClientId: POOL_IDENTITY_CLIENT_ID
+                                     ] ]]
+        }
+
+        when:
+        def cfg = AzConfig.getConfig(session)
+        then:
+        cfg.batch().poolIdentityClientId == POOL_IDENTITY_CLIENT_ID
     }
 
     def 'should get azure batch options' () {