I'm trying to use a Service Principle to access a Batch pool from an Azure Function and running into authentication issues that I don't understand. The initial login with the Service Principle works fine, but then using the credentials to access the batch pool returns a 401.

Below is a condensed version of my code with comments at the key points

module.exports.dispatch = function (context) {

    MsRest.loginWithServicePrincipalSecret('AppId', 'Secret', 'TennantId', function(err, credentials){

        if (err) throw err;
        // This works as it prints the credentials
        context.log(credentials);

        var batch_client = new batch.ServiceClient(credentials, accountUrl);

        batch_client.pool.get('mycluster', function(error, result){

            if(error === null)
            {
                context.log('Accessed pool');
                context.log(result);
            }
            else
            {
                //Request to batch service returns a 401
                if(error.statusCode === 404)
                {
                    context.log('Pool not found yet returned 404...');

                }
                else
                {
                    context.log('Error occurred while retrieving pool data');
                    context.log(error);
                }

                //'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly.
                context.res = { body: error.body.message.value };
                context.done();
            }
        });
    });
};

How can the initial login with a service principle work no problem, but then the credentials it returns not be able to access the batch pool?

The actual error says to check the auth header on the request, which I can see and the Authorisation header isn't even present.

I've triple checked the Active Directory access control for the batch account the App ID and secret are the ones belonging to the owner of the batch account. Any ideas what to try next?

The credentials expected by the Azure Batch npm client aren't the Azure Active Directory credentials/token, but the keys for the batch account. You can list your keys using the Azure CLI with a command like the following:

az batch account keys list -g "<resource-group-name>" -n "<batch-account-name>"

sample here

Then you can create the credentials parameter with those keys:

var credentials = new batch.SharedKeyCredentials('your-account-name', 'your-account-key');

You could still involve a Service Principal here if you wanted to store your batch keys in something like Key Vault, but then your code would be:

1. Get Service Principal auth against key vault to fetch name and key
2. Use name and key to create credentials

You cannot use the same OAuth token returned from the Azure Resource Management endpoint with Batch. Assuming your service principal has the correct RBAC permissions, auth with the Azure Batch endpoint: https://batch.core.windows.net/ instead (assuming you are using Public Azure).

You do not need to get the shared key credentials for the Batch account, credentials via AAD should be used instead if you are using an AAD service principal.