• Azure CLI (≥2.32.0)
  • Helm 3
  • A Kubernetes cluster with version ≥ v1.20
    • Follow the cluster-specific setup guide below before deploying Azure AD Workload Identity:
Cluster typeStepsGuide
Managed cluster1. Enable any OIDC-specific feature flags
2. Extract the OIDC issuer URL
Self-managed cluster1. Generate service account key pair or bring your own keys
2. Setup the public OIDC issuer URL
3. Generate OIDC discovery and JWKS documents
4. Configure kube-apiserver and kube-controller-manager flags

Azure AD Workload Identity Components

Mutating Admission WebhookProjects a signed service account token to a well-known path (/var/run/secrets/azure/tokens/azure-identity-token) and inject authentication-related environment variables to your pods based on annotated service account.Link
Azure AD Workload Identity CLI (azwi)A utility CLI that helps manage Azure AD Workload Identity and automate error-prone operations.Link