Service Account Labels and Annotations

The following is a list of available labels and annotations that can be used to configure the behavior when exchanging the service account token for an AAD access token:

Pod

Labels

LabelDescriptionRecommended valueRequired?
azure.workload.identity/useThis label is required in the pod template spec. Only pods with this label will be mutated by the azure-workload-identity mutating admission webhook to inject the Azure specific environment variables and the projected service account token volume.true

Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

AnnotationDescriptionDefault
azure.workload.identity/service-account-token-expiration(Takes precedence if the service account is also annotated) Represents the expirationSeconds field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued.3600 (acceptable range: 3600 - 86400)
azure.workload.identity/skip-containersRepresents a semi-colon-separated list of containers (e.g. container1;container2) to skip adding projected service account token volume. By default, the projected service account token volume will be added to all containers.
azure.workload.identity/inject-proxy-sidecarInjects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an AAD token on behalf of the user with federated identity credential.true
azure.workload.identity/proxy-sidecar-portRepresents the port of the proxy sidecar.8000

Service Account

Annotations

All annotations are optional. If the annotation is not specified, the default value will be used.

AnnotationDescriptionDefault
azure.workload.identity/client-idRepresents the AAD application or user-assigned managed identity client ID to be used with the pod.
azure.workload.identity/tenant-idRepresents the Azure tenant ID where the AAD application or user-assigned managed identity is registered.AZURE_TENANT_ID environment variable extracted from azure-wi-webhook-config ConfigMap
azure.workload.identity/service-account-token-expirationRepresents the expirationSeconds field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued.3600 (acceptable range: 3600 - 86400)