Service Account Labels and Annotations

The following labels and annotations configure how the mutating webhook projects a Kubernetes service account token into a pod and how that token is later exchanged for an AAD access token. Labels and annotations on the service account apply to every pod that uses it; the pod-level annotations below apply to a single pod and, where the same annotation exists on both, the pod-level value takes precedence.

Service Account

Labels

Label: azure.workload.identity/use
  Description: Marks the service account as one to be used for workload identity. The webhook only injects the projected service account token volume into pods whose service account carries this label.
  Recommended value: true
  Required?: yes (without this label the pod is left untouched)

Annotations

Annotation: azure.workload.identity/client-id
  Description: The client ID of the AAD application (app registration) to be used with the pod. This is the application for which the projected service account token is exchanged.
  Default: none

Annotation: azure.workload.identity/tenant-id
  Description: The Azure tenant ID in which the AAD application is registered.
  Default: the AZURE_TENANT_ID value read from the azure-wi-webhook-config ConfigMap (the tenant the webhook was installed with)

Annotation: azure.workload.identity/service-account-token-expiration
  Description: Sets the expirationSeconds field of the projected service account token. It is optional; raise it to avoid downtime caused by errors during service account token refresh. The Kubernetes service account token expiry is not correlated with the AAD token: AAD tokens expire 24 hours after they are issued, regardless of this setting.
  Default: 3600 (acceptable range: 3600 - 86400)

Pod

Annotations

Annotation: azure.workload.identity/service-account-token-expiration
  Description: Sets the expirationSeconds field of the projected service account token for this pod, and takes precedence if the service account is also annotated. It is optional; raise it to avoid downtime caused by errors during service account token refresh. The Kubernetes service account token expiry is not correlated with the AAD token: AAD tokens expire 24 hours after they are issued, regardless of this setting.
  Default: 3600 (acceptable range: 3600 - 86400)

Annotation: azure.workload.identity/skip-containers
  Description: A semicolon-separated list of container names (e.g. container1;container2) that should not receive the projected service account token volume. By default, when the service account is labeled with azure.workload.identity/use: true, the volume is added to every container in the pod; listing a container here keeps the token out of that container (for example a sidecar that has no need to authenticate to Azure).
  Default: none (all containers receive the volume)
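The following manifest is an added example that ties the service account settings and the pod settings above together; it is not taken from the page or from the project's own samples. It shows a labeled and annotated service account, and a pod that overrides the token expiration and excludes a sidecar from token injection. The names, namespace, image references and the two GUIDs are placeholders, not real identities.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa            # placeholder name
  namespace: default
  labels:
    # Required: the webhook ignores pods whose service account lacks this label.
    azure.workload.identity/use: "true"
  annotations:
    # Client ID of the AAD app registration federated with this service account (placeholder GUID).
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
    # Optional; defaults to the tenant from the azure-wi-webhook-config ConfigMap (placeholder GUID).
    azure.workload.identity/tenant-id: "11111111-1111-1111-1111-111111111111"
    # Optional; projected service account token lifetime in seconds, within 3600-86400.
    azure.workload.identity/service-account-token-expiration: "7200"
---
apiVersion: v1
kind: Pod
metadata:
  name: workload-identity-demo          # placeholder name
  namespace: default
  annotations:
    # Pod-level value takes precedence over the service account's 7200 above.
    azure.workload.identity/service-account-token-expiration: "86400"
    # Semicolon-separated container names; these get no projected token volume.
    azure.workload.identity/skip-containers: "log-shipper"
spec:
  serviceAccountName: workload-identity-sa
  containers:
    - name: app                         # receives the projected service account token volume
      image: example.com/app:1.0        # placeholder image
    - name: log-shipper                 # listed in skip-containers, never sees the token
      image: example.com/log-shipper:1.0
```

Two practical points when writing these manifests: label and annotation values are strings in Kubernetes, so quote `"true"` and the numeric expiration values (an unquoted `true` or `7200` in YAML is a boolean or integer and the API server rejects the object); and keep the expiration inside the documented 3600 - 86400 range. Raising the projected token lifetime only changes how long the Kubernetes token stays valid for exchange; the AAD access token obtained with it still expires 24 hours after issuance, so the application must still refresh on that cadence.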