Workload Identity

This login mode uses Azure AD federated identity credentials to authenticate to Kubernetes clusters with Azure AD integration. This works by setting the environment variables:

  • AZURE_CLIENT_ID is Azure Active Directory application ID that is federated with workload identity
  • AZURE_TENANT_ID is Azure Active Directory tenant ID
  • AZURE_FEDERATED_TOKEN_FILE is the file containing signed assertion of workload identity. E.g. Kubernetes projected service account (jwt) token
  • AZURE_AUTHORITY_HOST is the base URL of an Azure Active Directory authority. E.g.

With workload identity, it’s possible to access Kubernetes clusters from CI/CD system such as Github, ArgoCD, etc. without storing Service Principal credentials in those external systems. To learn more, here is a sample to setup OIDC federation from Github.

In this login mode, token will not be cached on the filesystem.

Usage Examples

export KUBECONFIG=/path/to/kubeconfig

kubelogin convert-kubeconfig -l workloadidentity

kubectl get nodes