Enable OIDC issuer on the AKS cluster (--enable-oidc-issuer) to expose a cluster-specific OIDC discovery URL; note the issuer URL from az aks show
Enable the Azure Workload Identity webhook add-on (--enable-workload-identity) on the cluster, which mutates pods to inject the projected service account token
Create an Azure AD application (or managed identity) and add a federated credential, setting the issuer to the AKS OIDC URL, subject to system:serviceaccount:<namespace>:<name>
Create a Kubernetes ServiceAccount in the target namespace annotated with azure.workload.identity/client-id pointing to the Azure AD application or managed identity client ID
Label the pod or deployment with azure.workload.identity/use: 'true' and reference the annotated ServiceAccount; the webhook injects the projected token and environment variables
In the application, use the Azure SDK with DefaultAzureCredential, which automatically picks up the injected token for authentication — no secrets are mounted
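The six steps above, carried through as one POSIX shell script. This is an added example, not code from the original page or from Azure; the resource group, cluster, identity, namespace, service account and container image names are assumptions, and the audience value is the documented default that the page tells you to confirm against current AKS docs. The manifest-generating functions run offline; nothing touches Azure or the cluster unless the script is invoked with `--apply`.

```shell
#!/bin/sh
# Added example (not from the original page): AKS Workload Identity setup end to end.
# All resource names below are assumptions; override them via the environment.
set -eu

RG="${RG:-rg-demo}"                  # assumed resource group
CLUSTER="${CLUSTER:-aks-demo}"       # assumed AKS cluster name
LOCATION="${LOCATION:-eastus}"
IDENTITY="${IDENTITY:-uami-app}"     # assumed user-assigned managed identity
NAMESPACE="${NAMESPACE:-app-ns}"
SA_NAME="${SA_NAME:-app-sa}"
AUDIENCE="api://AzureADTokenExchange"  # documented default; confirm in current AKS docs

# Federated credential subject: must match the ServiceAccount exactly (see gotchas).
wi_subject() { printf 'system:serviceaccount:%s:%s\n' "$1" "$2"; }

# ServiceAccount manifest; the annotation carries the identity's client ID.
# $1 = namespace, $2 = service account name, $3 = client ID
wi_sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$3"
EOF
}

# Pod manifest; the label opts the pod into the mutating webhook, which injects the
# projected token plus AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE
# so DefaultAzureCredential in the container needs no mounted secret.
# $1 = namespace, $2 = service account name
wi_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: $1
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: mcr.microsoft.com/azure-cli   # assumed image; any Azure SDK app works
      command: ["sleep", "infinity"]
EOF
}

wi_apply() {
  # Steps 1-2: OIDC issuer and the workload identity webhook add-on on the cluster
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
  ISSUER=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)

  # Step 3: managed identity plus a federated credential bound to the SA subject
  az identity create -g "$RG" -n "$IDENTITY" -l "$LOCATION"
  CLIENT_ID=$(az identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)
  az identity federated-credential create --name "fc-$SA_NAME" --identity-name "$IDENTITY" \
    -g "$RG" --issuer "$ISSUER" --subject "$(wi_subject "$NAMESPACE" "$SA_NAME")" \
    --audiences "$AUDIENCE"

  # Steps 4-5: annotated ServiceAccount and labelled pod
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  wi_sa_manifest "$NAMESPACE" "$SA_NAME" "$CLIENT_ID" | kubectl apply -f -
  wi_pod_manifest "$NAMESPACE" "$SA_NAME" | kubectl apply -f -

  # Step 6 sanity check: the injected variables should be visible inside the pod
  kubectl exec -n "$NAMESPACE" app -- sh -c 'env | grep ^AZURE_'
}

if [ "${1:-}" = "--apply" ]; then
  wi_apply
fi
```

Run it once without arguments to inspect the generated manifests (`. ./wi.sh; wi_sa_manifest app-ns app-sa <client-id>`), then with `--apply` against a cluster you own. Keeping manifest generation separate from the `az`/`kubectl` calls makes the subject string and the annotation/label values reviewable before anything is created.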
Known gotchas
The federated credential subject must exactly match the Kubernetes ServiceAccount namespace and name pattern; a mismatch causes token exchange to fail silently at runtime
The projected service account token has a fixed audience; ensure the federated identity credential audience matches what the Kubernetes API server sets (consult the current AKS docs for the expected value)
Workload Identity Federation does not work with pod identity solutions like AAD Pod Identity simultaneously; migrate fully to Workload Identity before disabling legacy solutions
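A pre-flight script for the three gotchas above. This is an added example, not part of the original page; the check functions take their inputs as arguments so they run offline, and the live wrapper that fetches those inputs with `az` and `kubectl` only runs with `--live`. The resource group, identity, credential and service account names are assumptions, the audience is the documented default the page tells you to confirm, and the AAD Pod Identity check looks for that project's `aadpodidentity.k8s.io` CRD group.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the Workload Identity gotchas.
set -eu

EXPECTED_AUDIENCE="api://AzureADTokenExchange"  # documented default; confirm in current AKS docs

# Gotcha 1: subject must be exactly system:serviceaccount:<namespace>:<name>.
# $1 = namespace, $2 = SA name, $3 = subject read from the federated credential.
# Returns 0 on an exact match, 1 otherwise (the mismatch is otherwise silent at runtime).
wi_check_subject() {
  expected="system:serviceaccount:$1:$2"
  if [ "$3" = "$expected" ]; then
    return 0
  fi
  echo "subject mismatch: credential has '$3', ServiceAccount needs '$expected'" >&2
  return 1
}

# Gotcha 2: the credential's audience list must contain the audience the projected
# token is issued with. $1 = expected audience, $2 = space-separated list from az.
wi_check_audience() {
  for aud in $2; do
    [ "$aud" = "$1" ] && return 0
  done
  echo "audience '$1' not in federated credential audiences: $2" >&2
  return 1
}

# Gotcha 3: legacy AAD Pod Identity CRDs still installed means both systems coexist.
# $1 = output of "kubectl get crd -o name"; returns 1 if the legacy CRD group is present.
wi_check_no_pod_identity() {
  if printf '%s\n' "$1" | grep -q 'aadpodidentity.k8s.io'; then
    echo "AAD Pod Identity CRDs present; finish migrating before relying on Workload Identity" >&2
    return 1
  fi
  return 0
}

# Live wrapper: $1 = resource group, $2 = identity, $3 = credential name, $4 = ns, $5 = SA.
wi_live_check() {
  subject=$(az identity federated-credential show -g "$1" --identity-name "$2" \
            --name "$3" --query subject -o tsv)
  audiences=$(az identity federated-credential show -g "$1" --identity-name "$2" \
            --name "$3" --query audiences -o tsv | tr '\n' ' ')
  crds=$(kubectl get crd -o name)
  wi_check_subject "$4" "$5" "$subject"
  wi_check_audience "$EXPECTED_AUDIENCE" "$audiences"
  wi_check_no_pod_identity "$crds"
  echo "all workload identity checks passed"
}

if [ "${1:-}" = "--live" ]; then
  # assumed names; replace with your own
  wi_live_check rg-demo uami-app fc-app-sa app-ns app-sa
fi
```

Because each check is a plain function with an exit status, the same script can gate a CI pipeline: a non-zero exit from `wi_live_check` blocks the rollout instead of leaving the pod to fail its token exchange later.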