{"id":"3ef081d2-3cca-42b0-ac08-1045f2629d66","task":"Configure Azure Workload Identity Federation (Microsoft Entra Workload ID) for Kubernetes pods to access Azure resources without client secrets","domain":"learn.microsoft.com","steps":["Enable the OIDC issuer on the AKS cluster (az aks update --enable-oidc-issuer) so the cluster publishes an OIDC discovery document; record the issuer URL from az aks show --query oidcIssuerProfile.issuerUrl -o tsv","Enable the Workload ID webhook add-on (--enable-workload-identity); this mutating webhook adds a projected service account token volume and the AZURE_* environment variables to pods that opt in","Create a user-assigned managed identity (or a Microsoft Entra app registration) and add a federated credential whose issuer is the cluster's OIDC issuer URL, whose subject is system:serviceaccount:<namespace>:<name>, and whose audience is api://AzureADTokenExchange","Create a Kubernetes ServiceAccount in the target namespace annotated with azure.workload.identity/client-id set to the client ID of the managed identity or app registration","Label the pod template (for a Deployment, the template metadata, not the Deployment's own metadata, because the webhook mutates pods) with azure.workload.identity/use: \"true\" and set serviceAccountName to the annotated ServiceAccount; the webhook then mounts the projected token at the path in AZURE_FEDERATED_TOKEN_FILE and sets AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_AUTHORITY_HOST","In the application, authenticate with the Azure SDK's DefaultAzureCredential (or WorkloadIdentityCredential directly), which reads those variables and exchanges the projected token for an Entra access token; no client secret or certificate is mounted into the pod"],"gotchas":["The federated credential subject must exactly match system:serviceaccount:<namespace>:<name> for the ServiceAccount the pod actually runs as; neither kubectl apply nor az validates this, so a mismatch surfaces only at runtime when the token exchange is rejected with an AADSTS error stating that no matching federated identity record was found for the presented assertion","The webhook requests the projected token with the audience api://AzureADTokenExchange, and the federated credential's audiences list must contain exactly that value or the exchange is rejected; if you override the audience on either side, confirm the expected value against the current AKS docs","Do not run the deprecated AAD Pod Identity (aad-pod-identity) and Workload ID side by side for the same workload; migrate each workload fully to Workload ID before removing the legacy solution"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:30.487Z"},"url":"https://mcp.waymark.network/r/3ef081d2-3cca-42b0-ac08-1045f2629d66"}
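The six steps above as one script, added here as an example and not taken from learn.microsoft.com or from Microsoft. Resource group, cluster, identity, namespace, ServiceAccount and container image names are placeholders chosen for the example. The pure helpers (subject builder, manifest renderers, subject preflight check) run offline; the az and kubectl calls run only when the script is invoked with the `apply` argument, and the in-pod smoke test uses the environment variables the webhook injects to perform the same token exchange the SDK would, via `az login --federated-token`.

```shell
#!/bin/sh
# Added example: Microsoft Entra Workload ID on AKS, end to end, with a preflight
# check for the federated-credential subject. All names below are placeholders.
set -eu

RG="${RG:-rg-demo}"
CLUSTER="${CLUSTER:-aks-demo}"
LOCATION="${LOCATION:-westeurope}"
IDENTITY="${IDENTITY:-id-workload-demo}"
NAMESPACE="${NAMESPACE:-payments}"
SA_NAME="${SA_NAME:-payments-sa}"
IMAGE="${IMAGE:-mcr.microsoft.com/azure-cli:latest}"   # placeholder workload image

# Audience the webhook requests for the projected token; the federated
# credential's audiences list must contain exactly this value.
WI_AUDIENCE="api://AzureADTokenExchange"

# Subject Entra ID compares against the token's "sub" claim: namespace, then name.
wi_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Preflight: does the subject a federated credential was created with match the
# ServiceAccount the pod will run as? Non-zero means the runtime exchange would fail.
check_subject() { [ "$1" = "$(wi_subject "$2" "$3")" ]; }

# ServiceAccount manifest; the client-id annotation is what the webhook reads.
render_service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: $3
EOF
}

# Deployment manifest; the opt-in label sits on the pod template because the
# webhook mutates pods, not Deployments.
render_deployment() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $2-app
  namespace: $1
spec:
  replicas: 1
  selector:
    matchLabels: { app: $2-app }
  template:
    metadata:
      labels:
        app: $2-app
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: $2
      containers:
        - name: app
          image: $3
EOF
}

# Run inside a labelled pod: exchange the projected token exactly as the SDK's
# WorkloadIdentityCredential does, using only the injected environment variables.
in_pod_smoke_test() {
  az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
    --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" >/dev/null
  az account get-access-token --resource https://management.azure.com/ --query expiresOn -o tsv
}

# Steps 1 to 5 against a real subscription; requires az and kubectl.
apply() {
  az aks update -g "$RG" -n "$CLUSTER" --enable-oidc-issuer --enable-workload-identity
  issuer="$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)"
  az identity create -g "$RG" -n "$IDENTITY" -l "$LOCATION"
  client_id="$(az identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)"
  subject="$(wi_subject "$NAMESPACE" "$SA_NAME")"
  check_subject "$subject" "$NAMESPACE" "$SA_NAME"
  az identity federated-credential create -g "$RG" --identity-name "$IDENTITY" \
    --name "$CLUSTER-$NAMESPACE-$SA_NAME" --issuer "$issuer" \
    --subject "$subject" --audiences "$WI_AUDIENCE"
  az aks get-credentials -g "$RG" -n "$CLUSTER"
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  render_service_account "$NAMESPACE" "$SA_NAME" "$client_id" | kubectl apply -f -
  render_deployment "$NAMESPACE" "$SA_NAME" "$IMAGE" | kubectl apply -f -
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Invoke with `sh setup.sh apply` to create everything; `kubectl exec` into the resulting pod and call `in_pod_smoke_test` to confirm the exchange before trusting the SDK path. The preflight in `apply` cannot catch a ServiceAccount that is later renamed or moved to another namespace, so re-run `check_subject` whenever the manifests change.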