Apps on Azure Blog

Azure Red Hat OpenShift: Managed Identity and Workload Identity now generally available

MelanieKraintz007
Apr 06, 2026

Simplify credential management with least‑privilege, granular access for Azure Red Hat OpenShift workloads—now generally available.

Azure Red Hat OpenShift now supports managed identities and workload identities as a generally available capability, so you can run OpenShift clusters and applications on Azure without long-lived service principal credentials.

ARO, identity, and Azure governance

With GA support for managed identities and workload identities, Azure Red Hat OpenShift uses short‑lived credentials and least‑privilege access to help organizations strengthen their security posture. This approach reduces reliance on long‑lived credentials and overly broad permissions, supporting enterprise security requirements while improving how identity is managed for OpenShift workloads.

As an Azure-native service, Azure Red Hat OpenShift also integrates directly with Microsoft Entra workload identities and Azure RBAC, strengthening your overall security and identity management posture.

Platform identity: managed identities for ARO operators

At the platform layer, ARO now uses multiple user-assigned managed identities rather than a single service principal with broad rights. Each identity is mapped to a specific ARO component and associated with a dedicated built-in ARO role, so permissions are scoped according to least privilege principles and aligned with Azure RBAC best practices.

You can wire this model in several ways: create identities and role assignments up front and reference them during deployment, or use the Azure portal "all-in-one" experience to have identities and assignments created for you as part of cluster creation. Clusters can be deployed using the Azure portal or ARM/Bicep templates, and the native az aro commands (available in version 2.84.0 or higher of the Azure CLI) provide a similar end-to-end experience for CLI-driven environments.

For an architectural deep dive into operators, scopes, and role assignment patterns, see Understand managed identities in Azure Red Hat OpenShift.

Application access: workload identity for Azure services

For applications running on ARO, this capability provides workload identity—a way for pods to obtain short-lived tokens for an Azure managed identity without storing secrets in the cluster. Using Microsoft Entra workload identities and OIDC federation, you bind a user-assigned managed identity to a Kubernetes service account; workloads using that service account automatically receive tokens for the associated identity at runtime.

This enables very granular patterns: for example, granting a specific application read-only access to a single Key Vault, storage account, or Azure SQL database, without sharing credentials across namespaces or relying on a cluster-wide service principal. Enterprise teams can use this to connect AI and data workloads on ARO to services like Azure OpenAI, Azure SQL, or Azure Storage—giving each app just the access it needs for inference, data access, or logging while staying within standard Azure governance controls. The Learn guide, Deploy and configure an application using workload identity on an Azure Red Hat OpenShift managed identity cluster, walks through the workflow end-to-end.
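To make the service-account binding above concrete, here is an added example (not code from the post or from the ARO documentation) that simulates offline what a workload-identity pod receives and sends: a constructed, unsigned service-account token, a check that its issuer, subject and audience match what the federated credential was created with, and the client-assertion token request that takes the place of a client secret. It assumes the pod sees the standard Azure workload identity environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_AUTHORITY_HOST) as injected by the webhook on ARO, and the issuer URL and GUIDs are placeholders.

```python
import base64
import json
import tempfile
AUDIENCE = "api://AzureADTokenExchange"  # real audience Entra expects in the SA token
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # real OAuth2 value

def make_sample_sa_token(claims: dict) -> str:
    """Constructed, UNSIGNED stand-in for the projected service-account JWT. A real one
    is signed by the cluster and checked by Entra against the cluster's OIDC issuer."""
    parts = [json.dumps({"alg": "none", "typ": "JWT"}), json.dumps(claims)]
    return ".".join(base64.urlsafe_b64encode(p.encode()).rstrip(b"=").decode() for p in parts) + "."

def jwt_claims(token: str) -> dict:
    """Decode the payload only: inspection, not verification."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def federation_problems(token: str, issuer: str, namespace: str, sa: str) -> list:
    """Reasons Entra would refuse the exchange: issuer, subject and audience must match."""
    c = jwt_claims(token)
    aud = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud", "")]
    problems = []
    if c.get("iss") != issuer:
        problems.append(f"iss {c.get('iss')!r} != cluster OIDC issuer {issuer!r}")
    if c.get("sub") != f"system:serviceaccount:{namespace}:{sa}":
        problems.append(f"sub {c.get('sub')!r} is not the bound service account")
    if AUDIENCE not in aud:
        problems.append(f"aud {aud!r} lacks {AUDIENCE!r}")
    return problems

def build_token_request(env: dict, scope: str) -> tuple:
    """Client-credentials request the pod sends: the SA token is the assertion, no secret."""
    with open(env["AZURE_FEDERATED_TOKEN_FILE"]) as f:
        assertion = f.read().strip()
    url = f"{env['AZURE_AUTHORITY_HOST'].rstrip('/')}/{env['AZURE_TENANT_ID']}/oauth2/v2.0/token"
    return url, {"grant_type": "client_credentials", "scope": scope, "client_id": env["AZURE_CLIENT_ID"],
                 "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion}

def demo(namespace: str = "app", sa: str = "kv-reader") -> dict:
    issuer = "https://oidc-issuer.example.invalid/cluster"  # placeholder, not a real issuer
    token = make_sample_sa_token({"iss": issuer, "aud": [AUDIENCE],
                                  "sub": f"system:serviceaccount:{namespace}:{sa}"})
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(token)  # stands in for the token the webhook projects into the pod
    env = {"AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",  # placeholder ids
           "AZURE_TENANT_ID": "11111111-1111-1111-1111-111111111111",
           "AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com/",
           "AZURE_FEDERATED_TOKEN_FILE": f.name}
    url, body = build_token_request(env, "https://vault.azure.net/.default")
    return {"problems": federation_problems(token, issuer, namespace, sa), "url": url, "body": body}
```

A mismatch in any of the three claims (for example a service account in another namespace) is what `federation_problems` reports, which is the usual cause of a pod receiving a token yet failing the exchange.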

Existing preview clusters and how to start

If you deployed ARO clusters with managed identities during the preview, no changes are required: those clusters automatically transition to GA and are fully supported for production use, with no migration or redeployment needed. You can continue to upgrade them using the standard OpenShift mechanisms, following the managed identity update guidance in the documentation for upgrade steps.

Clusters built with the current service principal model continue to receive full support; however, there is not yet a migration path available to move from service principal to managed identity. To adopt managed identity, you deploy a new ARO cluster with managed identities enabled and migrate workloads to it.

To get started with new clusters, begin with Understand managed identities in Azure Red Hat OpenShift to review concepts and considerations, then create a cluster using the Azure portal, an ARM/Bicep template, or the ARO CLI. Joint Red Hat–Microsoft demos and videos provide an end-to-end view of the experience, from deploying a managed-identity-enabled cluster through configuring workload identity for applications consuming Azure services.


Updated Apr 03, 2026
Version 1.0