Azure Arc Blog

Workload Identity support for Azure Arc-enabled Kubernetes clusters now Generally Available!

Poornima99, Microsoft
Nov 18, 2025

Workload Identity support for Azure Arc-enabled Kubernetes is now generally available. This update allows applications on Arc-connected clusters running outside Azure to securely authenticate to Azure services using OpenID Connect (OIDC) federation, eliminating the need for manual secret management.

We’re excited to announce that Workload Identity support for Azure Arc-enabled Kubernetes is now Generally Available (GA)! This milestone brings a secure way for applications on Arc-connected clusters running outside of Azure to authenticate to Azure services without managing secrets. Traditionally, workloads outside Azure relied on static credentials or certificates to access Azure resources like Event Hubs, Azure Key Vault, and Azure Storage. Managing these secrets introduces operational overhead and security risks. With Microsoft Entra Workload ID federation, your Kubernetes workloads can now:

  • Authenticate securely using OpenID Connect (OIDC) without storing secrets.
  • Exchange trusted tokens for Azure access tokens to interact with services securely.

This means no more manual secret rotation and reduced attack surface, all while maintaining compliance and governance.

How It Works

The integration uses Service Account Token Volume Projection and aligns with Kubernetes best practices for identity federation. The process involves a few concise steps:

  • Enable the OIDC issuer and workload identity on your Arc-enabled cluster using Azure CLI:
    az connectedk8s connect --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --enable-oidc-issuer --enable-workload-identity
  • Configure a user-assigned managed identity in Azure to trust tokens from your Azure Arc-enabled Kubernetes cluster's OIDC issuer URL. This involves creating a federated identity credential that links the Azure identity with the Kubernetes service account.
  • Applications running in pods, using the annotated Kubernetes service account, can then request Azure tokens via Microsoft Entra ID and access resources they’re authorized for (e.g., Azure Storage, Azure Key Vault).

Under the hood, the pod receives a projected service account token: a short-lived JWT signed by the cluster and issued under the cluster's OIDC issuer URL. The workload presents that token to Microsoft Entra ID, which validates it against the federated identity credential (issuer, subject and audience must all match) and returns an Azure access token, so no long-lived secret is ever stored in the cluster. This relies on the Kubernetes-native Service Account Token Volume Projection and aligns with Kubernetes best practices for identity federation.
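An added end-to-end version of the three steps above, written for this page and not taken from the post or from Microsoft's guide. Every resource name is a hypothetical placeholder; the `oidcIssuerProfile.issuerUrl` query path and the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` variables injected by the workload-identity webhook are assumed to behave as they do for AKS workload identity. The helpers that build the federated-credential subject, check the issuer URL and render the manifests run offline; only `apply` talks to Azure.

```bash
#!/bin/sh
# Added example, not code from the blog post or from Microsoft. Cluster, identity,
# namespace, service-account and Key Vault names are hypothetical placeholders;
# the az / kubectl commands are standard Azure CLI and Kubernetes usage.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-edge-store-01}"          # hypothetical
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-arc-edge}"        # hypothetical
IDENTITY_NAME="${IDENTITY_NAME:-id-inventory-app}"     # hypothetical
NAMESPACE="${NAMESPACE:-inventory}"                    # hypothetical
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-inventory-sa}"     # hypothetical
# Placeholder resource ID of the one Key Vault the workload is allowed to read.
KEYVAULT_ID="${KEYVAULT_ID:-/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/rg-arc-edge/providers/Microsoft.KeyVault/vaults/<VAULT-NAME>}"

# Entra matches the projected token's "sub" claim byte-for-byte against the
# federated credential's subject, so derive it from one place only.
fic_subject() {
  printf 'system:serviceaccount:%s:%s' "$1" "$2"
}

# Entra only trusts an https issuer; a plain http URL, or an empty query result
# because the issuer was never enabled, stops the script before any trust is created.
validate_issuer() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Service account annotated with the managed identity's client ID, plus a pod that
# opts into the webhook and proves the token exchange from inside the cluster using
# nothing but the projected token (no secret, no certificate).
render_manifests() {
  client_id="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${NAMESPACE}
  annotations:
    azure.workload.identity/client-id: "${client_id}"
---
apiVersion: v1
kind: Pod
metadata:
  name: ${SERVICE_ACCOUNT}-smoke-test
  namespace: ${NAMESPACE}
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: ${SERVICE_ACCOUNT}
  restartPolicy: Never
  containers:
  - name: az
    image: mcr.microsoft.com/azure-cli
    command: ["/bin/sh", "-c"]
    args:
      - |
        az login --service-principal --username "\$AZURE_CLIENT_ID" \\
          --tenant "\$AZURE_TENANT_ID" \\
          --federated-token "\$(cat "\$AZURE_FEDERATED_TOKEN_FILE")" >/dev/null
        az account get-access-token --resource https://vault.azure.net --query expiresOn -o tsv
EOF
}

configure_federation() {
  # Step 1: issuer + webhook on the Arc cluster ("az connectedk8s update" takes the
  # same two flags on a cluster that is already connected).
  az connectedk8s connect --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" \
    --enable-oidc-issuer --enable-workload-identity
  issuer=$(az connectedk8s show --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" \
    --query oidcIssuerProfile.issuerUrl -o tsv)   # query path assumed from the Arc docs
  validate_issuer "$issuer"

  # Step 2: a user-assigned managed identity that trusts exactly one service account.
  az identity create --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" >/dev/null
  client_id=$(az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --query clientId -o tsv)
  principal_id=$(az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --query principalId -o tsv)
  az identity federated-credential create --name "fic-$NAMESPACE-$SERVICE_ACCOUNT" \
    --identity-name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" \
    --issuer "$issuer" --subject "$(fic_subject "$NAMESPACE" "$SERVICE_ACCOUNT")" \
    --audiences api://AzureADTokenExchange
  # Least privilege: a data-plane read role on one vault, nothing broader.
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$KEYVAULT_ID" >/dev/null

  # Step 3: the workload side.
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  render_manifests "$client_id" | kubectl apply -f -
}

# Nothing talks to Azure unless asked, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "apply" ]; then
  configure_federation
fi
```

Run it as `./federate.sh apply` after `az login` and with a kubectl context pointing at the Arc-enabled cluster; `kubectl logs inventory-sa-smoke-test -n inventory` should then print the expiry of a Key Vault access token obtained purely from the projected token. If the namespace, service account name or issuer in the federated credential differ by even one character from what the cluster puts in the token, Entra rejects the exchange with "No matching federated identity record found for presented assertion" (AADSTS70021), which is why the subject is built by one helper and the issuer is validated before the credential is created.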

Supported platforms

Along with support for AKS-Arc, we now support a broad ecosystem of CNCF-conformant distributions, including:

  • Red Hat OpenShift
  • Rancher K3s
  • VMware Tanzu Kubernetes Grid (TKGm)

So, whether you’re running clusters in retail stores, manufacturing plants, or remote edge sites, you can connect them to Azure Arc and enable secure identity federation for your workloads to access Azure services.

Ready to get started? Follow our step-by-step guide on Deploying and Configuring Workload Identity Federation in Azure Arc-enabled Kubernetes to secure your edge workloads today!

Updated Nov 18, 2025
Version 1.0