Skip to content

[Identity] Enable identity binding mode for WorkloadIdentityCredential in AKS #53436

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

[Identity] Enable identity binding mode for WorkloadIdentityCredential in AKS #53436

wants to merge 7 commits into from

Conversation

@JonathanCrd
Copy link
Member

@JonathanCrd JonathanCrd commented Oct 22, 2025
edited
Loading

Fixes https://github.com/Azure/azure-sdk-for-net-pr/issues/2050

This PR adds opt-in Kubernetes token proxy support to WorkloadIdentityCredential to work around Entra ID's limit on federated identity credentials (FICs) per managed identity. When enabled, the credential redirects all token requests to an AKS-provided proxy that handles the FIC exchange centrally.

Changes

New API

  • Added AzureKubernetesTokenProxy property to WorkloadIdentityCredentialOptions (opt-in, default: false)

Environment Variables

When AzureKubernetesTokenProxy = true, the credential reads:

Variable Description
AZURE_KUBERNETES_TOKEN_PROXY Base HTTPS URL for the proxy endpoint (required)
AZURE_KUBERNETES_CA_FILE Path to PEM bundle with proxy CA certificates
AZURE_KUBERNETES_CA_DATA PEM-encoded CA bundle (mutually exclusive with CA_FILE)
AZURE_KUBERNETES_SNI_NAME TLS Server Name Indication (optional)

Key Behaviors

  • Opt-in only: Disabled by default, requires explicit AzureKubernetesTokenProxy = true
  • Fail-fast validation: Invalid/incomplete configuration throws InvalidOperationException at construction
  • Certificate rotation: Automatically monitors CA_FILE for changes and updates TLS configuration
  • netstandard2.0 compatible: Custom PEM parsing and certificate validation for legacy framework support

Implementation

Uses DelegatingHandler to intercept HTTP requests and redirect them to the proxy endpoint while preserving paths and query parameters. Implements custom certificate handling for netstandard2.0 compatibility.

Testing

  • 10 unit tests (configuration validation, URL parsing, error handling)
  • ⚠️ 3 live tests (CA file/data, SNI scenarios - require AKS environment) STILL PENDING TO TEST AGAINST AKS
  • ✅ All frameworks: net8.0, net9.0, net462, netstandard2.0

Example

var credential = new WorkloadIdentityCredential(new WorkloadIdentityCredentialOptions
{
    AzureKubernetesTokenProxy = true  // Enable proxy mode
});

var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://management.azure.com/.default" }));

@JonathanCrd JonathanCrd changed the title Identity/wic-aks-fic-limit [Identity] Enable identity binding mode for WorkloadIdentityCredential in AKS Oct 22, 2025
@JonathanCrd JonathanCrd self-assigned this Oct 22, 2025
@JonathanCrd JonathanCrd moved this from Untriaged to In Progress in Azure Identity SDK Improvements Oct 22, 2025
@JonathanCrd JonathanCrd added this to the 2025-11 milestone Oct 22, 2025
@github-actions
Copy link

github-actions bot commented Oct 22, 2025
edited
Loading

API Change Check

APIView identified API level changes in this PR and created the following API reviews

Azure.Identity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christothes christothes Awaiting requested review from christothes christothes will be requested when the pull request is marked ready for review christothes is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 1 approving review is required to merge this pull request.

Assignees

@JonathanCrd JonathanCrd

Labels

Azure.Identity

Projects

Azure Identity SDK Improvements
Status: In Progress

Milestone

2025-11

Development

Successfully merging this pull request may close these issues.

1 participant

@JonathanCrd