
Support Azure Workload Identity out of the box #1801

@1oglop1


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I've followed the docs to set up workload identity on EKS to communicate with Azure, and it is working well. I see the following variables automatically propagated inside my pods on the EKS cluster:

AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=XXXXXXXX
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=XXXXX

But terraform/azuread is asking for different variables like ARM_USE_OIDC, ARM_CLIENT_ID, ARM_OIDC_TOKEN, etc. It would be great if terraform/azuread supported such a setup out of the box without additional configuration.

According to the docs, you only need to use the DefaultAzureCredential method and it will try all available options one by one, including workload identity.

New or Affected Resource(s)

  • azuread_XXXXX

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References
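As an added example (not code from the issue author or from the provider): a POSIX sh wrapper that maps the AZURE_* variables listed in the issue onto the ARM_* variables the provider reads, checks that the projected token file actually holds a JWT before exporting anything, and reads the token at invocation time rather than caching it. The function names, the constructed token file and the placeholder client/tenant IDs are this example's own; ARM_TENANT_ID is the provider's tenant variable, which the issue does not list explicitly.

```shell
#!/bin/sh
# Added example (not provider code): bridge the AZURE_* variables injected by the
# Azure Workload Identity webhook to the ARM_* variables terraform-provider-azuread
# reads. Function names and the fake token below are this example's own.

# looks_like_jwt PATH: true if PATH holds a non-empty value shaped like a JWT
# (three base64url segments joined by dots). Sanity check only; the signature is
# verified by Entra ID when the token is exchanged.
looks_like_jwt() {
  [ -s "$1" ] || return 1
  tr -d '\n' < "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# azure_wi_to_arm_env: export ARM_* from AZURE_*. Exports nothing and returns 1
# when an input is missing or malformed, so terraform fails fast instead of
# silently trying another auth method.
azure_wi_to_arm_env() {
  if [ -z "$AZURE_CLIENT_ID" ] || [ -z "$AZURE_TENANT_ID" ] || [ -z "$AZURE_FEDERATED_TOKEN_FILE" ]; then
    echo "azure_wi_to_arm_env: AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must all be set" >&2
    return 1
  fi
  if ! looks_like_jwt "$AZURE_FEDERATED_TOKEN_FILE"; then
    echo "azure_wi_to_arm_env: $AZURE_FEDERATED_TOKEN_FILE is missing, empty or not a JWT" >&2
    return 1
  fi
  # Read the token at call time: the kubelet rotates the projected token, so a
  # value captured once (in an image, a ConfigMap, a CI variable) goes stale and leaks.
  ARM_OIDC_TOKEN=$(tr -d '\n' < "$AZURE_FEDERATED_TOKEN_FILE") || return 1
  ARM_USE_OIDC=true
  ARM_CLIENT_ID=$AZURE_CLIENT_ID
  ARM_TENANT_ID=$AZURE_TENANT_ID
  export ARM_USE_OIDC ARM_CLIENT_ID ARM_TENANT_ID ARM_OIDC_TOKEN
}

# --- demo with a constructed token file; nothing below contacts Azure ---
b64url() { base64 | tr '+/' '-_' | tr -d '=\n'; }

# make_fake_token_file PATH: write a syntactically valid JWT with a dummy signature.
make_fake_token_file() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  pl=$(printf '%s' '{"iss":"https://oidc.eks.example","aud":"api://AzureADTokenExchange","sub":"system:serviceaccount:infra:terraform"}' | b64url)
  printf '%s.%s.%s\n' "$hdr" "$pl" "ZmFrZS1zaWduYXR1cmU" > "$1"
}

demo_dir=$(mktemp -d)
make_fake_token_file "$demo_dir/azure-identity-token"
AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000000    # constructed placeholder
AZURE_TENANT_ID=11111111-1111-1111-1111-111111111111    # constructed placeholder
AZURE_FEDERATED_TOKEN_FILE="$demo_dir/azure-identity-token"
export AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE

if azure_wi_to_arm_env; then
  # Never echo ARM_OIDC_TOKEN itself; it is a bearer credential until it expires.
  echo "ARM_USE_OIDC=$ARM_USE_OIDC ARM_CLIENT_ID=$ARM_CLIENT_ID ARM_TENANT_ID=$ARM_TENANT_ID token_length=${#ARM_OIDC_TOKEN}"
  # exec terraform plan   # would now authenticate with the ARM_* variables above
fi
rm -rf "$demo_dir"
```

In a pod, source the function definitions before running terraform (drop the demo section first). The token is a bearer credential for its short lifetime, so keep it out of logs and out of `ps`/`env` dumps; the provider also documents ARM_OIDC_TOKEN_FILE_PATH, and pointing that at $AZURE_FEDERATED_TOKEN_FILE avoids placing the token in the environment at all.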
