ExAzureCore. Auth. TokenSource. WorkloadIdentity
(ex_azure_core v0.2.0)
Copy Markdown
Workload Identity token source for AKS (Azure Kubernetes Service).
Fetches tokens using the AKS Workload Identity flow, which reads a projected service account token from disk and exchanges it for an Azure AD access token.
How It Works
- Kubernetes projects a service account token to a file in the pod
- This source reads the JWT from that file
- Exchanges it with Azure AD using the OAuth2 federated credential flow
- Returns an Azure AD access token
Environment Variables
AKS automatically sets these environment variables when Workload Identity is enabled:
AZURE_FEDERATED_TOKEN_FILE- Path to the projected service account tokenAZURE_CLIENT_ID- Client ID of the Azure AD application or managed identityAZURE_TENANT_ID- Azure AD tenant IDAZURE_AUTHORITY_HOST- (optional) Authority host URL
Configuration
Configuration can be provided explicitly or read from environment variables:
:scope(required) - Token scope (e.g., "https://management.azure.com/.default"):tenant_id(optional) - Azure AD tenant ID (defaults to AZURE_TENANT_ID):client_id(optional) - Client ID (defaults to AZURE_CLIENT_ID):token_file_path(optional) - Token file path (defaults to AZURE_FEDERATED_TOKEN_FILE):cloud(optional) - Azure cloud::public,:government,:china,:germany
Examples
# Auto-detect from environment variables
config = %{scope: "https://management.azure.com/.default"}
# Explicit configuration
config = %{
scope: "https://vault.azure.net/.default",
tenant_id: "my-tenant-id",
client_id: "my-client-id",
token_file_path: "/var/run/secrets/azure/tokens/azure-identity-token"
}