ExAzureCore.Auth.TokenSource.WorkloadIdentity (ex_azure_core v0.3.0)

Copy Markdown

Workload Identity token source for AKS (Azure Kubernetes Service).

Fetches tokens using the AKS Workload Identity flow, which reads a projected service account token from disk and exchanges it for an Azure AD access token.

How It Works

  1. Kubernetes projects a service account token to a file in the pod
  2. This source reads the JWT from that file
  3. Exchanges it with Azure AD using the OAuth2 federated credential flow
  4. Returns an Azure AD access token

Environment Variables

AKS automatically sets these environment variables when Workload Identity is enabled:

  • AZURE_FEDERATED_TOKEN_FILE - Path to the projected service account token
  • AZURE_CLIENT_ID - Client ID of the Azure AD application or managed identity
  • AZURE_TENANT_ID - Azure AD tenant ID
  • AZURE_AUTHORITY_HOST - (optional) Authority host URL

Configuration

Configuration can be provided explicitly or read from environment variables:

  • :scope (required) - Token scope (e.g., "https://management.azure.com/.default")
  • :tenant_id (optional) - Azure AD tenant ID (defaults to AZURE_TENANT_ID)
  • :client_id (optional) - Client ID (defaults to AZURE_CLIENT_ID)
  • :token_file_path (optional) - Token file path (defaults to AZURE_FEDERATED_TOKEN_FILE)
  • :cloud (optional) - Azure cloud: :public, :government, :china, :germany

Examples

# Auto-detect from environment variables
config = %{scope: "https://management.azure.com/.default"}

# Explicit configuration
config = %{
  scope: "https://vault.azure.net/.default",
  tenant_id: "my-tenant-id",
  client_id: "my-client-id",
  token_file_path: "/var/run/secrets/azure/tokens/azure-identity-token"
}