How to enable Workload Identity in EA #838
Comments
Another question: we are using "tokenCredential = new ManagedIdentityCredential();" [Azure.Identity 1.5.0] in our code. By checking your example code, "DefaultAzureCredential" will use the environment variables injected by the Azure Workload Identity. I assume ManagedIdentityCredential will act the same as DefaultAzureCredential, so we don't need to change our code in this case? https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
@aramase Do you have any insight on how to bypass the limitation on East Asia? It is a blocker for us as well to migrate pod identity to workload identity.
@peqi-ms The minimum required SDK versions are documented here.
The only possible work-around is to use identity from a different region.
Closing this issue with #838 (comment) and #838 (comment). Feel free to reopen if you have any questions.
Hi @aramase, looks like this issue was closed without a solution to the initial question regarding the EastAsia region? This is a blocker for us moving off of AAD pod identity to Workload Identity. Is there a solution to this blocker that can be found somewhere? If not, what is the workaround for EastAsia?
@RichardChen820 Curious if you were able to find a workaround for this East Asia issue? Thanks.
Is your feature request related to a problem? Please describe.
Hi, we are hosting our services in AKS in multiple regions (e.g. eus, wus, scus, ea).
Currently, we are using aad-pod-identity to talk to Azure KeyVault and generate/inject tokencredential into our services on AKS clusters.
Aad-pod-identity will be deprecated, so we are onboarding to workload identity.
Our MSI (user-assigned managed identity), KV, and services are all allocated per region, and one of our regions is East Asia.
According to Doc here: "e2e-test-images/busybox", we can't generate a federated credential between "EastAsia AKS oidc issuer" and "EastAsia user-assigned-managed-identity". It looks like we can generate a federated credential using a dedicated identity generated in another region, but this is going to be a big change and not compliant. Is there a workaround for this?
Describe the solution you'd like
Describe alternatives you've considered
Additional context