Flexible subject declaration in federated identity credentials - Integration with AKS
Currently, federated identity credentials created as part of workload identity require a static declaration of the subject as <service-account-name, namespace-name>. Flexible FIC would allow prefix-pattern-based declaration, thus allowing scalable FIC declaration on the subject.
Tentative ETA for preview: CY2025H1
Hi,
GCP's implementation of workload identity supports CEL. Are there any plans to introduce this in Azure as well? Our use-case is an ephemeral environment, where we append a unique identifier for each PR.
We have an implementation today that uses the Graph API whenever a new deployment is detected, but this feels very hacky, rather than just specifying a prefix, similar to assertion.subject.startsWith('system:serviceaccount:my-namespace:my-service').
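To make the prefix idea from the comment above concrete, here is an added, constructed example (not Azure's or AKS's own code) that matches a projected service-account token's `sub` claim against either a static <namespace, service-account> declaration or a flexible namespace-plus-name-prefix rule; the rule type, field names and the sample subjects are assumptions.

```python
"""Subject matching for Kubernetes workload-identity federated credentials.

Constructed illustration, not Azure's implementation. AKS projected tokens
carry `sub` as `system:serviceaccount:<namespace>:<service-account-name>`;
a static FIC pins both fields, a flexible rule pins the namespace and
accepts a name prefix, so one rule can cover every per-PR service account.
"""
from dataclasses import dataclass
from typing import Optional

SUBJECT_PREFIX = "system:serviceaccount:"


def parse_subject(sub: str) -> Optional[tuple[str, str]]:
    """Split a subject into (namespace, service account).

    Anything that is not a well-formed service-account subject yields None,
    so malformed or non-Kubernetes subjects can never satisfy a rule.
    """
    if not sub.startswith(SUBJECT_PREFIX):
        return None
    parts = sub[len(SUBJECT_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


@dataclass(frozen=True)
class SubjectRule:
    namespace: str         # always compared exactly, never by prefix
    name: str              # exact name, or a name prefix when flexible=True
    flexible: bool = False

    def matches(self, sub: str) -> bool:
        parsed = parse_subject(sub)
        if parsed is None:
            return False
        ns, name = parsed
        if ns != self.namespace:
            return False
        # A name prefix like "my-service" also covers "my-service-other";
        # end the prefix in a delimiter (e.g. "my-service-pr-") to keep the
        # match limited to the ephemeral accounts you intend to admit.
        return name.startswith(self.name) if self.flexible else name == self.name


def allowed(rules: list[SubjectRule], sub: str) -> bool:
    """True if any configured rule admits the token subject."""
    return any(rule.matches(sub) for rule in rules)
```

Parsing the namespace out of the subject before comparing, rather than running `startsWith` over the raw string, is what keeps a flexible rule from spilling into another namespace whose name happens to share the prefix.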
Hi @shashankbarsin, we're actively using AKS and have partially migrated to Workload Identity following the deprecation of AAD Pod Identity. However, due to the current limitation of 20 federated identity credentials (FICs) per managed identity, we've been constrained in fully completing the migration.
We're excited about this new capability and would appreciate any guidance on the steps required to enable or adopt it. We're also very interested in participating as early adopters—please let us know how we can get involved.
Thank you!
Hey @shashankbarsin, can you acknowledge that user-assigned managed identity will be supported? We are thrilled to adopt it as soon as it becomes applicable.
Any news on when we might expect this? It would really help us out with our use case of many namespaces in a single cluster.
Hello, any news on this? It's already nearing CY2026; any update on the ETA?
Any news?
Is it covered by https://learn.microsoft.com/en-us/azure/aks/identity-bindings-concepts? If so, when will AKS with API server virtual network integration be supported?