I just spent 2 hours trying to figure out how to log in to the Azure CLI using workload identity, and I hope to document how to fix it very quickly.
The situation
You have an AKS cluster with workload identity set up, and while trying to log in to the Azure CLI with a federated identity, you get the following error:
kubectl exec -n $NAMESPACE $POD_NAME -- bash -c \
"az login \
--identity \
--allow-no-subscriptions \
--client-id \$AZURE_CLIENT_ID"
ERROR: Identity not found
Interactive authentication is needed. Please run:
az login
command terminated with exit code 1
The solution
To fix this, you need to log in with the federated token file that is automatically mounted into the pod for you.
kubectl exec -n $NAMESPACE $POD_NAME -- bash -c \
"az login \
--service-principal \
-u \$AZURE_CLIENT_ID \
-t \$AZURE_TENANT_ID \
--federated-token \$(cat /var/run/secrets/azure/tokens/azure-identity-token)"
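As an added example that is not part of the original post, the script below wraps the working login in a pre-flight check: it verifies the environment the workload identity webhook injects (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE), decodes the projected token's claims without verifying it, and prints the issuer and subject that the managed identity's federated credential must match before calling az login. The function and variable names are my own; the az flags are the ones from the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for the working
# `az login --federated-token` command, followed by the login itself.
set -euo pipefail

# The workload identity webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_FEDERATED_TOKEN_FILE; fall back to the path used in the post.
TOKEN_FILE="${AZURE_FEDERATED_TOKEN_FILE:-/var/run/secrets/azure/tokens/azure-identity-token}"

# Decode the payload (second segment) of a JWT WITHOUT verifying it; that is
# enough to read iss/sub/aud/exp locally. Entra ID does the real verification.
jwt_payload() {
  local p
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')              # base64url -> base64
  case $(( ${#p} % 4 )) in 2) p="${p}==" ;; 3) p="${p}=" ;; esac   # restore padding
  printf '%s' "$p" | base64 -d 2>/dev/null
}

# Pull one flat claim out of the payload JSON (first element if it is an array).
jwt_claim() {  # usage: jwt_claim <payload-json> <claim-name>
  printf '%s' "$1" | sed -n "s/.*\"$2\":\[\{0,1\}\"\{0,1\}\([^\",}]*\).*/\1/p"
}

# Return 0 when the pod has everything the federated login needs, else explain why.
check_workload_identity() {
  [ -n "${AZURE_CLIENT_ID:-}" ] || { echo "AZURE_CLIENT_ID is not set"; return 1; }
  [ -n "${AZURE_TENANT_ID:-}" ] || { echo "AZURE_TENANT_ID is not set"; return 1; }
  [ -s "$TOKEN_FILE" ] || { echo "no token at $TOKEN_FILE (webhook did not mutate this pod?)"; return 1; }
}

az_wi_login() {
  check_workload_identity
  local token payload exp
  token=$(cat "$TOKEN_FILE")
  payload=$(jwt_payload "$token")
  # The federated credential on the managed identity must match iss + sub
  # exactly; a mismatch here is the usual reason Entra ID rejects the token.
  echo "issuer : $(jwt_claim "$payload" iss)"
  echo "subject: $(jwt_claim "$payload" sub)"
  echo "aud    : $(jwt_claim "$payload" aud)   (expected api://AzureADTokenExchange)"
  exp=$(jwt_claim "$payload" exp)
  if [ "${exp:-0}" -lt "$(date +%s)" ]; then
    echo "warning: projected token is expired; kubelet should have rotated it"
  fi
  az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
    --federated-token "$token" --allow-no-subscriptions
}

# Only perform the login when explicitly asked, so the file can also be sourced.
case "${1:-}" in login) az_wi_login ;; esac
```

Run it inside the pod as `bash wi-login.sh login`; if the printed issuer and subject differ from what is configured on the identity's federated credential, that is where to look first.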