Fixing AKS Workload Identity Login in Azure CLI

I just spent 2 hours trying to figure out how to log into Azure CLI using workload identity, and I hope to document how to fix it very quickly.

The situation

You have an AKS cluster with workload identity set up, and while trying to log into Azure CLI with a federated identity, you get the following error:

kubectl exec -n $NAMESPACE $POD_NAME -- bash -c \
  "az login \
     --identity \
     --allow-no-subscriptions \
     --client-id \$AZURE_CLIENT_ID"
ERROR: Identity not found
Interactive authentication is needed. Please run:
az login
command terminated with exit code 1

The solution

To fix this, you need to log in with the federated identity token file that's automatically mounted into the pod.

kubectl exec -n $NAMESPACE $POD_NAME -- bash -c \
  "az login \
     --service-principal \
     -u \$AZURE_CLIENT_ID \
     -t \$AZURE_TENANT_ID \
     --federated-token \$(cat /var/run/secrets/azure/tokens/azure-identity-token)"
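The following script is an added example and is not part of the original post. It wraps the login above in a few pre-flight checks you can run inside the pod before calling `az login`, so the failure reasons are printed instead of a generic "Identity not found". It assumes the azure-workload-identity webhook has injected `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` into the pod (the default file path is the one the post uses), and that the projected token carries the audience `api://AzureADTokenExchange` that the federated credential on the identity is configured with. The `sample_token` helper builds an unsigned, constructed token purely so the claim checks can be exercised offline; a real projected token is signed by the cluster's OIDC issuer.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for
# `az login --federated-token` inside an AKS workload-identity pod.
# Assumes the webhook injected AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_FEDERATED_TOKEN_FILE (default path below).

DEFAULT_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
# Audience the AKS OIDC issuer puts in the projected token; the federated
# credential on the identity must list the same value or the exchange fails.
EXPECTED_AUD="api://AzureADTokenExchange"

# Print the decoded JSON payload (second segment) of the JWT given as $1.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
    case $(( ${#seg} % 4 )) in                              # restore stripped padding
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Return 0 if the token's "aud" claim contains EXPECTED_AUD, 1 otherwise.
jwt_has_expected_aud() {
    case "$(jwt_payload "$1")" in
        *"\"$EXPECTED_AUD\""*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the "exp" claim (seconds since epoch) of the JWT given as $1.
jwt_exp() {
    jwt_payload "$1" | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p'
}

# Return 0 when the pod looks ready for a federated login, 1 otherwise,
# printing one reason per failed check so `kubectl exec` output explains itself.
wi_check() {
    rc=0
    token_file="${AZURE_FEDERATED_TOKEN_FILE:-$DEFAULT_TOKEN_FILE}"
    [ -n "${AZURE_CLIENT_ID:-}" ] || { echo "AZURE_CLIENT_ID is not set" >&2; rc=1; }
    [ -n "${AZURE_TENANT_ID:-}" ] || { echo "AZURE_TENANT_ID is not set" >&2; rc=1; }
    if [ ! -s "$token_file" ]; then
        echo "token file $token_file missing or empty (pod label azure.workload.identity/use=true set?)" >&2
        rc=1
    else
        token=$(cat "$token_file")
        jwt_has_expected_aud "$token" || { echo "token audience is not $EXPECTED_AUD" >&2; rc=1; }
        exp=$(jwt_exp "$token")
        now=$(date +%s)
        [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token is expired or has no exp claim" >&2; rc=1; }
    fi
    return $rc
}

# The login from the post, reading the token file at call time so a rotated token is used.
wi_login() {
    token_file="${AZURE_FEDERATED_TOKEN_FILE:-$DEFAULT_TOKEN_FILE}"
    az login --service-principal \
        -u "$AZURE_CLIENT_ID" \
        -t "$AZURE_TENANT_ID" \
        --federated-token "$(cat "$token_file")" \
        --allow-no-subscriptions
}

# Constructed, unsigned sample token ("c2ln" is a dummy signature) so the claim
# checks above can be tried offline. $1 = audience, $2 = exp (epoch seconds).
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
    hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
    payload=$(printf '%s' "{\"aud\":[\"$1\"],\"exp\":$2,\"sub\":\"system:serviceaccount:demo:workload-sa\"}" | b64url)
    printf '%s.%s.c2ln' "$hdr" "$payload"
}

# Usage inside the pod: . ./wi.sh && wi_check && wi_login
```

Run it as `kubectl exec -n $NAMESPACE $POD_NAME -- sh -c '. ./wi.sh && wi_check && wi_login'`. The reason `--identity` fails in the first command is that it asks the node's IMDS endpoint for a managed identity, which a workload-identity pod does not have; the projected service-account token exchanged via `--federated-token` is the only credential the pod is meant to hold, and it is short-lived and rotated by the kubelet, which is why `wi_login` reads the file at call time rather than caching its contents.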
