Use a workload identity with an application on Azure Kubernetes Service (AKS)

Mr DevOps 🐳 ☸ ☁️ 🌐
7 min read · Mar 14, 2023

In this article:
  1. Create a resource group
  2. Install the aks-preview Azure CLI extension
  3. Register the ‘EnableWorkloadIdentityPreview’ feature flag
  4. Create AKS cluster
  5. Export environmental variables
  6. Create an Azure Key Vault and secret
  7. Create a managed identity and grant permissions to access the secret
  8. Establish federated identity credential
  9. Deploy the workload

Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this tutorial, you will:

  • Deploy an AKS cluster using the Azure CLI with OpenID Connect Issuer and managed identity.
  • Create an Azure Key Vault and secret.
  • Create an Azure Active Directory workload identity and Kubernetes service account.
  • Configure the managed identity for token federation.
  • Deploy the workload and verify authentication with the workload identity.

This tutorial assumes a basic understanding of Kubernetes concepts. For more information, see Kubernetes core concepts for Azure Kubernetes Service (AKS).

If you don’t have an Azure subscription, create an Azure free account before you begin.


AKS preview features are available on a self-service, opt-in basis. Previews are provided “as is” and “as available,” and they’re excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren’t meant for production use. For more information, see the following support articles:

  • AKS support policies
  • Azure support FAQ

  • This article requires version 2.40.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
  • You have installed the latest version of the aks-preview extension, version 0.5.102 or later.
  • The identity you are using to create your cluster has the appropriate minimum permissions. For more information on access and identity for AKS, see Access and