Description
Hi Team!
We have started utilizing the Akeyless SDK in our .NET Core applications. We deploy these applications to a Kubernetes cluster (AKS) and use workload identities for pods, as suggested in the documentation. Our goal is to use this library to obtain Azure's CloudId token and authenticate with Akeyless. Unfortunately, the current implementation does not support this functionality for our usage.
During debugging, I noticed that the code linked above reads from the http://169.254.169.254/metadata/identity/oauth2/token endpoint provided by IMDS. The issue with this approach is that this endpoint is intended for virtual machines rather than pods. In this context, a virtual machine refers to an AKS node, which does not have a workload identity assigned - it only has its own agent pool identity and additional identities. Therefore, there is no way to obtain a token for the pod's workload identity using this endpoint. In a pod, the token for the managed identity (workload identity), which can be exchanged for CloudId, is stored in /var/run/secrets/azure/.... The correct method to obtain the token for a pod is to use the Azure Identity library, as described here. This approach can also be used in Azure Functions, which is another of our use cases.
While a workaround is to implement this part manually, it would be beneficial to integrate it into the SDK.
Additionally, another related issue is that the current implementation does not allow specifying the client_id parameter for the token endpoint. When more than one managed identity (and no system identity) is assigned to a VM, an HTTP call fails with the error "Multiple user assigned identities." (documentation).
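The manual workaround the report refers to, written out as an added C# example (this is not code from the Akeyless SDK or from the issue author). It uses the Azure.Identity library: in a pod carrying a workload identity it takes the federated token from the file under /var/run/secrets/azure and exchanges it with WorkloadIdentityCredential, so IMDS is never contacted; on a VM it falls back to ManagedIdentityCredential and passes an explicit client_id, which is what avoids the "Multiple user assigned identities" failure when several user-assigned identities are attached. The environment variable names are the ones the AKS workload identity webhook injects; the scope value and the AKEYLESS_AZURE_SCOPE variable are assumptions for illustration, and handing the resulting token to Akeyless is left to the SDK's own auth call.

```csharp
// Added example (not from the Akeyless SDK or the issue author).
// Assumes the Azure.Identity and Azure.Core NuGet packages.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class AzureWorkloadToken
{
    // Environment variables injected by the AKS workload identity webhook.
    // Their presence tells us we run as a pod with a workload identity
    // (the token file lives under /var/run/secrets/azure).
    const string FederatedTokenFileVar = "AZURE_FEDERATED_TOKEN_FILE";

    // Choose the credential that matches where the process runs.
    // `clientId` is only consulted on the managed-identity (VM / IMDS) path.
    public static TokenCredential SelectCredential(string? clientId = null)
    {
        var tokenFile = Environment.GetEnvironmentVariable(FederatedTokenFileVar);
        if (!string.IsNullOrEmpty(tokenFile) && File.Exists(tokenFile))
        {
            // Pod path: the library reads the federated token from the file and
            // exchanges it at Azure AD for an access token. IMDS is not involved.
            return new WorkloadIdentityCredential();
        }

        // VM / node path: IMDS. Supplying the client_id selects one identity, so
        // a VM with several user-assigned identities does not fail with
        // "Multiple user assigned identities".
        return clientId is null
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(clientId);
    }

    // Acquire an access token for `scope` with the selected credential.
    public static async Task<AccessToken> GetAccessTokenAsync(
        string scope, string? clientId = null, CancellationToken ct = default)
    {
        var credential = SelectCredential(clientId);
        var context = new TokenRequestContext(new[] { scope });
        return await credential.GetTokenAsync(context, ct);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Assumption for illustration: the audience Akeyless expects for the
        // Azure AD auth method is taken from an environment variable, with a
        // placeholder default. Replace with the value from the Akeyless docs.
        var scope = Environment.GetEnvironmentVariable("AKEYLESS_AZURE_SCOPE")
                    ?? "https://management.azure.com/.default";

        // Optional: client_id of the user-assigned identity to use on a VM
        // that carries more than one identity. Ignored on the pod path.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

        var token = await AzureWorkloadToken.GetAccessTokenAsync(scope, clientId);

        // Never log the token itself; the expiry is enough to confirm success.
        Console.WriteLine($"Got access token, expires {token.ExpiresOn:O}");

        // token.Token is what would be handed to the Akeyless auth call as the
        // Azure cloud identity; that step is left to the SDK.
    }
}
```

The selection is deliberately based on the presence of the federated token file rather than on DefaultAzureCredential's full probe chain: DefaultAzureCredential also works in both environments, but an explicit choice makes the failure mode obvious when the workload identity binding is missing (no file, so the code falls through to IMDS and the node identity, which is exactly the situation the report describes).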