Skip to content

[azidentity] Allow Identity Binding mode to be set via configuration options instead of env vars #25663

New issue
New issue
Open
#25664
Open
[azidentity] Allow Identity Binding mode to be set via configuration options instead of env vars#25663
#25664
Assignees
chlowell
Labels
Azure.IdentityClientThis issue points to a problem in the data-plane of the library.customer-reportedIssues that are reported by GitHub users external to the Azure organization.needs-team-attentionWorkflow: This issue needs attention from Azure service team or SDK teamquestionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that
@clnv

Description

@clnv
clnv
opened on Nov 24, 2025

Feature Request

Follow-up to: #25056

Background

Tody the identity binding mode in workload identity is controlled only via environment variables defined in:

azure-sdk-for-go/sdk/azidentity/internal/customtokenproxy/transport.go

Lines 20 to 26 in 4620071

const (
AzureKubernetesCAData = "AZURE_KUBERNETES_CA_DATA"
AzureKubernetesCAFile = "AZURE_KUBERNETES_CA_FILE"
AzureKubernetesSNIName = "AZURE_KUBERNETES_SNI_NAME"
AzureKubernetesTokenProxy = "AZURE_KUBERNETES_TOKEN_PROXY"
)

In addition, the Azure Federated Token for workload identity is currently only read from a file on disk:

azure-sdk-for-go/sdk/azidentity/workload_identity.go

Lines 70 to 72 in 4620071

// TokenFilePath is the path of a file containing a Kubernetes service account token. Defaults to the value of the
// environment variable AZURE_FEDERATED_TOKEN_FILE.
TokenFilePath string

This makes the behavior hard to configure from code and hard to integrate into libiraries that already have their own configuration and/or use non-file token sources.

Request

  1. Add a configuration option to set the identity binding proxy from code with explicit options taking precedence over env vars.
  2. Keep env-var behavior as the default when the option is not set.
  3. For workload identity, allow callers to provide a GetFederatedToken style override so that the token can come from non-file sources (e.g., token from request in csi scenario), while preserving the current file-based behavior as the default.

Metadata

Metadata

Assignees

Labels

Azure.IdentityClientThis issue points to a problem in the data-plane of the library.customer-reportedIssues that are reported by GitHub users external to the Azure organization.needs-team-attentionWorkflow: This issue needs attention from Azure service team or SDK teamquestionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Projects

Azure Identity SDK Improvements

Status

Untriaged

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions