Add Azure workload identity federation guide (#4751)

* Add Azure workload identity federation doc.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Shortcodes.

Signed-off-by: Alexander Trauzzi <[email protected]>

* De-localize Microsoft links.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Remove references to pod identities.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Add system and user managed identity comparison.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Add a second reference to the sample app.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Apply suggestions from code review

Co-authored-by: Mark Fussell <[email protected]>
Signed-off-by: Alexander Trauzzi <[email protected]>

* Portability note.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Relocate some content to main azure auth guide and reflow.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Make another mention of Dapr guides within the main doc.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Reflow authenticating azure some more.

Signed-off-by: Alexander Trauzzi <[email protected]>

* Reflow authenticating azure some more.

Signed-off-by: Alexander Trauzzi <[email protected]>

---------

Signed-off-by: Alexander Trauzzi <[email protected]>
Co-authored-by: Mark Fussell <[email protected]>

Author: atrauzzi

daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/authenticating-azure.md

@@ -9,38 +9,41 @@ aliases:
 weight: 10000
 ---
 
-Most Azure components for Dapr support authenticating with Microsoft Entra ID. Thanks to this:
-
-- Administrators can leverage all the benefits of fine-tuned permissions with Azure Role-Based Access Control (RBAC).
-- Applications running on Azure services such as Azure Container Apps, Azure Kubernetes Service, Azure VMs, or any other Azure platform services can leverage [Managed Identities (MI)](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) and [Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-overview). These offer the ability to authenticate your applications without having to manage sensitive credentials.
-
 ## About authentication with Microsoft Entra ID
 
-Microsoft Entra ID is Azure's identity and access management (IAM) solution, which is used to authenticate and authorize users and services.
+Microsoft Entra ID is Azure's identity and access management (IAM) solution, which is used to authenticate and authorize users and services. It's built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc.
 
-Microsoft Entra ID is built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc. 
+## Options to authenticate
 
-> In Azure terminology, an application is also called a "Service Principal".
+Applications can authenticate with Microsoft Entra ID and obtain an access token to make requests to Azure services through several methods:
 
-Some Azure components offer alternative authentication methods, such as systems based on "shared keys" or "access tokens". Although these are valid and supported by Dapr, you should authenticate your Dapr components using Microsoft Entra ID whenever possible to take advantage of many benefits, including:
+ - [Workload identity federation]({{< ref howto-wif.md >}}) - The recommended way to configure your Microsoft Entra ID tenant to trust an external identity provider.  This includes service accounts from Kubernetes or AKS clusters. [Learn more about workload identity federation](https://learn.microsoft.com/entra/workload-id/workload-identities-overview).
+ - [System and user assigned managed identities]({{< ref howto-mi.md >}}) - Less granular than workload identity federation, but retains some of the benefits.  [Learn more about system and user assigned managed identities](https://learn.microsoft.com/azure/aks/use-managed-identity).
+ - [Client ID and secret]({{ < ref howto-aad.md >}}) - Not recommended as it requires you to maintian and associate credentials at the application level.
+ - Pod Identities - [Deprecated approach for authenticating applications running on Kubernetes pods](https://learn.microsoft.com/azure/aks/use-azure-ad-pod-identity) at a pod level.  This should no longer be used.
 
-- [Managed Identities and Workload Identity](#managed-identities-and-workload-identity)
-- [Role-Based Access Control](#role-based-access-control)
-- [Auditing](#auditing)
-- [(Optional) Authentication using certificates](#optional-authentication-using-certificates)
+If you are just getting started, it is recommended to use workload identity federation.
+
+## Managed identities and workload identity federation
 
-### Managed Identities and Workload Identity
+When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level.
 
-With Managed Identities (MI), your application can authenticate with Microsoft Entra ID and obtain an access token to make requests to Azure services. When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level.
+This is done through [system or user assigned managed identities]({{< ref howto-mi.md >}}), or [workload identity federation]({{< ref howto-wif.md >}}).
 
-Once using MI, your code doesn't have to deal with credentials, which:
+Once using managed identities, your code doesn't have to deal with credentials, which:
 
 - Removes the challenge of managing credentials safely
 - Allows greater separation of concerns between development and operations teams
 - Reduces the number of people with access to credentials
 - Simplifies operational aspects–especially when multiple environments are used
 
-Applications running on Azure Kubernetes Service can similarly leverage [Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) to automatically provide an identity to individual pods.
+While some Dapr Azure components offer alternative authentication methods, such as systems based on "shared keys" or "access tokens", you should always try to authenticate your Dapr components using Microsoft Entra ID whenever possible. This offers many benefits, including:
+
+- [Role-Based Access Control](#role-based-access-control)
+- [Auditing](#auditing)
+- [(Optional) Authentication using certificates](#optional-authentication-using-certificates)
+
+It's recommended that applications running on Azure Kubernetes Service leverage [workload identity federation](https://learn.microsoft.com/entra/workload-id/workload-identity-federation) to automatically provide an identity to individual pods.
 
 ### Role-Based Access Control
 

daprdocs/content/en/developing-applications/integrations/Azure/azure-authentication/howto-wif.md

@@ -0,0 +1,111 @@
+---
+type: docs
+title: "How to: Use workload identity federation"
+linkTitle: "How to: Use workload identity federation"
+weight: 20000
+description: "Learn how to configure Dapr to use workload identity federation on Azure."
+---
+
+This guide will help you configure your Kubernetes cluster to run Dapr with Azure workload identity federation.
+
+## What is it?
+
+[Workload identity federation](https://learn.microsoft.com/entra/workload-id/workload-identities-overview) 
+is a way for your applications to authenticate to Azure without having to store or manage credentials as part of 
+your releases.
+
+By using workload identity federation, any Dapr components running on Kubernetes and AKS that target Azure can authenticate transparently
+with no extra configuration.
+
+## Guide 
+
+We'll show how to configure an Azure Key Vault resource against your AKS cluster. You can adapt this guide for different 
+Dapr Azure components by substituting component definitions as necessary.
+
+For this How To, we'll use this [Dapr AKS secrets sample app](https://github.com/dapr/samples/dapr-aks-workload-identity-federation).
+
+### Prerequisites
+
+ - AKS cluster with workload identity enabled
+ - Microsoft Entra ID tenant
+
+### 1 - Enable workload identity federation
+
+Follow [the Azure documentation for enabling workload identity federation on your AKS cluster](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#deploy-your-application4).
+
+The HowTo walks through configuring your Azure Entra ID tenant to trust an identity that originates from your AKS cluster issuer.
+It also guides you in setting up a [Kubernetes service account](https://kubernetes.io/docs/concepts/security/service-accounts/) which 
+is associated with an Azure managed identity you create.
+
+Once completed, return here to continue with step 2.
+
+### 2 - Add a secret to Azure Key Vault
+
+In the Azure Key Vault you created and add a secret called `dapr` with the value of `Hello Dapr!`.
+
+### 3 - Configure the Azure Key Vault dapr component
+
+By this point, you should have a Kubernetes service account with a name similar to `workload-identity-sa0a1b2c`.
+
+Apply the following to your Kubernetes cluster, remembering to update `your-key-vault` with the name of your key vault:
+
+```yaml
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: demo-secret-store # Be sure not to change this, as our app will be looking for it.
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: your-key-vault # Replace
+```
+
+You'll notice that we have not provided any details specific to authentication in the component definition.  This is intentional, as Dapr is able to leverage the Kubernetes service account to transparently authenticate to Azure.
+
+### 4 - Deploy the test application
+
+Go to the  [workload identity federation sample application](https://github.com/dapr/samples/dapr-aks-workload-identity-federation) and prepare a build of the image.
+
+Make sure the image is pushed up to a registry that your AKS cluster has visibility and permission to pull from.
+
+Next, create a deployment for our sample AKS secrets app container along with a Dapr sidecar.
+
+Remember to update `dapr-wif-k8s-service-account` with your service account name and `dapraksworkloadidentityfederation` with an image your cluster can resolve:
+
+
+```yaml
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: aks-dapr-wif-secrets
+  labels:
+    app: aks-dapr-wif-secrets
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: aks-dapr-wif-secrets
+  template:
+    metadata:
+      labels:
+        app: aks-dapr-wif-secrets
+        azure.workload.identity/use: "true" # Important
+      annotations:
+        dapr.io/enabled: "true" # Enable Dapr
+        dapr.io/app-id: "aks-dapr-wif-secrets"
+    spec:
+      serviceAccountName: dapr-wif-k8s-service-account # Remember to replace
+      containers:
+        - name: workload-id-demo
+          image: dapraksworkloadidentityfederation # Remember to replace
+          imagePullPolicy: Always
+```
+Once the application is up and running, it should output the following:
+
+```
+Fetched Secret: Hello dapr!
+```

daprdocs/content/en/reference/components-reference/supported-secret-stores/azure-keyvault.md

@@ -297,31 +297,14 @@ In Kubernetes, you store the client secret or the certificate into the Kubernete
     ```bash
     kubectl apply -f azurekeyvault.yaml
     ```
-1. Create and assign a managed identity at the pod-level via either:
-   - [Microsoft Entra ID workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview) (preferred method)
-   - [Microsoft Entra ID pod identity](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity#create-a-pod-identity)  
-
-
-   **Important**: While both Microsoft Entra ID pod identity and workload identity are in preview, currently Microsoft Entra ID Workload Identity is planned for general availability (stable state).
+1. Create and assign a managed identity at the pod-level via [Microsoft Entra ID workload identity](https://learn.microsoft.com/azure/aks/workload-identity-overview)
 
 1. After creating a workload identity, give it `read` permissions:
    - [On your desired KeyVault instance](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy?tabs=azure-cli#assign-the-access-policy)
-   - In your application deployment. Inject the pod identity both:
-     - Via a label annotation
-     - By specifying the Kubernetes service account associated with the desired workload identity 
-
-   ```yaml
-   apiVersion: v1
-   kind: Pod
-   metadata:
-     name: mydaprdemoapp
-     labels:
-       aadpodidbinding: $POD_IDENTITY_NAME
-   ```
 
 #### Using Azure managed identity directly vs. via Microsoft Entra ID workload identity
 
-When using **managed identity directly**, you can have multiple identities associated with an app, requiring `azureClientId` to specify which identity should be used. 
+When using **managed identity directly**, you can have multiple identities associated with an app, requiring `azureClientId` to specify which identity should be used.
 
 However, when using **managed identity via Microsoft Entra ID workload identity**, `azureClientId` is not necessary and has no effect. The Azure identity to be used is inferred from the service account tied to an Azure identity via the Azure federated identity.