comments added

Author: Vivek Reddy

pkg/splunk/client/azureblobclient.go

@@ -178,6 +178,23 @@ func NewAzureBlobClient(
 		scopedLog.Info("Using Azure AD authentication")
 
 		// Create a Token Credential using DefaultAzureCredential.
+		// The Azure SDK uses environment variables to configure authentication when using DefaultAzureCredential. 
+		// For Workload Identity, by adding annotations to the pod's service account: 
+		// azure.workload.identity/client-id: <CLIENT_ID>
+		// the following environment variables are typically used: 
+		// AZURE_AUTHORITY_HOST: The Azure Active Directory endpoint (default is https://login.microsoftonline.com/).
+		// AZURE_CLIENT_ID: The client ID of the Azure AD application linked to the pod's service account.
+		// AZURE_TENANT_ID: The tenant ID of the Azure Active Directory where the Azure AD application resides.
+		// AZURE_FEDERATED_TOKEN_FILE: The path to the file containing the token issued by Kubernetes, usually mounted as a volume.
+		// when using Azure AD Pod Identity (deprecated), the following environment variables are typically used:	
+		// AZURE_POD_IDENTITY_AUTHORITY_HOST: The Azure Active Directory endpoint (default is https://login.microsoftonline.com/).
+		// AZURE_POD_IDENTITY_CLIENT_ID: The client ID of the Azure AD application linked to the pod's service account.
+		// AZURE_POD_IDENTITY_TENANT_ID: The tenant ID of the Azure Active Directory where the Azure AD application resides.
+		// AZURE_POD_IDENTITY_TOKEN_FILE: The path to the file containing the token issued by Kubernetes, usually mounted as a volume.
+		// AZURE_POD_IDENTITY_RESOURCE_ID: The resource ID of the Azure resource to access.
+		// AZURE_POD_IDENTITY_USE_MSI: Set to "true" to use Managed Service Identity (MSI) for authentication.
+		// AZURE_POD_IDENTITY_USER_ASSIGNED_ID
+
 		tokenCredential, err := azidentity.NewDefaultAzureCredential(nil)
 		if err != nil {
 			scopedLog.Error(err, "Failed to create DefaultAzureCredential")

pkg/splunk/client/gcpbucketclient.go

@@ -116,6 +116,18 @@ func InitGCSClient(ctx context.Context, gcpCredentials string) (GCSClientInterfa
 	var err error
 
 	if len(gcpCredentials) == 0 {
+		// The storage.NewClient(ctx) internally uses Application Default Credentials (ADC) to authenticate, 
+		// and ADC works with Workload Identity when the required environment variables and setup are correctly configured.
+		// If the environment variables are not set, the client will use the default service account credentials.
+		// To use Google Workload Identity with storage.NewClient(ctx), ensure the following environment variables are properly set in your pod:
+		// 	GOOGLE_APPLICATION_CREDENTIALS (Optional):
+		// 		If you're not using the default workload identity path (/var/run/secrets/google.cloud/com.google.cloudsecrets/metadata/token), 
+		//		you can set GOOGLE_APPLICATION_CREDENTIALS to point to the federated token file manually.
+		// 		Otherwise, this can be left unset when Workload Identity is configured correctly.
+		// 	GOOGLE_CLOUD_PROJECT (Optional):
+		// 		Set this to your Google Cloud project ID if the SDK is not detecting it automatically.
+		// Additional Kubernetes Setup for Workload Identity:
+		// The Workload Identity configuration on your cluster ensures that the necessary tokens are automatically mounted for the pod and available without needing GOOGLE_APPLICATION_CREDENTIALS.
 		client, err = storage.NewClient(ctx)
 	} else {
 		client, err = storage.NewClient(ctx, option.WithCredentialsJSON([]byte(gcpCredentials)))