Hi there,
First of all, thanks for the tool, the article and the approach. This allowed us to have a fancy setup where our Crossplane deployment on GKE was able to manage AWS resources without the hassle of static keys (since we already use WIM for GCP resources).
We are now in the position to replicate the same thing for accessing and managing Azure resources.
Since Azure provides the same OIDC-based workload identity federation, I was able to make it work basically without any change on the gtoken side. My only concern is that the code is AWS-centric, although the concept is generic enough.
With some adjustments we can make it generic to other workload identity management supported platforms.
I would rather submit a PR, if you want to go this route of making it more generic and also document the Azure part, rather than fork the project and change the Azure bits:

- Have the audience customizable, so it does not display as `defaultAud = "gtoken/sts/assume-role-with-web-identity"` when it's not about AWS.
- Have paths that reflect the provider rather than `/var/run/secrets/aws/token`.
- Have a different annotation for the service account rather than `amazonaws.com/role-arn`.

WDYT?
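As an added illustration of the generalization proposed above (this is example code, not gtoken's own code and not part of the issue), the following Go sketch keys the three values the post names (opt-in annotation, default audience, token directory) by provider and resolves them from a service account's annotations, refusing ambiguous or missing opt-ins. The AWS values are the ones quoted in the issue; the Azure annotation names (`azure.workload.identity/client-id`, `azure.workload.identity/tenant-id`), the Azure audience `api://AzureADTokenExchange` and the directory `/var/run/secrets/azure` are assumptions. The environment variable names are the ones the AWS and Azure SDKs read for web identity / workload identity credentials.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Provider names the cloud whose token-exchange endpoint will accept the GCP OIDC token.
type Provider string

const (
	ProviderAWS   Provider = "aws"
	ProviderAzure Provider = "azure"
)

// providerSpec groups the per-provider values the issue asks to make configurable:
// the opt-in service account annotation, the default OIDC audience and the token directory,
// plus the environment the provider's SDK needs to locate the token and the target identity.
type providerSpec struct {
	annotation string
	audience   string
	tokenDir   string
	env        func(annotations map[string]string, tokenPath string) map[string]string
}

var specs = map[Provider]providerSpec{
	ProviderAWS: {
		annotation: "amazonaws.com/role-arn",                    // as quoted in the issue
		audience:   "gtoken/sts/assume-role-with-web-identity", // as quoted in the issue
		tokenDir:   "/var/run/secrets/aws",                    // as quoted in the issue
		env: func(a map[string]string, tokenPath string) map[string]string {
			return map[string]string{
				"AWS_ROLE_ARN":                a["amazonaws.com/role-arn"],
				"AWS_WEB_IDENTITY_TOKEN_FILE": tokenPath,
			}
		},
	},
	ProviderAzure: {
		annotation: "azure.workload.identity/client-id", // assumed annotation name, not from the issue
		audience:   "api://AzureADTokenExchange",        // assumed default audience
		tokenDir:   "/var/run/secrets/azure",            // assumed directory
		env: func(a map[string]string, tokenPath string) map[string]string {
			e := map[string]string{
				"AZURE_CLIENT_ID":            a["azure.workload.identity/client-id"],
				"AZURE_FEDERATED_TOKEN_FILE": tokenPath,
			}
			// Tenant is optional here; the annotation name is assumed as well.
			if t := a["azure.workload.identity/tenant-id"]; t != "" {
				e["AZURE_TENANT_ID"] = t
			}
			return e
		},
	},
}

// Injection is what a provider-agnostic webhook would add to a pod.
type Injection struct {
	Provider  Provider
	Audience  string
	TokenPath string
	Env       map[string]string
}

var (
	ErrNoProvider = errors.New("no workload identity annotation on service account")
	ErrAmbiguous  = errors.New("service account carries annotations for more than one provider")
)

// Resolve picks the provider from the service account annotations and builds the injection.
// audienceOverride, when non-empty, replaces the provider's default audience (the
// "customizable audience" from the issue). Blank annotation values count as absent.
func Resolve(annotations map[string]string, audienceOverride string) (Injection, error) {
	var matched []Provider
	for p, s := range specs {
		if strings.TrimSpace(annotations[s.annotation]) != "" {
			matched = append(matched, p)
		}
	}
	if len(matched) == 0 {
		return Injection{}, ErrNoProvider
	}
	if len(matched) > 1 {
		// Two opt-ins on one service account is a misconfiguration; refuse rather than guess.
		sort.Slice(matched, func(i, j int) bool { return matched[i] < matched[j] })
		return Injection{}, fmt.Errorf("%w: %v", ErrAmbiguous, matched)
	}
	p, s := matched[0], specs[matched[0]]
	if p == ProviderAWS && !strings.HasPrefix(annotations[s.annotation], "arn:") {
		return Injection{}, fmt.Errorf("aws: %q is not an IAM role ARN", annotations[s.annotation])
	}
	aud := s.audience
	if audienceOverride != "" {
		aud = audienceOverride
	}
	tokenPath := path.Join(s.tokenDir, "token")
	return Injection{Provider: p, Audience: aud, TokenPath: tokenPath, Env: s.env(annotations, tokenPath)}, nil
}

func main() {
	// Constructed sample annotations; the identifiers are placeholders, not real accounts.
	samples := []map[string]string{
		{"amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/crossplane"},
		{"azure.workload.identity/client-id": "00000000-0000-0000-0000-000000000000",
			"azure.workload.identity/tenant-id": "11111111-1111-1111-1111-111111111111"},
		{"amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/x",
			"azure.workload.identity/client-id": "y"},
	}
	for _, a := range samples {
		inj, err := Resolve(a, "")
		fmt.Printf("%+v err=%v\n", inj, err)
	}
}
```

The provider table is the only place that knows about AWS or Azure; adding a third federation target means adding one entry rather than touching the resolver, which is the shape the post is asking for.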