Feature request
Add support for Azure Workload Identity Federation (keyless, short-lived federated credentials over OIDC; the Azure analogue of AWS STS) for OpenShift/ARO clusters in ocpctl. Currently ocpctl authenticates to Azure with service principal credentials, i.e. a static client secret. Many enterprises require short-lived, keyless authentication through OIDC federation (as with AWS STS or GCP WIF), especially in least-privilege or cloud-native automation environments.
Current behavior
- Azure authentication for OpenShift/ARO clusters relies on a static service principal client secret.
- No automated workflow for Azure AD Workload Identity Federation (federated OIDC credentials).
Desired behavior
- Enable creating OpenShift/ARO clusters using Azure Workload Identity Federation (OIDC/federated credentials) instead of service principal client secrets.
- Support relevant install-config.yaml/cluster API fields for federated auth.
- Document the required Azure AD application setup, federated credential configuration, and cluster bootstrap flow.
- Provide parity with AWS (STS, IRSA) and planned GCP WIF.
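To make the requested flow concrete, the following is an added example (not ocpctl, OpenShift or Azure code) that models the token exchange behind Azure Workload Identity Federation offline: a federated identity credential with the same issuer/subject/audiences fields that `az ad app federated-credential create` accepts, the checks Azure applies before trusting an external token (signature, expiry, exact issuer/subject/audience match), and the client_credentials request a keyless workload sends, which carries a `client_assertion` and no `client_secret`. The tenant and client IDs, the issuer URL, the service-account subject and the HS256 signing key are constructed assumptions; real cluster issuers sign with RS256 and Azure verifies against the issuer's published JWKS.

```python
"""Offline model of the Azure Workload Identity Federation token exchange.

Added example; not ocpctl, OpenShift or Azure code.  A federated identity
credential on the Azure AD application binds an external OIDC issuer, subject
and audience to that application.  The workload presents a short-lived token
from the issuer as a client_assertion and receives an Azure access token, so
no client secret exists to store, leak or rotate.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # fixed audience Azure expects

# Constructed stand-ins (assumptions for this example only).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
ISSUER = "https://oidc.example.invalid/cluster-a"  # hypothetical cluster OIDC issuer
ISSUER_KEY = b"constructed-hs256-key"  # stand-in for the issuer's RS256 key

# Same fields as the JSON passed to `az ad app federated-credential create`.
FEDERATED_CREDENTIAL = {
    "name": "ocpctl-cluster-a",
    "issuer": ISSUER,
    "subject": "system:serviceaccount:ocpctl:installer",  # hypothetical service account
    "audiences": [TOKEN_EXCHANGE_AUDIENCE],
}


class FederationError(Exception):
    """Raised when an external token must not be exchanged for an Azure token."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_workload_token(subject: str, audience: str = TOKEN_EXCHANGE_AUDIENCE,
                        issuer: str = ISSUER, key: bytes = ISSUER_KEY,
                        now: Optional[int] = None, ttl: int = 3600) -> str:
    """Stand-in for the projected service-account token a cluster issues (HS256 here)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_federated_assertion(assertion: str, credentials: List[Dict],
                                 key: bytes = ISSUER_KEY, now: Optional[int] = None) -> str:
    """Model of Azure's checks: signature, expiry, then an exact issuer/subject/audience
    match against a configured federated credential.  Returns the matched credential name."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise FederationError("malformed JWT")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise FederationError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise FederationError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if int(claims.get("exp", 0)) <= now:
        raise FederationError("assertion expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    for cred in credentials:
        if (claims.get("iss") == cred["issuer"] and claims.get("sub") == cred["subject"]
                and any(a in cred["audiences"] for a in auds)):
            return cred["name"]
    raise FederationError("no federated credential matches iss/sub/aud")


def is_trusted(assertion: str, credentials: List[Dict], now: Optional[int] = None) -> bool:
    """Boolean wrapper around validate_federated_assertion."""
    try:
        validate_federated_assertion(assertion, credentials, now=now)
        return True
    except FederationError:
        return False


def build_token_request(assertion: str, tenant: str = TENANT_ID, client_id: str = CLIENT_ID,
                        scope: str = "https://management.azure.com/.default") -> Tuple[str, Dict]:
    """The request a keyless workload sends: a client_credentials grant whose
    client_assertion is the external token.  Note there is no client_secret field."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return url, form


if __name__ == "__main__":
    tok = mint_workload_token(FEDERATED_CREDENTIAL["subject"])
    print("matched:", validate_federated_assertion(tok, [FEDERATED_CREDENTIAL]))
    url, form = build_token_request(tok)
    print("POST", url)
    print(urlencode(form)[:120] + "...")
```

The subject match is exact, which is why each cluster (and each workload within it) needs its own federated credential entry; a wildcard subject would let any service account on the issuer assume the application.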
References
Impact
This enables more secure, keyless automation with no long-lived client secret to store, leak or rotate, and a consistent experience with AWS/GCP clusters.