Feature: Support Azure Workload Identity Federation (STS/keyless) for OpenShift/ARO clusters #44

Description

@kaovilai

Feature request

Add support for Azure Workload Identity Federation (STS/keyless/federated credentials) for OpenShift/ARO clusters in ocpctl. Currently, the platform uses service principal credentials for Azure authentication. Many enterprises require short-lived, keyless auth using federation/OIDC (similar to AWS STS or GCP WIF), especially in least-privilege or cloud-native automation environments.

Current behavior

  • Azure authentication for OpenShift/ARO clusters relies on static client secret/service principal.
  • No automated workflow for Azure AD Workload Identity Federation/federated OIDC.

Desired behavior

  • Enable creating OpenShift/ARO clusters using Azure Workload Identity Federation (OIDC/federated credentials) instead of service principal client secrets.
  • Support relevant install-config.yaml/cluster API fields for federated auth.
  • Document the required Azure AD application setup, federated credential configuration, and cluster bootstrap flow.
  • Provide parity with AWS (STS, IRSA) and planned GCP WIF.

References

Impact

This enables more secure, keyless automation, easier credential rotation, and a consistent experience with AWS/GCP clusters.
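As an added illustration of the two credential flows the request contrasts (not code from the issue or from ocpctl): a static client-secret grant beside the federated grant, in which a projected OIDC token is presented as a `client_assertion`, plus a local pre-flight check that the token's `iss`/`sub`/`aud` match the federated credential registered on the Azure AD application. The issuer URL and service-account subject are constructed placeholders; `api://AzureADTokenExchange` is Azure's default token-exchange audience.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed federated identity credential, shaped like the one registered on the
# Azure AD app (issuer and subject are placeholders, not from a real tenant/cluster).
FEDERATED_CREDENTIAL = {
    "issuer": "https://oidc.example-aro.invalid",              # cluster OIDC issuer (assumed)
    "subject": "system:serviceaccount:openshift-example:example-sa",  # constructed
    "audiences": ["api://AzureADTokenExchange"],               # Azure WIF default audience
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it. Azure verifies the signature against
    the issuer's JWKS during the exchange; this is only a local claims pre-flight."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def matches_federated_credential(token: str, cred: dict) -> bool:
    """True only when iss and sub match exactly and an aud is in the allowed list.
    A mismatch is what Azure AD would reject, so it is caught before any network call."""
    c = jwt_claims(token)
    aud = c.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return (c.get("iss") == cred["issuer"] and c.get("sub") == cred["subject"]
            and any(a in cred["audiences"] for a in auds))

def secret_grant_body(client_id: str, client_secret: str, scope: str) -> str:
    """Current behaviour described in the issue: long-lived secret in the request."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})

def federated_grant_body(client_id: str, projected_token: str, scope: str) -> str:
    """Keyless flow: the short-lived projected OIDC token is the client assertion."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": projected_token, "scope": scope})

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the checks above can run offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Both bodies target the same `oauth2/v2.0/token` endpoint; only the federated one carries no reusable secret, which is what makes rotation a matter of re-projecting the token rather than re-issuing a credential.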
