[azidentity] Allow Identity Binding mode to be set via configuration options instead of env vars #25663

Description

@clnv

Feature Request

Follow-up to: #25056

Background

Today the identity binding mode in workload identity is controlled only via environment variables defined in:

const (
AzureKubernetesCAData = "AZURE_KUBERNETES_CA_DATA"
AzureKubernetesCAFile = "AZURE_KUBERNETES_CA_FILE"
AzureKubernetesSNIName = "AZURE_KUBERNETES_SNI_NAME"
AzureKubernetesTokenProxy = "AZURE_KUBERNETES_TOKEN_PROXY"
)

In addition, the Azure Federated Token for workload identity is currently only read from a file on disk:

// TokenFilePath is the path of a file containing a Kubernetes service account token. Defaults to the value of the
// environment variable AZURE_FEDERATED_TOKEN_FILE.
TokenFilePath string

This makes the behavior hard to configure from code and hard to integrate into libraries that already have their own configuration and/or use non-file token sources.

Request

  1. Add a configuration option to set the identity binding proxy from code with explicit options taking precedence over env vars.
  2. Keep env-var behavior as the default when the option is not set.
  3. For workload identity, allow callers to provide a GetFederatedToken style override so that the token can come from non-file sources (e.g., token from request in csi scenario), while preserving the current file-based behavior as the default.
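The precedence rules and token-source override described in the request, as an added Go example. This is not azidentity's code or API; the `Options`, `resolve`, `TokenSource` and `fileTokenSource` names are hypothetical, and the env var names are the ones quoted above. It shows an explicit option winning over the env var, the env var remaining the default when the option is unset, and a `GetFederatedToken` override replacing the file read while a file stays the default.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Env var names as quoted in the issue; the surrounding types are hypothetical.
const (
	envTokenProxy = "AZURE_KUBERNETES_TOKEN_PROXY"
	envTokenFile  = "AZURE_FEDERATED_TOKEN_FILE"
)

// TokenSource supplies the Kubernetes service account (federated) token.
// Hypothetical; stands in for the requested GetFederatedToken-style override.
type TokenSource func(ctx context.Context) (string, error)

// Options mirrors the requested shape: explicit values win, env vars are the default.
type Options struct {
	TokenProxy        string      // explicit identity binding proxy; "" falls back to env
	TokenFilePath     string      // explicit token file; "" falls back to env
	GetFederatedToken TokenSource // non-file token source; nil keeps the file-based default
}

// resolved is what a credential would actually use after precedence is applied.
type resolved struct {
	tokenProxy string
	getToken   TokenSource
}

// resolve applies the precedence rule. lookup is injectable (os.LookupEnv in
// production) so the logic can be exercised without mutating the process env.
func resolve(o Options, lookup func(string) (string, bool)) (resolved, error) {
	r := resolved{tokenProxy: o.TokenProxy}
	if r.tokenProxy == "" { // option not set: keep today's env-var behavior
		r.tokenProxy, _ = lookup(envTokenProxy)
	}
	if o.GetFederatedToken != nil { // caller-supplied source takes precedence over any file
		r.getToken = o.GetFederatedToken
		return r, nil
	}
	path := o.TokenFilePath
	if path == "" {
		path, _ = lookup(envTokenFile)
	}
	if path == "" {
		return resolved{}, errors.New("no federated token source: set GetFederatedToken, TokenFilePath, or " + envTokenFile)
	}
	r.getToken = fileTokenSource(path)
	return r, nil
}

// fileTokenSource is the default: re-read the projected token file on every call so a
// rotated service account token is picked up without restarting the process.
func fileTokenSource(path string) TokenSource {
	return func(ctx context.Context) (string, error) {
		b, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("read federated token file: %w", err)
		}
		tok := strings.TrimSpace(string(b))
		if tok == "" {
			return "", errors.New("federated token file is empty")
		}
		return tok, nil
	}
}

func main() {
	// Explicit proxy plus a request-scoped token (the CSI-driver style scenario).
	opts := Options{
		TokenProxy: "https://proxy.internal:8443", // assumed value for illustration
		GetFederatedToken: func(ctx context.Context) (string, error) {
			return "constructed.service-account.jwt", nil // constructed, not a real token
		},
	}
	r, err := resolve(opts, os.LookupEnv)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	tok, _ := r.getToken(context.Background())
	fmt.Println("proxy:", r.tokenProxy, "token:", tok)
}
```

The injectable `lookup` is the piece worth keeping if this lands in a real credential: it lets the precedence rule be tested deterministically, and it makes the "option unset, env var set" path visible rather than implicit in `os.Getenv` calls scattered through the constructor.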

Metadata

Labels: Azure.Identity; Client (This issue points to a problem in the data-plane of the library); customer-reported (Issues that are reported by GitHub users external to the Azure organization); feature-request (This issue requires a new behavior in the product in order to be resolved)

Status: Untriaged

Development: No branches or pull requests