WorkloadIdentityCredential class

Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With Workload Identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity.

Under the hood, Workload Identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials yourself.

The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires a token using the SACs available in the Azure Kubernetes environment. Refer to Microsoft Entra Workload ID for more information.

Constructors

WorkloadIdentityCredential(WorkloadIdentityCredentialOptions)

WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.

Methods

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

Constructor Details

WorkloadIdentityCredential(WorkloadIdentityCredentialOptions)

WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.

new WorkloadIdentityCredential(options?: WorkloadIdentityCredentialOptions)

Parameters

options
WorkloadIdentityCredentialOptions

The identity client options to use for authentication.

Method Details

getToken(string | string[], GetTokenOptions)

Authenticates with Microsoft Entra ID and returns an access token if successful. If authentication fails, a CredentialUnavailableError will be thrown with the details of the failure.

function getToken(scopes: string | string[], options?: GetTokenOptions): Promise<null | AccessToken>

Parameters

scopes

string | string[]

The list of scopes for which the token will have access.

options
GetTokenOptions

The options used to configure any requests this TokenCredential implementation might make.

Returns

Promise<null | AccessToken>
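Because getToken reports a failure only as a CredentialUnavailableError, it helps to check the inputs the credential depends on before the first call. The following is an added example, not code from this reference or from the Azure SDK: it inspects the environment and the projected service account token without calling the SDK. It assumes the pod is configured by the Azure Workload Identity webhook (environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE and the default audience api://AzureADTokenExchange); all function names are hypothetical.

```javascript
// Added example: preflight check for the inputs WorkloadIdentityCredential relies on.
// Assumptions: env var names and audience are the Azure Workload Identity webhook
// defaults; function names are hypothetical and not part of @azure/identity.
const EXPECTED_AUDIENCE = "api://AzureADTokenExchange";

// Decode (do not verify) the JWT payload; Entra ID checks the signature at exchange time.
function decodeClaims(jwt) {
  const parts = jwt.trim().split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 dot-separated parts");
  const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (claims === null || typeof claims !== "object") throw new Error("payload is not a JSON object");
  return claims;
}

// Returns a list of problems; an empty list means the inputs look usable.
function checkWorkloadIdentityInputs(env, tokenText, nowSeconds) {
  const problems = [];
  for (const name of ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"]) {
    if (!env[name]) problems.push(`${name} is not set`);
  }
  let claims;
  try {
    claims = decodeClaims(tokenText);
  } catch (err) {
    problems.push(`service account token unreadable: ${err.message}`);
    return problems;
  }
  const aud = [].concat(claims.aud || []); // aud may be a string or an array
  if (!aud.includes(EXPECTED_AUDIENCE)) problems.push(`audience ${JSON.stringify(aud)} lacks ${EXPECTED_AUDIENCE}`);
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("token is expired or has no exp");
  if (!/^system:serviceaccount:[^:]+:[^:]+$/.test(claims.sub || "")) problems.push(`unexpected subject ${claims.sub}`);
  return problems;
}

// Reads the projected token from disk and runs the checks (works from CommonJS or ESM).
async function preflight(env = process.env) {
  const { readFile } = await import("node:fs/promises");
  const path = env.AZURE_FEDERATED_TOKEN_FILE;
  const text = path ? await readFile(path, "utf8").catch(() => "") : "";
  return checkWorkloadIdentityInputs(env, text, Math.floor(Date.now() / 1000));
}

// Constructed sample token (unsigned, claim values invented for illustration).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2ln`;
}
```

Run preflight() at pod start-up and log the returned list. An empty list means the inputs are present and well-formed, not that Entra ID will accept the exchange.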