
Support using `userAssignedIdentityID` when `usePodIdentity` is true

jbearor opened this issue 4 years ago • 3 comments

Describe the solution you'd like: When usePodIdentity is true, I would like to be able to use userAssignedIdentityID to choose the AzureIdentity I want to use in the csi driver (when multiple identities are configured). Looking through the code, this doesn't seem to be configured. Is there another way this functionality is already in place?

Anything else you would like to add: I currently have two AzureIdentityBindings configured, following the aad-pod-identity docs, with one identity containing the keyvault access role assignments.

Environment:

  • Secrets Store CSI Driver version: (use the image tag):
  • Azure Key Vault provider version: (use the image tag):
  • Kubernetes version: (use kubectl version):
  • Cluster type: (e.g. AKS, aks-engine, etc): AKS

jbearor avatar Oct 23 '20 17:10 jbearor

eagerly waiting :)

srinathrangaramanujam avatar Mar 14 '21 11:03 srinathrangaramanujam

We are also interested in supporting this use case. Just took a brief look at the source code, and it seems like a rather trivial thing to support. It seems that the request for the token is made in this function:

https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/26b19f1b020d508a7b13146fc65fe7714d075fa8/pkg/auth/auth.go#L66

When using pod identity, it currently only specifies the resource query parameter, but according to the NMI source code, an additional query parameter client_id is supported:

https://github.com/Azure/aad-pod-identity/blob/4f356255705af14293df1779541a86463f7d9179/pkg/nmi/server/server.go#L479

I have no prior history in either of these projects, @aramase. Does this seem like a probable fix to you? I would gladly spend some time opening a PR to get this pushed through, as it would be valuable to us.

Xitric avatar Oct 27 '21 12:10 Xitric
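To make the proposed change concrete, here is an added example (not code from the provider or from aad-pod-identity) of an MSI token request that optionally carries the client_id parameter the comment above describes. It assumes the standard MSI endpoint base http://169.254.169.254 (which NMI intercepts in-cluster) and api-version 2018-02-01; the client id in main() is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// tokenResponse holds the fields of the MSI token reply used here.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
}

// msiTokenURL builds the MSI token request that NMI intercepts (assumed base
// http://169.254.169.254, api-version 2018-02-01). A non-empty clientID adds the
// client_id parameter the thread proposes, selecting one of several bound identities.
func msiTokenURL(endpoint, resource, clientID string) string {
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	return endpoint + "/metadata/identity/oauth2/token?" + q.Encode()
}

// fetchMSIToken sends the request with the mandatory Metadata header and decodes
// the JSON reply; a non-200 status (e.g. NMI refusing an unbound identity) is an error.
func fetchMSIToken(endpoint, resource, clientID string) (*tokenResponse, error) {
	req, err := http.NewRequest(http.MethodGet, msiTokenURL(endpoint, resource, clientID), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token request failed: %s", resp.Status)
	}
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

func main() { fmt.Println(msiTokenURL("http://169.254.169.254", "https://vault.azure.net", "<client-id>")) }
```

Without client_id, NMI falls back to its own selection among the identities bound to the pod, which is exactly the ambiguity the issue is about.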

@jbearor Is there something new to this? Maybe https://github.com/Azure/secrets-store-csi-driver-provider-azure/discussions/771 is relevant.

schwichti avatar Feb 08 '22 13:02 schwichti

AAD Pod Identity is deprecated, so this is not something that'll be supported. Closing this issue.

aramase avatar Apr 25 '23 20:04 aramase