microsoft-identity-web icon indicating copy to clipboard operation
microsoft-identity-web copied to clipboard
verified publisher icon AzureAD

Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments

Open Copilot opened this issue 4 months ago • 0 comments

Documentation: Clarify managed identity credential types for containerized vs. VM/App Service deployments

  • [x] You've read the Contributor Guide and Code of Conduct.
  • [x] You've included unit or integration tests for your change, where applicable.
  • [x] You've included inline docs for your change, where applicable.
  • [x] There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Correct managed identity credential configuration for containerized deployments

Description

Documentation incorrectly showed SignedAssertionFromManagedIdentity as the credential type for managed identity scenarios without distinguishing deployment contexts. This led to misconfiguration in containerized environments (Kubernetes, AKS, Docker) using Azure AD Workload Identity.

Container environments must use SignedAssertionFilePath:

{
  "ClientCredentials": [{
    "SourceType": "SignedAssertionFilePath",
    "SignedAssertionFilePath": "/var/run/secrets/azure/tokens/azure-identity-token"
  }]
}

Classic MSI (VMs, App Services) uses SignedAssertionFromManagedIdentity:

{
  "ClientCredentials": [{
    "SourceType": "SignedAssertionFromManagedIdentity",
    "ManagedIdentityClientId": "managed-identity-client-id"
  }]
}

Changes

README.AgentIdentities.md:

  • Split credential examples by deployment scenario (client certificate, containerized workload identity, classic MSI)
  • Added notes clarifying when to use each credential type
  • Linked to CredentialDescription and Azure AD Workload Identity documentation
  • Cleaned up JSON formatting by removing unnecessary blank lines

README.Sidecar.md:

  • Enhanced Containers section with Kubernetes YAML examples
  • Demonstrated environment variable configuration for both deployment patterns
  • Added CredentialDescription reference

Fixes #3584

Original prompt

This section details on the original issue you should resolve

<issue_title>Documentation: Managed Identity client credentials (containerized usage) must use SignedAssertionFilePath, not SignedAssertionFromManagedIdentity</issue_title> <issue_description>### Documentation related to component Sidecar, Managed Identity, Workload Identity, AgentID, Managed Identity for containers (AKS, Kubernetes, Docker)

Please check all that apply

  • [x] documentation needs clarification
  • [x] error(s) in the example
  • [x] needs an example

Description of the issue

Current documentation and usage guidelines for managed identity in containerized environments describe using:

- name: AzureAd__ClientCredentials__0__SourceType
  value: "SignedAssertionFromManagedIdentity"

This is not correct for containers (Kubernetes, AKS, Docker, etc.) using Azure AD Workload Identity.

Per CredentialDescription specification, and latest guidance, client credentials in this scenario should use:

- name: AzureAd__ClientCredentials__0__SourceType
  value: "SignedAssertionFilePath"
- name: AzureAd__ClientCredentials__0__SignedAssertionFilePath
  value: "/var/run/secrets/azure/tokens/azure-identity-token"

Please update the following:

  • Replace or deprecate documented patterns using SignedAssertionFromManagedIdentity for container workload identity scenarios with SignedAssertionFilePath.
  • For managed identity in AKS/containers, document SignedAssertionFilePath as the required parameter, with an example of the projected token file path.
  • Retain SignedAssertionFromManagedIdentity only for classic MSI scenarios (VMs, App Services).
  • Cross-reference the correct CredentialDescription usage: AzureAD/microsoft-identity-abstractions-for-dotnet/docs/credentialdescription.md
  • Confirm and clarify in sidecar/configuration.md, sidecar/scenarios/managed-identity.md, and any scenario or security documentation referencing AKS, Kubernetes, or container deployment.
Context

A repo-wide scrub found that all container-managed identity documentation either leaves out the correct pattern or references SignedAssertionFromManagedIdentity, which is not supported for containers. Correct support requires SignedAssertionFilePath.</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes AzureAD/microsoft-identity-web#3584

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot avatar Nov 10 '25 19:11 Copilot