Support Azure Workload Identity out of the box

Open mlushpenko opened this issue 1 year ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I've followed this tutorial to set up workload identity on GKE to communicate with Azure, and it is working well. I see the following variables automatically propagated inside my pods on the GKE cluster:

AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=XXXXXXXX
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=XXXXX

But Pulumi is asking for different variables like ARM_USE_OIDC, ARM_CLIENT_ID, ARM_OIDC_TOKEN, etc. It would be great if Pulumi supported such a setup out of the box without additional configuration.

According to the docs, you only need to use the DefaultAzureCredential method and it will try all available options one by one, including workload identity.

I hope this is helpful.

mlushpenko avatar Dec 05 '23 23:12 mlushpenko
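Until the provider reads the workload identity variables itself, the gap described in the issue can be bridged in the pod's entrypoint. The following is an added example, not code from the issue or from the pulumi-azuread project: it maps the AZURE_* variables that Azure Workload Identity injects into a pod onto the ARM_* variables the provider expects, and refuses to continue if anything required is missing so a misconfigured pod fails closed instead of silently falling back to some other credential. Of the ARM_* names used, only ARM_USE_OIDC, ARM_CLIENT_ID and ARM_OIDC_TOKEN appear in the issue; ARM_TENANT_ID and ARM_OIDC_TOKEN_FILE_PATH are assumed provider settings (they exist in the upstream Terraform azuread provider the Pulumi provider is bridged from) and should be checked against the provider version in use.

```shell
#!/bin/sh
# Added example (not from the issue or the pulumi-azuread project).
# Bridges Azure Workload Identity's AZURE_* pod variables to the ARM_* variables
# the pulumi-azuread provider reads. ARM_TENANT_ID and ARM_OIDC_TOKEN_FILE_PATH
# are assumed provider settings; ARM_USE_OIDC and ARM_CLIENT_ID are from the issue.

# Emits "export ..." lines on stdout so the caller can eval them.
# Returns 1 (and prints why on stderr) if the pod is not actually configured
# for workload identity, so nothing downstream runs with a half-set identity.
azure_wi_to_arm() {
  [ -n "${AZURE_CLIENT_ID:-}" ] \
    || { echo "azure_wi_to_arm: AZURE_CLIENT_ID is unset" >&2; return 1; }
  [ -n "${AZURE_TENANT_ID:-}" ] \
    || { echo "azure_wi_to_arm: AZURE_TENANT_ID is unset" >&2; return 1; }
  [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ] && [ -r "$AZURE_FEDERATED_TOKEN_FILE" ] \
    || { echo "azure_wi_to_arm: AZURE_FEDERATED_TOKEN_FILE is unset or unreadable" >&2; return 1; }

  # Sanity check the projected token: a JWT is three base64url segments
  # separated by dots. This catches an empty or not-yet-mounted volume early.
  tr -d '\n' < "$AZURE_FEDERATED_TOKEN_FILE" \
    | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$' \
    || { echo "azure_wi_to_arm: token file does not contain a JWT" >&2; return 1; }

  printf "export ARM_USE_OIDC=true\n"
  printf "export ARM_CLIENT_ID='%s'\n" "$AZURE_CLIENT_ID"
  printf "export ARM_TENANT_ID='%s'\n" "$AZURE_TENANT_ID"
  # Hand the provider the file path rather than the token value (ARM_OIDC_TOKEN):
  # the projected token is short-lived and rotated by the kubelet, so a value
  # captured once at startup goes stale during a long pulumi run.
  printf "export ARM_OIDC_TOKEN_FILE_PATH='%s'\n" "$AZURE_FEDERATED_TOKEN_FILE"
}

# Typical use in a pod entrypoint (fails the container if the mapping fails):
#   eval "$(azure_wi_to_arm)" && pulumi up --yes
```

The function deliberately prints the exports rather than setting them, so it can live in a shared script and be `eval`'d by whichever entrypoint needs it, and the JWT check is a shape check only; the provider still validates the token against Azure AD.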