KB: How OIDC Connects AKS Service Accounts to Azure Managed Identities (MI)

OIDC (OpenID Connect) is the glue that binds the Kubernetes Service Account (SA) → Azure Managed Identity (MI) → Federated Credential chain. Here is what is really happening behind the scenes in AKS + Microsoft Entra ID (formerly Azure AD).

🔐 The Role of OIDC in the AKS–Azure Identity Chain

1. OIDC Issuer: The Cluster's Identity Provider

When you enable the OIDC issuer on your AKS cluster, Azure assigns it an OIDC issuer URL, like:

https://eastus.oic.prod-aks.azure.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

This URL acts like a small identity provider (IdP) for your cluster: it serves the OIDC discovery document (<issuer>/.well-known/openid-configuration) and the JWKS that holds the cluster's public signing keys, so any relying party, Entra ID included, can verify tokens the cluster issued without ever seeing the private key. Inside the cluster, the Kubernetes API server issues short-lived projected JWTs for Service Accounts, signed with the cluster's private signing key and carrying this URL as the issuer. Each token includes claims like:

iss → the OIDC issuer URL
sub → system:serviceaccount:<namespace>:<serviceaccount>
aud → the audience you request when you create the token (with Azure Workload Identity the projected volume requests api://AzureADTokenExchange)

Together, a valid signature under a key from the issuer's JWKS and these three claims prove "This token was issued by this AKS cluster for this Service Account." Entra ID accepts the token only when iss, sub and aud all match a federated credential configured on the managed identity.

2. Federated Cr...
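The issuer-and-claims mechanics described above, modelled end to end as an added example (this is not code from the original post or from AKS/Entra ID): one side plays the cluster's OIDC issuer, which signs a projected service account token and publishes only its public key as a JWKS; the other side plays Entra ID, which selects the key by kid from that JWKS, checks the RS256 signature, and then requires iss, sub and aud to match a federated credential. It uses only the Go standard library. The issuer URL follows the shape AKS assigns but the cluster GUID is made up, the namespace and service account names are hypothetical, expiry checking is left out for brevity, and where Entra ID fetches the JWKS over HTTPS from the issuer's jwks_uri, the example passes it in directly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK/JWKS model the key set published at the jwks_uri named in <issuer>/.well-known/openid-configuration
// (JSON tags omitted). FederatedCredential holds the three values Entra ID compares against the token.
type (
	JWK                 struct{ Kty, Kid, N, E string }
	JWKS                struct{ Keys []JWK }
	FederatedCredential struct{ Issuer, Subject, Audience string }
	Issuer              struct {
		URL, Kid string
		key      *rsa.PrivateKey
	}
	Claims struct { // aud is an array in Kubernetes projected tokens
		Iss string   `json:"iss"`
		Sub string   `json:"sub"`
		Aud []string `json:"aud"`
	}
)

// decode is lenient on purpose: bad base64url yields a truncated slice, so the signature or JSON check that follows fails.
func b64(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func decode(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b }
func sum(s string) []byte    { d := sha256.Sum256([]byte(s)); return d[:] }

func NewIssuer(url string) (*Issuer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Issuer{URL: url, Kid: "cluster-key-1", key: k}, nil
}

// JWKS is what the cluster's discovery endpoint serves: the public key only, keyed by kid.
func (i *Issuer) JWKS() JWKS {
	return JWKS{Keys: []JWK{{Kty: "RSA", Kid: i.Kid, N: b64(i.key.N.Bytes()), E: b64(big.NewInt(int64(i.key.E)).Bytes())}}}
}

// IssueToken mirrors a projected SA token: iss = issuer URL, sub = system:serviceaccount:<ns>:<sa>, aud as requested.
func (i *Issuer) IssueToken(ns, sa, aud string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": i.Kid})
	body, _ := json.Marshal(Claims{Iss: i.URL, Sub: "system:serviceaccount:" + ns + ":" + sa, Aud: []string{aud}})
	input := b64(hdr) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, sum(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify mirrors what Entra ID does with a cluster token: pick the key by kid from the issuer's JWKS,
// check the RS256 signature, then require iss, sub and aud to match the federated credential (expiry omitted).
func Verify(token string, jwks JWKS, fc FederatedCredential) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed JWT or unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(decode(k.N)), E: int(new(big.Int).SetBytes(decode(k.E)).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in issuer JWKS", hdr.Kid)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum(parts[0]+"."+parts[1]), decode(parts[2])); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(decode(parts[1]), &c); err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == fc.Audience
	}
	if c.Iss != fc.Issuer || c.Sub != fc.Subject || !audOK {
		return nil, fmt.Errorf("iss=%q sub=%q aud=%v do not match federated credential %+v", c.Iss, c.Sub, c.Aud, fc)
	}
	return &c, nil
}

func main() {
	iss, _ := NewIssuer("https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/") // constructed; GUID made up
	tok, _ := iss.IssueToken("payments", "api-sa", "api://AzureADTokenExchange")
	_, err := Verify(tok, iss.JWKS(), FederatedCredential{iss.URL, "system:serviceaccount:payments:api-sa", "api://AzureADTokenExchange"})
	fmt.Println("token accepted for the managed identity:", err == nil)
}
```

The failure cases are the instructive part: a token from a second service account in the same cluster carries a different sub and is refused even though its signature is valid; a token requested with a different audience is refused; and a token from another cluster that merely claims the same issuer URL fails the signature check, because the real cluster's JWKS does not contain the forger's key. The alg check matters too: a token with alg "none" must never reach the claim comparison.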