This guide explains how to configure Workload Identity Federation (WIF) using Microsoft Entra ID for Azure OpenAI and Azure AI Foundry models in TrueFoundry’s AI Gateway. Workload Identity Federation lets the gateway authenticate to Azure without any client secrets or certificates. The gateway’s Kubernetes service account token is exchanged for an Entra ID access token through a federated identity credential. The same authentication is supported for Azure AI Foundry-based guardrails: Azure PII, Azure Content Safety, and Azure Prompt Shield. If you prefer secret-based or certificate-based authentication instead, see Azure Entra ID Client Secret Based Authentication or Azure Entra ID Certificate Based Authentication.

Prerequisites

  • A Microsoft Entra ID application registered in your Azure tenant
  • Azure OpenAI or Azure AI Foundry resource deployed
  • The TrueFoundry AI Gateway running on a Kubernetes cluster with a configured OIDC issuer URL, and the namespace and service account name used by the gateway pod
  • The Kubernetes service account used by the gateway must have permission to issue TokenRequest resources for itself (the TrueFoundry-provided Helm chart configures this RBAC automatically)

Azure Configuration

1. Get Application Details from Entra ID

Navigate to Azure Portal > Microsoft Entra ID > App registrations and select your application. From the Overview page, note the following values:
  • Application (client) ID
  • Directory (tenant) ID
2. Add a Federated Identity Credential

In your app registration, navigate to Certificates & secrets > Federated credentials > Add credential. For the Federated credential scenario, select Kubernetes accessing Azure resources, then fill in:
Run these commands to look up the values before filling in the form:
# OIDC issuer URL
kubectl get --raw /.well-known/openid-configuration | jq -r .issuer

# Service account name: list pods to find the gateway pod, then inspect it
kubectl get pods -n <namespace>
kubectl get pod <gateway-pod-name> -n <namespace> -o jsonpath='{.spec.serviceAccountName}'
  • Cluster issuer URL: the OIDC issuer URL of the cluster running the gateway
  • Namespace: the Kubernetes namespace of the gateway pod
  • Service account name: the Kubernetes service account name used by the gateway pod
  • Name: a descriptive name for this federated credential
Azure automatically builds the Subject identifier as system:serviceaccount:<namespace>:<service-account-name> and uses the audience api://AzureADTokenExchange.
The namespace and service account name must match the gateway pod’s service account (the K8S_SERVICE_ACCOUNT_NAME the gateway is deployed with). If they don’t match, the token exchange will fail.
The Cluster issuer URL is your cluster’s OIDC issuer (on Amazon EKS it looks like https://oidc.eks.<region>.amazonaws.com/id/EXAMPLED0123456789ABCDEF0123456789). The Namespace is where the gateway pod runs (commonly truefoundry) and the Service account name is the K8S_SERVICE_ACCOUNT_NAME it is deployed with (defaults to default).
[Screenshot: Azure app registration Add credential form showing the Kubernetes accessing Azure resources scenario with cluster issuer URL, namespace, service account name, and the auto-generated subject identifier]
3. Assign RBAC Role to App Registration

Navigate to your Azure resource > Access control (IAM) > Add role assignment.
Assign the Cognitive Services OpenAI User role to your app registration. Learn more about Azure OpenAI RBAC.
[Screenshot: Access control (IAM) page showing the role assignment]
Role assignments may take a few minutes to propagate.

TrueFoundry Configuration

1. Configure Workload Identity Authentication

Navigate to AI Gateway > Models > Azure OpenAI, then click Add Account and select Workload Identity Federation. Fill in the following:
  • Tenant ID: Directory (tenant) ID from the app registration overview
  • Client ID: Application (client) ID from the app registration overview
No secret or certificate is required. The gateway exchanges its Kubernetes service account token for an Entra ID access token using the federated identity credential you configured above.
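The exchange described here and the subject/audience matching from the federated credential step can be checked before deploying. The following is an added example, not TrueFoundry or Azure code: it decodes a projected Kubernetes service account token (signature unverified; Entra ID verifies it), reports any iss/sub/aud mismatch against the federated credential, and shows the client-assertion form body the standard Entra ID client-credentials flow expects. The token endpoint, the Cognitive Services scope and the EXAMPLE_ISSUER value are assumptions not stated on this page, and the sample token is constructed, not issued by a cluster.

```python
import base64
import json

AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience Azure sets on the credential
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Constructed sample issuer following the EKS shape shown above (not a real cluster).
EXAMPLE_ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED0123456789ABCDEF0123456789"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying it; Entra ID performs the verification."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_federated_credential(token, issuer, namespace, service_account):
    """Return the claim mismatches that would make Azure reject the token exchange."""
    claims = decode_jwt_payload(token)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != cluster issuer {issuer!r}")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}")
    if AZURE_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} lacks {AZURE_AUDIENCE!r}")
    return problems

def token_exchange_form(tenant_id, client_id, sa_token):
    """Form body for POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token (assumed endpoint)."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": "https://cognitiveservices.azure.com/.default",  # assumed Azure OpenAI scope
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": sa_token,  # the projected service account token
    }

def constructed_sa_token(issuer, namespace, service_account, audience=AZURE_AUDIENCE):
    """Build an unsigned, constructed token for the demo; a real one is signed by the cluster."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "aud": [audience],
              "sub": f"system:serviceaccount:{namespace}:{service_account}"}
    return f"{header}.{b64url(json.dumps(claims).encode())}.signature-placeholder"
```

Run the check against the token the gateway pod actually mounts (under /var/run/secrets/azure/tokens/ when projected with the Azure audience) to catch a namespace or service account mismatch before the first request fails.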
2. Add Models and Test

Add your models as described in the Azure OpenAI or Azure AI Foundry documentation. Test the connection using the Playground to verify that authentication works.