Azure / azure-policy

Repository for Azure Resource Policy built-in definitions and samples
MIT License

Enabling AKS Azure Policy Addon when workload identity is enabled. Pods start showing error "Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request" #1273

Closed atedsimple closed 2 months ago

atedsimple commented 7 months ago

A second identity is created and attached to each node when enabling Azure Policy on an AKS cluster that uses workload identity. Any pod that then tries to authenticate to Azure starts showing the error:

"Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request"

Is it possible to configure Azure Policy to use the same identity that is used by workload identity? I see that you can view the identity but don't see a way to change it


anlandu commented 2 months ago

To follow best security practices, namely maintaining separation of concerns and permissions, every addon uses its own UAMI. You should update your application auth code to explicitly specify what UAMI you would like to use. This is best practice in general--relying on the default UAMI is extremely brittle as anyone could assign another UAMI to your VMSS and break you in the same way.

https://github.com/MicrosoftDocs/entra-docs/blob/main/docs/identity/managed-identities-azure-resources/managed-identities-faq.md#what-identity-will-imds-default-to-if-i-dont-specify-the-identity-in-the-request
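Added example (not code from this issue or the azure-policy repository) of what "explicitly specify the UAMI" looks like in application code: the IMDS token request is pinned with the `client_id` (or `mi_res_id`) query parameter, and the client id is read from `AZURE_CLIENT_ID`, which the AKS workload identity webhook injects into the pod (assumed present). `simulate_imds` is a constructed toy model of IMDS selection, included only to show why an unpinned request fails once a second identity such as the Azure Policy addon's is attached to the node.

```python
import os
from urllib.parse import parse_qs, urlencode, urlparse

# Documented IMDS endpoint and API version.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
AMBIGUOUS_IDENTITY_ERROR = ("Multiple user assigned identities exist, please specify "
                            "the clientId / resourceId of the identity in the token request")


def build_imds_token_request(resource, client_id=None, mi_res_id=None):
    """Return (url, headers) for an IMDS token request pinned to one UAMI.

    Refuses to build an unpinned request: on a node with several UAMIs
    attached (e.g. the Azure Policy addon identity), IMDS cannot choose.
    """
    if not client_id and not mi_res_id:
        raise ValueError("pin the identity with client_id or mi_res_id")
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    else:
        params["mi_res_id"] = mi_res_id  # ARM resource id of the UAMI
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def workload_client_id(env=None):
    """Read the UAMI client id that the AKS workload identity webhook
    injects into the pod as AZURE_CLIENT_ID (assumed to be set)."""
    env = os.environ if env is None else env
    client_id = env.get("AZURE_CLIENT_ID")
    if not client_id:
        raise RuntimeError("AZURE_CLIENT_ID not set; is the pod labelled for workload identity?")
    return client_id


def simulate_imds(url, attached_client_ids):
    """Constructed toy model of how IMDS resolves the identity selector.
    It is not the real service; it only illustrates the failure mode."""
    query = parse_qs(urlparse(url).query)
    wanted = query.get("client_id", [None])[0]
    if wanted is None:
        # No selector: only unambiguous when exactly one UAMI is attached.
        if len(attached_client_ids) != 1:
            return {"error": AMBIGUOUS_IDENTITY_ERROR}
        return {"client_id": attached_client_ids[0]}
    if wanted not in attached_client_ids:
        return {"error": "identity not found"}
    return {"client_id": wanted}
```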