What is the canonical format of the OIDC Issuer URL for AKS Workload Identity (Preview)?

Question

Hi,

I have an AKS Cluster using the workload identity feature, and I was wondering if there is any documentation or information on the canonical format for the OIDC Issuer URL?

Context is that I am trying to use cosign with keyless signing (via fulcio) which depends on knowing the issuer format. Currently it is expecting an issuer of the format https://oidc.prod-aks.azure.com/*, but my AKS cluster is reporting an issuer of the format https://eastus.oic.prod-aks.azure.com/****.

I have made a pull request to update the format, but it would be great to have some documentation to point to so that we aren't shooting in the dark about which format to expect.

Many thanks!

Answer 1

Hello @Yoriyasu Yano ,

Thank you for reaching out & I hope you are doing well.

Based on the information that you have provided; I understand that you are looking for a documented format for the OIDC Issuer URL.

Checking our official Microsoft documentation, I couldn't find any specific OIDC Issuer URL format that we should use. What is documented though is the CLI to retrieve your OIDC Issuer URL:

[https://learn.microsoft.com/en-us/azure/aks/cluster-configuration#show-the-oidc-issuer-url

For my AKS Cluster, the OIDC URL format is the same as yours:

https://westus.oic.prod-aks.azure.com/***

So, I suspect that the official format includes the Azure Region (westus in my case) and then the rest of the URL is standard.

My recommendation for this particular scenario is using the Feedback section at the bottom of our link and posting the question there, some of our contributors should provide a more definitive answer through GitHub.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well. Feel free to reply with any other questions or concerns.

Hope this helps!