Workload Identity Federation - Azure


DDOE supports secure, keyless access to Microsoft Azure resources using Workload Identity Federation (WIF) — a modern alternative to embedding long-lived credentials such as access keys or client secrets.

With WIF, DDOE services like pipelines, automations, and serverless functions can authenticate against Azure Active Directory (AAD) and access Azure services (e.g., Blob Storage, Azure ML) using federated identity — without directly storing credentials on the platform.

To set up a WIF integration between Azure and DDOE, you must configure identity federation on Azure AD and link the credentials through the DDOE Integration settings.


⚙️ Part 1: Configure Workload Identity Federation in Azure

1️⃣ Register a New Application in Azure AD

  1. Go to the Azure Portal → Azure Active Directory → App registrations.

  2. Click “New Registration”:

    • Name: e.g., DDOE WIF App

    • Supported account types: Choose as per your org (usually "Single tenant")

    • Redirect URI: Leave blank for now (not required for federation)

  3. Click Register.

2️⃣ Configure Federated Credentials

  1. After registration, go to your new app → Certificates & Secrets → Federated credentials tab.

  2. Click “Add Credential”:

    • Name: e.g., DDOE-federation

    • Issuer: https://DDOE.ai/oauth2 (confirm with DDOE support)

    • Subject Identifier: e.g., system:serviceaccount:DDOE:<service-name> (match DDOE's identity format or use assertion.sub)

    • Audience: Match the value passed by DDOE (typically "api://AzureADTokenExchange")

    • Click Add.

This establishes trust between Azure and DDOE’s identity provider.

3️⃣ Assign Roles to the Application

  1. Go to the Azure resource you want DDOE to access (e.g., Blob Storage container).

  2. Navigate to Access control (IAM) → Add Role Assignment.

  3. Assign a relevant role (e.g., Storage Blob Data Contributor) to the DDOE WIF App you registered earlier.


🔐 Part 2: Prepare Credentials for DDOE

You will need:

1️⃣ Client ID and Tenant ID

From the Overview page of the registered application, copy:

  • Application (client) ID

  • Directory (tenant) ID

These are required when setting up the Azure integration in DDOE.

2️⃣ Federation Credential JSON (Manual Preparation)

Create a JSON credential file with the following format (you can generate it or write it by hand); this is the file uploaded as azure_credentials.json in Part 3:

{
  "clientId": "<APPLICATION_CLIENT_ID>",
  "tenantId": "<TENANT_ID>",
  "federatedTokenIssuer": "https://dataloop.ai/oauth2",
  "subject": "system:serviceaccount:dataloop:<service-name>",
  "audience": "api://AzureADTokenExchange"
}
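As an added example (not part of the DDOE docs and not DDOE's or Azure's own code), the following Python checks a credential file in this layout for leftover placeholders and for claim mismatches that make Azure AD reject the federated token, and shows the client_credentials exchange that takes place behind the integration; the GUIDs, service name and the unsigned test token are constructed, and the token endpoint and scope are the standard Azure AD v2.0 values.

```python
import base64
import json
import re

REQUIRED = ("clientId", "tenantId", "federatedTokenIssuer", "subject", "audience")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"  # audience Azure recommends for federated credentials

SAMPLE_CFG = {  # constructed sample in the layout shown above; both GUIDs are made up
    "clientId": "11111111-2222-3333-4444-555555555555",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "federatedTokenIssuer": "https://dataloop.ai/oauth2",
    "subject": "system:serviceaccount:dataloop:my-pipeline",
    "audience": EXPECTED_AUDIENCE,
}

def check_federation_config(cfg):
    """Problems that would make Azure AD reject the exchange; [] means usable."""
    problems = [f"missing key: {k}" for k in REQUIRED if k not in cfg]
    if problems:
        return problems
    problems += [f"{k} is not a GUID" for k in ("clientId", "tenantId") if not GUID.match(cfg[k])]
    if not cfg["federatedTokenIssuer"].startswith("https://"):
        problems.append("issuer must be an https URL")
    if "<" in cfg["subject"]:
        problems.append("subject still contains a placeholder")
    if cfg["audience"] != EXPECTED_AUDIENCE:
        problems.append(f"audience should be {EXPECTED_AUDIENCE}")
    return problems

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unsigned_jwt(claims):
    """Constructed, UNSIGNED token, only for exercising the claim check locally."""
    return _b64url(b'{"alg":"none"}') + "." + _b64url(json.dumps(claims).encode()) + "."

def token_matches_config(token, cfg):
    """iss/sub/aud must equal the federated credential (signature is verified by Azure AD, not here)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    pairs = (("iss", "federatedTokenIssuer"), ("sub", "subject"), ("aud", "audience"))
    return all(claims.get(c) == cfg[k] for c, k in pairs)

def build_token_request(cfg, federated_token, scope="https://storage.azure.com/.default"):
    """Endpoint and form body of the client_credentials exchange Azure AD expects."""
    url = f"https://login.microsoftonline.com/{cfg['tenantId']}/oauth2/v2.0/token"
    return url, {"client_id": cfg["clientId"], "scope": scope, "grant_type": "client_credentials",
                 "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                 "client_assertion": federated_token}
```

A token whose iss, sub or aud differs from the federated credential registered in Part 1 fails at the Azure AD endpoint with an invalid-assertion error, so running the check before uploading the file saves a round of debugging.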

🔗 Part 3: Create the Azure Integration in DDOE

  1. Log in to the DDOE platform.

  2. Go to Integrations from the left-side panel.

  3. Click Create Integration → Create Storage Integration.

  4. Fill in the form:

    • Integration Name: e.g., Azure WIF Integration

    • Provider: Azure

    • Integration Type: Workload Identity Federation

    • Client ID: From Azure App Registration

    • Tenant ID: From Azure AD

    • Import JSON File: Upload your azure_credentials.json

  5. Click Create Integration. A confirmation will appear.


🧪 Test Access

After the integration is set up:

  • Create an Azure Blob driver in DDOE using the integration

  • Use it in pipelines or services that access Azure storage