TL;DR: Riptides demonstrates secretless access in a flow that exchanges external OIDC identity tokens for short-lived Azure credentials through federated identity and a User-Assigned Managed Identity, eliminating stored secrets, disk persistence, and manual rotation in the example flow. Secretless access reduces blast radius, but it also shifts the control problem to trust establishment, native authorization, and credential lifetime management.
NHIMG editorial — based on content published by Riptides: Secretless Azure access with tokenex and federated identity via User-Assigned Managed Identity
By the numbers:
- 64% of the secrets that leaked in 2022 remain valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams replace long-lived cloud secrets for workload access?
A: Use federated workload identity so the workload proves its identity with an external token and receives a short-lived native cloud credential in return.
Q: Why do short-lived credentials reduce workload compromise risk?
A: Short-lived credentials reduce risk because they narrow the replay window and limit what an attacker can reuse after runtime access is obtained.
Q: What breaks when federated identity trust is misconfigured?
A: Authentication breaks first, because the cloud provider will not exchange the external token unless the issuer, subject, and audience bindings match exactly.
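The exact-match rule above is easy to get wrong before the first exchange is ever attempted. The Go below is an added example (not Riptides' code, and not the Azure SDK) that pre-checks an external OIDC token's issuer, subject, audience and expiry against the federated credential's bindings, so a misconfiguration surfaces as a named mismatch rather than a generic exchange failure; it assumes a single-string aud claim and deliberately does not verify the signature, which Azure does during the real exchange. The token built by MintToken and the binding values in the test are constructed sample data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// FederatedCredential holds the three bindings Azure checks before the exchange.
type FederatedCredential struct{ Issuer, Subject, Audience string }

// MintToken builds a constructed, unsigned JWT so the check can run offline.
func MintToken(claims map[string]any) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
}

// CheckTrustBinding decodes the token payload (signature NOT verified here;
// Azure does that) and reports the first binding that would make the exchange
// fail: issuer, subject, audience, then expiry. Assumption: aud is a string.
func CheckTrustBinding(token string, fc FederatedCredential, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token: expected header.payload.signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return fmt.Errorf("payload is not JSON: %w", err)
	}
	for _, b := range []struct{ name, want string }{
		{"iss", fc.Issuer}, {"sub", fc.Subject}, {"aud", fc.Audience},
	} {
		if got, _ := claims[b.name].(string); got != b.want {
			return fmt.Errorf("%s mismatch: token %q vs federated credential %q", b.name, got, b.want)
		}
	}
	exp, _ := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	if !now.Before(time.Unix(int64(exp), 0)) {
		return fmt.Errorf("token expired at %s: refresh before exchange", time.Unix(int64(exp), 0).UTC())
	}
	return nil
}
```

Run it against the token your CI or cluster actually issues and the federated credential you configured; a mismatch here is the same mismatch the exchange will reject.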
Practitioner guidance
- Inventory persistent credential paths: Map where client secrets, access keys, and tokens still live in CI systems, container images, config files, and environment variables.
- Separate trust binding from role assignment: Review federated identity configuration and Azure RBAC as two different controls.
- Shorten the useful life of every workload token: Set token lifetimes and refresh behaviour so that compromised credentials expire before they can be reused broadly.
What's in the full article
Riptides' full article covers the operational detail this post intentionally leaves for the source:
- The complete Go example showing how the credentials provider is wired into the application
- The Azure setup sequence for federated credentials and User-Assigned Managed Identity binding
- The sample output for both successful access and 403 AuthorizationFailed failure conditions
- The credential refresh and resource-listing loop used in the demo application
👉 Read Riptides' guide to secretless Azure access with tokenex →