Azure/azure-workload-identity v1.6.0 on GitHub

v1.6.0 - 2026-06-11

⚠️ Breaking change: projected token path moved (#1720)

The projected service account token mount path changed:

	Before	After
Mount path	`/var/run/secrets/azure/tokens`	`/var/run/secrets/azure/wi/token`
Full token path	`/var/run/secrets/azure/tokens/azure-identity-token`	`/var/run/secrets/azure/wi/token/azure-identity-token`

Important

Never hardcode the token file path. Always read AZURE_FEDERATED_TOKEN_FILE — the webhook owns this path and it may change again in future releases.

AZURE_FEDERATED_TOKEN_FILE is updated by the webhook to point at the new path. Applications using DefaultAzureCredential / WorkloadIdentityCredential (or reading AZURE_FEDERATED_TOKEN_FILE directly) work without changes:

tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")

Workaround for apps that hardcode the old path — add an init container that symlinks old → new:

initContainers:
- name: symlink-token
  image: busybox:latest
  command: ["sh", "-c", "mkdir -p /var/run/secrets/azure/tokens && ln -sf /var/run/secrets/azure/wi/token/azure-identity-token /var/run/secrets/azure/tokens/azure-identity-token"]
  volumeMounts:
  - { name: azure-tokens-compat, mountPath: /var/run/secrets/azure/tokens }
containers:
- name: your-app
  image: your-image
  volumeMounts:
  - { name: azure-tokens-compat, mountPath: /var/run/secrets/azure/tokens, readOnly: true }
volumes:
- name: azure-tokens-compat
  emptyDir: {}

Changelog

Bug Fixes 🐞

806062f fix: update Go version, remove K8s version table, bump kind versions (#1722)

Build 🏭

a7bab3c build: run go builder on $BUILDPLATFORM for cross-arch images (#1734)

Code Refactoring 💎

89ee981 refactor: migrate proxy from MSAL to azidentity SDK with LRU credential cache (#1721)
bdb8258 refactor: use sets.Set instead of map[string]struct{} (#1616)

Continuous Integration 💜

a444192 ci: migrate az login to workload identity federation (#1733)
23314d0 ci: update macos runner to macos-latest (#1691)
2eaac6d ci: fix copa patch workflow (#1682)
6aafb45 ci: add @stlaz to CODEOWNERS (#1647)
69b7641 ci: rm dependsOn in nightly pipeline (#1630)
fabb122 ci: rm verify deploy yaml nightly job (#1627)

Documentation 📘

360876a docs: Update docs to reflect actual proxy sidecar behavior (#1643)
4716a8d docs: use azure storge static web serving rather than public access (#1635)

Features 🌈

3045cd0 feat: allow extraEnv/extraVolumes/extraVolumeMounts in webhook chart (#1732)
d878231 feat: support custom token endpoint injection for workload identity (#1720)
533d7f5 feat: add --version flag for webhook and proxy (#1629)

Maintenance 🔧

981e839 chore: remove dependsOn from upgrade pipeline (#1724)
2a577d5 chore: update to go 1.25.9, grpc v1.79.3 and fix dependabot config (#1719)
1ad3204 chore: update to go 1.25.8, bump otel sdk, and harden workflows (#1717)
10fd199 chore: update to go 1.25.6 and distroless-iptables to v0.8.7 (#1699)
c926cd0 chore: bump the k8s group with 3 updates (#1678)
5f5f3a4 chore: update distroless-iptables to v0.8.6 (#1690)
fc01ee3 chore: update to go 1.24.10 (#1683)
08df826 chore: bump golang.org/x/crypto from 0.37.0 to 0.45.0 in /test/e2e (#1681)
a29b978 chore: bump golang.org/x/crypto from 0.37.0 to 0.45.0 (#1680)
dab95df chore: bump the k8s group with 3 updates (#1666)
a687ba7 chore: update distroless-iptables to v0.8.2 (#1672)
489fd2b chore: bump the k8s group with 3 updates (#1631)
a49f8f9 chore: update controller-gen to v0.14.0 and kustomize to v4.2.0 (#1657)
44deb3d chore: update to go 1.24.6 (#1645)
cb2954e chore: bump github.com/spf13/pflag from 1.0.6 to 1.0.7 (#1641)
9e86054 chore: bump golang.org/x/oauth2 from 0.21.0 to 0.27.0 (#1639)