azure: support system-assigned managed identity

patrickdillon · patrickdillon · commit 01cae4f061b6 · 2026-03-06T15:43:53.000-05:00
System-assigned managed identities can be used in the same manner
as user-assigned managed identities, simply by leaving the ID
unset.
diff --git a/azure/scope/identity.go b/azure/scope/identity.go
@@ -154,7 +154,9 @@ func (p *AzureCredentialsProvider) GetTokenCredential(ctx context.Context, resou
 			ClientOptions: azcore.ClientOptions{
 				TracingProvider: tracingProvider,
 			},
-			ID: azidentity.ClientID(p.Identity.Spec.ClientID),
+		}
+		if p.Identity.Spec.ClientID != "" {
+			options.ID = azidentity.ClientID(p.Identity.Spec.ClientID)
 		}
 		cred, authErr = p.cache.GetOrStoreManagedIdentity(&options)
 
diff --git a/azure/scope/identity_test.go b/azure/scope/identity_test.go
@@ -420,6 +420,28 @@ func TestGetTokenCredential(t *testing.T) {
 				}))
 			},
 		},
+		{
+			name: "system-assigned identity",
+			cluster: &infrav1.AzureCluster{
+				Spec: infrav1.AzureClusterSpec{
+					AzureClusterClassSpec: infrav1.AzureClusterClassSpec{
+						IdentityRef: &corev1.ObjectReference{
+							Kind: infrav1.AzureClusterIdentityKind,
+						},
+					},
+				},
+			},
+			identity: &infrav1.AzureClusterIdentity{
+				Spec: infrav1.AzureClusterIdentitySpec{
+					Type: infrav1.UserAssignedMSI,
+				},
+			},
+			cacheExpect: func(cache *mock_azure.MockCredentialCache) {
+				cache.EXPECT().GetOrStoreManagedIdentity(gomock.Cond(func(opts *azidentity.ManagedIdentityCredentialOptions) bool {
+					return opts.ID == nil
+				}))
+			},
+		},
 		{
 			name: "UserAssignedIdentityCredential",
 			cluster: &infrav1.AzureCluster{
