Tags: azure, azure-rm-template

Can UMI federated credentials allow tokens from multiple issuers?


Is it possible to create a single federatedIdentityCredentials resource that allows tokens from multiple OIDC providers?

I am asking about Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials.

I see that the 'issuer' property is a string. This leads me to assume that there may only be one issuer per fed creds. Is that assumption correct?

{
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
  "apiVersion": "2023-01-31",
  "name": "string",
  "properties": {
    "audiences": [ "string" ],
    "issuer": "string",
    "subject": "string"
  }
}

This relates to my use case here: Using ARM templates to create multiple federated credentials for UMIs


Solution

  • Can UMI federated credentials allow tokens from multiple issuers?

    Firstly, to achieve your requirement, you need to look into the way that each federatedIdentityCredentials resource is meant to be linked to a specific issuer.

    Create more than one federatedIdentityCredentials resource, one for each issuer whose tokens you want to accept.

    Refer to the SO answer I worked on for the same issue, which has detailed code.

    The sample code format looks like below:

    "resources": [
      {
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
        "apiVersion": "2022-01-31-preview",
        "name": "xxxx",
        "properties": {
          "issuer": "1xxx",
          "subject": "xxx",
          "audiences": [ ]
        }
      },
      {
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
        "apiVersion": "2022-01-31-preview",
        "name": "xxxx",
        "properties": {
          "issuer": "2xxx",
          "subject": "xxx",
          "audiences": [ ]
        }
      }
    ]
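A complete worked example, added here and not part of the question or the answer above: an ARM template that deploys one user-assigned identity and then, through a copy loop, one federatedIdentityCredentials resource per entry of a trustedIssuers parameter, so each issuer is pinned to exactly one subject and one audience. The identity name, the second issuer URL and all subject values are constructed placeholders; the audience defaults to api://AzureADTokenExchange, which is the audience Entra ID expects for managed-identity federation, and the loop runs in serial mode because every credential is a write to the same parent identity.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "identityName": { "type": "string", "defaultValue": "umi-placeholder" },
    "audience": { "type": "string", "defaultValue": "api://AzureADTokenExchange" },
    "trustedIssuers": {
      "type": "array",
      "defaultValue": [
        {
          "name": "github-main",
          "issuer": "https://token.actions.githubusercontent.com",
          "subject": "repo:PLACEHOLDER-ORG/PLACEHOLDER-REPO:ref:refs/heads/main"
        },
        {
          "name": "second-provider",
          "issuer": "https://oidc.example.com/PLACEHOLDER-ISSUER",
          "subject": "PLACEHOLDER-SUBJECT"
        }
      ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2023-01-31",
      "name": "[parameters('identityName')]",
      "location": "[resourceGroup().location]"
    },
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
      "apiVersion": "2023-01-31",
      "name": "[format('{0}/{1}', parameters('identityName'), parameters('trustedIssuers')[copyIndex()].name)]",
      "copy": {
        "name": "federatedCredentialLoop",
        "count": "[length(parameters('trustedIssuers'))]",
        "mode": "serial",
        "batchSize": 1
      },
      "dependsOn": [
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
      ],
      "properties": {
        "issuer": "[parameters('trustedIssuers')[copyIndex()].issuer]",
        "subject": "[parameters('trustedIssuers')[copyIndex()].subject]",
        "audiences": [ "[parameters('audience')]" ]
      }
    }
  ]
}
```

Each array entry becomes its own credential named identityName/entry.name, so a token is only exchanged when its iss, sub and aud all match one specific entry; adding a trusted issuer means adding an array entry, not widening an existing credential.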