From 8db36894d265e6f9839888634a8e65ddf6e6c92d Mon Sep 17 00:00:00 2001 From: Jorge Turrado Ferrero Date: Fri, 4 Nov 2022 16:06:56 +0100 Subject: [PATCH] feat: explain how to use pod identity for Azure Key Vault (#970) Co-authored-by: Tom Kerkhove --- .../docs/2.9/authentication-providers/azure-key-vault.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/content/docs/2.9/authentication-providers/azure-key-vault.md b/content/docs/2.9/authentication-providers/azure-key-vault.md index eee27a637..41b6588fb 100644 --- a/content/docs/2.9/authentication-providers/azure-key-vault.md +++ b/content/docs/2.9/authentication-providers/azure-key-vault.md 
@@ -7,9 +7,9 @@ You can pull secrets from Azure Key Vault into the trigger by using the `azureKe The `secrets` list defines the mapping between the key vault secret and the authentication parameter. -Currently pod identity providers are not supported for key vault. +Currently, `azure` and `azure-workload` pod identity providers are supported for Azure Key Vault using `podIdentity` inside `azureKeyVault`. -You need to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specify its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource. +Service principal authentication is also supported, needing to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specifying its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource. Ensure that "read secret" permissions have been granted to the Azure AD application on the Azure Key Vault. Learn more in the Azure Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal). @@ -19,7 +19,10 @@ The `cloud` parameter can be used to specify cloud environments besides `Azure P ```yaml azureKeyVault: # Optional. vaultUri: {key-vault-address} # Required. - credentials: # Required. + podIdentity: # Optional. + provider: azure | azure-workload # Required. + identityId: # Optional + credentials: # Optional. clientId: {azure-ad-client-id} # Required. clientSecret: # Required. valueFrom: # Required.
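Review bot: In the first hunk (`@@ -7,9 +7,9 @@`), the permissions paragraph that follows the changed lines still says only that "read secret" permissions must be granted to the Azure AD application, yet the new sentence makes `azure` / `azure-workload` pod identity an alternative to the application; the identity used via `podIdentity` needs the same access on the vault, so the sentence should cover both, e.g. "Ensure that "read secret" permissions have been granted to the Azure AD application or the pod identity on the Azure Key Vault." The new wording "Service principal authentication is also supported, needing to register an application" is also awkward; suggest "Service principal authentication is also supported; it requires registering an application ... and specifying its credentials." Finally, neither new sentence says what happens when both `podIdentity` and `credentials` are specified, which the prose should state since the YAML marks both as optional.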
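Review bot: In the second hunk (`@@ -19,7 +19,10 @@`), `podIdentity: # Optional.` and `credentials: # Optional.` are both optional but nothing indicates that one of the two must be present or which one takes precedence if both are set; suggest `podIdentity: # Optional. Required if credentials is not set.` and the mirror comment on `credentials`. The line `identityId: # Optional` is missing the trailing period every other comment in the block uses, and neither the comment nor the prose above explains which identity it selects or when it is needed; add a short description there or in the surrounding text rather than leaving the field undocumented.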