external-dns on Azure AKS with managed identity using AKS Kubelet identity does not work if there are additional node pool identities #4132
Labels
kind/bug
What happened: I have configured external-dns on Azure AKS (with one system node pool and one user node pool) for an Azure DNS zone as per this description with Managed identity using AKS Kubelet identity. It is working fine as long as the node pool VMSSs have only one user-assigned managed identity, the kubelet identity. But when I add another user-assigned managed identity (for example for an Application Gateway Ingress Controller add-on, or for Azure Policies), the external-dns pod does not know anymore which identity to use:
time="2023-12-11T17:10:44Z" level=fatal msg="ManagedIdentityCredential: no default identity is assigned to this resource"
What you expected to happen: The external-dns pod should continue to use the kubelet identity for accessing the DNS zone. Is it somehow possible to mark the kubelet identity as the "default identity"?
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?: No
Environment:
External-DNS version (use `external-dns --version`): docker.io/bitnami/external-dns:0.14.0-debian-11-r2

Many thanks!
Best regards,
Thomas