-
Spike
-
Resolution: Won't Do
-
Blocker
OCPSTRAT-506 - ARO Managed Identity
Initial workload identity configuration for AWS and GCP required a publicly accessible https endpoint from which the OIDC discovery document could be obtained by the identity provider (AWS or GCP).
Customers using AWS have raised concerns about the S3 bucket being publicly accessible. There has been a recent effort to document restricting access by using a CloudFront distribution to expose the endpoint served from a private S3 bucket via an Origin Access Identity (OAI) [1].
For Azure, we will create an Azure blob storage container per the Azure workload identity docs [2]. Can we restrict access to the Azure blob storage container such that only Azure Active Directory (AAD) can access the metadata endpoint? Is there a solution similar to the AWS CloudFront + private S3 bucket that we could leverage for Azure?
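As an added check (not part of this ticket or of the cloud-credential-operator docs), the Python below verifies what the identity provider itself will verify: that the issuer serves its OIDC discovery document and JWKS to an anonymous client, that the advertised `issuer` and `jwks_uri` are consistent, and, optionally, that the private origin behind the CDN (e.g. the bucket URL) does not answer directly. The issuer and origin URLs are placeholders the caller supplies.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

DISCOVERY = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "jwks_uri", "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def http_get(url, timeout=10):
    """Fetch a URL anonymously; return (status, body). HTTP errors become a status."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "oidc-check"}), timeout=timeout) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, b""

def check_issuer(issuer, fetch=http_get, private_origin=None):
    """Return a list of findings; an empty list means every check passed."""
    findings, base = [], issuer.rstrip("/")
    if urlparse(issuer).scheme != "https":
        findings.append("issuer must use https")
    status, body = fetch(base + DISCOVERY)
    if status != 200:
        return findings + [f"discovery document not readable anonymously (HTTP {status})"]
    try:
        doc = json.loads(body)
    except ValueError:
        return findings + ["discovery document is not valid JSON"]
    findings += [f"missing field: {f}" for f in REQUIRED if f not in doc]
    if doc.get("issuer") != issuer:  # the provider compares this to the token's iss claim
        findings.append(f"issuer mismatch: document says {doc.get('issuer')!r}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 not listed in id_token_signing_alg_values_supported")
    jwks_uri = doc.get("jwks_uri", "")
    if not jwks_uri.startswith(base + "/"):
        findings.append("jwks_uri is not under the issuer URL")
    else:
        jstatus, jbody = fetch(jwks_uri)
        try:
            keys = json.loads(jbody).get("keys", []) if jstatus == 200 else []
        except ValueError:
            keys = []
        if not any(k.get("kty") == "RSA" for k in keys):
            findings.append(f"JWKS has no RSA signing key (HTTP {jstatus})")
    if private_origin:  # e.g. the bucket URL behind CloudFront: it must NOT answer directly
        pstatus, _ = fetch(private_origin.rstrip("/") + DISCOVERY)
        if pstatus == 200:
            findings.append("private origin serves the document directly; it is still public")
    return findings
```

Run it from outside the cloud account's network, since the point is what an anonymous client (the identity provider) can reach.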
[1] https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts-private-bucket.md