external-secrets/docs/snippets/azkv-workload-identity-secretref.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  # this service account was created by azwi
  name: workload-identity-sa
  annotations: {}
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-store
spec:
  provider:
    azurekv:
      # tenantId spec option #1
      tenantId: "5a02a20e-xxxx-xxxx-xxxx-0ad5b634c5d8"
      authType: WorkloadIdentity
      vaultUrl: "https://xx-xxxx-xx.vault.azure.net"
      serviceAccountRef:
        name: workload-identity-sa
      authSecretRef:
        clientId:
          name: umi-secret
          key: clientId
        # tenantId spec option #2
        tenantId:
          name: umi-secret
          key: tenantId