Introduction
This article describes a configuration issue that can occur when using the default Azure credential for Azure storage integration in Mendix on Kubernetes. The application may still require static Azure storage credentials even when storage-azure-use-default-azure-credential is enabled.
Environment
Applications hosted in Mendix on Kubernetes
Details
When configuring Azure storage for Mendix on Kubernetes, the configuration parameter storage-azure-use-default-azure-credential can be set to true to use Azure identity-based authentication instead of static credentials.
However, the following error may appear during startup if Azure Workload Identity is not configured:
{"level":"error","msg":"failed to load config failed to load storage config some required storage fields are missing: [storage-azure-account-name storage-azure-account-key]","time":"2025-10-23T09:23:41Z"}
This occurs because the m2ee-sidecar container checks whether identity-based authentication can be used by verifying the presence of the environment variable:
AZURE_FEDERATED_TOKEN_FILE
If this environment variable is not present or empty, the runtime assumes that identity-based authentication is not available and falls back to static credentials. In this scenario, the configuration still expects the following parameters:
storage-azure-account-name
storage-azure-account-key
To enable identity-based authentication successfully, Azure Workload Identity must be configured.
The application pod must include the following label:
azure.workload.identity/use: "true"
This label allows the container to access the federated token required for Azure identity authentication.
In Azure Kubernetes Service (AKS), Azure Workload Identity must be enabled at the cluster level. For non-AKS Kubernetes clusters, the Azure Workload Identity add-on must be installed and configured.
Once the label is applied and workload identity is configured, the application can use the default Azure credential without requiring storage-azure-account-name and storage-azure-account-key.
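The fallback rule and label requirement described above can be checked against a pod object before redeploying. This is an added example, not Mendix or m2ee-sidecar code: it assumes the pod object comes from kubectl get pod -o json, that the sidecar appears under spec.containers as m2ee-sidecar, and that the variable is visible in that container's env list. The function names and sample pods are hypothetical.

```python
LABEL = "azure.workload.identity/use"
TOKEN_ENV = "AZURE_FEDERATED_TOKEN_FILE"
STATIC_FIELDS = ["storage-azure-account-name", "storage-azure-account-key"]


def token_env_state(container):
    """Return 'set', 'empty' or 'missing' for TOKEN_ENV in a container spec."""
    for var in container.get("env") or []:
        if var.get("name") == TOKEN_ENV:
            # A valueFrom reference is only resolved at runtime; count it as set.
            return "set" if var.get("value") or var.get("valueFrom") else "empty"
    return "missing"


def diagnose(pod, container_name="m2ee-sidecar"):
    """Apply the fallback rule described in this article to a pod object."""
    labels = pod.get("metadata", {}).get("labels") or {}
    containers = pod.get("spec", {}).get("containers") or []
    sidecar = next((c for c in containers if c.get("name") == container_name), None)
    env_state = token_env_state(sidecar) if sidecar else "container-not-found"
    usable = env_state == "set"
    return {
        "label_ok": labels.get(LABEL) == "true",
        "token_env": env_state,
        "identity_usable": usable,
        # Fields still demanded at startup when static credentials are expected.
        "required_static_fields": [] if usable else list(STATIC_FIELDS),
    }


def sample_pod(labels, env):
    """Build a constructed pod object; app name and token path are sample values."""
    return {"metadata": {"name": "myapp-0", "labels": labels},
            "spec": {"containers": [{"name": "m2ee-sidecar", "env": env}]}}


# Constructed inputs: no label, label with injected variable, empty variable.
UNLABELLED = sample_pod({"app": "myapp"}, [])
LABELLED = sample_pod(
    {"app": "myapp", LABEL: "true"},
    [{"name": TOKEN_ENV,
      "value": "/var/run/secrets/azure/tokens/azure-identity-token"}])
EMPTY_VAR = sample_pod({"app": "myapp", LABEL: "true"},
                       [{"name": TOKEN_ENV, "value": ""}])

if __name__ == "__main__":
    for name, pod in [("unlabelled", UNLABELLED), ("labelled", LABELLED),
                      ("empty variable", EMPTY_VAR)]:
        print(name, diagnose(pod))
```

A result with label_ok true but token_env missing indicates that the label is present while workload identity is not active at the cluster level.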
Internal information related
C0161BEMQ4B/p1761211814672469
Additional information
- Mendix documentation:
Related KBA:
Deploy and configure an Azure Kubernetes Service (AKS) cluster with Microsoft Entra Workload ID