opensourceprojects.dev

A broadsheet for software that doesn't ask for your email

The official OpenAI Python SDK now supports workload identity auth for Kubernete...
GitHub RepoImpressions12

Project Description

View on GitHub

OpenAI SDK Now Supports Workload Identity Auth for Kubernetes, Azure, and GCP

If you've been running OpenAI API calls from inside a Kubernetes pod or on a cloud VM, you've probably had to juggle API keys, env vars, and secret management. That's a pain. It's also a security footgun waiting to happen.

The official OpenAI Python SDK just dropped support for workload identity authentication across Kubernetes, Azure, and GCP. That means you can now authenticate to OpenAI using the identity of your compute resource directly, without ever touching a static API key.

What It Does

This update adds native support for workload identity federation to the openai Python SDK. Instead of passing an API key, you can configure the SDK to use the identity of your Kubernetes service account, Azure managed identity, or GCP service account. The SDK handles token exchange and authentication transparently.

Behind the scenes, it uses OpenID Connect (OIDC) token exchange. Your workload presents its own identity token, the SDK swaps that for an OpenAI access token, and you're good to go. No API keys stored in ConfigMaps, no secrets in environment variables, no manual token rotation.

Why It's Cool

The big win here is security. No more API keys sitting in plaintext in your deployment YAMLs or CI/CD pipelines. Workload identity means the compute resource itself gets a scoped, short-lived credential. If a pod gets compromised, there's no long-lived API key to steal.

It's also way more convenient for cloud native setups. If you're running on GKE with Workload Identity enabled, or AKS with Azure AD pod identity, or even EKS with IRSA, you can now just set up the right IAM bindings and the SDK works. No extra secret syncing, no vault plugins, no custom init containers to inject keys.

This is especially useful if you're building AI agents or batch inference jobs that run on ephemeral infrastructure. Spin up a pod, it authenticates automatically, does its work, and disappears. Zero manual key management.

How to Try It

Make sure you're on the latest version of the SDK:

pip install --upgrade openai

Then, depending on your platform, configure the client like this:

For Azure (with managed identity):

from openai import AzureOpenAI

client = AzureOpenAI(
    azure_endpoint="https://your-resource.openai.azure.com",
    api_version="2024-02-15-preview",
    azure_ad_token_provider=...  # use DefaultAzureCredential
)

For GCP (with workload identity):

from openai import OpenAI

# Set up your GCP service account with proper permissions
# The SDK will use the default application credentials
client = OpenAI()

For Kubernetes (with GKE Workload Identity or similar): Same as GCP, but you'll need to bind your Kubernetes service account to a GCP service account first. Once that's configured, the SDK picks up the identity automatically.

Check the SDK repo's README for full platform-specific setup guides and parameter details.

Final Thoughts

This is one of those updates that quietly makes life better for platform engineers and ML engineers alike. No hype, just practical: fewer secrets to manage, fewer things to break, and a cleaner path to running OpenAI in production on cloud native infrastructure.

If you're already using workload identity for other services (like accessing Google Cloud Storage or Azure SQL), you can now treat OpenAI the same way. One less secret, one less thing to rotate, one less way to accidentally leak an API key in a log.

Worth upgrading your SDK for.


Found this useful? Follow @githubprojects for more developer tooling updates.

Back to Projects
Project ID: ba8ad510-71be-4c56-bd0b-dcb26f9bb5abLast updated: July 10, 2026 at 06:26 AM