1
votes

Azure Kubernetes now seems to offer two ways to access other Azure resources:

1. AKS managed identity - https://docs.microsoft.com/en-us/azure/aks/use-managed-identity
2. AAD pod identity - https://github.com/Azure/aad-pod-identity

As an application running within AKS, how can I request a token for the AKS cluster managed identity or the AAD pod identity? When I call the IMDS endpoint for a token, how will it know which identity to generate the token for?

2
Are you interested in providing each pod with its own identity when communicating with the API server? Kubernetes has this concept layer using Kubernetes Service Principal; you get distinct audit data for each operation by each user (service account): kubernetes.io/docs/tasks/configure-pod-container/… – djsly
No, I don't want to communicate with the Kubernetes API server. My question is about accessing other Azure resources. – user3740951
So you are right that github.com/Azure/aad-pod-identity is the piece of software you need. – djsly

2 Answers

3
votes

The AKS managed identity you mention in option 1 (https://docs.microsoft.com/en-us/azure/aks/use-managed-identity) is meant for the cluster's internal use only. You cannot use that identity to access Azure resources from your pods.

You can use Pod identity to achieve your needs. You need to create an Identity Binding (https://github.com/Azure/aad-pod-identity#5-deploy-azureidentitybinding) for the managed identity you want to use, and specify that identity binding in your pod spec (https://github.com/Azure/aad-pod-identity#6-deployment-and-validation).

When the pod requests a token from the IMDS endpoint, it does not need to specify the identity: that is figured out automatically by the NMI based on the identity binding in the pod spec for the pod making the request.
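As an added example (not code from this answer or from the aad-pod-identity project), here is what the pod-side request described above looks like in Python. The IMDS address, the `api-version` and the `Metadata: true` header are the real IMDS contract; note that nothing in the request names an identity. The client ID, the JWT-shaped token and the response body are constructed so the script runs offline, and `fake_imds_opener` stands in for the network call. The audience check at the end is a defensive addition a client can make; it does not verify the signature, which is the resource server's job.

```python
import base64
import io
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Real IMDS values. With aad-pod-identity, NMI intercepts traffic to this address
# on the node, so the pod's code is the same as on a plain Azure VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource: str) -> urllib.request.Request:
    """Build the request a pod sends. No identity is named in it: NMI selects
    the identity from the AzureIdentityBinding matching the calling pod."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", method="GET")
    req.add_header("Metadata", "true")  # IMDS refuses requests without this header
    return req


def parse_imds_token_response(body: bytes, now: Optional[int] = None) -> dict:
    """Validate the JSON IMDS returns and report which identity answered."""
    data = json.loads(body)
    if "error" in data:
        # NMI answers with an error body when no binding matches the pod.
        raise RuntimeError(f"token request failed: {data.get('error_description', data['error'])}")
    for field in ("access_token", "client_id", "expires_on", "resource"):
        if field not in data:
            raise ValueError(f"IMDS response is missing {field!r}")
    now = int(time.time()) if now is None else now
    return {
        "client_id": data["client_id"],  # the identity NMI picked for this pod
        "resource": data["resource"],
        "expires_in_seconds": int(data["expires_on"]) - now,
        "access_token": data["access_token"],
    }


def token_audience(access_token: str) -> str:
    """Read the 'aud' claim from the JWT payload (inspection only, no signature check)."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["aud"]


def request_managed_identity_token(resource: str,
                                   opener: Callable = urllib.request.urlopen,
                                   now: Optional[int] = None) -> dict:
    """Build, send, validate, and confirm the token is for the resource we asked for."""
    with opener(build_imds_token_request(resource)) as resp:
        result = parse_imds_token_response(resp.read(), now=now)
    if token_audience(result["access_token"]) != resource:
        raise ValueError("token audience does not match the requested resource")
    return result


# --- Constructed sample data (not captured from a real cluster) ---------------
CONSTRUCTED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
RESOURCE = "https://management.azure.com/"


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# JWT-shaped token with made-up claims and a placeholder signature.
CONSTRUCTED_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": RESOURCE, "appid": CONSTRUCTED_CLIENT_ID, "exp": 1700003600}),
    "constructed-signature",
])
CONSTRUCTED_IMDS_BODY = json.dumps({
    "access_token": CONSTRUCTED_TOKEN,
    "client_id": CONSTRUCTED_CLIENT_ID,
    "expires_in": "3600",
    "expires_on": "1700003600",
    "resource": RESOURCE,
    "token_type": "Bearer",
}).encode()


def fake_imds_opener(req: urllib.request.Request) -> io.BytesIO:
    """Offline stand-in for urlopen; BytesIO supports read() and 'with'."""
    assert req.get_header("Metadata") == "true", "IMDS would reject this request"
    return io.BytesIO(CONSTRUCTED_IMDS_BODY)


if __name__ == "__main__":
    info = request_managed_identity_token(RESOURCE, opener=fake_imds_opener, now=1700000000)
    print(f"identity {info['client_id']} issued a token for {info['resource']}, "
          f"valid for {info['expires_in_seconds']}s")
```

In a real pod you drop the `opener` argument and `urllib.request.urlopen` talks to 169.254.169.254 directly; the `client_id` field in the response is the easiest way to confirm at runtime which bound identity NMI actually used.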

0
votes

Similarly, a host can make an authorization request to fetch a Service Principal token for a resource directly from the NMI host endpoint (http://127.0.0.1:2579/host/token/). The request must include the pod namespace podns and the pod name podname in the request header and the resource endpoint of the resource requesting the token. The NMI server identifies the pod based on the podns and podname in the request header and then queries k8s (through MIC) for a matching Azure identity. Then NMI makes an ADAL request to get a token for the resource in the request, returning the token and the clientid as a response.

https://github.com/Azure/aad-pod-identity#node-managed-identity
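As an added example (not code from this answer or from the aad-pod-identity project), the host-side request described above in Python. The endpoint URL and the `podns`/`podname` headers are the ones the answer names; the `resource` query parameter follows the README's curl example. The response body and its field names (`token`, `clientid`) are an assumption based on the answer's wording, and `fake_nmi_opener` replaces the network call so the script runs offline.

```python
import io
import json
import urllib.parse
import urllib.request
from typing import Callable

# NMI host endpoint named in the answer (real value).
NMI_HOST_TOKEN_URL = "http://127.0.0.1:2579/host/token/"


def build_nmi_host_token_request(pod_namespace: str, pod_name: str,
                                 resource: str) -> urllib.request.Request:
    """Host-side request: the caller names the pod explicitly via headers,
    whereas on the in-pod IMDS path NMI works out the calling pod itself."""
    if not pod_namespace or not pod_name:
        # NMI matches the AzureIdentity on these two values; without both
        # there is nothing to look up.
        raise ValueError("podns and podname are both required")
    query = urllib.parse.urlencode({"resource": resource})
    req = urllib.request.Request(f"{NMI_HOST_TOKEN_URL}?{query}")
    # urllib stores header names capitalised ("Podns"); HTTP is case-insensitive.
    req.add_header("podns", pod_namespace)
    req.add_header("podname", pod_name)
    return req


def fetch_host_token(pod_namespace: str, pod_name: str, resource: str,
                     opener: Callable = urllib.request.urlopen) -> dict:
    """Send the request and return the parsed body. Field names are assumed:
    the answer says the response carries the token and the clientid."""
    with opener(build_nmi_host_token_request(pod_namespace, pod_name, resource)) as resp:
        data = json.loads(resp.read())
    for field in ("token", "clientid"):
        if field not in data:
            raise ValueError(f"NMI response is missing {field!r}")
    return data


# --- Constructed sample data (not captured from a real node) ------------------
CONSTRUCTED_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CONSTRUCTED_NMI_BODY = json.dumps({
    "token": {"access_token": "constructed.token.value", "expires_on": "1700003600"},
    "clientid": CONSTRUCTED_CLIENT_ID,
}).encode()


def fake_nmi_opener(req: urllib.request.Request) -> io.BytesIO:
    """Offline stand-in for urlopen that insists on the pod-identifying headers."""
    assert req.get_header("Podns") and req.get_header("Podname"), "NMI cannot match a pod"
    return io.BytesIO(CONSTRUCTED_NMI_BODY)


if __name__ == "__main__":
    data = fetch_host_token("default", "demo", "https://management.azure.com/",
                            opener=fake_nmi_opener)
    print(f"NMI answered with identity {data['clientid']}")
```

Because the caller, not NMI, decides which pod the request is attributed to, this endpoint only makes sense on the node itself; that is why it listens on 127.0.0.1 rather than on the IMDS address the pods use.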