An Azure virtual machine runs a single application that must read secrets from Azure Key Vault without any credentials stored on the host. The identity team requires that the application's identity be created when the virtual machine is created and removed automatically when the virtual machine is deleted, with no separate object to clean up. Which workload identity should be configured on the virtual machine?
- A. A system-assigned managed identity enabled directly on the virtual machine so its lifecycle is tied to the virtual machine resource. (Correct)
- B. A user-assigned managed identity created in a resource group, then attached to the virtual machine so the application can request tokens for Key Vault.
- C. An app registration with a client secret stored in Key Vault, with the secret read by the application at start-up to authenticate.
- D. A service principal created manually with a certificate credential, then referenced by the application running on the virtual machine.
Why A is correct: A system-assigned managed identity is created with the virtual machine and deleted automatically when the virtual machine is deleted, giving credential-free token access bound to that one resource's lifecycle.
Why B is wrong: A user-assigned managed identity has an independent lifecycle and is not deleted with the virtual machine, so it leaves a standalone object to clean up, which the requirement forbids.
Why C is wrong: An app registration relies on a client secret the team must manage and rotate, which contradicts the no-stored-credentials requirement and is not tied to the virtual machine lifecycle.
Why D is wrong: A manually created service principal with a certificate is an independent object whose credential and lifecycle must be maintained separately, so it is neither credential-free nor automatically removed with the virtual machine.
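The lifecycle binding behind option A, as an added Bicep example that is not part of the question: the identity block on the VM resource creates the identity with the VM, and the Key Vault role assignment references that identity's principalId, so nothing identity-related outlives the VM. Assumed: the network interface and Key Vault already exist, the names are placeholders, and the built-in "Key Vault Secrets User" role GUID should be verified in your tenant.

```bicep
// Added example, not the question's own material: a VM whose identity is created
// and destroyed with it, and a Key Vault role bound to that identity.
// Assumed: NIC and Key Vault already exist; names and the role GUID are assumptions.
param location string = resourceGroup().location
param vmName string = 'app-vm'
param nicName string = 'app-vm-nic'
param keyVaultName string = 'kv-placeholder'
@secure()
param adminPassword string

resource nic 'Microsoft.Network/networkInterfaces@2023-04-01' existing = { name: nicName }
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName }

resource vm 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: vmName
  location: location
  // Option A: no standalone identity object; it is removed when the VM is deleted.
  // Option B would be type: 'UserAssigned' with userAssignedIdentities, a separate resource.
  identity: { type: 'SystemAssigned' }
  properties: {
    hardwareProfile: { vmSize: 'Standard_B2s' }
    osProfile: { computerName: vmName, adminUsername: 'azureuser', adminPassword: adminPassword }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: '0001-com-ubuntu-server-jammy'
        sku: '22_04-lts-gen2'
        version: 'latest'
      }
      osDisk: { createOption: 'FromImage' }
    }
    networkProfile: { networkInterfaces: [ { id: nic.id } ] }
  }
}

// Built-in "Key Vault Secrets User" role: read-only on secrets, so the VM gets
// no more than the application needs. Verify the GUID in your tenant.
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kvSecretsRead 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, vm.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    // principalId is only known after the VM exists; Bicep orders the deployment accordingly.
    principalId: vm.identity.principalId
    // Declaring the type avoids failures while the new identity replicates in Entra ID.
    principalType: 'ServicePrincipal'
  }
}
```

The role assignment only grants secret access if the Key Vault uses the Azure RBAC permission model (enableRbacAuthorization set to true); a vault on the access-policy model needs an access policy entry for the same principalId instead.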