diff --git a/aks/cluster_data/outputs.tf b/aks/cluster_data/outputs.tf index 82b8892..079c8cf 100644 --- a/aks/cluster_data/outputs.tf +++ b/aks/cluster_data/outputs.tf @@ -31,7 +31,15 @@ output "ingress_domain" { } output "kubelogin_args" { - value = local.spn_authentication ? local.kubelogin_args_map["spn"] : local.kubelogin_args_map["azurecli"] + description = "Kubelogin arguments to use configure the kubernetes provider. Allows workload identity, service principal secret and azure cli" + # If running in github actions, use either spn secret authentication or workload identity. If not, use azure cli. + value = (local.running_in_github_actions ? ( + local.spn_secret_authentication ? + local.kubelogin_args_map["spn"] : + local.kubelogin_args_map["workloadidentity"] + ) : + local.kubelogin_args_map["azurecli"] + ) } output "azure_RBAC_enabled" { value = local.azure_RBAC_enabled diff --git a/aks/cluster_data/tfdocs.md b/aks/cluster_data/tfdocs.md index 65de583..e60dd2e 100644 --- a/aks/cluster_data/tfdocs.md +++ b/aks/cluster_data/tfdocs.md @@ -36,7 +36,7 @@ No modules. | [azure\_RBAC\_enabled](#output\_azure\_RBAC\_enabled) | n/a | | [configuration\_map](#output\_configuration\_map) | n/a | | [ingress\_domain](#output\_ingress\_domain) | n/a | -| [kubelogin\_args](#output\_kubelogin\_args) | n/a | +| [kubelogin\_args](#output\_kubelogin\_args) | Kubelogin arguments to use configure the kubernetes provider. Allows workload identity, service principal secret and azure cli | | [kubernetes\_client\_certificate](#output\_kubernetes\_client\_certificate) | n/a | | [kubernetes\_client\_key](#output\_kubernetes\_client\_key) | n/a | | [kubernetes\_cluster\_ca\_certificate](#output\_kubernetes\_cluster\_ca\_certificate) | n/a | diff --git a/aks/cluster_data/variables.tf b/aks/cluster_data/variables.tf index 8c5b3e8..e7323ba 100644 --- a/aks/cluster_data/variables.tf +++ b/aks/cluster_data/variables.tf 
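Review bot: The new `value` expression makes the service-principal secret win over workload identity whenever both are present in the GitHub Actions environment, but neither the description nor the inline comment says so, and the description has a typo ("to use configure"). Suggest `description = "Kubelogin arguments used to configure the kubernetes provider: service principal secret (if AAD_SERVICE_PRINCIPAL_CLIENT_SECRET is set) or workload identity when running in GitHub Actions, Azure CLI otherwise"` and extending the comment to note that secret-based login takes precedence over federated login when both are configured. Since the secret path is the less desirable one from a credential-hygiene standpoint, consider inverting the precedence or making the choice an explicit input variable rather than inferring it from the runner environment. The locals this output depends on (`running_in_github_actions`, `spn_secret_authentication`) are defined outside this hunk.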
@@ -90,10 +90,18 @@ locals { "azurecli", "--server-id", "6dae42f8-4368-4678-94ff-3960e28e3630" + ], + workloadidentity = [ + "get-token", + "--login", + "workloadidentity", + "--server-id", + "6dae42f8-4368-4678-94ff-3960e28e3630" ] } azure_RBAC_enabled = length(data.azurerm_kubernetes_cluster.main.azure_active_directory_role_based_access_control) > 0 - spn_authentication = contains(keys(data.environment_variables.github_actions.items), "GITHUB_ACTIONS") + running_in_github_actions = contains(keys(data.environment_variables.github_actions.items), "GITHUB_ACTIONS") + spn_secret_authentication = contains(keys(data.environment_variables.github_actions.items), "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET") }
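Review bot: `spn_secret_authentication` is a presence check on the key only, so an empty or stale `AAD_SERVICE_PRINCIPAL_CLIENT_SECRET` in the runner environment will still route to `--login spn` instead of workload identity; a value check is safer, e.g. `spn_secret_authentication = trimspace(lookup(data.environment_variables.github_actions.items, "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET", "")) != ""`. If `data.environment_variables.github_actions` reads the whole process environment (its definition is not in this hunk), the secret's value is captured in the plan and state file, so it is worth filtering that data source to the specific variable names needed. The `--server-id` GUID is now repeated in three argument lists; hoisting it into a single local such as `aks_aad_server_id = "6dae42f8-4368-4678-94ff-3960e28e3630"` keeps the three entries from drifting.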