Is it valid to omit "azure.workload.identity/client-id" when using system-assigned managed identities?

[ofirc]

When using the Azure Workload Identity, what happens when you don't use the client-id annotation?

I created a Pod with a label azure.workload.identity/use: true but didn't use annotation azure.workload.identity/client-id and I didn't see the Azure env vars injected onto the Pod, as expected.

I looked at the docs (link1, link2) but they do not specify what is the expected behavior and I'm confused.

The omission of client-id is on purpose as I want to KISS and I'm using a system-assigned managed identity.

What is the expected behavior here? Is it (Azure Workload Identity) only supported with a user-assigned managed identity?

Also, what credentials providers CLI or Golang packages can be built on top of this?
I am assuming that there are credentials providers that either (1) Use the Azure SDK or (2) Can rely on the injected env vars and the projected service account token, and use that to access ACRs (or contact Azure AAD to obtain temporary tokens for the ACRs).