Dynamic Istio token generation for VM workloads

I’m able to get virtual machine installation working with Istio 1.8; however, there is still the practical issue of how new Istio tokens should be generated for dynamic workloads. (Guide: Istio / Virtual Machine Installation)

The guide does not mention that each VM must have a unique Istio token. This creates a problem for VMs that are deployed in an auto-scaling group. While the root certificate, mesh.yaml, hosts, and cluster.env files can be prepared ahead of time, the Istio token must be generated as the VM boots.

Naively, one way to accomplish this would be to supply Kubernetes credentials to each VM to allow it to run istioctl x workload entry configure -f workloadgroup.yaml -o "${WORK_DIR}" --clusterID "${CLUSTER}". Has anyone implemented this?

Is anyone aware of another option? Although this topic is referenced in SPIRE documentation, I haven’t seen it discussed with Istio.