This documentation is for the most recent version of Anthos clusters on Azure, released on August 4. See the Release notes for more information.

Connect and authenticate to your cluster

This page explains how to how to connect and authenticate to Anthos clusters on Azure .

You have multiple options to authenticate to Anthos clusters. The cluster generates a Kubernetes ClusterRole automatically for the user that created the cluster. To login using Connect gateway, use the
gcloud container azure clusters get-credentials CLUSTER_NAME

To connect to your cluster on Azure from a device with direct connectivity to the cluster VPC you can use the following command:

gcloud container azure clusters get-credentials CLUSTER_NAME --private-endpoint

command. For more information, see Configure cluster access for kubectl.

Additional users logging in this way would need additional clusterroles provisioned.

All of these options below assume that Connect gateway or the user is able to connect to your cluster's control plane:

  • Google identity: The default authentication option provided by Anthos clusters on Azure without additional configuration. By default, the identity that creates the cluster has administrator access. To configure additional users, pass the --admin-users flag when you create a cluster.

  • Open ID Connect (OIDC) : Supported by Anthos Identity Service

    For both authentication options, your cluster administrator needs to set up the cluster with their Google identity.

Google identity Authentication

You can authenticate to your cluster with your Google identity in the following ways:

Use kubectl with identity from the Google Cloud CLI

You can use the Google Cloud CLI to create a kubeconfig. This kubeconfig uses the identity of the user authenticated with gcloud login. You can then use kubectl to access the cluster.

For more information, see Configure cluster access for kubectl.

Use Google Cloud console

To set up access to the console using Google identity, see Setting up the Connect gateway.


For more information on authenticating to your cluster with OIDC, see Manage identity with Anthos Identity Service.

Connect to your cluster's control plane

All Anthos clusters on Azure are created in private subnets. All the underlying cluster infrastructure (for example, nodes and load balancer endpoints) is provisioned with private RFC 1918 IP addresses only.

To manage your cluster directly, you must be able to connect to the control plane load balancer of your cluster. If your cluster can't connect directly to your control plane but can make outbound connections, you can connect to the control plane through Connect gateway, a Google-hosted reverse proxy to your cluster. For more information, see Connect overview.

You can also connect through Azure's ExpressRoute service.