Create an Azure Active Directory application
In this section, you create an Azure Active Directory (Azure AD) application and service principal objects. GKE on Azure uses these objects to store configuration information on Azure.
To create the Azure AD application, run the following command:

    az ad app create --display-name APPLICATION_NAME

Replace APPLICATION_NAME with a name for your application, for example anthos-clusters.

To save the application's ID to an environment variable for later use, run the following command:

    APPLICATION_ID=$(az ad app list --all \
      --query "[?displayName=='APPLICATION_NAME'].appId" \
      --output tsv)

Replace APPLICATION_NAME with the name of your application. Display names are not unique in Azure AD: if more than one application has this name, the query returns several IDs and the variable contains more than one line, so check that it holds exactly one value before continuing.

To create a service principal for the application, run the following command:

    az ad sp create --id "${APPLICATION_ID}"
Set up Workload identity federation
Workload identity federation allows GKE on Azure to authenticate to Azure using a Google service account. This method of authenticating to Azure is simpler than the legacy AzureClient authentication method, which requires you to manage certificates and manually upload them to Azure Active Directory (AD).
To configure a federated identity credential on your Azure AD application, follow these steps. Note that you can add up to twenty federated identity credentials to each Azure AD application.

1. Create a JSON file named credential.json:

    {
      "name": "CREDENTIAL_NAME",
      "issuer": "https://accounts.google.com",
      "subject": "service-PROJECT_NUMBER@gcp-sa-gkemulticloud.iam.gserviceaccount.com",
      "audiences": ["api://AzureADTokenExchange"],
      "description": "Allow GKE on Azure to authenticate to the Azure AD application using a Google service account."
    }

   Replace the following:

   CREDENTIAL_NAME: the credential name.
   PROJECT_NUMBER: the numeric project number (not the project ID) of the Google Cloud project that hosts the cluster.

   Azure AD only exchanges a Google-issued token for this application's identity when the token's issuer, subject and audience all match these values exactly. The subject therefore pins the trust to the GKE multi-cloud service agent of a single project; do not widen it.

2. Create the federated identity credential on the Azure AD application:

    az ad app federated-credential create --id "${APPLICATION_ID}" --parameters credential.json
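The following script is an added example and is not part of the GKE on Azure documentation or the az CLI. It ties together the two procedures above (creating the application and service principal, then the federated identity credential): it generates credential.json from a credential name and a project number, rejects a project ID where a project number is required, checks that the file pins exactly the Google issuer, the Azure token-exchange audience and the service-agent subject before anything is submitted, and only then runs the az commands from this page. The function names, the DRY_RUN switch and the name character set (assumed from Azure's documented limit of 3 to 120 letters, digits, dashes and underscores) are this example's own; the az invocations use only the subcommands and global --query/--output options shown above. Reading the app ID from `az ad app create` directly avoids the ambiguity of non-unique display names.

```shell
#!/usr/bin/env bash
# Added example, not from the GKE on Azure docs. Builds and checks the
# federated identity credential, then runs the az steps unless DRY_RUN is set.
set -euo pipefail

GOOGLE_ISSUER="https://accounts.google.com"
AZURE_AUDIENCE="api://AzureADTokenExchange"

# Subject claim presented by GKE on Azure's service agent. It is derived from
# the numeric project NUMBER, not the project ID.
gke_subject() {
  printf 'service-%s@gcp-sa-gkemulticloud.iam.gserviceaccount.com' "$1"
}

# A Google Cloud project number is digits only; "my-project" is a project ID.
is_project_number() {
  printf '%s' "$1" | grep -Eq '^[0-9]+$'
}

# Name check (assumed from Azure's 3-120 char limit: letters, digits, dash,
# underscore). It also keeps quotes and braces out of the JSON we write and
# out of the JMESPath query passed to az.
is_safe_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]{2,119}$'
}

# Write credential.json for NAME and PROJECT_NUMBER to OUT. Inputs are
# validated first so nothing untrusted reaches the file.
write_credential_json() {
  local name="$1" project_number="$2" out="$3"
  is_safe_name "$name" || { echo "bad credential name: $name" >&2; return 1; }
  is_project_number "$project_number" || { echo "not a project number: $project_number" >&2; return 1; }
  cat >"$out" <<EOF
{
  "name": "$name",
  "issuer": "$GOOGLE_ISSUER",
  "subject": "$(gke_subject "$project_number")",
  "audiences": ["$AZURE_AUDIENCE"],
  "description": "Allow GKE on Azure to authenticate to the Azure AD application using a Google service account."
}
EOF
}

# Check that a credential.json pins exactly what GKE on Azure needs. A wrong
# issuer or a subject for some other identity would let another party's tokens
# be exchanged for this application's identity.
validate_credential_json() {
  local f="$1"
  grep -Fq "\"issuer\": \"$GOOGLE_ISSUER\"" "$f" || return 1
  grep -Fq "\"audiences\": [\"$AZURE_AUDIENCE\"]" "$f" || return 1
  grep -Eq '"subject": "service-[0-9]+@gcp-sa-gkemulticloud\.iam\.gserviceaccount\.com"' "$f" || return 1
}

# Full procedure from the page. With DRY_RUN set, nothing is sent to Azure.
federate_app() {
  local app_name="$1" cred_name="$2" project_number="$3"
  is_safe_name "$app_name" || { echo "bad application name: $app_name" >&2; return 1; }
  local tmp
  tmp="$(mktemp)"
  write_credential_json "$cred_name" "$project_number" "$tmp"
  validate_credential_json "$tmp"
  if [ -n "${DRY_RUN:-}" ]; then
    echo "dry run: would create app $app_name with credential $cred_name"
    rm -f "$tmp"
    return 0
  fi
  local app_id
  # Take the ID from the create call itself; display names are not unique.
  app_id="$(az ad app create --display-name "$app_name" --query appId --output tsv)"
  az ad sp create --id "$app_id" >/dev/null
  az ad app federated-credential create --id "$app_id" --parameters "$tmp"
  rm -f "$tmp"
}

# Usage (remove DRY_RUN to run against Azure):
# DRY_RUN=1 federate_app anthos-clusters anthos-fed 123456789012
```

Run the script with `DRY_RUN=1` first: it will stop with a clear message if you passed a project ID instead of the project number, which would otherwise produce a credential whose subject never matches the token and fail only at cluster creation time.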
For more details, see the Azure documentation Azure AD workload identity federation with Google Cloud.
You can also provision the Azure federated identity credential using Terraform. For details, see azuread_application_federated_identity_credential.