Create a client certificate

GKE on Azure authenticates to Azure with an AzureClient resource. When you create a client, Google generates a key pair. You upload the public key to Azure Active Directory (Azure AD). The GKE Multi-Cloud API uses the AzureClient to authenticate as the application's service principal.

You can use the same AzureClient to create multiple clusters in the same Google Cloud project. If you already have an AzureClient, skip to Create an SSH key pair.

To create an AzureClient, run the following commands:

  1. Set environment variables with your Azure tenant and application IDs:

    export SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)
    export TENANT_ID=$(az account list \
      --query "[?id=='${SUBSCRIPTION_ID}'].{tenantId:tenantId}" --output tsv)
    export APPLICATION_ID=$(az ad app list --all \
      --query "[?displayName=='APPLICATION_NAME'].appId" --output tsv)

    Replace APPLICATION_NAME with the Azure AD application name that you used when completing the prerequisites.

  2. Create the client:

    gcloud container azure clients create CLIENT_NAME \
      --location=GOOGLE_CLOUD_LOCATION \
      --tenant-id="${TENANT_ID}" \

    Replace the following:

    • CLIENT_NAME: the name of your AzureClient
    • GOOGLE_CLOUD_LOCATION: the supported Google Cloud region that manages your cluster—for example, us-west1
  3. Get the certificate from an AzureClient and save it to an environment variable:

     CERT=$(gcloud container azure clients get-public-cert --location=GOOGLE_CLOUD_LOCATION \

    Replace the following:

  4. Upload the certificate to your application on Azure AD:

     az ad app credential reset --id "${APPLICATION_ID}" --cert "${CERT}" --append
  5. After the certificate uploads and before you create a cluster, wait at least one minute for the certificate to be ready to use. If the command fails, you can try again.

What's next