Create an Azure Active Directory application

In this section, you create an Azure Active Directory (Azure AD) application and service principal objects. GKE on Azure uses these objects to store configuration information on Azure.

  1. To create the Azure AD application, run the following command:

     az ad app create --display-name APPLICATION_NAME

     Replace APPLICATION_NAME with a name for your application, for example anthos-clusters.

  2. To save the application's ID to an environment variable for later use, run the following command:

     APPLICATION_ID=$(az ad app list --all \
       --query "[?displayName=='APPLICATION_NAME'].appId" \
       --output tsv)

     Replace APPLICATION_NAME with the name of your application.

  3. To create a service principal for the application, run the following command:

     az ad sp create --id "${APPLICATION_ID}"


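Azure AD does not require application display names to be unique, so the `--query` in step 2 can return more than one appId, and a multi-line value would then be passed to `az ad sp create --id` in step 3. The following helper is an added example, not part of the original page or of the Google or Azure tooling; it filters the tsv output of `az ad app list` and accepts it only when it is exactly one GUID. The function name and the sample GUIDs are this example's own.

```shell
#!/bin/sh
# Added example: guard the APPLICATION_ID lookup from step 2.
# Reads the `--output tsv` text of `az ad app list` on stdin and prints the
# single appId, or fails when zero or several applications match the name.
require_single_app_id() {
  # Keep only lines that look like a GUID (the shape of an Azure appId).
  ids=$(grep -Ei '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')
  count=$(printf '%s\n' "$ids" | grep -c .)
  case "$count" in
    1) printf '%s\n' "$ids"; return 0 ;;
    0) echo "no application found with that display name" >&2; return 1 ;;
    *) echo "$count applications share that display name; pick the intended appId explicitly" >&2; return 2 ;;
  esac
}

# Real use (needs an authenticated az session), replacing APPLICATION_NAME as on the page:
#   APPLICATION_ID=$(az ad app list --all \
#     --query "[?displayName=='APPLICATION_NAME'].appId" --output tsv | require_single_app_id)
#
# Offline demonstration on constructed sample output (two colliding names):
printf '11111111-2222-3333-4444-555555555555\naaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n' \
  | require_single_app_id || echo "refusing to continue with an ambiguous APPLICATION_ID"
```

Because the pipeline fails instead of silently assigning two IDs, the `az ad sp create` step cannot run against the wrong application.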
Set up Workload identity federation

Note: GKE on Azure provides two methods of authenticating to Azure: workload identity federation authentication and AzureClient authentication. We recommend that you use the workload identity federation method described in this document, because it's simpler and more secure.

Workload identity federation allows GKE on Azure to authenticate to Azure using a Google service account. This method of authenticating to Azure is simpler than the legacy AzureClient authentication method, which requires you to manage certificates and manually upload them to Azure Active Directory (AD).

To configure a federated identity credential on your Azure AD application, run the following commands. Note that you can add up to twenty credentials to each Azure AD application.

  1. Create a JSON file named credential.json with the following content:

     {
       "name": "CREDENTIAL_NAME",
       "issuer": "https://accounts.google.com",
       "subject": "service-PROJECT_NUMBER@gcp-sa-gkemulticloud.iam.gserviceaccount.com",
       "audiences": ["api://AzureADTokenExchange"],
       "description": "Allow GKE on Azure to authenticate to the Azure AD application using a Google service account."
     }

     Replace the following:
     • CREDENTIAL_NAME: the credential name.
     • PROJECT_NUMBER: the number of the Google Cloud project that hosts the cluster.

  2. Create a federated identity credential on the Azure AD application:

     az ad app federated-credential create --id "${APPLICATION_ID}" \
       --parameters credential.json
    

For more details, see the Azure documentation on Azure AD workload identity federation with Google Cloud.

You can also provision the Azure federated identity credential using Terraform. For details, see the azuread_application_federated_identity_credential resource.
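The three fields in credential.json decide who can exchange a token for this application: `issuer` limits it to Google-issued tokens, `audiences` to tokens minted for the Azure AD exchange endpoint, and `subject` to the GKE multi-cloud service agent of one specific project. The following script is an added example, not part of the original page or of Google's tooling: it generates credential.json from CREDENTIAL_NAME and PROJECT_NUMBER and checks those three fields before the file is handed to `az ad app federated-credential create`. The function names and the sample project number are this example's own.

```shell
#!/bin/sh
# Added example: build and sanity-check credential.json for GKE on Azure
# workload identity federation. Expected values are the ones the page shows.
EXPECTED_ISSUER="https://accounts.google.com"
EXPECTED_AUDIENCE="api://AzureADTokenExchange"
SUBJECT_SUFFIX="@gcp-sa-gkemulticloud.iam.gserviceaccount.com"

# make_credential_json NAME PROJECT_NUMBER OUTFILE
# Writes the document from the page with the two placeholders filled in.
make_credential_json() {
  printf '{\n  "name": "%s",\n  "issuer": "%s",\n  "subject": "service-%s%s",\n  "audiences": ["%s"],\n  "description": "Allow GKE on Azure to authenticate to the Azure AD application using a Google service account."\n}\n' \
    "$1" "$EXPECTED_ISSUER" "$2" "$SUBJECT_SUFFIX" "$EXPECTED_AUDIENCE" > "$3"
}

# check_credential_json FILE
# Returns 0 only when issuer, audience and subject are pinned as expected;
# each failure prints why and returns a distinct non-zero code.
check_credential_json() {
  f="$1"
  grep -q "\"issuer\": *\"$EXPECTED_ISSUER\"" "$f" \
    || { echo "issuer must be $EXPECTED_ISSUER (only Google-issued tokens may be exchanged)" >&2; return 1; }
  grep -q "\"audiences\": *\[ *\"$EXPECTED_AUDIENCE\" *]" "$f" \
    || { echo "audiences must be exactly [\"$EXPECTED_AUDIENCE\"]" >&2; return 2; }
  grep -Eq "\"subject\": *\"service-[0-9]+$SUBJECT_SUFFIX\"" "$f" \
    || { echo "subject must be service-PROJECT_NUMBER$SUBJECT_SUFFIX with a numeric project number" >&2; return 3; }
}

# Usage: sh make-credential.sh CREDENTIAL_NAME PROJECT_NUMBER
# Writes ./credential.json and reports whether it passed the checks.
if [ "$#" -eq 2 ]; then
  make_credential_json "$1" "$2" credential.json
  check_credential_json credential.json \
    && echo "credential.json is ready for: az ad app federated-credential create --id \"\${APPLICATION_ID}\" --parameters credential.json"
fi
```

Run it as `sh make-credential.sh anthos-clusters 123456789012` (a constructed project number) and then continue with step 2 above; a file whose subject is not the numeric-project form of the service agent, or whose issuer or audience differs from the page's values, is rejected before it reaches Azure.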

What's next
