Version 1.14. This version is no longer supported. For information about how to upgrade to version 1.15, see Upgrading Anthos on bare metal in the 1.15 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.
You can update existing cluster credentials in Google Distributed Cloud with the `bmctl` command. When you update cluster credentials, the new information is passed to
admin or hybrid clusters, or automatically routed to affected user clusters
managed by an admin cluster.
Cluster credentials that can be updated
Google Distributed Cloud clusters require multiple credentials when they are created.
You set the credentials in the cluster config when you create an admin, standalone, or hybrid
cluster. User clusters, as noted above, are managed by an admin cluster (or a hybrid cluster acting as admin), and will reuse the same credentials from the admin cluster.
You can update the following credentials, and their corresponding secrets,
in Google Distributed Cloud clusters with the `bmctl` command:
- SSH private key -- used for node access.
- Container Registry key -- service account key used to authenticate with Container Registry for image pulling.
- Connect agent service account key -- service account key used by Connect agent pods.
- Connect registry service account key -- service account key used to authenticate with Hub when registering or unregistering a cluster.
- Cloud operations service account key -- service account key to authenticate with Cloud Operations (logging & monitoring) APIs.
Update credentials with `bmctl`
1. Prepare the new values for the credentials you want to update:
   - You can generate new Google service account keys through the `gcloud` command or through the Google Cloud UI.
   - Generate new SSH private key credentials in the machines that make up the Google Distributed Cloud clusters.
2. Update the secrets with the `bmctl` command, adding the appropriate flags described below.
   For example, here `bmctl` updates the credentials for a new
   SSH private key, where `ADMIN_KUBECONFIG` specifies the path to the kubeconfig of the admin, hybrid, or standalone
   cluster, `SSH_KEY_PATH` specifies the path to the new SSH private
   key, and `CLUSTER_NAME` specifies the name of the cluster:
```
bmctl update credentials --kubeconfig ADMIN_KUBECONFIG --ssh-private-key-path \
    SSH_KEY_PATH --cluster CLUSTER_NAME
```

You can specify the following flags with `bmctl` to update credentials:

Last updated 2025-09-04 UTC.
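A pre-flight wrapper around the SSH private key update shown above, as an added example that is not part of the original documentation. `check_ssh_key_file`, `rotate_ssh_key` and the `DRY_RUN` switch are hypothetical names introduced here; the script only prints the `bmctl` command unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example (not from the product documentation). check_ssh_key_file and
# rotate_ssh_key are hypothetical helper names; DRY_RUN is an assumed switch.

# Print "ok" and return 0 only if the file looks like a protected private key.
check_ssh_key_file() {
    key=$1
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "not a regular file: $key"; return 1
    fi
    # Group/other permission bits would expose the node-access key to
    # other local users on the machine where bmctl is run.
    perms=$(ls -ld "$key" | cut -c1-10)
    case $perms in
        -r[w-]-------) ;;
        *) echo "permissions $perms, expected 600 or 400"; return 1 ;;
    esac
    # Catches the common mix-up of passing the .pub file or an empty file.
    if ! head -n 1 "$key" | grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----$'; then
        echo "no private key header in $key"; return 1
    fi
    echo "ok"
}

# Validate the inputs, then assemble the page's command. The command is only
# printed unless DRY_RUN=0 is set, so it can be reviewed before it runs.
rotate_ssh_key() {
    kubeconfig=$1 key=$2 cluster=$3
    reason=$(check_ssh_key_file "$key") || { echo "abort: $reason" >&2; return 1; }
    [ -r "$kubeconfig" ] || { echo "abort: cannot read $kubeconfig" >&2; return 1; }
    [ -n "$cluster" ] || { echo "abort: empty cluster name" >&2; return 1; }
    set -- bmctl update credentials --kubeconfig "$kubeconfig" \
        --ssh-private-key-path "$key" --cluster "$cluster"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

Source the file and call `rotate_ssh_key ADMIN_KUBECONFIG SSH_KEY_PATH CLUSTER_NAME` to review the command, then repeat with `DRY_RUN=0` to apply it.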