Stay organized with collectionsSave and categorize content based on your preferences.
Create a client certificate
Note:The legacyAzureClientmethod of
authenticating to Azure requires you to manage secrets and upload them
manually. We recommend that you useworkload identity federationinstead.
GKE on Azure authenticates to Azure with anAzureClientresource. When you create a client, Google generates a key pair. You upload the
public key to Azure Active Directory (Azure AD). The GKE Multi-Cloud API uses the
AzureClient to authenticate as the application's service principal.
You can use the same AzureClient to create multiple clusters in the same
Google Cloud project. If you already have an AzureClient, skip toCreate an SSH key pair.
To create an AzureClient, run the following commands:
Set environment variables with your Azure tenant and application IDs:
After the certificate uploads and before you create a cluster, wait at least
one minute for the certificate to be ready to use. If the command fails, you
can try again.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Create a client certificate\n===========================\n\n\u003cbr /\u003e\n\n| **Note:** The legacy *AzureClient* method of\n| authenticating to Azure requires you to manage secrets and upload them\n| manually. We recommend that you use [workload identity federation](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application#workload-identity-federation)\n| instead.\n\n\u003cbr /\u003e\n\nGKE on Azure authenticates to Azure with an *AzureClient*\nresource. When you create a client, Google generates a key pair. You upload the\npublic key to Azure Active Directory (Azure AD). The GKE Multi-Cloud API uses the\nAzureClient to authenticate as the application's service principal.\n\nYou can use the same AzureClient to create multiple clusters in the same\nGoogle Cloud project. If you already have an AzureClient, skip to\n[Create an SSH key pair](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-ssh-keypair).\n\nTo create an AzureClient, run the following commands:\n\n1. Set environment variables with your Azure tenant and application IDs:\n\n export SUBSCRIPTION_ID=$(az account show --query \"id\" --output tsv)\n export TENANT_ID=$(az account list \\\n --query \"[?id=='${SUBSCRIPTION_ID}'].{tenantId:tenantId}\" --output tsv)\n export APPLICATION_ID=$(az ad app list --all \\\n --query \"[?displayName=='\u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e'].appId\" --output tsv)\n\n Replace \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e with the Azure AD\n application name that you used when completing the\n [prerequisites](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-azure-ad-application).\n2. Create the client:\n\n gcloud container azure clients create \u003cvar translate=\"no\"\u003eCLIENT_NAME\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eGOOGLE_CLOUD_LOCATION\u003c/var\u003e \\\n --tenant-id=\"${TENANT_ID}\" \\\n --application-id=\"${APPLICATION_ID}\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLIENT_NAME\u003c/var\u003e: the name of your AzureClient\n - \u003cvar translate=\"no\"\u003eGOOGLE_CLOUD_LOCATION\u003c/var\u003e: the [supported Google Cloud region](/kubernetes-engine/multi-cloud/docs/azure/reference/supported-regions) that manages your cluster---for example, `us-west1`\n3. Get the certificate from an AzureClient and save it to an environment\n variable:\n\n CERT=$(gcloud container azure clients get-public-cert --location=\u003cvar translate=\"no\"\u003eGOOGLE_CLOUD_LOCATION\u003c/var\u003e \\\n \u003cvar translate=\"no\"\u003eCLIENT_NAME\u003c/var\u003e)\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eGOOGLE_CLOUD_LOCATION\u003c/var\u003e\n - \u003cvar translate=\"no\"\u003eCLIENT_NAME\u003c/var\u003e\n4. Upload the certificate to your application on Azure AD:\n\n az ad app credential reset --id \"${APPLICATION_ID}\" --cert \"${CERT}\" --append\n\n5. After the certificate uploads and before you create a cluster, wait at least\n one minute for the certificate to be ready to use. If the command fails, you\n can try again.\n\n | **Note:** If the preceding command fails with the\n | following message, save the certificate to a file and upload it to your\n | application's page on the Azure portal: \n |\n | ```\n | Update to existing credential with KeyId 'XXXXXXX-XXXXX-XXX-XXXX-XXXXXXXXXXXX' is not allowed.\n | ```\n |\n |\n | To get a link to your application's page, replace\n | \u003cvar translate=\"no\"\u003eAPPLICATION_ID\u003c/var\u003e in the following URL with your application's ID: \n |\n | ```\n | https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Credentials/appId/APPLICATION_ID\n | ```\n\nWhat's next\n-----------\n\n- [Create an SSH key pair](/kubernetes-engine/multi-cloud/docs/azure/how-to/create-ssh-keypair)"]]
