The gdcloud CLI authentication

This page details how to authenticate with your configured identity provider and get a kubeconfig file for your user identity and cluster.

Before you begin

Before you can authenticate with your identity provider and generate a kubeconfig file, ensure you have completed the following:

Run the gdcloud init command. For more information, see the Initialize gdcloud CLI default configuration section.
Install the authentication plugin, which is required to use a generated kubeconfig file:
```
gdcloud components install gdcloud-k8s-auth-plugin
```

gdcloud auth login

Follow the instructions to authenticate with your identity provider.

Consider the following when using the gdcloud auth login command:

It authenticates with the current organization. Run the gdcloud auth login command after switching organizations.
It requires that the certificate authority (CA) certificate for the login config is installed in the system's trusted certificates store. If the CA certificate is not installed, use the --login-config-cert flag to specify the path to find the CA certificate. For more information, see Web TLS certificate configuration.
It requires a browser to exist on the device. Use the --no-browser flag to log in with a second device.

After authenticating with the identity provider, get a kubeconfig file with your user identity:

gdcloud clusters get-credentials CLUSTER_NAME

This creates or updates the kubeconfig file in the default path ${HOME}/.kube/config with the authenticated user and cluster.

Consider the following when generating or updating your kubeconfig file:

Specify the desired path in the KUBECONFIG environment path to save it to a different path.
The kubeconfig is a long-lived file, however the token authenticating the user is short-lived. If a kubeconfig file stops working, run the gdcloud auth login command to authenticate again.