Set up a credential that allows VMware Tanzu Mission Control to connect to your Azure subscription and manage resources in your Azure account.

An account credential is required for managing the lifecycle of Azure AKS clusters. A single credential can contain multiple subscriptions. You can create clusters in any of the subscriptions from that credential. You specify which subscription to use when creating AKS clusters.

Subscriptions are added at credential creation and cannot be edited afterward.


There is a five (5) minute sync period between the Azure account and Tanzu Mission Control, so newly created resources (such as a subnet) may not appear as available in Tanzu Mission Control immediately. The sync must complete before you try to create another resource.


Log in to the Tanzu Mission Control console, as described in Log In to the Tanzu Mission Control Console.

Make sure that you are logged in to your Azure account.

Make sure you have the appropriate permissions to create Azure AKS credentials.
  • To create a credential for Azure AKS, you must be associated with the cluster.admin role.

For more information about roles and permissions in Tanzu Mission Control, see Access Control and Users and Groups in VMware Tanzu Mission Control Concepts.


  1. In the Tanzu Mission Control console, click Administration in the left navigation pane.
  2. Click the Accounts tab.
  3. Click Create Credential and select Azure AKS from the dropdown list.
  4. Enter a name for the credential, and optionally a description and one or more labels.
  5. Click Next.
  6. Select the type of service principal to use.
    Tanzu Mission Control uses a service principal to connect to your Azure subscriptions.
    • Select Existing Service Principal and enter the IDs and certificate.
    • Select New Service Principal and create a service principal with the contributor role on each Azure subscription it has access to. Select either Azure CLI or Azure Portal UI and follow the instructions for the selected method.
  7. Enter one or more subscription IDs to associate them with the credential.
  8. Click Next.
  9. You can optionally change the region in which to place the Tanzu Mission Control management plane resources.
  10. Click Create.


Tanzu Mission Control creates the credential and makes it available for use. This process typically takes a few minutes. After about 15 minutes, the credential should be ready for cluster management.
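Because subscriptions cannot be edited after the credential is created, it helps to check the service principal's role assignments before entering the subscription IDs in step 7. The following is an added example, not part of the VMware documentation: it assumes the assignments were exported with `az role assignment list --assignee <appId> --all -o json`, and the function name, sample data, and subscription IDs are constructed for illustration.

```python
import json
import re

GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
SUB_SCOPE = re.compile(r"/subscriptions/([^/]+)/?", re.I)

# Constructed sample, shaped like the JSON printed by
# `az role assignment list --assignee <appId> --all -o json` (only the fields used here).
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"roleDefinitionName": "Owner",
   "scope": "/subscriptions/33333333-3333-3333-3333-333333333333"}
]
""")


def check_credential_scope(subscription_ids, assignments):
    """Compare the subscriptions planned for the credential with the
    service principal's role assignments.

    Returns (invalid_ids, missing, extra):
      invalid_ids: entries that are not well-formed subscription GUIDs
      missing:     planned subscriptions without subscription-level Contributor
      extra:       (role, scope) pairs the credential does not need
    """
    wanted = {s.strip().lower() for s in subscription_ids}
    invalid = sorted(s for s in wanted if not GUID.fullmatch(s))
    wanted -= set(invalid)
    covered, extra = set(), []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        m = SUB_SCOPE.fullmatch(scope)  # matches subscription-level scopes only
        sub = m.group(1).lower() if m else None
        if role.lower() == "contributor" and sub in wanted:
            covered.add(sub)
        else:
            extra.append((role, scope))  # broader, narrower, or unrelated grant
    return invalid, sorted(wanted - covered), extra


if __name__ == "__main__":
    planned = ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222", "not-a-guid"]
    print(check_credential_scope(planned, SAMPLE_ASSIGNMENTS))
```

An empty `missing` list means every planned subscription has the contributor role the procedure calls for; anything in `extra` is access the service principal holds beyond what this credential requires.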

What to do next

After the credential is created and available, you can use it to create Azure AKS clusters.