diff --git a/google/config.go b/google/config.go
index 78935c9f..ccf0e0d9 100644
--- a/google/config.go
+++ b/google/config.go
@@ -52,6 +52,8 @@ type Config struct {
 	client    *http.Client
 	userAgent string
 
+	tokenSource oauth2.TokenSource
+
 	clientBilling                *cloudbilling.Service
 	clientCompute                *compute.Service
 	clientComputeBeta            *computeBeta.Service
@@ -135,6 +137,8 @@ func (c *Config) loadAndValidate() error {
 		}
 	}
 
+	c.tokenSource = tokenSource
+
 	client.Transport = logging.NewTransport("Google", client.Transport)
 
 	versionString := terraform.VersionString()
diff --git a/google/data_source_google_client_config.go b/google/data_source_google_client_config.go
index ed9ec530..90f01aca 100644
--- a/google/data_source_google_client_config.go
+++ b/google/data_source_google_client_config.go
@@ -19,6 +19,12 @@ func dataSourceGoogleClientConfig() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+
+			"access_token": {
+				Type:      schema.TypeString,
+				Computed:  true,
+				Sensitive: true,
+			},
 		},
 	}
 }
@@ -30,5 +36,11 @@ func dataSourceClientConfigRead(d *schema.ResourceData, meta interface{}) error
 	d.Set("project", config.Project)
 	d.Set("region", config.Region)
 
+	token, err := config.tokenSource.Token()
+	if err != nil {
+		return err
+	}
+	d.Set("access_token", token.AccessToken)
+
 	return nil
 }
diff --git a/google/data_source_google_client_config_test.go b/google/data_source_google_client_config_test.go
index 506d09f7..b6b355e5 100644
--- a/google/data_source_google_client_config_test.go
+++ b/google/data_source_google_client_config_test.go
@@ -20,6 +20,7 @@ func TestAccDataSourceGoogleClientConfig_basic(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttrSet(resourceName, "project"),
 					resource.TestCheckResourceAttrSet(resourceName, "region"),
+					resource.TestCheckResourceAttrSet(resourceName, "access_token"),
 				),
 			},
 		},
diff --git a/website/docs/d/datasource_client_config.html.markdown b/website/docs/d/datasource_client_config.html.markdown
index 8b330f14..989185e7 100644
--- a/website/docs/d/datasource_client_config.html.markdown
+++ b/website/docs/d/datasource_client_config.html.markdown
@@ -20,6 +20,25 @@ output "project" {
 }
 ```
 
+## Example Usage: Configure Kubernetes provider with OAuth2 access token
+
+```tf
+data "google_client_config" "default" {}
+
+data "google_container_cluster" "my_cluster" {
+  name   = "my-cluster"
+  zone   = "us-east1-a"
+}
+
+provider "kubernetes" {
+  load_config_file = false
+
+  host = "https://${google_container_cluster.my_cluster.endpoint}"
+  token = "${data.google_client_config.default.access_token}"
+  cluster_ca_certificate = "${base64decode(google_container_cluster.my_cluster.master_auth.0.cluster_ca_certificate)}"
+}
+```
+
 ## Argument Reference
 
 There are no arguments available for this data source.
@@ -31,3 +50,5 @@ In addition to the arguments listed above, the following attributes are exported
 * `project` - The ID of the project to apply any resources to.
 
 * `region` - The region to operate under.
+
+* `access_token` - The OAuth2 access token used by the client to authenticate against the Google Cloud API.