diff --git a/resource_container_cluster.go b/resource_container_cluster.go
index 91c99482..cdb2de03 100644
--- a/resource_container_cluster.go
+++ b/resource_container_cluster.go
@@ -25,8 +25,10 @@ func resourceContainerCluster() *schema.Resource {
 		Schema: map[string]*schema.Schema{
 			"master_auth": &schema.Schema{
 				Type:     schema.TypeList,
-				Required: true,
+				Optional: true,
 				ForceNew: true,
+				MaxItems: 1,
+				Computed: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"client_certificate": &schema.Schema{
@@ -342,21 +344,20 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 	zoneName := d.Get("zone").(string)
 	clusterName := d.Get("name").(string)
 
-	masterAuths := d.Get("master_auth").([]interface{})
-	if len(masterAuths) > 1 {
-		return fmt.Errorf("Cannot specify more than one master_auth.")
-	}
-	masterAuth := masterAuths[0].(map[string]interface{})
-
 	cluster := &container.Cluster{
-		MasterAuth: &container.MasterAuth{
-			Password: masterAuth["password"].(string),
-			Username: masterAuth["username"].(string),
-		},
 		Name:             clusterName,
 		InitialNodeCount: int64(d.Get("initial_node_count").(int)),
 	}
 
+	if v, ok := d.GetOk("master_auth"); ok {
+		masterAuths := v.([]interface{})
+		masterAuth := masterAuths[0].(map[string]interface{})
+		cluster.MasterAuth = &container.MasterAuth{
+			Password: masterAuth["password"].(string),
+			Username: masterAuth["username"].(string),
+		}
+	}
+
 	if v, ok := d.GetOk("node_version"); ok {
 		cluster.InitialClusterVersion = v.(string)
 	}
diff --git a/resource_container_cluster_test.go b/resource_container_cluster_test.go
index 549803f5..295dd4e5 100644
--- a/resource_container_cluster_test.go
+++ b/resource_container_cluster_test.go
@@ -28,6 +28,23 @@ func TestAccContainerCluster_basic(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withMasterAuth(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			resource.TestStep{
+				Config: testAccContainerCluster_withMasterAuth,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckContainerCluster(
+						"google_container_cluster.with_master_auth"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccContainerCluster_withAdditionalZones(t *testing.T) {
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -375,6 +392,13 @@ resource "google_container_cluster" "primary" {
 	name = "cluster-test-%s"
 	zone = "us-central1-a"
 	initial_node_count = 3
+}`, acctest.RandString(10))
+
+var testAccContainerCluster_withMasterAuth = fmt.Sprintf(`
+resource "google_container_cluster" "with_master_auth" {
+	name = "cluster-test-%s"
+	zone = "us-central1-a"
+	initial_node_count = 3
 
 	master_auth {
 		username = "mr.yoda"