Method of distributing client certificates to machines with shared cloud account access

The invention claimed is: 1. A method for providing an authentication resource to a particular virtual private cloud that is deployed in a set of datacenters that host a plurality of virtual private clouds, the method comprising: at a resource issuer, receiving an authentication resource request from a particular machine deployed in the particular virtual private cloud, the authentication resource request comprising a first set of cloud-specific data; obtaining a cloud identifier for the particular machine from a registry service of the particular virtual private cloud that interacts with a datacenter-set cloud service that deploys machines in the datacenter set for different virtual private clouds, said cloud identifier identifying the particular machine from a plurality of other machines that are identified by other cloud identifiers from the registry service; using the obtained cloud identifier to obtain a second set of cloud-specific data for the particular machine from the datacenter-set cloud service; and upon determining that the first and second sets of cloud-specific data match, authenticating the particular machine and issuing the authentication resource for the particular machine. 2. The method of claim 1 , wherein the first set of cloud-specific data comprises at least a network address of the particular machine, and the second set of cloud-specific data comprises at least a network address currently associated with the cloud identifier. 3. The method of claim 2 , wherein obtaining the cloud identifier from the registry service comprises verifying that the particular machine is one of the machines deployed by the datacenter-set cloud service. 4. The method of claim 3 , wherein determining that the first and second sets of cloud-specific data match further comprises determining that the network address of the particular machine from the authentication resource request matches the network address currently associated with the cloud identifier for the particular machine. 5. The method of claim 1 , wherein the authentication resource request is a first authentication resource request, the particular machine is a first machine, and the particular virtual private cloud is a first virtual private cloud, the method further comprising: at the resource issuer, receiving a second authentication resource request from a second machine deployed in a second virtual private cloud, the second authentication resource request comprising a third set of cloud-specific data; obtaining a cloud identifier for the second machine from a registry service of the second virtual private cloud that interacts with the datacenter-set cloud service; using the obtained cloud identifier to obtain a fourth set of cloud-specific data for the second machine from the datacenter-set cloud service; and upon determining that the third and fourth sets of cloud-specific data do not match, denying the authentication resource request from the second machine. 6. The method of claim 1 , wherein the authentication resource request is a first authentication resource request, the particular machine is a first machine, and the particular virtual private cloud is a first virtual private cloud, the method further comprising: at the resource issuer, receiving a second authentication resource request from a second machine deployed in a second virtual private cloud, the second authentication resource request comprising a third set of cloud-specific data; determining that the second machine is not registered with the registry service; and denying the authentication resource request from the second machine. 7. The method of claim 1 , wherein the authentication resource issuer comprises a public key infrastructure. 8. The method of claim 1 , wherein the registry service comprises a controller that communicates with the datacenter-set cloud service to instruct the datacenter-set cloud service to create machines to be deployed in the datacenter set. 9. The method of claim 1 , wherein the particular machine comprises a forwarding element. 10. The method of claim 1 , wherein the particular machine comprises a virtual machine (VM) or a container. 11. The method of claim 1 , wherein: a first provider of the particular virtual private cloud is different from a second provider of the datacenter-set cloud service that deploys machines in the datacenter set for different virtual private clouds including the particular virtual private cloud; and the first provider of the particular virtual private cloud grants permission the second provider of the datacenter-set cloud service to allow to the datacenter-set cloud service to deploy machines including the particular machine in the datacenter set for the particular virtual private cloud. 12. The method of claim 1 , wherein the authentication resource issued to the particular machine is a unique authentication resource. 13. The method of claim 12 , wherein the unique authentication resource comprises a unique certificate or a unique Java token. 14. The method of claim 12 , wherein the unique authentication resource is used by the particular machine to indicate that the particular machine is a trusted machine. 15. A non-transitory machine readable medium storing a program for execution by a set of processing units, the program for providing an authentication resource to a particular virtual private cloud that is deployed in a set of datacenters that host a plurality of virtual private clouds, the program comprising sets of instructions for: at a resource issuer, receiving an authentication resource request from a particular machine deployed in the particular virtual private cloud, the authentication resource request comprising a first set of cloud-specific data; obtaining a cloud identifier for the particular machine from a registry service of the particular virtual private cloud that interacts with a datacenter-set cloud service that deploys machines in the datacenter set for different virtual private clouds, said cloud identifier identifying the particular machine from a plurality of other machines that are identified by other cloud identifiers from the registry service; using the obtained cloud identifier to obtain a second set of cloud-specific data for the particular machine from the datacenter-set cloud service; and upon determining that the first and second sets of cloud-specific data match, authenticating the particular machine and issuing the authentication resource for the particular machine. 16. The non-transitory machine readable medium of claim 15 , wherein the first set of cloud-specific data comprises at least a network address of the particular machine, and the second set of cloud-specific data comprises at least a network address currently associated with the cloud identifier. 17. The non-transitory machine readable medium of claim 16 , wherein the set of instructions for obtaining the cloud identifier from the registry service further comprises a set of instructions for verifying that the particular machine is one of the machines deployed by the datacenter-set cloud service. 18. The non-transitory machine readable medium of claim 17 , wherein the set of instructions for determining that the first and second sets of cloud-specific data match further comprises a set of instructions for determining that the network address of the particular machine from the authentication resource request matches the network address currently associated with the cloud identifier for the particular machine. 19. The non-transitory mac