Google Cloud Platform (GCP unified) connectors in DigiCert® Trust Lifecycle Manager support authentication via a Google Cloud service account.
The way you set up the integration depends on the scope of the connector (organization scope or project scope).
Organization scope
When configured with organization scope, the connector provides access to a Google Cloud organization or folder and all of its child projects.
For organization scope, you need to create one main service account to authenticate the connector and additional service accounts to manage all the child projects.
In Google Cloud, prepare the required accounts and permissions as follows:
1. Select any project within the parent Google Cloud organization or folder to create the main service account in.
2. Create a service account in the selected project. This will be the main service account used to authenticate the connector.
3. Assign the new service account the Folder Viewer role in the parent organization or folder.
4. Create a custom role in the parent organization or folder that contains all the permissions in the Minimum required permissions section below.
5. Assign the custom role you created in step 4 to the main service account you created in step 2.
6. Create and download a JSON key for the main service account you created in step 2:
   a. In the Google Cloud console, select the project where the service account is set up.
   b. Select the service account by its email address.
   c. Select the Keys tab for the service account.
   d. Open the Add key dropdown and select Create new key.
   e. Select JSON as the Key type and select Create.
   Important: The JSON key file gets downloaded to your computer and looks like the example shown in the Example service account key JSON file section below. Save this JSON file in a secure location so you can use it when configuring the connector in Trust Lifecycle Manager.
7. Create additional service accounts in all the individual Google Cloud projects to manage, all with the same account name. These service accounts are used to access and manage the individual projects within the parent organization or folder.
   Important: All the service accounts you create in this step must have the same name. You will provide this name in the Impersonate service account name field when configuring the connector in Trust Lifecycle Manager.
8. For each additional service account you created in step 7:
   a. Assign the custom role you created in step 4.
   b. Grant the Service Account Token Creator role on this service account to the main authentication service account you created in step 2. This grant is what allows the main service account to impersonate the additional service account.
9. Make sure each individual Google Cloud project that you will manage via the connector has the following API services enabled:
   - Certificate Manager API
   - Compute Engine API
   - Cloud Resource Manager API
When configuring the organization-scoped GCP unified connector in Trust Lifecycle Manager, provide values for the following fields in the Configuration settings section:
- GCP scope: Select Organization.
- Folder / Organization ID: Enter the ID of the parent Google Cloud organization or folder with all the projects to manage.
- Get the values for the following fields from the service account key JSON file you created in step 6 above:
  - Project ID: Enter the value of the project_id property.
  - Private key ID: Enter the value of the private_key_id property.
  - Private key: Enter the value of the private_key property, including the "BEGIN" and "END" tags.
  - Client email: Enter the value of the client_email property.
  - Client ID: Enter the value of the client_id property.
- Impersonate service account name: Enter the common name of the additional service accounts you created in all of the child projects in step 7 above.
Project scope
When configured with project scope, the connector provides access to a specific project in your Google Cloud organization.
For project scope, you only need to create one main service account, used to authenticate the connector.
In Google Cloud, prepare the required account and permissions as follows:
1. Select the specific Google Cloud project to manage via the Trust Lifecycle Manager connector.
2. Create a service account in the selected project.
3. Create a custom role in the selected project that contains all the permissions in the Minimum required permissions section below.
4. Assign the custom role you created in step 3 to the service account you created in step 2.
5. Create and download a JSON key for the service account:
   a. In the Google Cloud console, select the project where the service account is set up.
   b. Select the service account by its email address.
   c. Select the Keys tab for the service account.
   d. Open the Add key dropdown and select Create new key.
   e. Select JSON as the Key type and select Create.
   Important: The JSON key file gets downloaded to your computer and looks like the example shown in the Example service account key JSON file section below. Save this JSON file in a secure location so you can use it when configuring the connector in Trust Lifecycle Manager.
6. Make sure the selected Google Cloud project has the following API services enabled:
   - Certificate Manager API
   - Compute Engine API
   - Cloud Resource Manager API
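The two console procedures above (organization scope and project scope) map onto a fixed sequence of gcloud IAM operations. The following is an added example, not DigiCert's or Google's code: it builds that sequence as a reviewable plan for either scope and only runs it when asked. Every ID in it (organization 123456789012, projects child-a and child-b, the role ID tlmConnectorRole) is a constructed placeholder, and the permissions list is trimmed to two entries; pass the full Minimum required permissions list for real use. One assumption worth noting: gcloud creates custom roles only under an organization or a project, so when the parent is a folder the role is created under the organization and bound on the folder.

```python
"""Plan (and optionally run) the gcloud steps behind both GCP unified connector
setups: organization scope (main account + one same-named account per child
project) and project scope (one account in one project).
Added example, not DigiCert's or Google's code. All IDs are constructed
placeholders. With execute=False (the default) nothing is run; with
execute=True the gcloud CLI must be installed and authenticated as a
principal allowed to administer IAM on these resources.
"""
import shlex
import subprocess

# API services every managed project must have enabled.
REQUIRED_SERVICES = [
    "certificatemanager.googleapis.com",
    "compute.googleapis.com",
    "cloudresourcemanager.googleapis.com",
]


def sa_email(name, project):
    """Email Google assigns to service account `name` in `project`."""
    return f"{name}@{project}.iam.gserviceaccount.com"


def custom_role_cmd(container, role_id, permissions):
    """gcloud creates custom roles only under an organization or a project
    (`container` is 'organizations/<id>' or 'projects/<id>'). Returns the
    command and the role's full name, which later bindings must use."""
    kind, cid = container.split("/", 1)
    flag = {"organizations": "--organization", "projects": "--project"}[kind]
    cmd = ["gcloud", "iam", "roles", "create", role_id, f"{flag}={cid}",
           "--title=TLM GCP unified connector",
           "--permissions=" + ",".join(sorted(permissions))]
    return cmd, f"{container}/roles/{role_id}"


def binding_cmd(resource, member_email, role):
    """add-iam-policy-binding on an organization, folder or project."""
    kind, rid = resource.split("/", 1)
    prefix = {
        "organizations": ["gcloud", "organizations", "add-iam-policy-binding", rid],
        "folders": ["gcloud", "resource-manager", "folders", "add-iam-policy-binding", rid],
        "projects": ["gcloud", "projects", "add-iam-policy-binding", rid],
    }[kind]
    return prefix + [f"--member=serviceAccount:{member_email}", f"--role={role}"]


def org_scope_plan(org_id, host_project, child_projects, sa_name, role_id,
                   permissions, parent=None, key_path="tlm-main-key.json"):
    """Organization scope. `parent` is where Folder Viewer and the custom role
    are bound: 'organizations/<id>' (default) or 'folders/<id>'."""
    parent = parent or f"organizations/{org_id}"
    main = sa_email(sa_name, host_project)
    role_cmd, role_name = custom_role_cmd(f"organizations/{org_id}", role_id, permissions)
    plan = [
        ["gcloud", "iam", "service-accounts", "create", sa_name, f"--project={host_project}"],
        binding_cmd(parent, main, "roles/resourcemanager.folderViewer"),
        role_cmd,
        binding_cmd(parent, main, role_name),
        ["gcloud", "iam", "service-accounts", "keys", "create", key_path, f"--iam-account={main}"],
    ]
    for proj in child_projects:
        child = sa_email(sa_name, proj)  # same account name in every child project
        plan += [
            ["gcloud", "iam", "service-accounts", "create", sa_name, f"--project={proj}"],
            binding_cmd(f"projects/{proj}", child, role_name),
            # Token Creator on the child account, granted to the main account,
            # is what lets the connector impersonate the child account.
            ["gcloud", "iam", "service-accounts", "add-iam-policy-binding", child,
             f"--member=serviceAccount:{main}",
             "--role=roles/iam.serviceAccountTokenCreator", f"--project={proj}"],
            ["gcloud", "services", "enable", *REQUIRED_SERVICES, f"--project={proj}"],
        ]
    return plan


def project_scope_plan(project, sa_name, role_id, permissions, key_path="tlm-key.json"):
    """Project scope: one account, one custom role and one key, all in `project`."""
    main = sa_email(sa_name, project)
    role_cmd, role_name = custom_role_cmd(f"projects/{project}", role_id, permissions)
    return [
        ["gcloud", "iam", "service-accounts", "create", sa_name, f"--project={project}"],
        role_cmd,
        binding_cmd(f"projects/{project}", main, role_name),
        ["gcloud", "iam", "service-accounts", "keys", "create", key_path, f"--iam-account={main}"],
        ["gcloud", "services", "enable", *REQUIRED_SERVICES, f"--project={project}"],
    ]


def run_plan(plan, execute=False):
    """Print each command as a shell line; run it only when execute=True."""
    rendered = [shlex.join(cmd) for cmd in plan]
    for cmd, line in zip(plan, rendered):
        print(line)
        if execute:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    perms = ["certificatemanager.certs.get", "compute.sslCertificates.list"]  # trimmed; use the full list
    run_plan(org_scope_plan("123456789012", "my-gcp-project-1", ["child-a", "child-b"],
                            "my-service-account", "tlmConnectorRole", perms))
```

Reviewing the rendered plan before running it is the point: the key file produced by the keys create step is a long-lived credential, and the Token Creator bindings are what give that one key reach into every child project, so both are worth checking against the list of projects you actually intend the connector to manage.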
When configuring the project-scoped GCP unified connector in Trust Lifecycle Manager, provide values for the following fields in the Configuration settings section:
- GCP scope: Select Project.
- Get the values for the following fields from the service account key JSON file you created in step 5 above:
  - Project ID: Enter the value of the project_id property.
  - Private key ID: Enter the value of the private_key_id property.
  - Private key: Enter the value of the private_key property, including the "BEGIN" and "END" tags.
  - Client email: Enter the value of the client_email property.
  - Client ID: Enter the value of the client_id property.
Example service account key JSON file
The service account key JSON file that you create and download in Google Cloud should resemble the example shown below. Use the values in the downloaded JSON file to fill out the Configuration settings section for the GCP unified connector in Trust Lifecycle Manager.
{
  "type": "service_account",
  "project_id": "my-gcp-project-1",
  "private_key_id": "0888c80dd415874d2247ab55555b7ac0ee99963b",
  "private_key": "-----BEGIN PRIVATE KEY-----\n{private key value}\n-----END PRIVATE KEY-----\n",
  "client_email": "my-service-account@my-org.iam.gserviceaccount.com",
  "client_id": "111446787751705551234",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-org.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
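The five properties the connector form asks for are easy to mis-paste (a private key without its BEGIN/END lines, or a file that is not actually a service account key). The following is an added example, not DigiCert's or Google's code, that validates a downloaded key file and maps it onto the Configuration settings fields. SAMPLE_KEY reuses the field layout of the example above, but its private key body is a constructed two-byte DER placeholder rather than a real key; the field names and the checks (type, PEM framing, base64/DER body, account address, file mode) are assumptions about what a reasonable pre-flight check should cover.

```python
"""Check a downloaded service account key file before pasting its values into
the connector's Configuration settings.
Added example, not DigiCert's or Google's code. SAMPLE_KEY mirrors the fields
of the example above; its private key body is a constructed placeholder (a
two-byte DER sequence), not a real key.
"""
import base64
import json
import os
import re
import stat

# Connector form field -> property in the key file.
CONNECTOR_FIELDS = {
    "Project ID": "project_id",
    "Private key ID": "private_key_id",
    "Private key": "private_key",
    "Client email": "client_email",
    "Client ID": "client_id",
}
PEM_RE = re.compile(r"-----BEGIN PRIVATE KEY-----\n(.+?)\n-----END PRIVATE KEY-----\n?", re.S)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")

FAKE_DER = base64.b64encode(bytes([0x30, 0x00])).decode()  # constructed stand-in, not a key
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-gcp-project-1",
    "private_key_id": "0888c80dd415874d2247ab55555b7ac0ee99963b",
    "private_key": f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@my-org.iam.gserviceaccount.com",
    "client_id": "111446787751705551234",
}


def validate_key(doc):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    if doc.get("type") != "service_account":
        problems.append(f"type is {doc.get('type')!r}, expected 'service_account'")
    for field, prop in CONNECTOR_FIELDS.items():
        if not doc.get(prop):
            problems.append(f"missing {prop} (needed for the {field} field)")
    match = PEM_RE.fullmatch(doc.get("private_key", ""))
    if not match:
        problems.append("private_key must keep the BEGIN/END PRIVATE KEY lines")
    else:
        try:
            # A PKCS#8 PrivateKeyInfo is a DER SEQUENCE: the body must decode and start with 0x30.
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
            if not der or der[0] != 0x30:
                problems.append("private_key body is not DER-encoded PKCS#8")
        except ValueError:
            problems.append("private_key body is not valid base64 (placeholder text left in?)")
    email = doc.get("client_email", "")
    if email and not EMAIL_RE.match(email):
        problems.append("client_email is not a service account address")
    return problems


def connector_fields(doc):
    """Map the key file onto the connector's Configuration settings fields."""
    return {field: doc[prop] for field, prop in CONNECTOR_FIELDS.items()}


def key_file_mode_ok(mode):
    """True when the key file is readable by its owner only (e.g. mode 0600)."""
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def load_key(path):
    """Load a key file from disk and return (fields, problems)."""
    with open(path) as fh:
        doc = json.load(fh)
    problems = validate_key(doc)
    if not key_file_mode_ok(os.stat(path).st_mode):
        problems.append(f"{path} is readable by group/others; a key file is a long-lived credential")
    fields = connector_fields(doc) if not problems else None
    return fields, problems


if __name__ == "__main__":
    print(validate_key(SAMPLE_KEY))
    print(connector_fields(SAMPLE_KEY)["Client email"])
```

The file-mode check is there because the downloaded key is equivalent to the service account's password: it does not expire on its own, and anyone who can read the file can act with every permission in the custom role across every project the account reaches.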
Minimum required permissions
GCP unified connectors in Trust Lifecycle Manager require the following Google Cloud permissions at minimum.
certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
cloudasset.assets.listComputeSslCertificates
compute.addresses.get
compute.addresses.list
compute.forwardingRules.create
compute.forwardingRules.createTagBinding
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalOperations.get
compute.regionOperations.get
compute.regionSslCertificates.create
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regions.list
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.create
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetSslProxies.create
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.update
compute.targetSslProxies.use
secretmanager.locations.get
secretmanager.locations.list
secretmanager.secrets.create
secretmanager.secrets.delete
secretmanager.secrets.get
secretmanager.secrets.list
secretmanager.secrets.update
secretmanager.versions.access
secretmanager.versions.add
secretmanager.versions.get
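Custom roles drift: a permission gets dropped and the connector starts failing, or someone adds permissions the connector never needed and a leaked key becomes more valuable than it had to be. The following is an added example, not DigiCert's or Google's code, that audits an existing role against the minimum list above. REQUIRED is that list verbatim; ROLE_DESCRIBE_SAMPLE is a constructed stand-in for the JSON that `gcloud iam roles describe ROLE_ID --project=PROJECT --format=json` prints (the includedPermissions property is the real field name in a Role resource), and the HIGH_IMPACT patterns are this example's own choice of what to review first.

```python
"""Audit an existing custom role against the minimum permission set above and
report drift in both directions: missing (breaks the connector) and extra
(widens what a leaked key could do).
Added example, not DigiCert's or Google's code. REQUIRED is the page's list;
ROLE_DESCRIBE_SAMPLE is a constructed stand-in for `gcloud iam roles describe`
JSON output.
"""
import json

REQUIRED = frozenset("""
certificatemanager.certmapentries.create certificatemanager.certmapentries.get
certificatemanager.certmapentries.list certificatemanager.certmapentries.update
certificatemanager.certmaps.create certificatemanager.certmaps.get certificatemanager.certmaps.list
certificatemanager.certmaps.update certificatemanager.certmaps.use
certificatemanager.certs.create certificatemanager.certs.delete certificatemanager.certs.get
certificatemanager.certs.list certificatemanager.certs.update certificatemanager.certs.use
certificatemanager.locations.get certificatemanager.locations.list
certificatemanager.operations.cancel certificatemanager.operations.delete
certificatemanager.operations.get certificatemanager.operations.list
cloudasset.assets.listComputeSslCertificates
compute.addresses.get compute.addresses.list
compute.forwardingRules.create compute.forwardingRules.createTagBinding compute.forwardingRules.get
compute.forwardingRules.list compute.forwardingRules.setTarget compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.get compute.globalAddresses.list compute.globalAddresses.use
compute.globalForwardingRules.create compute.globalForwardingRules.delete
compute.globalForwardingRules.get compute.globalForwardingRules.list
compute.globalForwardingRules.setTarget compute.globalForwardingRules.update
compute.globalOperations.get compute.regionOperations.get
compute.regionSslCertificates.create compute.regionSslCertificates.get compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.get compute.regionTargetTcpProxies.list compute.regions.list
compute.sslCertificates.create compute.sslCertificates.delete compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.create compute.targetHttpProxies.get compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap compute.targetHttpProxies.update compute.targetHttpProxies.use
compute.targetHttpsProxies.create compute.targetHttpsProxies.get compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.update compute.targetHttpsProxies.use
compute.targetSslProxies.create compute.targetSslProxies.get compute.targetSslProxies.list
compute.targetSslProxies.setCertificateMap compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.update compute.targetSslProxies.use
secretmanager.locations.get secretmanager.locations.list
secretmanager.secrets.create secretmanager.secrets.delete secretmanager.secrets.get
secretmanager.secrets.list secretmanager.secrets.update
secretmanager.versions.access secretmanager.versions.add secretmanager.versions.get
""".split())

# Extra permissions that would let the role change IAM, mint keys or delete
# resources beyond the connector's needs; flagged separately for review first.
HIGH_IMPACT = ("setIamPolicy", ".delete", "iam.serviceAccounts.", "iam.serviceAccountKeys.")


def audit_role(role_json, required=REQUIRED):
    """Diff a role's includedPermissions against the required set."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    extra = sorted(granted - required)
    return {
        "role": role.get("name"),
        "missing": sorted(required - granted),
        "extra": extra,
        "high_impact_extra": [p for p in extra if any(tag in p for tag in HIGH_IMPACT)],
    }


# Constructed: one required permission dropped, two unrelated ones added.
ROLE_DESCRIBE_SAMPLE = json.dumps({
    "name": "projects/my-gcp-project-1/roles/tlmConnectorRole",
    "stage": "GA",
    "includedPermissions": sorted(REQUIRED - {"compute.sslCertificates.delete"})
                           + ["compute.instances.list", "iam.serviceAccountKeys.create"],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(ROLE_DESCRIBE_SAMPLE), indent=2))
```

Note that the required set itself already includes secretmanager.versions.access, i.e. reading secret payloads, which is one more reason to keep the custom role bound only on the organization, folder or projects the connector actually manages.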