
Configure authentication and permissions for GCP connectors

Before adding a GCP connector in DigiCert® Trust Lifecycle Manager, prepare the required Google Cloud Platform (GCP) credentials to use for authentication.

The connector supports the following two authentication types:

  1. Service account credentials: Authenticate using GCP service account credentials configured within the connector in Trust Lifecycle Manager.

  2. Application default credentials: Authenticate using GCP application default credentials set up on the local sensor host on your network that manages the integration with Google Cloud.

The way you set up each authentication type depends on the scope of the connector:

  • Organization scope: Connect to a Google Cloud organization or folder and all of its child projects.

  • Project scope: Connect to a specific project within your Google Cloud organization.

To get started, choose an authentication type and scope to use. Prepare the GCP credentials for it as described below.

Option 1: Service account credentials

Choose this option if you want to authenticate using GCP service account credentials that you configure within the GCP unified connector in Trust Lifecycle Manager. For detailed setup instructions, select one of the following connector scopes:

Organization scope

When configured with organization scope, the connector provides access to a Google Cloud organization or folder and all of its child projects.

For organization scope, you need to create one main service account to authenticate the connector and additional service accounts to manage all the child projects.

In Google Cloud, prepare the required accounts and permissions as follows:

Project scope

When configured with project scope, the connector provides access to a specific project in your Google Cloud organization.

For project scope, you only need to create one main service account, used to authenticate the connector.

In Google Cloud, prepare the required account and permissions as follows:

Option 2: Application default credentials

Choose this option if you want to authenticate using GCP application default credentials that you set up on the local sensor host on your network that manages the integration with Google Cloud. You can use either of the following methods to set up access to the application default credentials on the sensor host.

Credentials access method: Environment variable

  Description: Set up a service account in GCP and download the JSON key file for it to the sensor host. Set the file path for this JSON key file in the GOOGLE_APPLICATION_CREDENTIALS environment variable.

  Notes: The credentials are persistent.

Credentials access method: Credentials file

  Description: Use the gcloud auth application-default login command to generate a local credentials file and store it in one of the following well-known locations on the sensor host:

    • Linux or Docker: $HOME/.config/gcloud/application_default_credentials.json

    • Windows: %APPDATA%\gcloud\application_default_credentials.json

  Notes: The credentials time out after 1 hour. DigiCert recommends using a script or other automated method to rotate the credentials and store them in the expected location.

Important

The DigiCert sensor first checks the GOOGLE_APPLICATION_CREDENTIALS environment variable and, if not defined, will then look for a local credentials file in one of the well-known locations described above.
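The lookup order in the note above, as an added check script for a Linux or Docker sensor host (not DigiCert's code): it reports which credential the sensor would pick, verifies that a key referenced by the environment variable is a service account key, and flags a well-known-location file older than the 1-hour timeout. The MAX_AGE variable and the output format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's code: mirror the sensor's credential lookup
# order (environment variable first, then the well-known file) and report
# the problems an operator would want to catch before starting the sensor.
set -euo pipefail

# Assumed: Linux/Docker host; MAX_AGE matches the 1-hour credentials timeout.
MAX_AGE="${MAX_AGE:-3600}"

# Extracts the "type" field from a JSON credentials file (no jq needed).
cred_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Prints the credential the sensor would use and returns 1 when it is missing,
# unreadable, the wrong kind of key, or stale.
resolve_adc() {
  local wk="${HOME}/.config/gcloud/application_default_credentials.json"
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    local f="$GOOGLE_APPLICATION_CREDENTIALS"
    [ -r "$f" ] || { echo "env:unreadable:$f"; return 1; }
    # A downloaded service account key always carries type "service_account".
    [ "$(cred_type "$f")" = "service_account" ] || { echo "env:not-service-account:$f"; return 1; }
    echo "env:$f"
    return 0
  fi
  [ -r "$wk" ] || { echo "none"; return 1; }
  # A gcloud-generated file expires after 1 hour: compare its age with MAX_AGE.
  local mtime age
  mtime=$(stat -c %Y "$wk" 2>/dev/null || stat -f %m "$wk")
  age=$(( $(date +%s) - mtime ))
  if [ "$age" -gt "$MAX_AGE" ]; then echo "file:stale:$wk"; return 1; fi
  echo "file:$wk"
}
```

Run it as the same user and with the same environment the sensor process uses, since both the variable and the well-known path depend on that context.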

For detailed setup instructions, select one of the following connector scope and credentials access method combinations:

Organization scope with environment variable

When configured with organization scope, the connector provides access to a Google Cloud organization or folder and all of its child projects.

For the environment variable access method, you need to create one main service account to authenticate the connector and additional service accounts to manage all the child projects. You will use the main service account as the application default credentials on the sensor host.

In Google Cloud, prepare the required accounts and permissions as follows:

Organization scope with credentials file

When configured with organization scope, the connector provides access to a Google Cloud organization or folder and all of its child projects.

For the credentials file access method, you need to prepare the principal user ID in Google Cloud and create service accounts to manage all the child projects. You will use the gcloud CLI to create the local credentials file on the sensor host.

In Google Cloud, prepare the required accounts and permissions as follows:

  1. Gather the credentials for the principal user ID tied to your organization email and used to log into the Google Cloud platform.

  2. Make sure the principal user ID has the Folder Viewer role in the parent organization or folder.

  3. Create a custom role in the parent organization or folder that contains the permissions in the Minimum permissions section below.

  4. Assign the custom role you created in step 3 to the principal user ID.

  5. Create service accounts in all the individual Google Cloud projects to manage, all with the same account name. These service accounts are used to access and manage the individual projects within the parent organization or folder.

    Important

    All the service accounts you create in this step must have the same name. You will provide this name in the Impersonate service account name field when configuring the connector in Trust Lifecycle Manager.

  6. For each service account you created in step 5:

    • Assign the custom role you created in step 3.

    • Assign the Service Account Token Creator role, mapping it to the principal user ID.

  7. Make sure each individual Google Cloud project that you will manage via the connector has the following API services enabled:

    • Certificate Manager API

    • Compute Engine API

    • Cloud Resource Manager API
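Steps 2 to 7 of the organization-scope, credentials-file procedure above, scripted with the gcloud CLI as an added example (not DigiCert's script). It assumes an organization (not a folder) as the parent, and the organization ID, principal email, role ID, service account name and a permissions.txt file holding the Minimum permissions list below are all assumed values; set GCLOUD=echo to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's script: gcloud commands for steps 2-7 of the
# organization-scope, credentials-file preparation. All values are assumptions.
set -euo pipefail

GCLOUD="${GCLOUD:-gcloud}"                    # GCLOUD=echo prints instead of running
ORG_ID="${ORG_ID:-123456789012}"              # assumed organization ID
PRINCIPAL="${PRINCIPAL:-admin@example.com}"   # principal user ID (step 1)
ROLE_ID="${ROLE_ID:-tlmGcpConnector}"         # custom role ID (step 3)
SA_NAME="${SA_NAME:-tlm-connector}"           # identical name in every project (step 5)
PERMS_FILE="${PERMS_FILE:-permissions.txt}"   # Minimum permissions, one per line

# Step 3: role definition built from the permissions file (blank lines dropped).
role_yaml() {
  printf 'title: %s\nstage: GA\nincludedPermissions:\n' "$ROLE_ID"
  sed 's/^[[:space:]]*//; /^$/d; s/^/- /' "$PERMS_FILE"
}

# Steps 2-4: create the custom role at organization level, then grant Folder
# Viewer and the custom role to the principal user ID.
grant_org_roles() {
  local yaml role
  yaml=$(mktemp)
  role_yaml > "$yaml"
  $GCLOUD iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$yaml"
  for role in roles/resourcemanager.folderViewer "organizations/$ORG_ID/roles/$ROLE_ID"; do
    $GCLOUD organizations add-iam-policy-binding "$ORG_ID" \
      --member="user:$PRINCIPAL" --role="$role"
  done
}

# Steps 5-7 for one child project: same-named service account, the custom role
# on it, Token Creator for the principal (impersonation), and the three APIs.
prepare_project() {
  local project="$1" sa="$SA_NAME@$1.iam.gserviceaccount.com"
  $GCLOUD iam service-accounts create "$SA_NAME" --project="$project"
  $GCLOUD projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$sa" --role="organizations/$ORG_ID/roles/$ROLE_ID"
  $GCLOUD iam service-accounts add-iam-policy-binding "$sa" --project="$project" \
    --member="user:$PRINCIPAL" --role=roles/iam.serviceAccountTokenCreator
  $GCLOUD services enable certificatemanager.googleapis.com compute.googleapis.com \
    cloudresourcemanager.googleapis.com --project="$project"
}

# Usage: grant_org_roles once, then prepare_project <project-id> per child project.
```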

Project scope with environment variable

When configured with project scope, the connector provides access to a specific project in your Google Cloud organization.

For the environment variable access method, you need to create one main service account to authenticate the connector. You will use this service account as the application default credentials on the sensor host.

In Google Cloud, prepare the required account and permissions as follows:

Project scope with credentials file

When configured with project scope, the connector provides access to a specific project in your Google Cloud organization.

For the credentials file access method, you need to prepare the principal user ID in Google Cloud. You will use the gcloud CLI to create the local credentials file on the sensor host.

In Google Cloud, prepare the required account and permissions as follows:

  1. Gather the credentials for the principal user ID tied to your organization email and used to log into the Google Cloud platform.

  2. Select the specific Google Cloud project to manage via the Trust Lifecycle Manager connector.

  3. Create a custom role in the selected project that contains the permissions in the Minimum permissions section below.

  4. Assign the custom role you created in step 3 to the principal user ID.

  5. Make sure the selected Google Cloud project has the following API services enabled:

    • Certificate Manager API

    • Compute Engine API

    • Cloud Resource Manager API

Example service account key JSON file

The service account key JSON file that you create and download in Google Cloud should resemble the example shown below. The type field of a service account key is always service_account; the other values are placeholders.

{
  "type": "service_account",
  "project_id": "my-gcp-project-1",
  "private_key_id": "0888c80dd415874d2247ab55555b7ac0ee99963b",
  "private_key": "-----BEGIN PRIVATE KEY-----\n{private key value}\n-----END PRIVATE KEY-----\n",
  "client_email": "my-service-account@my-org.iam.gserviceaccount.com",
  "client_id": "111446787751705551234",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}

Minimum permissions

Required permissions

GCP unified connectors in Trust Lifecycle Manager require the following Google Cloud permissions at minimum.

certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
cloudasset.assets.listComputeSslCertificates
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.createTagBinding
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalOperations.get
compute.regionOperations.get
compute.regionSslCertificates.create
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.create
compute.regionUrlMaps.get
compute.regionUrlMaps.use
compute.regions.list
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.create
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetSslProxies.create
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.update
compute.targetSslProxies.use
compute.urlMaps.create
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.use

(Optional) Secret Manager permissions

To use GCP Secret Manager for temporary storage of private keys, add the permissions below. Note that:

  • These permissions are optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of GCP Secret Manager.

  • Temporary keys are deleted automatically once certificates are issued and delivered to Google Cloud along with their private keys.

secretmanager.locations.get
secretmanager.locations.list
secretmanager.secrets.create
secretmanager.secrets.delete
secretmanager.secrets.get
secretmanager.secrets.list
secretmanager.secrets.update
secretmanager.versions.access
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.get

Important

Make sure the Secret Manager service is enabled in the correct project in your GCP organization, depending on the connector scope:

  • Organization scope: Enable Secret Manager in the project with the main service account or principal user ID for authentication.

  • Project scope: Enable Secret Manager in the specific project you will manage with the connector.

What's next

After setting up the required credentials in Google Cloud Platform (GCP), you are ready to add a GCP unified connector in Trust Lifecycle Manager.