Add a GCP unified connector

With a GCP unified connector, you can use DigiCert® Trust Lifecycle Manager to discover and automate certificates for both Google Certificate Manager and GCP load balancers, issuing certificates from any of the CAs available in your Trust Lifecycle Manager account.

The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Google Cloud Platform (GCP), for one of the following scopes:

Organization scope: Connect to multiple projects within a GCP organization.
Project scope: Connect to a specific GCP project.

When you add the connector, Trust Lifecycle Manager discovers existing certificates on your GCP load balancers, plus you can enable imports from Google Certificate Manager in the connected GCP project(s). From there, you can use the Inventory functions in Trust Lifecycle Manager to manage and automate certificate lifecycles to ensure you always have valid certificates installed for your GCP projects.

Before you begin

You need at least one active DigiCert sensor on your network to establish and manage the connection to the Google Cloud Platform (GCP). To learn more, see Deploy and manage sensors.
Set up the required Google Cloud credentials for authenticating the connector. To learn more, see Configure authentication and permissions for GCP connectors.

Add the GCP unified connector

To add the GCP unified connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for GCP unified.
Complete the Add connector form as described in the following steps.
Configure general properties for the connector in the top section:
- Name: Enter a friendly name for the connector to help identify it.
- Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to Google Cloud Platform (GCP).
Select a GCP scope:
- Organization scope: Connect to multiple projects within a GCP organization.
- Project scope: Connect to a specific GCP project.
Select an Authentication type:
- Google service account credentials: Authenticate using Google service account credentials that you will add directly to the connector configuration. Make sure you have the service account JSON key file on hand to use to configure the connector.
- Application default credentials: Authenticate using the Google application default credentials configured locally on the managing sensor that you selected above.
Enter the required fields, based on the GCP scope and Authentication type you selected:
侧栏. Organization scope + Google service account credentials
Folder / Organization ID: Enter the ID of the parent Google Cloud organization or folder with all the projects to manage.
Get the values for the following fields from the service account key JSON file you downloaded from Google Cloud:
Project ID: Enter the value of the project_id property.
Private key ID: Enter the value of the private_key_id property.
Private key: Enter the value of the private_key property including the "BEGIN" and "END" tags.
Client email: Enter the value of the client_email property.
Client ID: Enter the value of the client_id property.
Impersonate service account name: Enter the common name for a GCP service account present in all of the child projects to manage through the connector. For details, see Organization scope setup.
侧栏. Organization scope + Application default credentials
Folder / Organization ID: Enter the ID of the parent Google Cloud organization or folder with all the projects to manage.
Project ID: Enter the project ID value, based on how you set up the application default credentials on the managing sensor:
Environment variable: Enter the value of the project_id property in the service account key JSON file specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Credentials file: Enter the value of the quota_project_id property in the application default credentials JSON file created via the gcloud CLI.
Impersonate service account name: Enter the common name for a GCP service account present in all of the child projects to manage through the connector. For details, see Organization scope setup.
侧栏. Project scope + Google service account credentials
Get the values for the following fields from the service account key JSON file you downloaded from Google Cloud:
Project ID: Enter the value of the project_id property.
Private key ID: Enter the value of the private_key_id property.
Private key: Enter the value of the private_key property including the "BEGIN" and "END" tags.
Client email: Enter the value of the client_email property.
Client ID: Enter the value of the client_id property.
侧栏. Project scope + Application default credentials
Project ID: Enter the project ID value, based on how you set up the application default credentials on the managing sensor:
Environment variable: Enter the value of the project_id property in the service account key JSON file specified in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
Credentials file: Enter the value of the quota_project_id property in the application default credentials JSON file created via the gcloud CLI.
To import certificates from Google Certificate Manager in the connected GCP project(s), toggle on Import attributes and configure the following:
- Import certificates: All valid certificates get imported by default. Select whether to also import expired certificates and select a date range to import.
- Business unit (optional): Assign the imported certificates to a business unit in Trust Lifecycle Manager. Only admins for this business unit can manage the certificates.
- Tags (optional): Assign tags to the imported certificates to help identify and manage them in Trust Lifecycle Manager.
- Import frequency: Select a schedule for how often to check for new certificates to import from GCP (every 24 hours by default).
Select Add to create the GCP unified connector with the configured settings.

What's next

Discovery

Trust Lifecycle Manager discovers any existing certificates it finds for supported GCP load balancer types in the connected project(s).
If you enabled Import attributes, Trust Lifecycle Manager also looks for existing certificates to import from Google Certificate Manager in the connected GCP project(s).
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.
For Organization scope connectors, select the View details link in the account section of the connector details page to see the complete hierarchy of GCP folders and projects that Trust Lifecycle Manager discovered in your GCP organization.

Automation

Set up certificate lifecycle automation to automate management of certificates for your GCP projects and load balancers.

For connected GCP load balancers:

Select the DigiCert sensor enrollment method in your certificate automation profiles for managing certificates on GCP load balancers.
To learn more, see View and manage GCP load balancer assets.

For connected Google Certificate Manager instances:

Select the Admin web request enrollment method in your certificate automation profiles for delivering certificates to Google Certificate Manager.
Use the Admin web request function whenever you need to issue a new certificate from Trust Lifecycle Manager and deliver it to the connected GCP project(s).

本节内容如下: