
Configure authentication and permissions for GCP connectors

Before adding a GCP unified connector in DigiCert® Trust Lifecycle Manager, prepare the required service account(s) in Google Cloud to use for authentication.

The way you configure authentication depends on the scope of the connector:

Organization scope setup

When configured with organization scope, the connector provides access to a Google Cloud organization or folder and all of its child projects.

For organization scope, you need to create one main service account to authenticate the connector and additional service accounts to manage all the child projects.

In Google Cloud, prepare the required accounts and permissions as follows:

  1. Select any project within the parent Google Cloud organization or folder to create the main service account in.

  2. Create a service account in the selected project. This will be the main service account used to authenticate the connector.

  3. Assign the new service account the Folder Viewer role in the parent organization or folder.

  4. Create a custom role in the parent organization or folder that contains all the permissions in the Minimum required permissions section below.

  5. Assign the custom role you created in step 4 to the main service account you created in step 2.

  6. Create and download a JSON key for the main service account you created in step 2:

    1. In the Google Cloud console, select the project where the service account is set up.

    2. Select the service account by its email address.

    3. Select the Keys tab for the service account.

    4. Open the Add key dropdown and select Create new key.

    5. Select JSON as the Key type and select Create.

    Important

    The JSON key file gets downloaded to your computer and looks like the example shown in the Example service account key JSON file section below. Save this JSON file in a secure location so you can use it when adding the GCP unified connector in Trust Lifecycle Manager.

  7. Create an additional service account in each individual Google Cloud project to be managed, all with the same account name. These service accounts are used to access and manage the individual projects within the parent organization or folder.

    Important

    All the service accounts you create in this step must have the same name. You will provide this name in the Impersonate service account name field when adding the GCP unified connector in Trust Lifecycle Manager.

  8. For each additional service account you created in step 7:

    • Assign the custom role you created in step 4.

    • Grant the Service Account Token Creator role on this service account to the main authentication service account you created in step 2, so the main account can impersonate it.

  9. Make sure each individual Google Cloud project that you will manage via the connector has the following API services enabled:

    • Certificate Manager API

    • Compute Engine API

    • Cloud Resource Manager API
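
After completing the organization-scope steps, it is worth verifying the wiring before adding the connector. The script below is an added example, not code from this page or from Google: for each per-project service account it checks that the main connector account holds roles/iam.serviceAccountTokenCreator on it and no broader role (step 8), and that all per-project accounts share one name as step 7 requires. Its input is the JSON that `gcloud iam service-accounts get-iam-policy <SA> --format=json` prints; the account names and policies in the block are constructed sample data.

```python
"""Added example, not code from the DigiCert page or from Google: verify the
organization-scope wiring. Input is the JSON that
`gcloud iam service-accounts get-iam-policy <SA> --format=json` prints;
the account names and policies below are constructed sample data."""

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"

# Assumed name of the main authentication service account (step 2).
MAIN_SA = "tlm-connector@my-gcp-project-1.iam.gserviceaccount.com"

# Constructed sample policies keyed by per-project service account e-mail:
# proj-a is correct, proj-b lacks the binding, proj-c grants far too much.
SAMPLE_POLICIES = {
    "tlm-projects@proj-a.iam.gserviceaccount.com": {
        "bindings": [{"role": TOKEN_CREATOR, "members": [f"serviceAccount:{MAIN_SA}"]}]
    },
    "tlm-projects@proj-b.iam.gserviceaccount.com": {"bindings": []},
    "tlm-projects@proj-c.iam.gserviceaccount.com": {
        "bindings": [
            {"role": TOKEN_CREATOR, "members": [f"serviceAccount:{MAIN_SA}"]},
            {"role": "roles/owner", "members": [f"serviceAccount:{MAIN_SA}"]},
        ]
    },
}


def common_account_name(emails):
    """Return the shared local part of the e-mails, or None if they differ.
    The connector's 'Impersonate service account name' field needs one name."""
    names = {e.split("@", 1)[0] for e in emails}
    return names.pop() if len(names) == 1 else None


def audit_impersonation(policies, main_sa):
    """Map each per-project service account to a list of findings.
    An empty list means the binding is exactly what the connector needs."""
    member = f"serviceAccount:{main_sa}"
    report = {}
    for sa_email, policy in policies.items():
        findings = []
        roles_for_main = {
            b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])
        }
        if TOKEN_CREATOR not in roles_for_main:
            findings.append(f"missing {TOKEN_CREATOR} for {main_sa}")
        extra = sorted(roles_for_main - {TOKEN_CREATOR})
        if extra:
            # Anything beyond Token Creator widens what a leaked main key can do.
            findings.append(
                "roles beyond Token Creator granted to main account: " + ", ".join(extra)
            )
        report[sa_email] = findings
    return report


if __name__ == "__main__":
    name = common_account_name(SAMPLE_POLICIES)
    print("impersonate service account name:", name or "MISMATCH")
    for sa, findings in audit_impersonation(SAMPLE_POLICIES, MAIN_SA).items():
        print(sa, "->", "; ".join(findings) or "ok")
```

To use it against a real organization, replace SAMPLE_POLICIES with the parsed output of the get-iam-policy command for each per-project account and set MAIN_SA to the main account's e-mail. Only the Token Creator binding is required; any additional role on the per-project accounts is reported because it enlarges the blast radius of the main account's JSON key.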

Project scope setup

When configured with project scope, the connector provides access to a specific project in your Google Cloud organization.

For project scope, you only need to create one main service account, used to authenticate the connector.

In Google Cloud, prepare the required account and permissions as follows:

  1. Select the specific Google Cloud project to manage via the Trust Lifecycle Manager connector.

  2. Create a service account in the selected project.

  3. Create a custom role in the selected project that contains all the permissions in the Minimum required permissions section below.

  4. Assign the custom role you created in step 3 to the service account you created in step 2.

  5. Create and download a JSON key for the service account:

    1. In the Google Cloud console, select the project where the service account is set up.

    2. Select the service account by its email address.

    3. Select the Keys tab for the service account.

    4. Open the Add key dropdown and select Create new key.

    5. Select JSON as the Key type and select Create.

    Important

    The JSON key file gets downloaded to your computer and looks like the example shown in the Example service account key JSON file section below. Save this JSON file in a secure location so you can use it when configuring the connector in Trust Lifecycle Manager.

  6. Make sure the selected Google Cloud project has the following API services enabled:

    • Certificate Manager API

    • Compute Engine API

    • Cloud Resource Manager API

Example service account key JSON file

The service account key JSON file that you create and download in Google Cloud should resemble the example shown below. Use the values in the downloaded JSON file to fill out the Configuration settings section for the GCP unified connector in Trust Lifecycle Manager.

{
  "type": "service_account",
  "project_id": "my-gcp-project-1",
  "private_key_id": "0888c80dd415874d2247ab55555b7ac0ee99963b",
  "private_key": "-----BEGIN PRIVATE KEY-----\n{private key value}\n-----END PRIVATE KEY-----\n",
  "client_email": "my-service-account@my-org.iam.gserviceaccount.com",
  "client_id": "111446787751705551234",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
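
Before entering the downloaded key into the connector, it helps to confirm that the file has the shape shown above and that it is stored as the note recommends. The script below is an added example, not code from this page or from Google: it checks the fields the connector configuration draws on, the PEM framing of the private key, the service account address format, and (on POSIX systems) that the file is readable only by its owner. The key contents in the block are constructed sample data, not a real key.

```python
"""Added example, not code from the DigiCert page or from Google: sanity-check
a downloaded service account key file and its on-disk permissions. The key
contents below are constructed sample data, not a real key."""
import json
import os
import stat
import tempfile

# Fields the connector configuration draws on; a genuine key file always has
# "type": "service_account".
REQUIRED_FIELDS = {
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
}

# Constructed sample key (the private key body is a placeholder, not key material).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-gcp-project-1",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@my-gcp-project-1.iam.gserviceaccount.com",
    "client_id": "100000000000000000000",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "universe_domain": "googleapis.com",
}


def validate_key(data):
    """Return a list of problems with the parsed key JSON; empty means it looks usable."""
    problems = []
    missing = sorted(REQUIRED_FIELDS - set(data))
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if data.get("type") != "service_account":
        problems.append(f"type is {data.get('type')!r}, expected 'service_account'")
    pem = data.get("private_key", "")
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM 'PRIVATE KEY' block")
    if not data.get("client_email", "").endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if data.get("token_uri") != "https://oauth2.googleapis.com/token":
        problems.append("token_uri is not Google's token endpoint")
    return problems


def validate_key_file(path):
    """Check the on-disk file: owner-only permissions (POSIX) plus the content checks."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(mode)} lets group/others read the key; use chmod 600")
    with open(path, encoding="utf-8") as fh:
        problems += validate_key(json.load(fh))
    return problems


def write_sample_key(data, mode):
    """Write a constructed key file with the given mode and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "sa-key.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(oct(mode), validate_key_file(write_sample_key(SAMPLE_KEY, mode)) or "ok")
    print(validate_key({**SAMPLE_KEY, "type": "service_account_key"}))
```

Run validate_key_file against the path of the file you downloaded; the permission check is the practical form of "save this JSON file in a secure location", since the private key in it is the connector's only credential for the main service account.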

Minimum required permissions

GCP unified connectors in Trust Lifecycle Manager require the following Google Cloud permissions at minimum.

certificatemanager.certmapentries.create
certificatemanager.certmapentries.get
certificatemanager.certmapentries.list
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.get
certificatemanager.certmaps.list
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
cloudasset.assets.listComputeSslCertificates
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.forwardingRules.create
compute.forwardingRules.createTagBinding
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.setTarget
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.get
compute.globalAddresses.list
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.delete
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.globalForwardingRules.setTarget
compute.globalForwardingRules.update
compute.globalOperations.get
compute.regionOperations.get
compute.regionSslCertificates.create
compute.regionSslCertificates.get
compute.regionSslCertificates.list
compute.regionTargetHttpProxies.create
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpProxies.setUrlMap
compute.regionTargetHttpProxies.use
compute.regionTargetHttpsProxies.create
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.regionTargetHttpsProxies.setSslCertificates
compute.regionTargetHttpsProxies.setUrlMap
compute.regionTargetHttpsProxies.update
compute.regionTargetHttpsProxies.use
compute.regionTargetTcpProxies.get
compute.regionTargetTcpProxies.list
compute.regionUrlMaps.create
compute.regionUrlMaps.get
compute.regionUrlMaps.use
compute.regions.list
compute.sslCertificates.create
compute.sslCertificates.delete
compute.sslCertificates.get
compute.sslCertificates.list
compute.targetHttpProxies.create
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpProxies.setUrlMap
compute.targetHttpProxies.update
compute.targetHttpProxies.use
compute.targetHttpsProxies.create
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.targetHttpsProxies.setCertificateMap
compute.targetHttpsProxies.setSslCertificates
compute.targetHttpsProxies.update
compute.targetHttpsProxies.use
compute.targetSslProxies.create
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetSslProxies.setCertificateMap
compute.targetSslProxies.setSslCertificates
compute.targetSslProxies.update
compute.targetSslProxies.use
compute.urlMaps.create
compute.urlMaps.get
compute.urlMaps.list
compute.urlMaps.use
secretmanager.locations.get
secretmanager.locations.list
secretmanager.secrets.create
secretmanager.secrets.delete
secretmanager.secrets.get
secretmanager.secrets.list
secretmanager.secrets.update
secretmanager.versions.access
secretmanager.versions.add
secretmanager.versions.destroy
secretmanager.versions.get
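
Step 4 of either setup asks for a custom role carrying exactly this list. The script below is an added example, not code from this page or from Google: it writes the list into the role definition file that `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml` (or `--project=PROJECT_ID` for project scope) accepts, and compares an existing custom role against the list so that missing permissions and anything beyond the minimum are both visible. The "existing role" in the block is a constructed sample of what `gcloud iam roles describe ROLE_ID --organization=ORG_ID --format=json` returns; the role and organization IDs are placeholders.

```python
"""Added example, not code from the DigiCert page or from Google: build the
custom-role definition file from the minimum permission list and diff an
existing role against it. The existing role below is constructed sample data."""

# The 103 permissions from the list above, grouped by resource to keep this short.
PERMISSION_GROUPS = {
    "certificatemanager.certmapentries": "create get list update",
    "certificatemanager.certmaps": "create get list update use",
    "certificatemanager.certs": "create delete get list update use",
    "certificatemanager.locations": "get list",
    "certificatemanager.operations": "cancel delete get list",
    "cloudasset.assets": "listComputeSslCertificates",
    "compute.addresses": "get list use",
    "compute.forwardingRules": "create createTagBinding get list setTarget update use",
    "compute.globalAddresses": "get list use",
    "compute.globalForwardingRules": "create delete get list setTarget update",
    "compute.globalOperations": "get",
    "compute.regionOperations": "get",
    "compute.regionSslCertificates": "create get list",
    "compute.regionTargetHttpProxies": "create get list setUrlMap use",
    "compute.regionTargetHttpsProxies": "create get list setSslCertificates setUrlMap update use",
    "compute.regionTargetTcpProxies": "get list",
    "compute.regionUrlMaps": "create get use",
    "compute.regions": "list",
    "compute.sslCertificates": "create delete get list",
    "compute.targetHttpProxies": "create get list setUrlMap update use",
    "compute.targetHttpsProxies": "create get list setCertificateMap setSslCertificates update use",
    "compute.targetSslProxies": "create get list setCertificateMap setSslCertificates update use",
    "compute.urlMaps": "create get list use",
    "secretmanager.locations": "get list",
    "secretmanager.secrets": "create delete get list update",
    "secretmanager.versions": "access add destroy get",
}

MINIMUM_PERMISSIONS = sorted(
    f"{resource}.{verb}"
    for resource, verbs in PERMISSION_GROUPS.items()
    for verb in verbs.split()
)


def role_definition_yaml(title="TLM GCP connector",
                         description="Minimum permissions for the Trust Lifecycle Manager GCP unified connector"):
    """Render the YAML that `gcloud iam roles create --file` consumes."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in MINIMUM_PERMISSIONS]
    return "\n".join(lines) + "\n"


def compare_role(role_json, required=MINIMUM_PERMISSIONS):
    """Diff an existing role (parsed `gcloud iam roles describe` output) against the minimum."""
    have = set(role_json.get("includedPermissions", []))
    need = set(required)
    return {"missing": sorted(need - have), "extra": sorted(have - need)}


# Constructed sample: a role that lacks the Secret Manager version permissions
# and picked up one permission the connector does not need.
EXISTING_ROLE = {
    "name": "organizations/000000000000/roles/tlmConnector",  # placeholder IDs
    "includedPermissions": [p for p in MINIMUM_PERMISSIONS
                            if not p.startswith("secretmanager.versions.")]
    + ["compute.instances.delete"],
}


if __name__ == "__main__":
    with open("role.yaml", "w", encoding="utf-8") as fh:
        fh.write(role_definition_yaml())
    diff = compare_role(EXISTING_ROLE)
    print("missing:", diff["missing"])
    print("extra:", diff["extra"])
```

The "extra" list matters as much as "missing": the connector's key is long-lived, so a role that drifts beyond this list gives anyone holding that key more than the connector needs.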