To secure your resources with certificate-based access, create an access level that requires certificates when determining access to resources. To create access levels, see Creating a custom access level.
The values you use when creating a custom access level can be whatever makes sense for you, but the expression for the custom access level must be:
certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE
For example, you can use the gcloud CLI to create your custom access level by running the following command:
gcloud access-context-manager levels create LEVEL_NAME \
--title=TITLE \
--custom-level-spec=FILE \
--description=DESCRIPTION \
--policy=POLICY_NAME
The content of the .yaml file referenced by FILE is the following custom expression:
expression: "certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE"
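As an added example (not part of the Google Cloud documentation above), the following POSIX shell script writes the custom level spec file, checks that its expression is exactly the certificate-binding expression required here, and then runs the gcloud command from the page. The level name, title and policy name are taken from the command line, the description text is constructed, and when gcloud is not installed the script prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: builds the custom
# access level spec for certificate-based access and creates the level with gcloud.
set -eu

# The one expression Access Context Manager accepts for certificate-based access.
CERT_EXPRESSION='certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE'

# Use the real gcloud CLI when present; otherwise print the command (dry run).
GCLOUD="${GCLOUD:-gcloud}"
command -v "$GCLOUD" >/dev/null 2>&1 || GCLOUD=echo

# write_cert_level_spec FILE
# Writes the YAML that --custom-level-spec expects (its only key is "expression").
write_cert_level_spec() {
  printf 'expression: "%s"\n' "$CERT_EXPRESSION" > "$1"
}

# spec_requires_certificate FILE
# Succeeds only if the spec holds exactly the required expression, so a typo
# or a weaker condition is caught before the access level is created.
spec_requires_certificate() {
  grep -qxF "expression: \"$CERT_EXPRESSION\"" "$1"
}

# create_cert_access_level LEVEL_NAME TITLE POLICY_NAME SPEC_FILE
# Runs the gcloud command from the page; the description text is constructed.
create_cert_access_level() {
  "$GCLOUD" access-context-manager levels create "$1" \
    --title="$2" \
    --custom-level-spec="$4" \
    --description="Requires a device certificate that matches an existing enrolled device" \
    --policy="$3"
}

# Usage: sh create_cert_level.sh LEVEL_NAME TITLE POLICY_NAME
if [ $# -eq 3 ]; then
  spec="$(mktemp)"
  write_cert_level_spec "$spec"
  spec_requires_certificate "$spec" || { echo "spec does not require a certificate" >&2; exit 1; }
  create_cert_access_level "$1" "$2" "$3" "$spec"
fi
```

Keeping the expression in one variable and validating the generated file before calling gcloud means the level can only ever be created with the certificate-binding condition; any edit that weakens the expression fails the check rather than silently producing a permissive access level.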