Enable certificate-based access in client applications

This page describes how to enable certificate-based access (CBA) in your client applications for calling the Google APIs using compatible libraries or tools.

To enable CBA and allow the Google APIs to identify a device, the caller client must establish mTLS connections with the Google APIs, and then discover the TLS certificates on the device. This process is illustrated in the following diagram:

Diagram: Client connection flow

CBA compatible clients

You can use CBA with the following clients:

  • Google Cloud console (Chrome)
  • Google Cloud CLI version 264.0.0 or later
  • Terraform CLI version 1.3.6 or later
  • Google API Client Libraries
    • Python
    • Golang

Enable CBA for the gcloud CLI

  1. Have your users install or update the gcloud CLI so that they have a version that works with CBA (version 264.0.0 or later).

    Users who already have the Google Cloud CLI installed can confirm that it is version 264.0.0 or later with the following command:

    gcloud --version
    

    If needed, users can update their Google Cloud CLI version using the following command:

    gcloud components update
    
  2. To begin using CBA, users must run the following command:

    gcloud config set context_aware/use_client_certificate true
    

Enable CBA for the Terraform CLI and Google API Client Libraries

  1. To enable CBA for the Terraform CLI and Google API Client Libraries, users must set the following environment variable:

    export GOOGLE_API_USE_CLIENT_CERTIFICATE=true
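
The following Go program is an added example, not code from this page, from Google, or from the Google API client libraries. It shows what the two preceding sections rely on: an API endpoint that identifies a device by the client certificate it presents during the mTLS handshake, and a client that presents that certificate only when the GOOGLE_API_USE_CLIENT_CERTIFICATE opt-in is set to true. Everything in it is constructed for the demonstration: the "Constructed Device CA", the device certificate named device-01, the stand-in API served by httptest, and the useClientCertificate check, which is this example's own reading of the true/false gate rather than the client libraries' implementation. The real libraries discover the device certificate from the endpoint's certificate store; here that step is replaced by an in-memory certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
	"time"
)

// useClientCertificate is this example's own opt-in check: present a device
// certificate only when GOOGLE_API_USE_CLIENT_CERTIFICATE is "true" (any case).
func useClientCertificate() bool {
	return strings.EqualFold(os.Getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE"), "true")
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a short-lived ECDSA P-256 certificate. A nil parent makes it
// self-signed (used only for the constructed device CA); a leaf certificate
// carries the clientAuth extended key usage that the server-side check requires.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// call performs one GET against srv, presenting devCert when it is non-nil.
// httptest's own client already trusts the stand-in API's server certificate.
func call(srv *httptest.Server, devCert *tls.Certificate) (string, error) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	if devCert != nil {
		cfg.Certificates = []tls.Certificate{*devCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo stands up a stand-in API that accepts only clients whose certificate
// chains to the constructed device CA, then calls it with and without the
// device certificate. It returns the identity the API saw and the bare call's error.
func Demo() (identity string, bareErr error) {
	caTLS, caCert := newCert("Constructed Device CA", true, nil, nil)
	deviceCert, _ := newCert("device-01", false, caCert, caTLS.PrivateKey.(*ecdsa.PrivateKey))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// RequireAndVerifyClientCert below means only verified peers reach this handler.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	identity, err := call(srv, &deviceCert)
	must(err)
	_, bareErr = call(srv, nil)
	return identity, bareErr
}
```

Calling Demo from a main function or a test shows the two outcomes side by side: with the device certificate the stand-in API returns "device-01", the identity it read from the verified peer certificate; without it the connection is rejected and the client receives an error instead of a response. The server's ClientCAs pool is what ties a presented certificate to a known device CA, and the useClientCertificate gate is what a library consults before deciding to present a certificate at all, which is why the environment variable must read true rather than any other value.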
    

Enable CBA for IAP Desktop

To enable certificate-based access in IAP Desktop, do the following:

  1. In the application, select Tools > Options.
  2. Select Secure connections to Google Cloud by using certificate-based access.
  3. Click OK.
  4. Close IAP Desktop and launch it again.

If you're using Active Directory, you can also configure a group policy object to automatically enable certificate-based access for your users.