Set up certificate-based access

To set up certificate-based access (CBA), you must create a new CBA access level, enforce the CBA access level, and enable CBA in your client applications.

Before you begin

Ensure that the Endpoint Verification Chrome extension and the Endpoint Verification helper app are deployed on all of the devices that require access to Google Cloud resources. These become trusted devices to which you can grant access.

If you need to deploy Endpoint Verification, see Deploying Endpoint Verification to use with certificate-based access.

Set up CBA

To set up CBA, complete the following steps:

  1. Create a new CBA access level that requires certificates when determining access to resources.

  2. Enforce the CBA access level on a resource using one of the following methods:

    • Restrict access to VPC Service Controls-supported Google Cloud services by creating a VPC Service Controls perimeter with the CBA access level, and then adding services into the perimeter. For detailed instructions, see Enable certificate-based access with VPC Service Controls.
    • Restrict access to all Google Cloud services, including the Google Cloud console, by binding the CBA access level to a user group that you want to restrict access to. For detailed instructions, see Enable certificate-based access with user groups.
  3. After you enforce CBA, access to resources without client certificates is denied. To grant access to trusted devices, you must ensure that your clients are correctly sending certificates to the Google APIs through an mTLS connection. You can do that by enabling the CBA feature in your CBA-compatible client using the procedure in Enable certificate-based access in client applications.
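The following script is an added example, not code from the Google Cloud page, showing the first two steps above (create the CBA access level, then enforce it either with a VPC Service Controls perimeter or with a group binding) as `gcloud access-context-manager` commands. The policy ID, level name, group ID, perimeter name and project number are placeholders, the restricted service (Cloud Storage) is an arbitrary choice, and the CEL attribute names in the access level expression are assumed; check the flags and attributes against the Access Context Manager reference before running with `DRY_RUN=0`. By default the script only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example (not from the Google Cloud page): the CBA setup steps as
# gcloud commands. All IDs are placeholders; DRY_RUN=1 (the default) only
# prints each command instead of executing it.
set -eu

POLICY_ID="${POLICY_ID:-POLICY_ID_PLACEHOLDER}"        # access policy ID
LEVEL_NAME="${LEVEL_NAME:-cba_level}"                  # name of the new access level
GROUP_ID="${GROUP_ID:-GROUP_ID_PLACEHOLDER}"           # Google group ID to restrict
PERIMETER_NAME="${PERIMETER_NAME:-cba_perimeter}"      # VPC Service Controls perimeter
PROJECT_NUMBER="${PROJECT_NUMBER:-PROJECT_NUMBER_PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# Step 1a: write a custom access level spec that requires a valid device
# certificate. The attribute names (device.certificates, is_valid) are
# assumed here and must be checked against the custom access level reference.
write_level_spec() {
  cat > "$1" <<'EOF'
expression: "device.certificates.exists(cert, cert.is_valid)"
EOF
}

# Step 1b: create the CBA access level from that spec.
create_cba_level() {
  write_level_spec "$1"
  run gcloud access-context-manager levels create "$LEVEL_NAME" \
    --title="Certificate-based access" \
    --policy="$POLICY_ID" \
    --custom-level-spec="$1"
}

# Step 2, option A: enforce the level with a VPC Service Controls perimeter
# around a project and a VPC-SC-supported service (Cloud Storage here).
create_perimeter() {
  run gcloud access-context-manager perimeters create "$PERIMETER_NAME" \
    --title="CBA perimeter" \
    --policy="$POLICY_ID" \
    --resources="projects/$PROJECT_NUMBER" \
    --restricted-services=storage.googleapis.com \
    --access-levels="$LEVEL_NAME"
}

# Step 2, option B: enforce the level on a user group so that it applies to
# all Google Cloud services, including the console.
bind_group() {
  run gcloud access-context-manager cloud-bindings create \
    --group-key="$GROUP_ID" \
    --level="accessPolicies/$POLICY_ID/accessLevels/$LEVEL_NAME"
}

# Usage: pick one enforcement option after creating the level.
# spec=$(mktemp); create_cba_level "$spec"; bind_group
```

After the level is enforced, clients without a certificate are denied, so step 3 (enabling CBA in each client so it sends its certificate over mTLS) has to follow before users on trusted devices regain access.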

What's next