gcloud beta topic client-certificate

NAME
gcloud beta topic client-certificate - client certificate authorization supplementary help
DESCRIPTION
(BETA) Client certificate authorization supplementary help.

Device Certificate Authorization (DCA) enables Context-aware access to identify devices by their X.509 certificates. DCA for Google Cloud APIs is the second in a series of releases that gives administrators the capability to protect access to their Google Cloud resources with device certificates. This feature builds on top of the existing Context-aware access suite (Endpoint Verification, Access Context Manager, and VPC Service Controls) and ensures that only users on trusted devices with a Google-generated certificate are able to access Google Cloud APIs. This provides a stronger signal of device identity (device certificate verification) and protects users against credential theft or accidental loss, because access is granted only when both the credentials and the original device certificate are presented.

To use this feature, organizations can follow the instructions below to install an endpoint verification agent on devices:

  • Automatically deploy endpoint verification (https://support.google.com/a/answer/9007320#)
    • Via Chrome Policy for the extension
    • 3rd party image/software distribution tools for the Native Helper on macOS and Windows
  • Let users install endpoint verification themselves from the Chrome Web Store (https://support.google.com/a/users/answer/9018161#install)
    • Users are also prompted to install the Native Helper
For a greater level of security, operating system key stores can be used to store client certificate objects, so the private key stays in the key store (hardware-backed where the platform supports it) and is never copied into a file that gcloud reads. This feature is enabled by using enterprise-certificate-proxy.

enterprise-certificate-proxy can be installed by running $ gcloud components install enterprise-certificate-proxy.

In order to use enterprise-certificate-proxy it must first be configured. By default the configuration is read from ~/.config/gcloud/certificate_config.json.

The enterprise-certificate-proxy schema is documented on the GitHub project page. Each operating system that gcloud supports uses a different key store. The certificate_config may contain multiple OS configurations.

Provisioning the key stores is not in scope for this document.

Run $ gcloud config set context_aware/use_client_certificate True so that the gcloud CLI will load the certificate and send it to services.
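The three steps above (install the proxy, write certificate_config.json, set the property) as one script. This is an added example, not code from the gcloud documentation or the enterprise-certificate-proxy project. The cert_configs key names (windows_store, macos_keychain, pkcs11) and their fields are an assumption about the schema and must be confirmed against the GitHub project page; the issuer, slot, label and module values are placeholders for whatever your PKI or token provisioning produced. The config is written 0600 because a PKCS#11 block may have to carry a token PIN.

```shell
#!/usr/bin/env bash
# Added example, not from the gcloud docs or the enterprise-certificate-proxy
# project: write a certificate_config.json for one OS key store, sanity-check
# it, then enable client certificates in gcloud.
set -eu

# gcloud honours CLOUDSDK_CONFIG as an override for ~/.config/gcloud.
GCLOUD_DIR="${CLOUDSDK_CONFIG:-${HOME:-.}/.config/gcloud}"
CONFIG_PATH="$GCLOUD_DIR/certificate_config.json"

# Map an OS name to its cert_configs key. ASSUMPTION: these key names and
# the fields below are what the author of this example believes the project
# README documents; confirm them against the schema on the project page.
ecp_store_key() {
  case "$1" in
    windows) echo windows_store ;;
    macos)   echo macos_keychain ;;
    linux)   echo pkcs11 ;;
    *)       return 2 ;;
  esac
}

# Print the JSON for one OS. Issuer, slot, label and module are placeholders.
ecp_config_json() {
  local os="$1" issuer="${2:-Example Device CA}" key
  key="$(ecp_store_key "$os")" || return 2
  case "$os" in
    windows)
      printf '{"cert_configs":{"%s":{"store":"MY","provider":"current_user","issuer":"%s"}}}\n' "$key" "$issuer" ;;
    macos)
      printf '{"cert_configs":{"%s":{"issuer":"%s"}}}\n' "$key" "$issuer" ;;
    linux)
      # A PIN-protected token also needs a user_pin field here.
      printf '{"cert_configs":{"%s":{"slot":"0x0","label":"gcloud-device-cert","module":"/usr/lib/libpkcs11.so"}}}\n' "$key" ;;
  esac
}

# Write the config privately (0600): it may hold a token PIN.
write_ecp_config() {
  local path="$1" os="$2" issuer="${3:-}"
  mkdir -p "$(dirname "$path")"
  ( umask 077; ecp_config_json "$os" "$issuer" > "$path" )
}

# Return 0 only if the file exists, names a cert_configs entry for this OS,
# and is readable by the owner alone.
ecp_config_ok() {
  local path="$1" os="$2" key mode
  key="$(ecp_store_key "$os")" || return 2
  [ -s "$path" ] || return 1
  grep -q '"cert_configs"' "$path" || return 1
  grep -q "\"$key\"" "$path" || return 1
  mode="$(ls -ld "$path" | cut -c1-10)"
  [ "$mode" = "-rw-------" ] || return 1
}

# The two gcloud steps from the page, plus a read-back of the property.
# Needs a working gcloud, so it only runs when invoked with "apply".
enable_client_cert() {
  gcloud components install enterprise-certificate-proxy --quiet
  gcloud config set context_aware/use_client_certificate True
  gcloud config get context_aware/use_client_certificate   # prints: True
}

# Usage: ./ecp_setup.sh apply linux|macos|windows ["Issuer CN"]
if [ "${1:-}" = "apply" ]; then
  write_ecp_config "$CONFIG_PATH" "${2:-linux}" "${3:-}"
  ecp_config_ok "$CONFIG_PATH" "${2:-linux}"
  enable_client_cert
fi
```

Run it with apply and the OS name on a provisioned device; ecp_config_ok is deliberately strict about the file mode so a world-readable config (and any PIN in it) fails the check before gcloud is touched.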

See https://cloud.google.com/sdk/gcloud/reference/topic/client-certificate for the support list for the latest version of the gcloud CLI. Upgrade the gcloud command-line tool if necessary.

Note: iap_tunnel is a special service the gcloud CLI uses to create IAP tunnels. For example, gcloud compute start-iap-tunnel can start a tunnel to Cloud Identity-Aware Proxy through which another process can create a connection (e.g. SSH, RDP) to a Google Compute Engine instance. Client certificate authorization is supported in tunnel creation.

NOTES
This command is currently in beta and might change without notice. These variants are also available:
gcloud topic client-certificate
gcloud alpha topic client-certificate

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-09-30 UTC.