Configure Google Cloud Platform (GCP) connection
The following guide illustrates connecting Certificate Manager - SaaS with Google Cloud Platform (GCP).
Enable Certificate Manager - SaaS to provision new certificates in Google Certificate Manager (GCM) for use with Google services. This guide walks you through the integration process.
Before you begin
You're going to need a few things to complete this procedure:
- A Google service account that has the Venafi permissions for GCP: you must grant these permissions to the service account when you create it.
- Azure Tenant ID (Workload Identity Federation - Azure Identity Provider authentication only)
- Azure App ID (Workload Identity Federation - Azure Identity Provider authentication only)
- Azure App Secret (Workload Identity Federation - Azure Identity Provider authentication only)
- GCP Project Number: This is located in the GCP dashboard. Please note, this is your GCP project number (numeric), not the GCP project ID. (Workload Identity Federation for Built-In Identity Provider and Azure Identity Provider authentication only)
- GCP Project ID: This is located in the GCP dashboard. (Workload Identity Federation authentication only)
- GCP Service Account (Workload Identity Federation - Azure Identity Provider authentication only)
- GCP Workload Identity Pool ID: This is located in the GCP Workload Identity Federation section. (Workload Identity Federation for Built-In Identity Provider and Azure Identity Provider authentication only)
- GCP Workload Identity Pool Provider ID: This is located in the GCP Workload Identity Federation section. (Workload Identity Federation for Built-In Identity Provider and Azure Identity Provider authentication only)
- Access to enable the following GCP APIs:
  - IAM API
  - Cloud Resource Manager API
  - Certificate Manager API
- The Google Cloud CLI must be installed and authenticated with Google Cloud.
- At least one active VSatellite to provision certificates to GCP.
Note
- (Conditional) Only Certificate Manager - SaaS-generated and user-imported certificates with private keys can be provisioned. To learn more, see Importing a private key via API (PKCS #8) and Importing a private key via API (PKCS #12).
- Only one certificate can be provisioned at a time.
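As an added example (not part of this guide, and not Venafi's or Google's tooling), the following POSIX shell script checks the GCP-side prerequisites listed above with the gcloud CLI: it resolves the numeric project number from the project ID (the guide asks for the number, not the ID), reports which of the three required APIs are still disabled and enables them, and lists the Workload Identity Pool and Provider IDs so you can copy the short IDs the connection form expects. It assumes gcloud is installed and authenticated and reads the project ID from a PREFLIGHT_PROJECT_ID environment variable chosen for this example; the helper functions that do not call gcloud run on their own.

```shell
#!/bin/sh
# Added example (not Venafi's or Google's code): pre-flight checks for the
# GCP prerequisites of the Certificate Manager - SaaS connection.
# Assumes the gcloud CLI is installed and authenticated.

# The three APIs the guide requires, as gcloud service names.
REQUIRED_APIS="iam.googleapis.com cloudresourcemanager.googleapis.com certificatemanager.googleapis.com"

# Return 0 if the argument is a GCP project *number* (digits only), 1 otherwise.
# The connection form wants the numeric project number, not the project ID.
is_project_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the short ID from a full resource name, e.g.
#   projects/123/locations/global/workloadIdentityPools/my-pool            -> my-pool
#   .../workloadIdentityPools/my-pool/providers/my-provider                -> my-provider
resource_short_id() {
    printf '%s\n' "${1##*/}"
}

# Resolve the numeric project number for a project ID (needs gcloud).
project_number_for() {
    gcloud projects describe "$1" --format='value(projectNumber)'
}

# Print the required APIs that are not yet enabled in the project (needs gcloud).
missing_apis() {
    enabled=$(gcloud services list --enabled --project "$1" --format='value(config.name)')
    for api in $REQUIRED_APIS; do
        printf '%s\n' "$enabled" | grep -qx "$api" || printf '%s\n' "$api"
    done
}

# Print each workload identity pool ID and its provider IDs (needs gcloud).
list_wif_pools() {
    gcloud iam workload-identity-pools list --project "$1" --location=global --format='value(name)' |
    while IFS= read -r pool; do
        pool_id=$(resource_short_id "$pool")
        printf 'pool: %s\n' "$pool_id"
        gcloud iam workload-identity-pools providers list --project "$1" --location=global \
            --workload-identity-pool="$pool_id" --format='value(name)' |
        while IFS= read -r prov; do
            printf '  provider: %s\n' "$(resource_short_id "$prov")"
        done
    done
}

preflight() {
    project_id=$1
    number=$(project_number_for "$project_id")
    is_project_number "$number" || { echo "could not resolve project number for $project_id" >&2; return 1; }
    echo "project ID: $project_id  project number: $number"
    missing=$(missing_apis "$project_id")
    if [ -n "$missing" ]; then
        echo "enabling missing APIs: $missing"
        # $missing is intentionally unquoted: one service name per word
        gcloud services enable $missing --project "$project_id"
    fi
    list_wif_pools "$project_id"
}

# Live checks run only when a project ID is supplied (assumed variable name):
#   PREFLIGHT_PROJECT_ID=my-project-id sh preflight.sh
if [ -n "${PREFLIGHT_PROJECT_ID:-}" ]; then
    preflight "$PREFLIGHT_PROJECT_ID"
fi
```

The pool and provider listings print full resource names by default, which is why the script trims them to the short IDs; the connection form asks for those short IDs, and the project number rather than the ID.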
Overview
The following diagram illustrates the high-level steps for integrating Certificate Manager - SaaS with Google Cloud Platform (GCP). In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.
What are my options for authentication methods?
There are three authentication methods available:
- Workload Identity Federation - Built-In Identity Provider
- Workload Identity Federation - Azure Identity Provider
- Service Account Key
Choose the option that best suits your requirements. Workload Identity Federation is recommended because it is more secure: it uses short-lived tokens, whereas a Service Account Key relies on a long-lived credential.
What is the difference between Workload Identity Federation and Service Account Key authentication?
- Workload Identity Federation - Built-In Identity Provider (recommended): Workload Identity Federation allows workloads outside Google Cloud to securely access Google Cloud resources without using long-term credentials. It relies on external identity providers like AWS, Azure AD, or OIDC-compliant systems to exchange external credentials for short-lived Google Cloud tokens, reducing the risk of credential exposure.
  This method is ideal for multi-cloud or on-premises environments, integrating with existing identity systems to simplify access management. Using short-lived tokens instead of static service account keys improves security and reduces the need for manual credential management.
- Workload Identity Federation - Azure Identity Provider: This method uses Azure Active Directory (Azure AD) as an external identity provider to federate access to Google Cloud. With this approach, applications authenticate to Azure AD and exchange tokens for short-lived Google credentials via Workload Identity Federation.
  This is ideal for organizations already using Azure AD for identity management and seeking to integrate GCP without managing long-lived service account keys. It enables secure, token-based access and simplifies centralized identity governance across cloud platforms.
- Service Account Key: A method where an external application or service uses a service account's private key (usually stored in a JSON file) to authenticate and access GCP resources.
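To make the distinction concrete, here is an added example (not code from this guide, Venafi or Google) that classifies a Google credential JSON file by its type field: a downloaded service account key (type service_account, carrying a private_key) is the long-lived credential the guide advises against, while a Workload Identity Federation credential configuration (type external_account, pointing at the STS token endpoint) contains no secret and only yields short-lived tokens. The two sample files are constructed inline with placeholder values; the project number, pool ID and provider ID are parsed out of the audience field so an operator auditing credential files can confirm which federation a configuration targets.

```shell
#!/bin/sh
# Added example (not Venafi's or Google's code): tell a long-lived service
# account key apart from a Workload Identity Federation credential config.
# Only sed/grep are used, so it runs without jq.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: a downloaded service account key (placeholder values).
cat > "$WORKDIR/sa-key.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "cm-saas@example-project.iam.gserviceaccount.com"
}
EOF

# Constructed sample: a WIF credential configuration. It holds no secret; the
# external token named in credential_source is exchanged at the STS endpoint.
cat > "$WORKDIR/wif.json" <<'EOF'
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/example-pool/providers/example-provider",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": { "file": "/var/run/secrets/external-token" }
}
EOF

# Print the string value of a JSON key (first match), e.g.: json_field FILE type
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

credential_type() {
    json_field "$1" type
}

# Print one of: service-account-key, workload-identity-federation, unknown
classify_credential() {
    case "$(credential_type "$1")" in
        service_account)
            # The key file itself is the long-lived secret.
            if grep -q '"private_key"' "$1"; then echo service-account-key; else echo unknown; fi ;;
        external_account)
            # A WIF config names an audience and the STS token-exchange endpoint.
            if grep -q 'sts\.googleapis\.com' "$1" && [ -n "$(json_field "$1" audience)" ]; then
                echo workload-identity-federation
            else
                echo unknown
            fi ;;
        *) echo unknown ;;
    esac
}

# From the audience URL of a WIF config, print: PROJECT_NUMBER POOL_ID PROVIDER_ID
wif_pool_and_provider() {
    aud=$(json_field "$1" audience)
    num=${aud##*/projects/};               num=${num%%/*}
    pool=${aud##*/workloadIdentityPools/}; pool=${pool%%/*}
    prov=${aud##*/providers/}
    printf '%s %s %s\n' "$num" "$pool" "$prov"
}

# Report on both sample files.
for f in "$WORKDIR/sa-key.json" "$WORKDIR/wif.json"; do
    kind=$(classify_credential "$f")
    printf '%s: %s\n' "$(basename "$f")" "$kind"
    if [ "$kind" = workload-identity-federation ]; then
        printf '  project number / pool / provider: %s\n' "$(wif_pool_and_provider "$f")"
    fi
done
```

Run over a directory of credential files, the classifier gives a quick inventory of which integrations still depend on a downloadable key and are candidates for moving to one of the Workload Identity Federation options above.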