Skip to content

Configure GCP connection using Workload Identity Federation - Built-In Identity Provider authentication

Step 1: Enable Google APIs

Performed in GCP

Enable the IAM API, Cloud Resource Manager API, and the Certificate Manager API.

  1. In the GCP console, go to APIs & services for your project.
  2. On the Library page, select Private APIs. If you don't see the API listed, that means you haven't been granted access to enable the API.
  3. Select the API you want to enable. If you need help finding the API, use the search field.
  4. On the page that displays information about the API, select Enable.

See Enabling an API in your Google Cloud project for more details.

Step 2: Create a custom role for service account permissions

Performed in GCP

You have the option to create a custom role via the console or gcloud CLI. Choose one of the below methods to create a custom role.

  • Console - See Create and manage custom roles to create an Identity and Access Management (IAM) custom role.

  • gcloud CLI - Alternatively, if you would like to use gcloud CLI to create a custom role, create the following YAML file with the included permissions.

permissions.yaml file
 title: Certificate Manager - SaaS Integration
 description: Permissions granted to Certificate Manager - SaaS
 stage: GA
 includedPermissions:
    - certificatemanager.certs.create
    - certificatemanager.certs.get
    - certificatemanager.certs.list
    - certificatemanager.certs.update
    - certificatemanager.locations.list
    - certificatemanager.operations.get
    - resourcemanager.projects.get
Then run the following command to create the custom role. Note that you will need to use this custom role in the next step.

gcloud iam roles create <tlspcIntegrationRole> --project=<PROJECT-ID> --file=permissions.yaml

Note

The custom role tlspcIntegrationRole is an example. You can name this role anything you like, but choose a name that reflects its purpose.

Step 3: Create a Google service account

Performed in GCP

Use the Workload Identity Federation authentication permissions when setting up a service account.

  1. Follow the steps to create a Google service account at Create service accounts. This page explains how to create service accounts using the Identity and Access Management (IAM) API, the GCP console, and the gcloud command- line tool.

  2. Once complete, you will be presented with your Google service account email. Make sure to copy and save this for later use.

    Note

    In this step, you will associate the custom role created in Step 2 with your Google service account.

Step 4: Create a workload identity pool

Performed in GCP

Note

  • The Google Cloud CLI must be installed and authenticated with Google Cloud.
  • You must have the permissions to manage Workload Identity Federation in Google Cloud.
  • Be sure to save the identity pool ID value you create in this step—you’ll need it when you get to Step 6.

Tip

  • If you have already created a workload identity pool in GCP, it is located in the GCP Workload Identity Federation section.

Create a workload identity pool running the following command, if one does not already exist. Replace the placeholders as described:

  • Replace your-identity-pool-id with a unique ID for the pool, consisting of 4 to 32 lowercase letters, digits, or hyphens. To avoid conflicts, use a unique ID. We recommend choosing a meaningful name that relates to this specific cloud provider (such as venafi-workload-pool).
  • Add desired description and display-name. Note, the display name must be less than or equal to 32 characters. 
gcloud iam workload-identity-pools create <your-identity-pool-id> \
        --location="global" \
        --description="<Venafi Workload Identity Pool for Federated Identities>" \
        --display-name="Venafi WIF Pool"

See Manage workload identity pools and providers for more details.

Step 5: Create a Cloud Provider

Performed in Certificate Manager - SaaS

  1. Sign in to Certificate Manager - SaaS.
  2. Click Integrations > Cloud Providers.
  3. Click New and select Google.
  4. Enter a Name for the new cloud provider. This name will help Certificate Manager - SaaS users to identify this cloud provider.
  5. Enter your Google Service Account Email you copied from Step 3.
  6. Select the Workload Identity Federation - Built-in Identity authorization method.

  7. You will now see the three fields listed below that you will need to populate:

    • Project Number (Located in GCP dashboard)
    • Workload Identity Pool ID (Located in the GCP Workload Identity Federation section)
    • Workload Identity Pool Provider ID (Create the Workload Identity Pool Provider ID by entering a unique, meaningful name related to this specific cloud provider, such as venafi-provider. The ID must be 4 to 32 lowercase letters, digits, or hyphens). Note, this ID does not already exist in the GCP console—it is being created here.

    Note

    You are only creating the Workload Identity Pool Provider ID in this step. You will use this ID in Step 6 to create the Workload Identity Pool Provider resource.

  8. Select an Owning Team and one of the Authorized Teams. If you need to create a new team see, create a new team.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
    • Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.

  9. Click Create.

  10. In the following screen, you will be presented with an Issuer URI. Copy the URI to use in the next step.

Important!

Make sure to copy and save this Issuer URI for use later on.

Step 6: Add an OIDC provider to the workload identity pool

Performed in GCP

Add an OIDC provider to the workload identity pool running the following command. Replace the following placeholders:

  • Replace your-identity-provider-id with the Workload Identity Pool Provider ID you created for Certificate Manager - SaaS in Step 5.
  • Replace your-identity-pool-id with the ID of the workload identity pool you created in Step 4.
  • Replace your_issuer_uri with your identity provider issuer URI you copied and saved from Step 5.
  1. Sign in to Certificate Manager - SaaS.
  2. Click Installations > Cloud Keystores.
  3. Click New and select Google.
  4. Enter a Name for the new cloud keystore.
  5. Select an Owning Team. If you need to create a new team, see create a new team.

  6. Select an Authorized Team.

    Note

    • Owning Team - The Owning Team is responsible for the administration, management, and control of a designated cloud provider, with the authority to update, modify, and delete cloud provider resources.
    • Authorized Team - The Authorize Team is granted permission to use specific resources of a cloud provider. Although team members can perform tasks like creating a keystore, their permissions may be limited regarding broader modifications to the provider's configuration. Unlike the Owning Team, users may not have the authority to update and delete Cloud Providers.

  7. Select a GCP Cloud Provider.

  8. Enter a Project Name.
  9. Enter a GCM Region.
  10. (Optional) To begin discovery once the keystore is created, an option to discover certificates on your keystore, select the toggle switches to turn on toggle "Start discovery immediately" and "Include expired certificates". After creating the keystore, refer to Set up GCP Discovery Schedule to create your schedule.
  11. Click Save. At this point you should see your saved new cloud keystore in the Cloud Keystore list.

Step 11: Provision a certificate

Performed in Certificate Manager - SaaS

At this point you should now have the ability to provision certificates.

  1. Click the more-options button to the right of the new cloud keystore you just created and select Provision.

    Tip

    Here you also have the option to delete certificates if needed.

  2. From the dropdown, search for the certificate you want, select it, and click Provision. This creates a new certificate (new installation on the keystore).

  3. (Optional) Here, you also can re-provision, replace, or delete a certificate. These options modify an existing machine installation.

    • Select your Cloud Keystore, and a details panel will appear on the right.
    • Click on the ellipsis button to the right of your certificate.
    • Choose the appropriate action: Re-provision, Replace, or Delete, and proceed through the user interface steps until the process is complete.

    Info

    • Re-provision - This action re-provisions your current certificate.
    • Replace - Choose this option to substitute your current certificate with a different one.
    • Delete - This action removes the selected certificate from the table.

    Note

    If using Google Cloud Platform, go to your Google service account, under Certificate Manager, and select Certificates. Click the Refresh button. You should now see your certificate in the list with an active status.

At this point you have successfully connected Certificate Manager - SaaS to your cloud provider and successfully provisioned a certificate.

Set up GCP Discovery Schedule

  1. In the Certificate Manager - SaaS toolbar, click Installations and select Cloud Keystores from the drop-down menu.
  2. Select the Cloud Keystore name that you want to perform a discovery on.
  3. From the pane that opens on the right of the screen, select Discovery configuration. Select the toggle toggle switches to turn on "Enable scheduled discovery" and "Include expired certificates".
  4. Under Repeat, select your desired Daily, Weekly, or Advanced schedule. Then, choose your desired time.
  5. Click Save.