Configure Google Cloud Platform (GCP) connection¶
This guide walks you through connecting TLS Protect Cloud to Google Cloud Platform (GCP) so that TLS Protect Cloud can provision new certificates into Google Certificate Manager (GCM) for use with Google services.
Before you begin¶
You're going to need a few things to complete this procedure:
- A Google service account with the permissions Venafi requires for GCP. You grant these permissions when you create the service account.
- GCP project number: shown on the GCP dashboard. Note that this is the numeric project number, not the GCP project ID. (Workload Identity Federation authentication only)
- GCP project ID: shown on the GCP dashboard. (Workload Identity Federation authentication only)
- GCP Workload Identity Pool ID: shown in the GCP Workload Identity Federation section. (Workload Identity Federation authentication only)
- GCP Workload Identity Pool Provider ID: shown in the GCP Workload Identity Federation section. (Workload Identity Federation authentication only)
- Access to enable the following GCP APIs:
  - IAM API
  - Cloud Resource Manager API
  - Certificate Manager API
- The Google Cloud CLI must be installed and authenticated with Google Cloud.
- At least one active VSatellite to provision certificates to GCP.
Note
- Only certificates generated by TLS Protect Cloud, or imported by a user together with their private key, can be provisioned. To learn more, see Importing a private key via API (PKCS #8) and Importing a private key via API (PKCS #12).
- Only one certificate can be provisioned at a time.
Overview¶
The following diagram illustrates the high-level steps for integrating TLS Protect Cloud with Google Cloud Platform (GCP). In the subsequent sections, we dive into each of these steps, providing you with a guided walkthrough.
What are my options for authentication methods?¶
There are two authentication methods available: Workload Identity Federation and Service Account Key. Choose the one that suits your requirements. Workload Identity Federation is recommended: it authenticates with short-lived tokens, whereas a Service Account Key is a long-lived credential that has to be stored, protected and rotated by you.
What is the difference between Workload Identity Federation and Service Account Key authentication?¶
- Workload Identity Federation (recommended): lets workloads outside Google Cloud access Google Cloud resources without long-lived credentials. It relies on an external identity provider (AWS, Azure AD, or any OIDC-compliant issuer) whose credentials are exchanged for short-lived Google Cloud tokens, reducing the risk of credential exposure.
  This method suits multi-cloud and on-premises environments, because it integrates with existing identity systems and simplifies access management. Using short-lived tokens instead of static service account keys improves security and removes the need for manual credential rotation.
- Service Account Key: an external application or service authenticates to GCP with a service account's private key, usually stored in a JSON file. The key does not expire on its own, so it must be protected at rest and rotated manually.
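The prerequisites listed under "Before you begin" (enabling the three APIs, creating the service account, and obtaining the project number, pool ID and provider ID) and the Workload Identity Federation flow just described, as an added gcloud script that is not part of the Venafi documentation. Every name in it (project, pool, provider and service account names, the OIDC issuer URI, and the `roles/certificatemanager.editor` role standing in for the permissions Venafi requires) is an assumption; take the real issuer URI and attribute mapping from what TLS Protect Cloud shows for your tenant. The script prints the gcloud commands by default (DRY_RUN=1) so they can be reviewed, and applies them against an authenticated gcloud when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not Venafi's own tooling. Prepares the GCP side of a
# Workload Identity Federation connection and prints the values the
# TLS Protect Cloud connection wizard asks for. All names are assumptions.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# wif_member: build the principalSet:// identifier IAM uses for identities
# from a workload identity pool. Pure string function, runs offline.
#   $1 project number (numeric), $2 pool id,
#   $3 selector: '*' for the whole pool, or e.g. 'attribute.tenant/<id>'
wif_member() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/%s' \
    "$1" "$2" "$3"
}

# setup_wif: enable APIs, create pool + OIDC provider + service account,
# bind roles, and print the wizard inputs. No key file is ever created.
#   $1 project id, $2 project number, $3 pool id, $4 provider id,
#   $5 service account name, $6 OIDC issuer URI (placeholder; assumed)
setup_wif() {
  project_id="$1"; project_number="$2"; pool_id="$3"; provider_id="$4"
  sa_name="$5"; issuer_uri="$6"
  sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"

  # 1. The three APIs named in the prerequisites.
  run gcloud services enable iam.googleapis.com cloudresourcemanager.googleapis.com \
    certificatemanager.googleapis.com --project="$project_id"

  # 2. Pool and OIDC provider. Issuer URI and attribute mapping are
  #    assumptions here; the real values come from TLS Protect Cloud.
  run gcloud iam workload-identity-pools create "$pool_id" --location=global \
    --project="$project_id" --display-name="TLS Protect Cloud"
  run gcloud iam workload-identity-pools providers create-oidc "$provider_id" \
    --location=global --workload-identity-pool="$pool_id" --project="$project_id" \
    --issuer-uri="$issuer_uri" --attribute-mapping="google.subject=assertion.sub"

  # 3. Service account that holds the Certificate Manager permissions.
  #    The role is an assumption: the page does not list Venafi's permissions.
  run gcloud iam service-accounts create "$sa_name" --project="$project_id" \
    --display-name="TLS Protect Cloud provisioning"
  run gcloud projects add-iam-policy-binding "$project_id" \
    --member="serviceAccount:${sa_email}" --role=roles/certificatemanager.editor

  # 4. Allow identities from the pool to impersonate the service account.
  #    Narrow the selector to a mapped attribute once you know the claims
  #    your provider emits, instead of granting the whole pool.
  run gcloud iam service-accounts add-iam-policy-binding "$sa_email" \
    --project="$project_id" --role=roles/iam.workloadIdentityUser \
    --member="$(wif_member "$project_number" "$pool_id" '*')"

  # 5. The values the connection wizard asks for.
  printf 'project_id=%s\nproject_number=%s\npool_id=%s\nprovider_id=%s\nservice_account=%s\n' \
    "$project_id" "$project_number" "$pool_id" "$provider_id" "$sa_email"
}

# project_number_of: look up the numeric project number for a project ID
# (needs an authenticated gcloud; the wizard wants the number, not the ID).
project_number_of() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# Example invocation with assumed names and a placeholder issuer.
setup_wif "my-gcp-project" "123456789012" "tlspc-pool" "tlspc-provider" \
  "tlspc-provisioner" "https://issuer.example.invalid"
```

Run it once with the default DRY_RUN=1 and read the printed commands; the `add-iam-policy-binding` on the service account is the step that lets federated identities mint short-lived tokens, so that member string is the one to scope tightly before running with DRY_RUN=0. For the Service Account Key method you would instead run `gcloud iam service-accounts keys create`, which produces the long-lived JSON key the text above warns about.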