Set up certificate-based access

Set up CBA

To set up CBA, complete the following steps:

1. Create a new CBA access level that requires certificates when determining access to resources.

2. Enforce the CBA access level on a resource by using one of the following methods:

   • Restrict access to VPC Service Controls-supported Google Cloud services by creating a VPC Service Controls perimeter with the CBA access level and then adding services into the perimeter. For detailed instructions, see Enable certificate-based access with VPC Service Controls.

   • Restrict access to all of your Google Cloud services, including the Google Cloud console by binding the CBA access level to a user group that you want to restrict access to. For detailed instructions, see Enable certificate-based access with user groups.

   • Restrict access to your VM. For detailed instructions, see Enable certificate-based access for VMs.

   • Restrict access to your web applications. For detailed instructions, see Enable certificate-based access for web applications.

   • Restrict access to all of your Google Cloud services from workloads. For detailed instructions, see Configure certificate-based access for Workload Identity Federation.

3. After you enforce CBA, access to resources without client certificates is denied. To grant access to trusted devices, you must ensure that your clients are correctly sending certificates to the Google APIs through an mTLS connection. You can do that by enabling the CBA feature in your CBA compatible client using the procedure in Enable certificate-based access in client applications.