Configure lifecycle management for managed workloads

This document describes how to use Certificate Manager (2nd gen) to configure certificate lifecycle management for managed workloads such as Compute Engine and Google Kubernetes Engine (GKE). A certificate issuance configuration links a managed workload identity pool to a Certificate Authority Service (CA Service) pool so that certificates are issued and renewed automatically. This helps prevent service outages caused by expired certificates.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  4. Verify that billing is enabled for your Google Cloud project.

  5. Enable the Compute Engine, Certificate Manager, and Certificate Authority Service APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the APIs

Required roles

To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Configure the lifecycle of managed workloads

Configure a managed workload identity pool to specify how the associated workloads receive and renew certificates from an existing CA Service pool.

  1. In the Google Cloud console, go to the Certificate Manager (2nd gen) page.

    Go to Certificate Manager (2nd gen)

  2. In the navigation pane, click Manage lifecycle.
  3. Select the Managed workload identities tab.
  4. Find the workload identity pool that you want to configure, and then click Configure lifecycle management.
  5. Select a region and a CA pool in that region.
  6. In the Certificate lifetime field, specify the validity period of issued certificates. The value must be between 21 and 30 days.
  7. Set the Rotation window to a value between 50 and 80. This is the percentage of the certificate lifetime at which certificate renewal is triggered.
  8. In the Key algorithm field, select the cryptographic algorithm used to generate the private key.
  9. Click Update.
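The two numeric settings in steps 6 and 7 together decide when a workload's certificate is renewed and how much time remains before the old certificate stops being valid if renewal fails. The following Python model is an added example, not Google's code or API: it enforces the documented ranges (21 to 30 days, 50% to 80%), computes the renewal trigger and expiry for a given issuance time, and classifies a certificate as current, due for renewal, or expired. This is the check a monitoring job would apply to a certificate observed on a workload, since a certificate that stays in the renewal window long after its trigger time means automatic renewal is not working. The names `LifecycleConfig`, `rotation_status` and `renewal_margin_hours` are assumptions of this example.

```python
"""Model of the Certificate Manager (2nd gen) lifecycle settings described
above. Added example; the function and class names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Bounds the console enforces, as documented on this page.
MIN_LIFETIME_DAYS, MAX_LIFETIME_DAYS = 21, 30
MIN_ROTATION_PCT, MAX_ROTATION_PCT = 50, 80


@dataclass(frozen=True)
class LifecycleConfig:
    lifetime_days: int        # "Certificate lifetime" field (days)
    rotation_window_pct: int  # "Rotation window" field (% of lifetime)

    def validate(self) -> "LifecycleConfig":
        """Reject values outside the documented ranges; return self for chaining."""
        if not MIN_LIFETIME_DAYS <= self.lifetime_days <= MAX_LIFETIME_DAYS:
            raise ValueError(
                f"lifetime must be {MIN_LIFETIME_DAYS}-{MAX_LIFETIME_DAYS} days, "
                f"got {self.lifetime_days}")
        if not MIN_ROTATION_PCT <= self.rotation_window_pct <= MAX_ROTATION_PCT:
            raise ValueError(
                f"rotation window must be {MIN_ROTATION_PCT}-{MAX_ROTATION_PCT}%, "
                f"got {self.rotation_window_pct}")
        return self


def is_valid_config(lifetime_days: int, rotation_window_pct: int) -> bool:
    """True if the pair of values would be accepted by the console."""
    try:
        LifecycleConfig(lifetime_days, rotation_window_pct).validate()
    except ValueError:
        return False
    return True


def expiry_time(cfg: LifecycleConfig, not_before: datetime) -> datetime:
    """The certificate's notAfter, given its notBefore."""
    return not_before + timedelta(days=cfg.lifetime_days)


def renewal_time(cfg: LifecycleConfig, not_before: datetime) -> datetime:
    """The point at which renewal is triggered: rotation_window_pct of the
    lifetime after issuance (e.g. 80% of 30 days = day 24)."""
    lifetime = timedelta(days=cfg.lifetime_days)
    return not_before + lifetime * (cfg.rotation_window_pct / 100)


def renewal_margin_hours(cfg: LifecycleConfig) -> int:
    """Hours between the renewal trigger and expiry: the time a workload has
    to obtain a new certificate before the old one becomes invalid.
    Integer arithmetic keeps the result exact (30 days at 80% -> 144 h)."""
    return cfg.lifetime_days * 24 * (100 - cfg.rotation_window_pct) // 100


def rotation_status(cfg: LifecycleConfig, not_before_iso: str, now_iso: str) -> str:
    """Classify a certificate at time `now` (both times as ISO 8601 strings
    with a UTC offset): 'current' (no action), 'renewal_due' (inside the
    rotation window) or 'expired'. A certificate still 'renewal_due' well
    past its trigger time indicates automatic renewal is failing."""
    not_before = datetime.fromisoformat(not_before_iso)
    now = datetime.fromisoformat(now_iso)
    if now >= expiry_time(cfg, not_before):
        return "expired"
    if now >= renewal_time(cfg, not_before):
        return "renewal_due"
    return "current"


if __name__ == "__main__":
    # Constructed sample: 30-day lifetime, 80% rotation window, issued 2024-01-01.
    cfg = LifecycleConfig(lifetime_days=30, rotation_window_pct=80).validate()
    issued = "2024-01-01T00:00:00+00:00"
    print("margin between renewal and expiry:", renewal_margin_hours(cfg), "hours")
    for now in ("2024-01-10T00:00:00+00:00", "2024-01-26T00:00:00+00:00",
                "2024-02-01T00:00:00+00:00"):
        print(now, "->", rotation_status(cfg, issued, now))
```

Choosing the low end of the rotation window (50%) maximizes the time available to detect and fix a failed renewal before the certificate expires; choosing the high end (80%) keeps each certificate in use for longer. `renewal_margin_hours` makes that trade-off explicit for the values you enter in the console.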

What's next