- {{ description }}
The certificate store type set up for the GCP Load Balancer Orchestrator should have the following options set:
Name: A descriptive name for the certificate store type
Short Name: Must be GCP
Needs Server: Unchecked
Blueprint Allowed: Unchecked
Requires Store Password: Unchecked
Supports Entry Password: Unchecked
Supports Custom Alias: Optional (If unselected, a random alias will be generated by the GCP LB Orchestrator)
**Uses PowerShell: ** Unchecked
Store Path Type: FreeForm
**Private Keys: ** Required (Adding a certificate to a GCP Load Balancer certificate store without the private key is not a valid use case)
PFX Password Style: Default
Job Types: Check Inventory, Add, and Remove. Leave Create, Discovery, and Reenrollment unchecked
Parameters: Add 1 custom parameter if authenticating to the GCP API library by passing the GCP service account key from Keyfactor Command (see Authentication):
- Name: Must be jsonKey
- Display Name: Desired custom display name
- Type: Secret
- Change Default Value: Unchecked
- Default Value: Leave blank
When creating a GCP certificate store in Keyfactor, the various options should be set up a follows:
Category: Must be GCP
Container: Optional container name if using this feature. Please consult the Keyfactor Command Reference Guide for more information on this feature.
Client Machine: The name or IP address of the Orchestrator server that will be handling GCP jobs.
Store Path: This should be your Google Cloud project ID. This will work against GCP Global resources. Optionally, you can append "/" with the region you wish to process against. Please refer to the following page for a list of valid region codes (GCP code column): https://gist.github.com/rpkim/084046e02fd8c452ba6ddef3a61d5d59.
Service Account Key: If you will be authenticating via passing credentials from Keyfactor Command, you must add this value as follows:
- No Service Account Key: Unchecked
- Secret Source: "Keyfactor Secrets" if you wish to store the GCP service account key in the Keyfactor secrets engine or "Load From PAM Provider" if you have set up a PAM provider integration within Keyfactor Command and wish to store this value there.
- Enter and Confirm Service Account Key: The JSON-based service account key you acquired from GCP (See Authentication).
Inventory Schedule: Set whether to schedule Inventory jobs for this certificate store, and if so, the frequency here.
A service account is necessary for authentication to GCP. The following are the required permissions:
- compute.sslCertificates.create
- compute.sslCertificates.delete
- compute.sslCertificates.list
The agent supports having credentials provided by the environment, environment variable, or passed manually from Keyfactor Command.
You can read more about the first two options here.
To pass credentials from Keyfactor Command you need to first create a service account and then download a service account key.
Instructions are here.
Remember to assign the appropriate role/permissions for the service account.
Afterwards inside Keyfactor Command copy and paste the contents of the service account key in the password field for the GCP Certificate Store Type.
- Inventory
- Management-Add (including re-binding of existing bindings for certificate renewals, no binding functionality available for new certificate adds)
- Management-Remove
- Discovery
- Management-Create
- Reenrollment