This document describes how Context-Aware Access supports end-to-end security within Gemini Enterprise Agent Platform by enforcing mutual TLS (mTLS) and Demonstrating Proof of Possession (DPoP) for authentication and authorization.
In Gemini Enterprise Agent Platform, Agent Gateway (Preview) can govern inline access control for all agent-to-agent and agent-to-anywhere interactions.
Context-Aware Access is on by default. It requires agents that are governed by Agent Gateway to use the following methods for authentication (authn) and authorization (authz):
- Mutual TLS (mTLS): To help secure agents accessing the Agent Gateway, Context-Aware Access and IAP enforce that agents use mTLS by verifying certificate-based token binding.
- Demonstrating Proof of Possession (DPoP): To help secure agents that access services beyond the Agent Gateway, Context-Aware Access enforces that agent identities are valid by using DPoP.
When Agent Gateway is disabled, agents can directly access Google Cloud APIs through mTLS. When Agent Gateway is enabled, however, the gateway terminates mTLS, so DPoP must be used.
By enforcing mTLS and DPoP, Context-Aware Access provides baseline, end-to-end security and helps to protect against credential theft and account takeover (ATO). Context-Aware Access policy enforcement helps ensure that compromised tokens are useless outside of their intended, trusted runtimes. Context-Aware Access enforcement of credential binding helps ensure isolation of credentials between distinct Gemini Enterprise Agent Platform Runtime tenants.
Key concepts
The following concepts are key to understanding how Context-Aware Access enforces security for agent interactions with resources using mTLS and DPoP.
- Agent identity pool: A grouping of resources and configuration that manages the security credentials and keys for a specific set of agents.
- Authorization DPoP proof: A cryptographic proof that's generated by Agent Identity when an agent is initially assigned an identity.
- Certificate-bound workload access token: A token that's cryptographically bound to the agent's X.509 certificate. This token is used to authenticate the agent for mTLS access to resources through Google Cloud APIs, including the Agent Gateway. Context-Aware Access (CAA) policies enforce the use of mutual TLS (mTLS) by validating this binding. Validation ensures that the token is only usable by the agent running in its provisioned environment, for example, a Cloud Run container.
- Demonstrating Proof-of-Possession (DPoP): The protocol that agents must use after passing through Agent Gateway to authenticate to and access resources through Google Cloud APIs. Compare with mutual TLS. DPoP is based on RFC 9449.
- DPoP key management: The underlying agent identity pools are provisioned with the necessary public/private key pairs to support DPoP operations.
- DPoP-bound authorization token: The platform also binds an authorization token to the agent. This token supports DPoP by being tied to the agent's certificate and signed using a key pair that's managed by Agent Identity. Context-Aware Access enforces the presence and validity of this DPoP token, confirming that the caller possesses the associated private key.
- Mutual TLS: The authentication protocol that agent identities use to access Google Cloud APIs, including accessing the Agent Gateway. Compare with DPoP.
- Resource DPoP proof: A cryptographic proof that's generated by Agent Gateway and provided to Google Cloud APIs.
- SPIFFE identity: Upon deployment, each agent is automatically provisioned with a unique, cryptographically verifiable identity that follows the SPIFFE (Secure Production Identity Framework For Everyone) framework. SPIFFE provides a framework for federated service identity in cloud-native environments.
- X.509 certificate: The agent's container receives an X.509 certificate, issued by a Google-managed trust domain, representing its SPIFFE identity. This certificate is used to help establish secure communication channels.
Context-Aware Access enforcement through Agent Gateway
Agent Platform uses Context-Aware Access to enforce inline security from an agent identity to Agent Gateway and from Agent Gateway to the resource. Context-Aware Access is part of the following workflows.
Agent deployment
- An agent is deployed on a Gemini Enterprise Agent Platform Runtime.
- Agent Identity automatically provisions the following:
  - An agent identity pool that contains a key pair
  - An agent workload within the pool that has the following:
    - A unique SPIFFE identity
    - A unique, signed, certificate-bound workload access token that contains an encrypted authorization DPoP proof
Agent-to-Agent Gateway access by using mTLS
- When the agent uses mTLS to access Google Cloud APIs, the agent must pass through Agent Gateway. In this case, mTLS provides a secure channel between two parties: the agent and Agent Gateway.
- Context-Aware Access verifies that the agent is provisioned with certificate-bound tokens and is using mTLS.
- Agent Gateway checks that the agent is allowed to access the resource.
Agent Gateway uses IAP to check the agent's IAM allow policy. If the agent's access attempt is allowed by the IAM allow policy on the target resource, the Agent Gateway lets the agent call Google Cloud APIs.
However, because mTLS terminates at the Agent Gateway, DPoP must be used to reauthenticate the agent when it attempts to access Google Cloud APIs.
Agent Gateway-to-resource access by using DPoP
- To enable DPoP, Agent Gateway uses IAP to generate a resource DPoP proof. Agent Gateway passes the resource DPoP proof to Google Cloud APIs.
- The agent attempts to access Google Cloud APIs.
- Context-Aware Access cryptographically verifies that the authorization DPoP proof and the resource DPoP proof were generated using the same private key in the agent identity pool.
- If Context-Aware Access verifies both of the DPoP proofs, then the agent is allowed to access the resource through Google Cloud APIs.
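The same-key check in this workflow can be illustrated with generic RFC 9449 mechanics. The following is an added example, not Google's or Context-Aware Access's implementation: it assumes ES256 proofs that embed the signer's public JWK, checks both proofs against one expected request, and compares RFC 7638 key thumbprints. The function names, URL and `jti` values are hypothetical.

```javascript
// Added example, not Google's code: generic RFC 9449 proof checks with Node built-ins.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const parseSegment = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// RFC 7638 thumbprint of an EC JWK: required members only, in lexicographic order.
function jwkThumbprint({ crv, kty, x, y }) {
  return createHash('sha256').update(JSON.stringify({ crv, kty, x, y })).digest('base64url');
}

// Build an ES256 DPoP proof; the header carries the signer's public JWK.
function makeProof(keyPair, { htm, htu, iat, jti }) {
  const { crv, kty, x, y } = keyPair.publicKey.export({ format: 'jwk' });
  const head = b64u(JSON.stringify({ typ: 'dpop+jwt', alg: 'ES256', jwk: { crv, kty, x, y } }));
  const body = b64u(JSON.stringify({ jti, htm, htu, iat }));
  const sig = sign('sha256', Buffer.from(`${head}.${body}`),
    { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' }); // JWS wants raw r||s, not DER
  return `${head}.${body}.${b64u(sig)}`;
}

// Verify one proof against the expected request; return the signer's thumbprint or throw.
function verifyProof(proof, { htm, htu, now, maxAgeSec = 60 }) {
  const [head, body, sig, extra] = String(proof).split('.');
  if (!head || !body || !sig || extra !== undefined) throw new Error('malformed proof');
  const header = parseSegment(head);
  const claims = parseSegment(body);
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') throw new Error('unexpected typ or alg');
  const jwk = header.jwk;
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256' || 'd' in jwk) throw new Error('unacceptable jwk');
  const key = createPublicKey({ key: jwk, format: 'jwk' });
  const valid = verify('sha256', Buffer.from(`${head}.${body}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!valid) throw new Error('bad signature');
  if (claims.htm !== htm || claims.htu !== htu) throw new Error('htm/htu mismatch');
  if (!Number.isInteger(claims.iat) || Math.abs(now - claims.iat) > maxAgeSec) throw new Error('stale proof');
  return jwkThumbprint(jwk);
}

// True only if both proofs verify and were signed by the same private key.
function signedBySameKey(proofA, proofB, expected) {
  try { return verifyProof(proofA, expected) === verifyProof(proofB, expected); }
  catch { return false; }
}

// Constructed demo: two proofs from one key (hypothetical URL and jti values).
const demoKey = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const demoReq = { htm: 'POST', htu: 'https://api.example.test/v1/items', iat: 1700000000, now: 1700000005 };
console.log(signedBySameKey(makeProof(demoKey, { ...demoReq, jti: 'a' }), makeProof(demoKey, { ...demoReq, jti: 'b' }), demoReq));
```

A proof copied without the private key fails here in two ways: a changed payload breaks the signature, and a proof re-signed with another key yields a different thumbprint.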
Disable CAA policy enforcement
In some situations, you might want to opt out of Context-Aware Access policy enforcement. For example, you might have specific requirements for sharing tokens between agents.
To disable CAA policy enforcement, set the following environment variable:
GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES=False

