Stay organized with collectionsSave and categorize content based on your preferences.
To secure your resources with certificate-based access, create an access level that requires certificates when
determining access to resources. To create access levels, seeCreating a custom access level.
The values you use when creating a custom access level can be whatever makes
sense for you, but the expression for the custom access level must be:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Create access levels for certificate-based access\n\nTo secure your resources with certificate-based access, create an access level that requires certificates when\ndetermining access to resources. To create access levels, see\n[Creating a custom access level](/access-context-manager/docs/create-custom-access-level).\n\nThe values you use when creating a custom access level can be whatever makes\nsense for you, but the expression for the custom access level must be: \n\n certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE\n\nFor example, you can use the gcloud CLI to create your custom\naccess level by running the following command: \n\n gcloud access-context-manager levels create \u003cvar translate=\"no\"\u003eLEVEL_NAME\u003c/var\u003e \\\n --title=\u003cvar translate=\"no\"\u003eTITLE\u003c/var\u003e \\\n --custom-level-spec=\u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e \\\n --description=\u003cvar translate=\"no\"\u003eDESCRIPTION\u003c/var\u003e \\\n --policy=\u003cvar translate=\"no\"\u003ePOLICY_NAME\u003c/var\u003e\n\nThe content of the .yaml file referenced by \u003cvar translate=\"no\"\u003eFILE\u003c/var\u003e is the\nfollowing custom expression: \n\n expression: \"certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE\"\n\nWhat's next\n-----------\n\n- [Enable CBA with VPC Service Controls](/chrome-enterprise-premium/docs/enable-cba-vpcsc)\n- [Enable CBA with user groups](/chrome-enterprise-premium/docs/enable-cba-user-groups)"]]
