Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project
  - Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine, Certificate Manager, and Certificate Authority Service APIs.
  Roles required to enable APIs
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to configure lifecycle management, ask your administrator to grant you the following IAM roles on your project:
- Certificate Manager Editor (roles/certificatemanager.editor)
- CA Service Certificate Manager (roles/privateca.certificateManager)
- Workload Identity Pool Admin (roles/iam.workloadIdentityPoolAdmin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Configure lifecycle for managed workloads
Configure a managed workload identity pool to specify how associated workloads receive and renew certificates from your existing CA Service pool.
- In the Google Cloud console, go to the Certificate Manager (2nd gen) page.
- In the navigation pane, click Manage Lifecycle.
- Select the Managed Workload Identity tab.
- Locate the workload identity pool that you want to configure, and then click Configure lifecycle management.
- Select the Region and the CA pool for that region.
- In the Certificate lifetime field, specify the validity period of the issued certificate. The value must be between 21 and 30 days.
- Set the Rotation window to a value between 50 and 80. This is the percentage of the certificate's lifetime after which a renewal is triggered.
- In the Key algorithm field, select the algorithm used to generate the certificate's private key.
- Click Update.
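Together, the Certificate lifetime and Rotation window settings decide when a workload's certificate is renewed and how much time is left to fix a failing renewal before the certificate expires. The following Python is an added example, not Google's code or a Certificate Manager API: it encodes the two ranges from the procedure above, derives the renewal point and the remaining headroom for a policy, and goes one step further by classifying a certificate's state from its notBefore time, which is useful when checking whether rotation has stalled. Helper names are hypothetical and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowed ranges for the two settings, as stated in the procedure above.
LIFETIME_DAYS_RANGE = (21, 30)   # Certificate lifetime, in days
ROTATION_PCT_RANGE = (50, 80)    # Rotation window, percent of lifetime

def policy_is_allowed(lifetime_days: int, rotation_pct: int) -> bool:
    """True when both values fall inside the ranges the console accepts."""
    return (LIFETIME_DAYS_RANGE[0] <= lifetime_days <= LIFETIME_DAYS_RANGE[1]
            and ROTATION_PCT_RANGE[0] <= rotation_pct <= ROTATION_PCT_RANGE[1])

@dataclass(frozen=True)
class LifecyclePolicy:
    lifetime_days: int
    rotation_pct: int

    def __post_init__(self) -> None:
        if not policy_is_allowed(self.lifetime_days, self.rotation_pct):
            raise ValueError(f"policy out of range: {self}")

    def lifetime(self) -> timedelta:
        return timedelta(days=self.lifetime_days)

    def renewal_offset(self) -> timedelta:
        """Time after issuance at which renewal triggers (864 s = 1% of a day, so exact)."""
        return timedelta(seconds=self.lifetime_days * 864 * self.rotation_pct)

    def recovery_headroom(self) -> timedelta:
        """Time left between the renewal trigger and expiry to fix a failing renewal."""
        return self.lifetime() - self.renewal_offset()

def certificate_state(policy: LifecyclePolicy, not_before_iso: str, now_iso: str) -> str:
    """'valid', 'renewal-due' (past the rotation point but unexpired: a cert still
    presented in this state points to a stuck rotation) or 'expired'."""
    not_before = datetime.fromisoformat(not_before_iso)
    now = datetime.fromisoformat(now_iso)
    if now >= not_before + policy.lifetime():
        return "expired"
    if now >= not_before + policy.renewal_offset():
        return "renewal-due"
    return "valid"

if __name__ == "__main__":
    p = LifecyclePolicy(21, 80)  # constructed sample: shortest lifetime, latest rotation
    print(p.renewal_offset(), p.recovery_headroom())  # 16 days, 19:12:00 4 days, 4:48:00
    print(certificate_state(p, "2024-01-01T00:00:00+00:00", "2024-01-18T12:00:00+00:00"))
```

At the tightest setting (21 days, 80%) a stalled renewal leaves just over four days before the workload loses its certificate, while 30 days at 50% leaves fifteen; the headroom is what an alert on the renewal-due state has to fit inside.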

