To secure your resources with certificate-based access, create an access level that requires certificates when determining access to resources. To create access levels, see Creating a custom access level.
The values you use when creating a custom access level can be whatever makes sense for you, but the expression for the custom access level must be:
certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE
For example, you can use the gcloud CLI to create your custom access level by running the following command:
gcloud access-context-manager levels create LEVEL_NAME \
    --title=TITLE \
    --custom-level-spec=FILE \
    --description=DESCRIPTION \
    --policy=POLICY_NAME
The content of the .yaml file referenced by FILE is the following custom expression:
expression: "certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE"
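The following wrapper is an added example, not part of the original documentation: it refuses to create the access level unless the spec file's expression is exactly the one required above, so a weakened or edited spec fails closed. The function names and the GCLOUD override variable are hypothetical; only the gcloud flags shown on this page are used.

```shell
#!/bin/sh
# Required expression, copied from this page.
REQUIRED_EXPR='certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE'

# Write the one-line spec file that --custom-level-spec points at.
write_cba_spec() {
    printf 'expression: "%s"\n' "$REQUIRED_EXPR" > "$1"
}

# Return 0 only if the file's single-line "expression:" value equals the
# required expression, ignoring whitespace and quotes. A missing file,
# a different expression, or a multi-line YAML value all fail closed.
check_cba_spec() {
    [ -r "$1" ] || return 2
    found=$(sed -n 's/^expression:[[:space:]]*//p' "$1" | tr -d "\"'[:space:]")
    want=$(printf '%s' "$REQUIRED_EXPR" | tr -d '[:space:]')
    [ "$found" = "$want" ]
}

# Args: LEVEL_NAME TITLE FILE DESCRIPTION POLICY_NAME
# GCLOUD is a hypothetical override (e.g. GCLOUD=echo for a dry run).
create_cba_level() {
    check_cba_spec "$3" || {
        echo "refusing: $3 does not require certificate binding" >&2
        return 1
    }
    ${GCLOUD:-gcloud} access-context-manager levels create "$1" \
        --title="$2" \
        --custom-level-spec="$3" \
        --description="$4" \
        --policy="$5"
}
```

Source the file, call write_cba_spec with the spec path, then call create_cba_level with the five values from the command above; setting GCLOUD=echo prints the command instead of running it.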

