Enable certificate-based access in client applications
This page describes how to enable certificate-based access (CBA) in your client
applications for calling the Google APIs using compatible
libraries or tools.
To enable CBA and allow the Google APIs to identify a device, the caller client
must establish mTLS connections with the Google APIs, and then discover
the TLS certificates on the device. This process is illustrated in the following
diagram:
CBA compatible clients
You can use CBA with the following clients:
- Google Cloud console (Chrome)
- Google Cloud CLI Version 264.0.0 or later
- Terraform CLI Version 1.3.6 or later
- Google API Client Libraries
  - Python
  - Golang
Enable CBA for the gcloud CLI
Have your users install or update the gcloud CLI to ensure they have a version
that works with CBA, Version 264.0.0 or later.
Users who have the Google Cloud CLI installed can confirm they have Version
264.0.0 or later using the following command:
gcloud --version
If needed, users can update their Google Cloud CLI version using the following
command:
gcloud components update
To begin using CBA, users must run the following command:
gcloud config set context_aware/use_client_certificate true
Enable CBA for the Terraform CLI and Google API Client Libraries
To enable CBA for the Terraform CLI and Google API Client Libraries,
users must set the following environment variable:
export GOOGLE_API_USE_CLIENT_CERTIFICATE=1
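A preflight check for the two settings above, as an added example that is not part of the original page: it compares the installed gcloud and Terraform versions against the stated minimums and confirms that CBA is switched on for each. The function names and the `--run` argument are hypothetical, and reading the property back with `gcloud config get-value` is a choice made for this example.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# Print the first X.Y.Z version token found on the first line of stdin.
first_version() {
  sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when dotted version $1 >= $2, comparing fields numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Assumption: only the values this page sets, "true" or "1", count as enabled.
cba_enabled() {
  case "$1" in 1|[Tt][Rr][Uu][Ee]) return 0 ;; *) return 1 ;; esac
}

# check_client NAME MIN_VERSION VERSION_OUTPUT SETTING_VALUE
check_client() {
  ver=$(printf '%s\n' "$3" | first_version)
  if [ -z "$ver" ]; then echo "FAIL $1: version not found"; return 1; fi
  if ! version_ge "$ver" "$2"; then echo "FAIL $1: $ver is older than $2"; return 1; fi
  if ! cba_enabled "$4"; then echo "FAIL $1: $ver ok, CBA not enabled"; return 1; fi
  echo "OK $1: $ver, CBA enabled"
}

# Query the installed tools; a tool that is not installed is skipped.
cba_preflight() {
  rc=0
  if command -v gcloud >/dev/null 2>&1; then
    check_client gcloud 264.0.0 "$(gcloud --version 2>/dev/null)" \
      "$(gcloud config get-value context_aware/use_client_certificate 2>/dev/null)" || rc=1
  fi
  if command -v terraform >/dev/null 2>&1; then
    check_client terraform 1.3.6 "$(terraform version 2>/dev/null)" \
      "${GOOGLE_API_USE_CLIENT_CERTIFICATE:-}" || rc=1
  fi
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then cba_preflight; fi
```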
Enable CBA for IAP Desktop
To enable certificate-based access in IAP Desktop, do the following:
1. In the application, select Tools > Options.
2. Select Secure connections to Google Cloud by using certificate-based access.
3. Click OK.
4. Close IAP Desktop and launch it again.
If you're using Active Directory, you can also configure a group policy object
to automatically enable certificate-based access for your users.
Last updated 2025-08-25 UTC.