# Enable certificate-based access for VMs

This page describes how to enable [certificate-based access (CBA)](/chrome-enterprise-premium/docs/securing-resources-with-certificate-based-access) for your Google Cloud VMs. You can use CBA to secure access from trusted devices to Google Cloud VMs.

Overview
--------

CBA for VMs uses the Google Cloud context-aware access feature to secure access using mutual TLS (mTLS). The following are the main components that you work with to enable and use CBA for VMs:

- Access Context Manager: Lets you create access levels that require certificates when determining access to web applications.
- Identity-Aware Proxy (IAP): [IAP TCP forwarding](/iap/docs/using-tcp-forwarding) lets you establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances. In addition, an IAP policy gives you fine-grained control over which users are allowed to establish tunnels to specific VM instances and what access conditions those users must meet to use such tunnels.
- Chrome Enterprise Policy: Provides mutual authentication (mTLS) between users and VMs when using the Chrome browser.
- Google Cloud CLI: Provides mutual authentication (mTLS) between users and VMs when using the gcloud CLI.

Before you begin
----------------

Ensure that you [created CBA access levels](/chrome-enterprise-premium/docs/create-cba-access-levels) for your Google Cloud project.

Grant roles for accessing VMs through IAP TCP forwarding
--------------------------------------------------------

You must grant the appropriate Identity and Access Management (IAM) roles on a project to let users or user groups use IAP TCP forwarding to access VMs.

The following table shows the predefined roles that you need to grant to trusted administrators for TCP forwarding and related tasks.

| Task | Roles | More information |
|------|-------|------------------|
| TCP forwarding | IAP-secured Tunnel User (`roles/iap.tunnelResourceAccessor`) | [Grant roles for IAP TCP forwarding](/iap/docs/using-tcp-forwarding#grant-permission) |

For more information about granting roles for IAP TCP forwarding, see [Grant roles for IAP TCP forwarding](/iap/docs/using-tcp-forwarding#grant-permission).

Configure certificate-based access to a VM
------------------------------------------

Although IAP TCP forwarding lets you grant access to all VM instances in a project, you must configure certificate-based access for each individual VM instance.

To grant a user or user group certificate-based access to a VM, grant the `roles/iap.tunnelResourceAccessor` role on the VM instance. The [other roles](#tcp-fwd-roles) can be granted on the project.

### Console

1. Open the IAP Admin page, and then select the **SSH and TCP Resources** tab.

   [Go to the IAP page](https://console.cloud.google.com/security/iap)
2. Select the VM instances that you want to configure. Click **Show info panel** if the info panel is not visible.
3. Click **Add principal** and configure the following:
   - **New principals**: Specify the user or user group that you want to grant access to.
   - **Select a role**: Select **Cloud IAP > IAP-Secured Tunnel User**.
4. Click **Add IAM condition** and configure a condition:
   - **Title**: Enter a name for the condition.
   - **Condition Builder**: Select **Access level** from the **Condition Type** drop-down, and then select the certificate-based access level created [earlier](#create-cba-accesslevel).
5. Click **Save**.

### API

To configure certificate-based access to a VM, modify your application's `policy.json` file.

See [Managing access to IAP-secured resources](/iap/docs/managing-access#managing_access_with_the_api) for more information about using the IAM API to manage access policies.

1. Export the following variables.

        export IAP_BASE_URL=https://iap.googleapis.com/v1/projects/PROJECT_NUMBER/iap_tunnel
        # Replace POLICY_FILE.JSON with the name of the JSON file to use for setIamPolicy
        export JSON_NEW_POLICY=POLICY_FILE.JSON

2. Get the IAM policy for the Compute Engine instance using the `getIamPolicy` method. The empty `-d ''` argument at the end makes curl send a `POST` request instead of a `GET`.

        curl -i -H "Authorization: Bearer $(gcloud auth print-access-token)" \
          ${IAP_BASE_URL}/zones/ZONE_NAME/instances/INSTANCE_ID or INSTANCE_NAME:getIamPolicy \
          -d ''

3. Grant the `iap.tunnelResourceAccessor` role and certificate-based access to your principals by modifying the [IAM policy JSON file](/iam/docs/granting-changing-revoking-access#modify_policy).

   Following is an example of a `policy.json` file that grants the `iap.tunnelResourceAccessor` role to a group of VM instance admins, giving them certificate-based access to IAP-secured tunnel resources.

   Note that if a principal has the Owner role, they have permission to use IAP for TCP forwarding.

        {
          "policy": {
            "bindings": [
              {
                "role": "roles/iap.tunnelResourceAccessor",
                "members": ["group:instance-admins@example.com"],
                "condition": {
                  "expression": "\"accessPolicies/POLICY_NAME/accessLevels/CERTIFICATE_BASED_ACCESS_LEVEL_NAME\" in request.auth.access_levels",
                  "title": "CERTIFICATE_BASED_CONDITION_NAME"
                }
              }
            ]
          }
        }

   To find a [policy name](/access-context-manager/docs/manage-access-policy#get_the_name_of_an_access_policy), call the [`accessPolicies.list`](/access-context-manager/docs/reference/rest/v1/accessPolicies/list) method.

        GET https://accesscontextmanager.googleapis.com/v1/accessPolicies

4. Set your new `policy.json` file using the `setIamPolicy` method.

        curl -i -H "Content-Type:application/json" \
          -H "Authorization: Bearer $(gcloud auth print-access-token)" \
          ${IAP_BASE_URL}/zones/ZONE_NAME/instances/INSTANCE_ID or INSTANCE_NAME:setIamPolicy \
          -d @${JSON_NEW_POLICY}
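Building the conditional binding programmatically, as an added example that is not part of this page: it takes the dict returned by `getIamPolicy` (a constructed sample is embedded), adds the certificate-based condition from step 3 using the same placeholder names, and lists any principal who holds the tunnel role without a condition and therefore reaches the tunnel without a device certificate. Policy version 3 for conditional bindings and the preserved `etag` are standard IAM behavior rather than something this page states.

```python
import json

TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"

def cba_expression(access_policy: str, access_level: str) -> str:
    """CEL condition from the page's policy.json: the request must carry the
    certificate-based access level (placeholder names are assumptions)."""
    level = f"accessPolicies/{access_policy}/accessLevels/{access_level}"
    return f'"{level}" in request.auth.access_levels'

def grant_cba_tunnel_access(policy: dict, member: str, access_policy: str,
                            access_level: str, title: str) -> dict:
    """Copy of the getIamPolicy result plus a conditional tunnel binding.
    Conditions need policy version 3; the etag is kept so setIamPolicy
    rejects a stale policy instead of overwriting a concurrent change."""
    new_policy = json.loads(json.dumps(policy))  # deep copy, keeps etag
    new_policy["version"] = 3
    condition = {"expression": cba_expression(access_policy, access_level),
                 "title": title}
    bindings = new_policy.setdefault("bindings", [])
    for b in bindings:  # reuse an identical conditional binding if present
        if b.get("role") == TUNNEL_ROLE and b.get("condition") == condition:
            if member not in b["members"]:
                b["members"].append(member)
            return new_policy
    bindings.append({"role": TUNNEL_ROLE, "members": [member],
                     "condition": condition})
    return new_policy

def unconditional_tunnel_members(policy: dict) -> list:
    """Members holding the tunnel role with no condition: they reach the
    tunnel without a device certificate and should be reviewed."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == TUNNEL_ROLE and "condition" not in b
                  for m in b.get("members", []))

# Constructed sample of a getIamPolicy response for one VM instance.
SAMPLE_POLICY = {"version": 1, "etag": "BwX-constructed-etag",
                 "bindings": [{"role": TUNNEL_ROLE,
                               "members": ["user:legacy@example.com"]}]}

if __name__ == "__main__":
    new = grant_cba_tunnel_access(SAMPLE_POLICY, "group:instance-admins@example.com",
                                  "POLICY_NAME", "CERTIFICATE_BASED_ACCESS_LEVEL_NAME",
                                  "CERTIFICATE_BASED_CONDITION_NAME")
    print(json.dumps({"policy": new}, indent=2))  # body for -d @POLICY_FILE.JSON
    print("bypassing CBA:", unconditional_tunnel_members(new))
```

The printed `{"policy": ...}` object is the body that step 4 sends with `-d @${JSON_NEW_POLICY}`.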
Access VMs using client certificates
------------------------------------

To access VMs using client certificates, use one of the following methods.

- [Use enterprise certificates](/chrome-enterprise-premium/docs/enable-cba-enterprise-certificates): Use this method if you have a PKI infrastructure.
- [Use Endpoint Verification provisioned certificates](/chrome-enterprise-premium/docs/cba-endpoint-verification-certs): Use this method if you don't have a PKI infrastructure. Endpoint Verification automatically provisions and registers self-signed certificates with Google Cloud for every device.

Use client certificates on the Chrome browser to access VMs
-----------------------------------------------------------

1. Configure the Chrome browser using one of the following options.
   - [Configure the Chrome browser to use enterprise certificates](/chrome-enterprise-premium/docs/enable-cba-enterprise-certificates).
   - [Configure the Chrome browser to use Endpoint Verification provisioned certificates](/chrome-enterprise-premium/docs/cba-endpoint-verification-certs).
2. In the Chrome browser, enter the following domain to access the Google Cloud console: `console-secure.cloud.google.com`.
3. Access Google Cloud VMs using [IAP tunneling](/iap/docs/using-tcp-forwarding#tunneling_ssh_connections).

Use client certificates on the gcloud CLI to access VMs
-------------------------------------------------------

1. Configure the gcloud CLI using one of the following methods.
   - [Configure the gcloud CLI to use enterprise certificates](/chrome-enterprise-premium/docs/enable-cba-enterprise-certificates#configure_command-line_tools_to_use_your_enterprise_certificate)
   - [Configure the gcloud CLI to use Endpoint Verification provisioned certificates](/chrome-enterprise-premium/docs/cba-endpoint-verification-certs#configure-cli-ev-certs)
2. Access Google Cloud VMs using [IAP tunneling](/iap/docs/using-tcp-forwarding#tunneling_ssh_connections).

Last updated 2025-08-29 UTC.