Certificate-based access overview
You can use certificate-based access (CBA) to require verified X.509 certificates for
access to Google Cloud resources. The additional credential provides a stronger
signal of device identity and helps protect your organization from credential
theft or accidental loss by requiring that both the user credentials and the
original device certificate are present before granting access.
Relying only on credentials, like bearer tokens, to grant access to the Google Cloud
APIs and resources can put you at risk. Those credentials can be exposed by user
error or become prime targets for attackers. If attackers obtain the
credentials, they can replay the credentials to access resources.
By using CBA, you enhance the security of your resources by requiring an
additional authorization factor, a device certificate. Device certificates are
validated and verified using a mutual TLS handshake. This requires users to
prove possession of the private key associated with the certificate, thereby
providing a strong signal of device identity.
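The check described above, as an added example that is not Google's code and not the gcloud implementation: a self-contained Go program with an in-process API server that admits only clients holding a trusted device certificate, tried once by a client that can sign with the device key and once by a client that, like a bearer-token-only caller, presents no certificate. The certificates and the names api.example.test and laptop-0042 are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"
	"crypto/x509"; "crypto/x509/pkix"; "io"; "math/big"; "time"
)

// selfSigned mints a short-lived self-signed certificate (constructed test material, not a
// real device or Google certificate) together with a pool that trusts only that certificate.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Scenario runs one mutual-TLS handshake against an in-process server that admits only clients
// holding a certificate from the trusted device pool; the client presents the enrolled device
// certificate or, like a bearer-token-only caller, none. It returns the device identity the
// server saw, or the error the client observed (under TLS 1.3 the rejection surfaces on read).
func Scenario(presentDeviceCert bool) (string, error) {
	serverCert, serverPool := selfSigned("api.example.test")
	deviceCert, devicePool := selfSigned("laptop-0042")
	// RequireAndVerifyClientCert is the mTLS half: the client must sign the handshake with the device key.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: devicePool})
	if err != nil { return "", err }
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if tc := c.(*tls.Conn); tc.Handshake() == nil { // no trusted device cert: fails, client gets an alert
				tc.Write([]byte(tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
		}
	}()
	cfg := &tls.Config{RootCAs: serverPool, ServerName: "api.example.test"}
	if presentDeviceCert { cfg.Certificates = []tls.Certificate{deviceCert} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer conn.Close()
	seen, err := io.ReadAll(conn) // identity echoed by the server, or the TLS alert as an error
	return string(seen), err
}
```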
Following is a high-level illustration of the CBA access flow:
The benefits of using Google CBA
Following are some of the benefits of using CBA.
Comprehensive Security
Protects your important resources by blocking access from untrusted devices that present stolen credentials, for example credentials obtained through cookie theft.
Protects all Google Cloud API requests regardless of access point, including on-premises or Google networks, and web browsers or desktop applications.
Fine-grained Policy Control
Works seamlessly with VPC Service Controls service perimeters and lets you specify fine-grained access control over your resources.
Works seamlessly with user groups and lets you apply CBA to a group of users.
Good Developer Experience
Automated CBA support in common libraries and tools, such as the
gcloud CLI, which reduces the programming cost of using CBA.
What's next
Understand mutual TLS at Google Cloud: /chrome-enterprise-premium/docs/understand-mtls
Set up certificate-based access: /chrome-enterprise-premium/docs/set-up-cba
Last updated 2025-08-25 UTC.