Create a Google Cloud Classic Load Balancer machine

Creating a new machine is the initial step in enabling Certificate Manager - SaaS to connect directly to Google Cloud Classic Load Balancers for certificate management. Once you have created machines, you can move on to provisioning certificates to those machines.

Before you begin

  • GCP Project ID: This is located in the GCP dashboard.
  • At least one active VSatellite to connect to GCP.
  • A Google service account configured with the required permissions:
    • compute.sslCertificates.create
    • compute.sslCertificates.delete
    • compute.sslCertificates.get
    • compute.sslCertificates.list
    • compute.targetHttpsProxies.get
    • compute.targetHttpsProxies.list
    • compute.targetHttpsProxies.setSslCertificates
    • compute.targetSslProxies.get
    • compute.targetSslProxies.list
    • compute.targetSslProxies.setSslCertificates
    • compute.regionSslCertificates.create
    • compute.regionSslCertificates.delete
    • compute.regionSslCertificates.get
    • compute.regionSslCertificates.list
    • compute.regionTargetHttpsProxies.get
    • compute.regionTargetHttpsProxies.list
    • compute.regionTargetHttpsProxies.setSslCertificates
  • GCP API access enabled for:
    • Compute Engine API
  • Choose an authentication method:
    • Service Account JSON Key: A JSON file containing the service account credentials
    • Default Credentials (VM Service Account): For machines running on GCP compute instances
    • OAuth2 Access Token: A short-lived access token for GCP API access
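
To check that the role bound to the service account grants exactly the permissions listed above, the following added example (not part of the product or its documentation) compares a role definition against that list and reports missing and excess permissions. It assumes the role was exported as JSON, for example with `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`; the sample role name and its extra permissions are constructed for illustration.

```python
import json

# Permissions the page lists as required for the service account.
REQUIRED = {
    f"compute.{res}.{verb}"
    for res, verbs in {
        "sslCertificates": ("create", "delete", "get", "list"),
        "regionSslCertificates": ("create", "delete", "get", "list"),
        "targetHttpsProxies": ("get", "list", "setSslCertificates"),
        "targetSslProxies": ("get", "list", "setSslCertificates"),
        "regionTargetHttpsProxies": ("get", "list", "setSslCertificates"),
    }.items()
    for verb in verbs
}


def audit_role(role_json: str) -> dict:
    """Compare a role's includedPermissions with the required list."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    missing = REQUIRED - granted
    excess = granted - REQUIRED
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        # Resource types whose discovery or provisioning would fail.
        "affected_resources": sorted({p.split(".")[1] for p in missing}),
        "least_privilege": not missing and not excess,
    }


# Constructed sample: a role that lacks one required permission and
# carries two that certificate management does not need.
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/certManagerLb",  # hypothetical
    "stage": "GA",
    "includedPermissions": sorted(
        REQUIRED - {"compute.regionTargetHttpsProxies.setSslCertificates"}
    ) + ["compute.instances.delete", "iam.serviceAccountKeys.create"],
})

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

A role with entries under `excess` widens what a leaked key or token can do, and entries under `missing` show which proxy or certificate type will fail at Test Access or during provisioning.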

Note

  • Only Certificate Manager - SaaS-generated and user-imported certificates with private keys can be provisioned.
  • Modern certificates (Certificate Manager certificates and Certificate Map attachment methods) are not supported. Only classic SSL certificates are supported.
  • Discovery and provisioning are available for Global Target HTTPS Proxies, Global Target SSL Proxies, and Regional Target HTTPS Proxies.

  1. In the GCP Project ID field, enter your Google Cloud project ID.
  2. From the Authentication Method drop-down, select your preferred authentication method:

    • Service Account JSON Key: In the Service Account JSON Key field, paste the contents of your service account JSON key file.
    • Default Credentials (VM Service Account): No additional configuration is required. The machine uses the service account attached to the VM where the VSatellite is running.
    • OAuth2 Access Token: In the OAuth2 Access Token field, enter your OAuth2 access token.

    Important

    OAuth2 access tokens expire after a short period (typically 1 hour). You must update the token regularly to maintain connectivity.

  3. Click Test Access to verify the connection.

  4. When the test is successful, click Create.

What's next?

Refer back to Create a new machine to finish setting up your new machine by configuring discovery and provisioning scheduling.

For existing machines: