Commit e8a5e90

doc(AIP-4114): Add documentation for ECP and new env var default. (#1451)
1 parent 352bcc4 commit e8a5e90

1 file changed

Lines changed: 21 additions & 6 deletions

File tree

aip/auth/4114.md

@@ -63,7 +63,7 @@ endpoint override is an mTLS url, since the url pattern may change at anytime.
6363
The default mTLS endpoint for a service **should** be read from the Discovery
6464
Document field **"mtlsRootUrl"** instead of generated via regex patterns.
6565

66-
### Obtaining the Default Device Certificate
66+
### Obtaining the Default Device Certificate via SecureConnect
6767

6868
The default device certificate **should** be procured using the
6969
[EndpointVerification][1] workflow, which fetches the certificate from a
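Review bot: renaming this heading to "... via SecureConnect" (line 66) changes the anchor GitHub and the AIP site generate for it, so any existing link to the old "Obtaining the Default Device Certificate" anchor will break; check inbound references (other AIPs, client library docs) before merging, or keep a short note under the old anchor. Separately, the body under the new heading still says the default device certificate **should** be procured using the EndpointVerification workflow, while the ECP section added later in this same change calls ECP "the newly recommended way"; one of the two needs to be qualified (e.g. "where ECP is not configured, the default device certificate **should** be procured using ...") so the document gives a single recommendation rather than two competing **should**s.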
@@ -100,6 +100,18 @@ the form of an X.509 cert followed immediately by the private key:
100100
...
101101
-----END PRIVATE KEY-----
102102

103+
### Obtaining the Default Device Certificate via ECP
104+
105+
The Enterprise Certificate Proxy (ECP) project is the newly recommended way to
106+
procure device certificates. It has two major advantages compared to the legacy
107+
SecureConnect mechanism:
108+
109+
1. Allows usage of enterprise certs and private keys stored in native keystores and TPMs
110+
instead of relying on self-signed certs.
111+
1. Delegates signing operations to keystores, so private keys never leave the security realm.
112+
113+
Please see [ECP Public Documentation][2] for details on ECP configuration.
114+
103115
### Environment Variables
104116

105117
There are situations where the ADC for DCA behavior needs to be modified, such
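Review bot: the new ECP section (lines 103-113) says ECP is "the newly recommended way" but, unlike the rest of this AIP, carries no normative keyword and never says how a client decides between ECP and the SecureConnect JSON when both are present on a machine; state the precedence explicitly, e.g. "Client libraries **should** use ECP when it is configured and fall back to the SecureConnect workflow otherwise", or whatever order is intended, since this is the behaviour implementers will actually have to code. Smaller points: the two list items are not grammatically parallel ("Allows usage of ..." vs "Delegates ..."), the first item wraps mid-sentence at line 109-110 without the list indentation, and since the section defers all configuration to [2] it should at least say what an ECP configuration consists of (what the client looks for and where) so the section is usable without leaving the document.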
@@ -114,13 +126,16 @@ available. The default value of this environment variable will be "auto".
114126
**GOOGLE_API_USE_CLIENT_CERTIFICATE**: If **"true"**, device certificate
115127
authentication will be supported as described in the general guidance. If
116128
**"false"**, the device certificate **must** not be used, even if specified by
117-
the user. For now, the default value will be "false", since mTLS support is not
118-
yet fully adopted by all services. Users who wish to enable DCA feature **must**
119-
explicitly set this environment variable to "true". In the future, the default
120-
value will be "true' to allow a more secure connection to be established
121-
whenever possible.
129+
the user. The default value **should** be "true" as of May 3, 2024. Users who
130+
wish to disable DCA feature **must** explicitly set this environment variable
131+
to "false".
132+
133+
## Changelog
134+
135+
- **2024-11-25*: GOOGLE_API_USE_CLIENT_CERTIFICATE should default to "true" as of May 3, 2024.
122136

123137
<!-- prettier-ignore-start -->
124138
[0]: https://google.aip.dev/auth/4110
125139
[1]: https://cloud.google.com/endpoint-verification/docs/overview
140+
[2]: https://cloud.google.com/beyondcorp-enterprise/docs/enable-cba-enterprise-certificates
126141
<!-- prettier-ignore-end -->
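Review bot: the changelog entry at line 135 has unbalanced bold markup ("**2024-11-25*:"), which will render the asterisks literally; it should read "- **2024-11-25**: ...". On the substance, line 129 folds a date into a normative statement ("The default value **should** be "true" as of May 3, 2024"), and the changelog then carries a second, different date for the same change; the requirement itself should just read "The default value **should** be "true"", with the effective date recorded once in the changelog. The rewrite also drops the old text's rationale (mTLS support not yet adopted by all services) without saying whether that concern is resolved; a sentence noting that, with the default now "true", any client that can obtain a device certificate will present it and be routed through the mTLS endpoint selection described just above (default "auto") would tell operators what changes for them and why setting "false" is the new opt-out. Finally, "disable DCA feature" at line 130 is missing an article ("the DCA feature").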
