Create access levels for certificate-based access

To secure your resources with certificate-based access, create an access level that requires certificates when determining access to resources. To create access levels, see Creating a custom access level.

The values you use when creating a custom access level can be whatever makes sense for you, but the expression for the custom access level must be:

certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE 

For example, you can use the gcloud CLI to create your custom access level by running the following command:

gcloud access-context-manager levels create LEVEL_NAME \
  --title=TITLE \
  --custom-level-spec=FILE \
  --description=DESCRIPTION \
  --policy=POLICY_NAME

The content of the .yaml file referenced by FILE is the following custom expression:

expression: "certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE" 
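
Because the expression must match exactly, it is worth checking the spec file before passing it to --custom-level-spec. The following shell functions are an added example, not part of the original documentation; the function names write_cba_spec and check_cba_spec and the file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a certificate-based access level spec.
# REQUIRED is the expression the page says the custom access level must use.
REQUIRED='certificateBindingState(origin, device) == CertificateBindingState.CERT_MATCHES_EXISTING_DEVICE'

# write_cba_spec FILE: create the custom-level spec file at FILE.
write_cba_spec() {
  printf 'expression: "%s"\n' "$REQUIRED" > "$1"
}

# check_cba_spec FILE: succeed only if FILE holds exactly one "expression"
# key whose value (quotes and surrounding whitespace removed) equals REQUIRED.
# Returns 2 if the file cannot be read, 1 if the content is wrong.
check_cba_spec() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  # grep -c exits non-zero on zero matches, so neutralise that for set -e.
  count=$(grep -c '^[[:space:]]*expression:' "$1" || true)
  [ "$count" -eq 1 ] || {
    echo "$1: expected 1 expression key, found $count" >&2
    return 1
  }
  value=$(sed -n 's/^[[:space:]]*expression:[[:space:]]*//p' "$1" |
          sed -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' \
              -e "s/^'\(.*\)'\$/\1/")
  [ "$value" = "$REQUIRED" ] || {
    echo "$1: unexpected expression: $value" >&2
    return 1
  }
}

# Typical use (cba-level.yaml is a constructed file name):
#   write_cba_spec cba-level.yaml
#   check_cba_spec cba-level.yaml && gcloud access-context-manager levels \
#     create LEVEL_NAME --title=TITLE --custom-level-spec=cba-level.yaml \
#     --description=DESCRIPTION --policy=POLICY_NAME
```

Running check_cba_spec in CI against the committed spec file catches an edited or weakened expression before the access level is created.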
