Google Cloud
Configuration for Google Cloud.
- Code:
gcloud - Since: v0.3.0
Here is an example bash command using the Google Cloud provider:
# Using a service account file
GCE_PROJECT="gc-project-id" \
GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
lego --email you@example.com --dns gcloud -d '*.example.com' -d example.com run
# Using default credentials with impersonation
GCE_PROJECT="gc-project-id" \
GCE_IMPERSONATE_SERVICE_ACCOUNT="target-sa@gc-project-id.iam.gserviceaccount.com" \
lego --email you@example.com --dns gcloud -d '*.example.com' -d example.com run
# Using service account key with impersonation
GCE_PROJECT="gc-project-id" \
GCE_SERVICE_ACCOUNT_FILE="/path/to/svc/account/file.json" \
GCE_IMPERSONATE_SERVICE_ACCOUNT="target-sa@gc-project-id.iam.gserviceaccount.com" \
lego --email you@example.com --dns gcloud -d '*.example.com' -d example.com runCredentials
| Environment Variable Name | Description |
|---|---|
Application Default Credentials |
Documentation |
GCE_PROJECT |
Project name (by default, the project name is auto-detected by using the metadata service) |
GCE_SERVICE_ACCOUNT |
Account |
GCE_SERVICE_ACCOUNT_FILE |
Account file path |
The environment variable names can be suffixed by _FILE to reference a file instead of a value.
More information here.
Additional Configuration
| Environment Variable Name | Description |
|---|---|
GCE_ALLOW_PRIVATE_ZONE |
Allows requested domain to be in private DNS zone, works only with a private ACME server (by default: false) |
GCE_IMPERSONATE_SERVICE_ACCOUNT |
Service account email to impersonate |
GCE_POLLING_INTERVAL |
Time between DNS propagation check in seconds (Default: 5) |
GCE_PROPAGATION_TIMEOUT |
Maximum waiting time for DNS propagation in seconds (Default: 180) |
GCE_TTL |
The TTL of the TXT record used for the DNS challenge in seconds (Default: 120) |
GCE_ZONE_ID |
Allows to skip the automatic detection of the zone |
The environment variable names can be suffixed by _FILE to reference a file instead of a value.
More information here.
Supports service account impersonation to access Google Cloud DNS resources across different projects or with restricted permissions.
When using impersonation, the source service account must have:
- The “Service Account Token Creator” role on the source service account
- The “https://www.googleapis.com/auth/cloud-platform" scope