From 55dbbd9986533849fbf8f3893f2c32d8b2c29d6c Mon Sep 17 00:00:00 2001 From: jiangtaoli2016 Date: Mon, 22 Jun 2020 21:50:22 -0700 Subject: [PATCH] Split ALTS.md into two pages. --- content/docs/guides/auth/ALTS.md | 25 +++++------------------ content/docs/guides/auth/ALTS_GCP.md | 30 ++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 20 deletions(-) create mode 100644 content/docs/guides/auth/ALTS_GCP.md diff --git a/content/docs/guides/auth/ALTS.md b/content/docs/guides/auth/ALTS.md index 3f72a81..c825272 100644 --- a/content/docs/guides/auth/ALTS.md +++ b/content/docs/guides/auth/ALTS.md @@ -15,13 +15,9 @@ production environments. For more information about ALTS and how it works, see the [ALTS whitepaper](https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security). -ALTS is now available to all gRPC users, if the application runs on -[Google Compute Engine (GCE)](https://cloud.google.com/compute/) or -[Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine). It -has the following features: +gRPC ALTS has the following features: - Create gRPC servers & clients with ALTS as the transport security protocol. -- Transparent identity provisioning and key management of ALTS credentials. - ALTS connections are end-to-end protected with privacy and integrity. - Applications can access peer information such as the peer service account. - Client authorization and server authorization support. 
@@ -31,21 +27,10 @@ gRPC users can configure their applications to use ALTS as a transport security protocol with few lines of code, simply indicating the intent of using ALTS. gRPC ALTS is supported in C++, Java, Go, and Python. -### Identity and Key Management - -Using ALTS transport security protocol, the identity of the gRPC application is -the primary service account associated with the GCE VM that the application runs -on. The service account of a GCE VM can be set or changed using -[gCloud command](https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account) -or via -[GCP console](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using). - -Google Cloud Platform issues an ALTS credential for each service account running -on the GCE VM. The ALTS credentials are securely located in the hypervisor. The -private key of an ALTS credential is not accessible to the VM and the -application. The session keys used for end-to-end encryption are exposed to the -gRPC stack. Google Cloud Platform fully manages the ALTS credentials, including -certificate issuing, certificate rotation, and certification revocation. +{{< warning >}} + Currently gRPC ALTS transport security protocol only works in Google Cloud + Platform (GCP). For more information, see [ALTS on GCP](ALTS_GCP). +{{< /warning >}} ### gRPC Client with ALTS Transport Security Protocol diff --git a/content/docs/guides/auth/ALTS_GCP.md b/content/docs/guides/auth/ALTS_GCP.md new file mode 100644 index 0000000..9fbc6e9 --- /dev/null +++ b/content/docs/guides/auth/ALTS_GCP.md 
@@ -0,0 +1,30 @@ +--- +title: ALTS on Google Cloud Platform (GCP) +description: > + An overview of gRPC ALTS authentication running on Google Cloud Platform. +--- + +### Overview + +[ALTS](ALTS) is now available to all gRPC users, if the application runs on +[Google Compute Engine (GCE)](https://cloud.google.com/compute/) or +[Google Kubernetes Engine (GKE)](https://cloud.google.com/kubernetes-engine). +The detailed instructions on how to use ALTS as an authentication mechanism +in gRPC can be found in [ALTS Authentiction guide](ALTS). + +### Identity and Key Management + +Using ALTS transport security protocol on Google Cloud Platform, the identity +of the gRPC application is the primary service account associated with the GCE +VM that the application runs on. The service account of a GCE VM can be set or +changed using +[gCloud command](https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account) +or via +[GCP console](https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#using). + +Google Cloud Platform issues an ALTS credential for each service account running +on the GCE VM. The ALTS credentials are securely located in the hypervisor. The +private key of an ALTS credential is not accessible to the VM and the +application. The session keys used for end-to-end encryption are exposed to the +gRPC stack. Google Cloud Platform fully manages the ALTS credentials, including +certificate issuing, certificate rotation, and certification revocation.
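Review bot: in the first ALTS.md hunk (`@@ -15,13 +15,9 @@`), dropping the GCE/GKE availability sentence leaves the feature list reading as if ALTS works anywhere; the platform restriction now only appears in the `{{< warning >}}` shortcode added after the language-support paragraph in the next hunk, so a reader hits "ALTS connections are end-to-end protected" before learning it is GCP-only. Suggest either moving the warning above the list or keeping a one-line pointer here, e.g. `ALTS is currently only available on Google Cloud Platform; see [ALTS on GCP](ALTS_GCP).`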
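Review bot: the warning text in the second ALTS.md hunk (`@@ -31,21 +27,10 @@`) is missing an article and uses the wrong preposition: `Currently gRPC ALTS transport security protocol only works in Google Cloud Platform (GCP).` should read `Currently, the gRPC ALTS transport security protocol only works on Google Cloud Platform (GCP).` The body lines inside the shortcode are also indented by two spaces; confirm the `warning` shortcode renders them as a normal paragraph rather than preserving the indent. Since this hunk removes the `### Identity and Key Management` heading from ALTS.md, check that no other page still links to that anchor on ALTS.md; it now lives in ALTS_GCP.md.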
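Review bot: two wording errors in the new ALTS_GCP.md hunk (`@@ -0,0 +1,30 @@`): `[ALTS Authentiction guide](ALTS)` should be `[ALTS Authentication guide](ALTS)`, and the last sentence, carried over from the old section, says `certification revocation` where `certificate revocation` is meant, matching `certificate issuing, certificate rotation` earlier in the same sentence. The key-management paragraph is the security-relevant part of this page (private key held in the hypervisor and never exposed to the VM, only session keys exposed to the gRPC stack), so it would help to spell out the consequence for readers: the application process can use the ALTS identity but cannot export or copy the service account's credential.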