AutoSSL

Google Cloud Storage HMAC Credential

Manage and use Google Cloud Storage HMAC credentials in AutoSSL.

Overview

Google Cloud Storage HMAC credentials are required to authenticate S3-compatible requests from AutoSSL to Cloud Storage. By adding HMAC credentials, you authorize AutoSSL to upload SSL certificate files to your Cloud Storage buckets on your behalf.

HMAC keys only work with the Cloud Storage S3-compatible XML API. Service account JSON key files are not supported by this credential type.

Configuration Parameters

Parameter        Description
HMAC Access ID   Your Cloud Storage HMAC Access ID. Typically starts with GOOG.
HMAC Secret      The corresponding HMAC Secret. This value is securely encrypted before being stored in AutoSSL.

Important

If you need to modify the HMAC Secret field later, you must provide the full secret again.

How to Get HMAC Credentials

  1. Log in to the Google Cloud Console.
  2. Navigate to Cloud Storage > Settings > Interoperability.
  3. In the Service account HMAC keys section, click Create a key for a service account.
  4. Select the service account that should own the HMAC key and click Create key.
  5. Copy the Access key and Secret and paste them into AutoSSL as HMAC Access ID and HMAC Secret.

For more detailed instructions, please refer to the Google Cloud documentation on managing HMAC keys.

Security Recommendations

To improve the security of your HMAC credentials, we strongly recommend the following practices:

  • Use Service Accounts: Create HMAC keys for a dedicated service account rather than a user account.
  • Principle of Least Privilege: Only grant the service account the exact permissions needed for the target bucket (e.g., storage.objectCreator on a specific bucket prefix).
  • Regular Rotation: Periodically rotate your HMAC keys to minimize the risk of leaked credentials.
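
One way to check the rotation and dedicated-service-account recommendations above against exported key metadata. This is an added example, not AutoSSL code. It assumes records in the shape of the Cloud Storage JSON API hmacKeys resource (accessId, state, serviceAccountEmail, timeCreated); the sample records, the 90-day threshold and the function name are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the Cloud Storage JSON API hmacKeys
# resource. Access IDs, e-mail addresses and dates are placeholders.
SAMPLE_KEYS = json.loads("""[
 {"accessId": "GOOG1E-CONSTRUCTED-A", "state": "ACTIVE",
  "serviceAccountEmail": "autossl-deploy@example-project.iam.gserviceaccount.com",
  "timeCreated": "2024-01-10T08:00:00.000Z"},
 {"accessId": "GOOG1E-CONSTRUCTED-B", "state": "ACTIVE",
  "serviceAccountEmail": "autossl-deploy@example-project.iam.gserviceaccount.com",
  "timeCreated": "2024-05-20T08:00:00.000Z"},
 {"accessId": "GOOG1E-CONSTRUCTED-C", "state": "INACTIVE",
  "serviceAccountEmail": "ci-build@example-project.iam.gserviceaccount.com",
  "timeCreated": "2024-03-01T08:00:00.000Z"}
]""")

def audit_hmac_keys(keys, now, expected_sa, max_age_days=90):
    """Return (access_id, issue) pairs; max_age_days is an assumed policy."""
    findings, active_by_sa = [], {}
    for key in keys:
        access_id, owner = key["accessId"], key["serviceAccountEmail"]
        created = datetime.strptime(
            key["timeCreated"], "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
        if owner != expected_sa:
            # Key belongs to an account other than the dedicated one.
            findings.append((access_id, "unexpected-owner"))
        if key["state"] == "ACTIVE":
            active_by_sa.setdefault(owner, []).append(access_id)
            if (now - created).days > max_age_days:
                findings.append((access_id, "stale"))
        elif key["state"] == "INACTIVE":
            # Deactivated during a rotation but never deleted.
            findings.append((access_id, "inactive-not-deleted"))
    for ids in active_by_sa.values():
        if len(ids) > 1:  # an old key was left active after a rotation
            findings.extend((i, "multiple-active") for i in ids)
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    sa = "autossl-deploy@example-project.iam.gserviceaccount.com"
    for access_id, issue in audit_hmac_keys(SAMPLE_KEYS, now, sa):
        print(f"{access_id}: {issue}")
```
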

Supported Deployment Targets

The Google Cloud Storage HMAC credential is used by the following deployment providers in AutoSSL:

  • Google Cloud Storage: Uploads certificate files to a Cloud Storage bucket with versioned and latest paths.