Overview
To install a Confidential Space Co-signer in Google Cloud and connect it to your workspace, follow these steps:
- Setup and configure your Google Cloud environment
Prepare your Google Cloud environment and the machine where you plan to install the Co-signer from (e.g., your laptop). - Add a Co-signer to the workspace using an API user
Using the Fireblocks Console or APIs, create an API user and use it to add a Co-signer to the workspace. - Install and connect the Co-signer to the workspace
Download the installation script to the machine where you plan to execute it, run the script to set up the necessary Google Cloud resources and install the Co-signer. Once installation is complete, the workspace owner approves the new MPC key shares for the API user through the Fireblocks mobile app.
You can now view the Co-signer and its paired API user in your Fireblocks Console. Additionally, you can retrieve information about them using the Co-signer APIs.
Step 1: Setup and configure your Google Cloud environment
Proper configuration of your Google Cloud environment is straightforward but must be performed step by step in the specified order. The installation script automates the resource creation and setup process and it is not recommended to change it. Any misconfiguration could compromise the Co-signer's functionality or security.
1.1. Allowlist Domains
To ensure the Co-signer can be installed and operated successfully, add the Fireblocks' domains to your allowlist. Fireblocks-owned domains differ based on the specific Fireblocks SaaS environment you are connected to. If you are connected to the European or Swiss SaaS, update your allowlist according to the domains in the table below.
| Fireblocks SaaS | Domains to Allow |
|---|---|
| Global | mobile-api.fireblocks.ios3signurl.fireblocks.io |
| Europe | eu2-mobile-api.fireblocks.ioeu2-s3signurl.fireblocks.io |
| Swiss | eu-mobile-api.fireblocks.ioeu-s3signurl.fireblocks.io |
1.2. Install the required software packages
Ensure the following software packages are installed on the machine where you will run the installation script (e.g., your laptop):
- gcloud: The installation script automates the setup process by using gcloud and prompts you for the required inputs. It assumes you have the necessary credentials and permissions for your Google Cloud account.
- uuidgen: used for generating the Co-signer’s unique ID during installation.
- jq: used to create an output JSON configuration file.
The installation script uses those packages to create the resources and install the Co-signer.
1.3. Ensure account permissions to the required Google Cloud resources
You must have the necessary Google Cloud account permissions to enable network access to required domains and to create and configure the following resources:
- Project
- IAM Role
- Workload Identity Pool provider
- Customer Managed Key (CMK)
- Bucket
- Workload Container
1.4. Additional security recommendations
It is highly recommended to control user and network access to your Google Cloud environment. See API Co-signer security checklist and recommended defense and monitoring systems for further information.
Step 2: Add a Co-signer to the workspace using an API user
Follow the instructions to add a new Co-signer to the workspace. Ensure you copy to your clipboard the following items, which you will use during the installation process:
- The API user's pairing token
- The download link of the Co-signer's installation script
Step 3: Install and connect the Co-signer to the workspace
3.1. Download the installation script
Using the download link of the Google Cloud Confidential Space Co-signer installation script you copied from the Console, download the script to your local machine, where you will run the script from.
Paste the appropriate URL into the following command:
wget "URL"
3.2. Run the installation script
Run the client_install_gcp_api_cosigner_script.sh script in an interactive shell and respond to prompts as the script executes. When prompted, select option “1 - Create” for first-time setup.
Note: Ensure you place the
encryptor_decryptor_random_bytes_generator_role.yamlfile in the same directory as the script.
You will be prompted to enter the Pairing token for the API user, which you retrieve from the Fireblocks Console. This token pairs the API user with the Co-signer.
At this stage, you will have the option to configure the Callback Handler parameters for the API user connecting the Co-signer to the workspace. This feature is optional. You can configure it later through the Console, APIs, or locally from the Co-signer's host machine.
For detailed instructions on setting up your Callback Handler's interface to the Co-signer and implement its logic and code, refer to the Setup API Co-signer Callback Handler section.
Once the installation is complete, the Co-signer will automatically start running. At the end of the process, the Co-Signer generates a JSON file summarizing all the resources created during the process.
3.3. Approve MPC key shares for the API user
If the API user used to pair with the Co-Signer and connect it to your workspace has an Admin or User role, the workspace owner will receive a notification. This notification will prompt them to approve a new MPC key share request for that API user using the Fireblocks mobile app.
You can now see the Co-signer you installed in the Co-signers tab within the Console's Developer Center. Observe it is online and that the API user is paired to it.
To check the Co-signer's status and observe the logs, see the Google Cloud Confidential Space Co-signer Maintenance article.