This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

GCP Certificate-Manager global Certificate-Map global certificate : "invalid scope"

Posted on 03-19-2025 09:38 AM
nalb
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have a GCP project with : 

  • a global ("scope: ALL_REGIONS") active existing Google-managed certificate (listed as "Certificate" not "classicCertificate")
  • an existing global certificate map

when adding the cert into the certificate map, I receive error : 

ERROR: (gcloud.certificate-manager.maps.entries.create) INVALID_ARGUMENT: certificate "projects/200020001113/locations/global/certificates/cert-dev-global" has invalid scope

I don't understand as it should match (both are "global"). Any help ?

 

1 1 130
1 REPLY 1

Posted on --/--/---- --:-- AM
diannemcm
Staff
Reply posted on --/--/---- --:-- AM

Hi @nalb,

Welcome to Google Cloud Community!

While both are labeled as "global," Google-managed certificates (listed as "Certificate" rather than "classicCertificate") are currently region-specific, even when set to ALL_REGIONS. If the certificate is Google-managed, it may not be compatible with a global certificate map. 

Alternative Solution:

  • Create a Regional Certificate Map:
    If the certificate is Google-managed, it must be mapped to a regional certificate map instead of a global one. Try creating a regional certificate map and adding the certificate there:
    gcloud certificate-manager maps create my-regional-map --location=<REGION

            Then, add the certificate to the newly created map.

  • Or Use Classic Certificates:
    If you require a truly global certificate, consider creating a classicCertificate instead.

Certificate maps are not supported by cross-region internal Application Load Balancers. After you create the Google-managed certificate, attach the certificate directly to the target proxy.

Other References: Certificate Manager Limitations, GCP Public Tracker: Certificate Manager does not support --scope="all-regions"

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

0 Likes
Top Labels in this Space
Top Solution Authors
View all