Configuring IAM policies

This topic describes how to configure the necessary IAM policies for creating and managing CA Service resources.

Before you begin

Follow the Quickstart guide to set up the API. Review Permissions and roles to learn about the IAM policies that can be bound to CA Service resources.

Configuring IAM

The scenarios below describe how to grant users access to CA Service resources.

Administer resources

A CA administrator has permission to manage all CA Service resources and to set IAM policies on CA Service certificate authorities.

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click the ADD button.

  3. In the New members text box, enter the member.

  4. Click the Select a role text box.

  5. Type the filter CA Service Admin, scroll down the list, and select CA Service Admin.

  6. Click the Save button.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.admin

roles/privateca.admin can also be set at the resource level to manage a specific CA.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select your CA under CAs.

  3. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  4. Click the ADD MEMBER button.

  5. In the New members text box, enter the member.

  6. Click the Select a role text box.

  7. In the pop-up, hover over CA Service, and select CA Service Admin.

  8. Click the Save button.

gcloud

When granting a policy for a root CA, use roots for the CA_TYPE variable. When granting a policy for a subordinate CA, use subordinates for the CA_TYPE variable.

Set the policy with the following command:

gcloud beta privateca CA_TYPE add-iam-policy-binding \
  CA_ID --member MEMBER --role roles/privateca.admin
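The CA_TYPE rule above is easy to get wrong in a script, and a mistyped role name in an add-iam-policy-binding call still produces a valid binding. The following is an added example, not part of the Google Cloud documentation or the gcloud tool itself: a small POSIX shell wrapper that validates CA_TYPE (roots or subordinates) and restricts the role to the roles/privateca.* family before building the binding command. It prints the command for review unless PRIVATECA_APPLY=1 is set, in which case it runs gcloud with properly quoted arguments. The CA ids and member names shown are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the CA Service docs' own code): guard-railed wrapper around
#   gcloud beta privateca CA_TYPE add-iam-policy-binding CA_ID --member MEMBER --role ROLE
# Usage: privateca_binding_cmd CA_TYPE CA_ID MEMBER ROLE   (prints the command)
#        privateca_bind        CA_TYPE CA_ID MEMBER ROLE   (dry run, or applies with PRIVATECA_APPLY=1)

# Validate the four inputs; returns 1 with a message on stderr if any is unusable.
privateca_validate() {
  ca_type="$1"; ca_id="$2"; member="$3"; role="$4"

  # Root CAs live under "roots", subordinate CAs under "subordinates"; nothing else is valid.
  case "$ca_type" in
    roots|subordinates) ;;
    *) echo "CA_TYPE must be 'roots' or 'subordinates', got '$ca_type'" >&2; return 1 ;;
  esac

  # Only CA Service roles belong on a CA resource; refuse anything else (e.g. roles/owner).
  case "$role" in
    roles/privateca.*) ;;
    *) echo "refusing to bind non-CA-Service role '$role' on a CA" >&2; return 1 ;;
  esac

  if [ -z "$ca_id" ] || [ -z "$member" ]; then
    echo "CA_ID and MEMBER are required" >&2
    return 1
  fi
  return 0
}

# Print the exact gcloud command that would be run, after validation.
privateca_binding_cmd() {
  privateca_validate "$@" || return 1
  printf '%s\n' "gcloud beta privateca $1 add-iam-policy-binding $2 --member $3 --role $4"
}

# Dry run by default; with PRIVATECA_APPLY=1 invoke gcloud directly (no eval,
# so member and role strings are passed as single quoted arguments).
privateca_bind() {
  privateca_validate "$@" || return 1
  if [ "${PRIVATECA_APPLY:-0}" = "1" ]; then
    command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found" >&2; return 1; }
    gcloud beta privateca "$1" add-iam-policy-binding "$2" --member "$3" --role "$4"
  else
    echo "dry run: $(privateca_binding_cmd "$@")"
  fi
}

# Demonstration with constructed placeholder values (dry run unless PRIVATECA_APPLY=1).
privateca_bind roots example-root-ca user:alice@example.com roles/privateca.admin
```

Run it as a script to see the dry-run output, then set PRIVATECA_APPLY=1 once the printed command matches the binding you intend; an invalid CA_TYPE or a role outside roles/privateca.* exits non-zero before gcloud is ever called.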

Create and manage certificate authorities

To create a CA resource, roles/privateca.caManager should be granted at the project level. Granting roles/privateca.caManager also allows the caller to revoke certificates issued by the CA.

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click the ADD button.

  3. In the New members text box, enter the member.

  4. Click the Select a role text box.

  5. Type the filter CA Service Operation Manager, and select CA Service Operation Manager.

  6. Click the Save button.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.caManager

If you create a CA using an existing Cloud KMS key, the caller must also be an administrator for that Cloud KMS key.

Console

  1. In the Google Cloud Console, go to the Cloud Key Management Service page.

    Go to Cloud Key Management Service

  2. Under Key rings, click the key ring that contains the CA signing key.

  3. Click the key that is the CA signing key.

  4. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  5. Click the ADD MEMBER button.

  6. In the New members text box, enter the member.

  7. Click the Select a role text box.

  8. In the pop-up, hover over Cloud KMS, and select Cloud KMS Admin.

  9. Click the Save button.

gcloud

gcloud kms keys add-iam-policy-binding KEY \
  --keyring=KEYRING --location=LOCATION \
  --member=MEMBER \
  --role=roles/cloudkms.admin

To update or delete a specific CA, roles/privateca.caManager can be granted on either the project or the specific CA resource. This role also allows the caller to revoke all certificates issued by the specific CA.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select your CA under CAs.

  3. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  4. Click the ADD MEMBER button.

  5. In the New members text box, enter the member.

  6. Click the Select a role text box.

  7. In the pop-up, hover over CA Service, and select CA Service Operation Manager.

  8. Click the Save button.

gcloud

To grant the role for a specific CA:

gcloud beta privateca CA_TYPE add-iam-policy-binding \
  CA_ID --member MEMBER --role roles/privateca.caManager

Create certificates

To create certificates, use the role roles/privateca.certificateManager. This role also gives read access to CA Service resources. To allow certificate creation only, without read access, use roles/privateca.certificateRequester.

The following steps grant a member access to create certificates for a specific certificate authority.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select your CA under CAs.

  3. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  4. Click the ADD MEMBER button.

  5. In the New members text box, enter the member.

  6. Click the Select a role text box.

  7. In the pop-up, hover over CA Service, and select CA Service Certificate Manager.

  8. Click the Save button.

gcloud

gcloud beta privateca CA_TYPE add-iam-policy-binding \
  CA_ID --member MEMBER --role roles/privateca.certificateManager

Audit resources

A CA auditor has read access to all resources in CA Service. When granted on a specific certificate authority, the role gives read access to that CA. If the CA is in the Enterprise tier, this role can also view certificates and CRLs issued by the CA.

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click the ADD button.

  3. In the New members text box, enter the member.

  4. Click the Select a role text box.

  5. Type the filter CA Service Auditor, and select CA Service Auditor.

  6. Click the Save button.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.auditor

What's next