Configuring IAM policies

This topic describes how to configure the necessary Identity and Access Management (IAM) policies for creating and managing Certificate Authority Service resources. For more information about IAM, see Overview for IAM.

IAM policies that are set on a certificate authority (CA) pool are inherited by all the CAs in that CA pool. You cannot set IAM policies on certificates and CA resources.

Before you begin

  • Read the Quickstart guide to set up the API and create a CA pool.
  • Read IAM policies to learn more about IAM policies.
  • Read the Permissions and roles topic to learn about the IAM roles available for Certificate Authority Service.

Configuring IAM

The following scenarios describe how you can grant users access to CA Service resources.

Administering resources

A CA Service Admin (roles/privateca.admin) has the permissions to manage all CA Service resources, and set IAM policies on CA pools and certificate templates.

To assign the CA Service Admin (roles/privateca.admin) role to a user, use the following instructions:

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click ADD.

  3. In the New members field, enter the member.

  4. Click the Select a role field.

  5. Type the filter CA Service Admin, scroll down the list, and select CA Service Admin.

  6. Click Save.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.admin

Where:

  • PROJECT_ID is the unique identifier of the project.
  • MEMBER is the user or service account to whom you want to assign the CA Service Admin role.

You can also set the CA Service Admin (roles/privateca.admin) role at the resource level to manage a specific CA pool or certificate template.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  3. Click the ADD MEMBER button.

  4. In the New members text box, enter the member.

  5. Click the Select a role text box.

  6. In the pop-up, hover over CA Service, and select CA Service Admin.

  7. Click the Save button.

gcloud

Set the policy with the following command:

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.admin

Creating and managing CA pools and CAs

To create a CA pool and a CA, assign the CA Service Operation Manager (roles/privateca.caManager) role to a user at the project level. Granting CA Service Operation Manager (roles/privateca.caManager) also allows the caller to revoke certificates issued by the CAs in the CA pool.

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click the ADD button.

  3. In the New members text box, enter the member.

  4. Click the Select a role text box.

  5. Type the filter CA Service Operation Manager, and select CA Service Operation Manager.

  6. Click the Save button.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.caManager

Optionally, creating a CA using an existing Cloud KMS key also requires the caller to be an administrator for the Cloud KMS key.

Console

  1. In the Google Cloud Console, go to the Cloud Key Management Service page.

    Go to Cloud Key Management Service

  2. Under Key rings, click the key ring that contains the CA signing key.

  3. Click the key that is the CA signing key.

  4. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  5. Click the ADD MEMBER button.

  6. In the New members text box, enter the member.

  7. Click the Select a role text box.

  8. In the pop-up, hover over Cloud KMS, and select Cloud KMS Admin.

  9. Click the Save button.

gcloud

gcloud kms keys add-iam-policy-binding KEY \
  --keyring=KEYRING --location=LOCATION \
  --member=MEMBER \
  --role=roles/cloudkms.admin

To manage a specific CA pool and its CAs, the roles/privateca.caManager role can be granted on either the project or on the CA pool. This role also allows the caller to revoke certificates issued by CAs in the CA pool.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select your CA under Certificate authorities.

  3. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  4. Click the ADD MEMBER button.

  5. In the New members text box, enter the member.

  6. Click the Select a role text box.

  7. In the pop-up, hover over CA Service, and select CA Service Operation Manager.

  8. Click the Save button.

gcloud

To grant the role for a specific CA pool, run the following gcloud command:

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.caManager

Creating certificates

To create certificates, use the CA Service Certificate Manager (roles/privateca.certificateManager) role. This role also gives read access to CA Service resources. To only allow certificate creation without read access, use the CA Service Certificate Requester (roles/privateca.certificateRequester) role. For more information about IAM roles for CA Service, see Predefined roles.

The following steps grant a user access to create certificates from the CAs in a specific CA pool.

Console

  1. In the Google Cloud Console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select your CA under Certificate authorities.

  3. If not visible, click SHOW INFO PANEL in the top right of the Cloud Console.

  4. Click the ADD MEMBER button.

  5. In the New members text box, enter the member.

  6. Click the Select a role text box.

  7. In the pop-up, hover over CA Service, and select CA Service Certificate Manager.

  8. Click the Save button.

gcloud

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.certificateManager

Where:

  • POOL_ID is the unique identifier of the CA pool.
  • MEMBER is the unique identifier of the user to whom you want to assign the CA Service Certificate Manager (roles/privateca.certificateManager) role.

Auditing resources

A CA Service Auditor (roles/privateca.auditor) has read access to all resources in CA Service. When granted for a specific CA pool, it grants read access to the CA pool. If the CA pool is in the Enterprise tier, the user with this role can also view certificates and CRLs issued by the CAs in the CA pool. Assign this role to individuals who are accountable for validating security and operations of the CA pool. For more information about predefined roles, see Predefined roles.

Console

  1. In the Google Cloud Console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click the ADD button.

  3. In the New members text box, enter the member.

  4. Click the Select a role text box.

  5. Type the filter CA Service Auditor, and select CA Service Auditor.

  6. Click the Save button.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.auditor

Where:

  • PROJECT_ID is the unique identifier of the project.
  • MEMBER is the unique identifier of the user to whom you want to assign the CA Service Auditor (roles/privateca.auditor) role.
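To check who ends up able to do what on a CA pool once project-level and pool-level bindings are combined, here is an added Python example (not from the original page or from Google Cloud): it parses two IAM policy documents in the JSON shape that `gcloud ... get-iam-policy --format=json` returns and maps the predefined roles to the capabilities this page describes for them; the principals and project name are constructed placeholders.

```python
"""Audit effective CA Service access on a CA pool from IAM policy JSON.
Added example; role capabilities follow this page's role descriptions and
the two policy documents are constructed to mimic get-iam-policy output."""
import json

# Capabilities this page attributes to each predefined CA Service role.
# roles/privateca.admin manages all CA Service resources, so it is treated
# as a superset of the other roles plus setting IAM policy on pools.
ROLE_CAPS = {
    "roles/privateca.admin": {"set_iam", "create_ca", "revoke", "issue", "read"},
    "roles/privateca.caManager": {"create_ca", "revoke"},
    "roles/privateca.certificateManager": {"issue", "read"},
    "roles/privateca.certificateRequester": {"issue"},
    "roles/privateca.auditor": {"read"},
}

# Constructed sample policies (placeholder principals and project).
PROJECT_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/privateca.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/privateca.auditor", "members": ["group:sec-audit@example.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]},
]})
POOL_POLICY = json.dumps({"version": 1, "bindings": [
    {"role": "roles/privateca.caManager", "members": ["user:bob@example.com"]},
    {"role": "roles/privateca.certificateRequester",
     "members": ["serviceAccount:issuer@example-project.iam.gserviceaccount.com"]},
]})


def effective_caps(project_policy: str, pool_policy: str) -> dict:
    """Return {member: set(capabilities)} for one CA pool: project-level
    bindings apply to every pool, and a pool binding is inherited by every
    CA in it, so both documents shape access to the pool's CAs."""
    caps: dict = {}
    for doc in (project_policy, pool_policy):
        for binding in json.loads(doc).get("bindings", []):
            role_caps = ROLE_CAPS.get(binding["role"])
            if role_caps is None:
                continue  # not a CA Service role; outside this audit
            for member in binding["members"]:
                caps.setdefault(member, set()).update(role_caps)
    return caps


def members_who_can(caps: dict, capability: str) -> list:
    """Sorted members holding a capability, e.g. who can revoke certificates."""
    return sorted(m for m, c in caps.items() if capability in c)
```

Feeding the two real policy documents for a project and one of its pools into effective_caps gives a per-principal view of who can revoke certificates or change IAM on that pool, which is the set worth reviewing most often.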

What's next