Configuring, modifying, and removing IAM policies
This topic describes how to configure, modify, and remove the Identity and Access Management (IAM) policies that let members create and manage Certificate Authority Service resources. For more information about IAM, see Overview for IAM.
IAM policies that are set on a certificate authority (CA) pool are inherited by all the CAs in that CA pool. You cannot set IAM policies on certificates and CA resources.
Before you begin
- Read the Quickstart guide to set up the API and create a CA pool.
- Read IAM policies to learn more about IAM policies.
- Read the Permissions and roles topic to learn about the IAM roles available for Certificate Authority Service.
Configuring IAM policy bindings
The following scenarios describe how you can grant users access to CA Service resources.
Administering resources
A CA Service Admin (roles/privateca.admin) has permission to manage all CA Service resources and to set IAM policies on CA pools and certificate templates.
To assign the CA Service Admin (roles/privateca.admin) role to a user, use the following instructions:
Console
In the Google Cloud console, go to the IAM page.
In the top bar for IAM, click ADD.
In the New members field, enter the member.
Click the Select a role field.
Type the filter CA Service Admin, scroll down the list, and select CA Service Admin.
Click Save.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.admin
Replace the following:
- PROJECT_ID: the unique identifier of the project.
- MEMBER: the user or service account to whom you want to assign the CA Service Admin role.
The --role flag takes the IAM role that you want to assign to the member.
You can also set the CA Service Admin (roles/privateca.admin) role at the resource level to manage a specific CA pool or certificate template.
Console
In the Google Cloud console, go to the Certificate Authority Service page.
If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.
Click ADD MEMBER.
In the New members field, enter the member.
Click the Select a role field.
In the pop-up, hover over CA Service, and select CA Service Admin.
Click Save.
gcloud
To set the IAM policy, run the following command:
gcloud privateca pools add-iam-policy-binding POOL_ID \
--location LOCATION \
--member MEMBER \
--role roles/privateca.admin
Replace the following:
- POOL_ID: the unique identifier of the CA pool for which you want to set the IAM policy.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- MEMBER: the user or service account to which you want to assign the IAM role.
The --role flag takes the IAM role that you want to assign to the member.
For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.
Creating and managing CA pools and CAs
To create a CA pool and a CA, assign the CA Service Operation Manager (roles/privateca.caManager) role to a user at the project level. Granting CA Service Operation Manager (roles/privateca.caManager) also allows the caller to revoke certificates issued by the CAs in the CA pool.
Console
In the Google Cloud console, go to the IAM page.
In the top bar for IAM, click ADD.
In the New members field, enter the member.
Click Select a role.
Type the filter CA Service Operation Manager, and select CA Service Operation Manager.
Click Save.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.caManager
Replace the following:
- PROJECT_ID: the unique identifier of the project.
- MEMBER: the user or service account for which you want to add the IAM role.
The --role flag takes the IAM role that you want to assign to the member.
For more information about the gcloud projects add-iam-policy-binding command, see gcloud projects add-iam-policy-binding.
If you create a CA using an existing Cloud KMS key, the caller must also be an administrator for that Cloud KMS key.
The Cloud KMS Admin (roles/cloudkms.admin) has complete access to all Cloud KMS resources, except the encrypt and decrypt operations. For more information about IAM roles for Cloud KMS, see Cloud KMS: Permissions and roles.
Console
In the Google Cloud console, go to the Cloud Key Management Service page.
Under Key rings, click the key ring that contains the CA signing key.
Click the key that is the CA signing key.
If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.
Click ADD MEMBER.
In the New members field, enter the member.
Click the Select a role field.
In the pop-up, hover over Cloud KMS, and select Cloud KMS Admin.
Click Save.
gcloud
gcloud kms keys add-iam-policy-binding KEY \
--keyring=KEYRING --location=LOCATION \
--member=MEMBER \
--role=roles/cloudkms.admin
Replace the following:
- KEY: the unique identifier of the key.
- KEYRING: the keyring that contains the key. For more information about key rings, see Key rings.
- MEMBER: the user or service account for which you want to add the IAM binding.
The --role flag takes the IAM role that you want to assign to the member.
For more information about the gcloud kms keys add-iam-policy-binding command, see gcloud kms keys add-iam-policy-binding.
To manage a specific CA pool and its CAs, the roles/privateca.caManager role can be granted on either the project or the CA pool. This role also allows the caller to revoke certificates issued by CAs in the CA pool.
Console
In the Google Cloud console, go to the Certificate Authority Service page.
Select your CA under Certificate authorities.
If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.
Click ADD MEMBER.
In the New members field, enter the member.
Click the Select a role field.
In the pop-up, hover over CA Service, and select CA Service Operation Manager.
Click Save.
gcloud
To grant the role for a specific CA pool, run the following gcloud command:
gcloud privateca pools add-iam-policy-binding POOL_ID \
--location LOCATION \
--member MEMBER \
--role roles/privateca.caManager
Replace the following:
- POOL_ID: the unique identifier of the CA pool.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- MEMBER: the unique identifier of the user to whom you want to assign the CA Service Operation Manager (roles/privateca.caManager) role.
The --role flag takes the IAM role that you want to assign to the member.
For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.
Creating certificates
To create certificates, use the CA Service Certificate Manager (roles/privateca.certificateManager) role. This role also gives read access to CA Service resources. To allow certificate creation only, without read access, use the CA Service Certificate Requester (roles/privateca.certificateRequester) role. For more information about IAM roles for CA Service, see Predefined roles.
To grant the user access to create certificates for a specific CA, use the following instructions.
Console
In the Google Cloud console, go to the Certificate Authority Service page.
Select your CA under Certificate authorities.
If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.
Click ADD MEMBER.
In the New members field, enter the member.
Click the Select a role field.
In the pop-up, hover over CA Service, and select CA Service Certificate Manager.
Click Save.
gcloud
gcloud privateca pools add-iam-policy-binding POOL_ID \
--location LOCATION \
--member MEMBER \
--role roles/privateca.certificateManager
Replace the following:
- POOL_ID: the unique identifier of the CA pool.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- MEMBER: the unique identifier of the user to whom you want to assign the CA Service Certificate Manager (roles/privateca.certificateManager) role.
The --role flag takes the IAM role that you want to assign to the member.
Auditing resources
A CA Service Auditor (roles/privateca.auditor) has read access to all resources in CA Service. When granted for a specific CA pool, it grants read access to that CA pool. If the CA pool is in the Enterprise tier, a user with this role can also view certificates and CRLs issued by the CAs in the CA pool. Assign this role to individuals who are accountable for validating the security and operations of the CA pool. For more information about the predefined IAM roles for CA Service, see Predefined roles.
Console
In the Google Cloud console, go to the IAM page.
In the top bar for IAM, click ADD.
In the New members field, enter the member.
Click Select a role.
Type the filter CA Service Auditor, and select CA Service Auditor.
Click Save.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.auditor
Replace the following:
- PROJECT_ID: the unique identifier of the project.
- MEMBER: the unique identifier of the user to whom you want to assign the CA Service Auditor (roles/privateca.auditor) role.
The --role flag takes the IAM role that you want to assign to the member.
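The following Python illustration is added here and is not CA Service code: it applies the inheritance rule stated at the top of this page (policy bindings on a CA pool reach every CA in it, and CAs and certificates carry no policy of their own) to the roles described in the scenarios above, answering what a member can do on a given CA and who can revoke certificates in a pool. All policies, members, pool and CA names are constructed sample data in the JSON shape that gcloud get-iam-policy commands return.

```python
"""Effective CA Service roles under the page's inheritance rule: bindings on a CA pool
apply to every CA in it, CAs and certificates have no policy of their own, and
project-level bindings apply everywhere. Added illustration, not CA Service code; all
policies, members, pools and CA names are constructed sample data in the JSON shape
that `gcloud ... get-iam-policy --format=json` returns."""
from typing import Any, Dict, Set

Policy = Dict[str, Any]

PROJECT_POLICY: Policy = {"bindings": [  # constructed
    {"role": "roles/privateca.admin", "members": ["user:pki-admin@example.com"]},
    {"role": "roles/privateca.auditor", "members": ["group:sec-audit@example.com"]},
]}
POOL_POLICIES: Dict[str, Policy] = {  # constructed, keyed by CA pool ID
    "issuing-pool": {"bindings": [
        {"role": "roles/privateca.certificateRequester",
         "members": ["serviceAccount:web-issuer@example.iam.gserviceaccount.com"]},
        {"role": "roles/privateca.caManager", "members": ["user:ops@example.com"]},
    ]},
    "root-pool": {"bindings": []},
}
CA_TO_POOL = {"issuing-ca-1": "issuing-pool", "root-ca": "root-pool"}  # constructed

# Roles the page describes as able to revoke certificates issued by CAs in a pool:
# caManager explicitly, admin because it manages all CA Service resources.
REVOKE_ROLES = {"roles/privateca.admin", "roles/privateca.caManager"}

def roles_in(policy: Policy, member: str) -> Set[str]:
    """Roles bound directly to `member` in one policy document."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}

def effective_roles(member: str, ca_id: str, project: Policy = PROJECT_POLICY,
                    pools: Dict[str, Policy] = POOL_POLICIES,
                    ca_to_pool: Dict[str, str] = CA_TO_POOL) -> Set[str]:
    """Roles `member` holds on a CA: project bindings plus those of the CA's pool."""
    return roles_in(project, member) | roles_in(pools[ca_to_pool[ca_id]], member)

def who_can_revoke(pool_id: str, project: Policy = PROJECT_POLICY,
                   pools: Dict[str, Policy] = POOL_POLICIES) -> Set[str]:
    """Members able to revoke certificates issued by CAs in `pool_id`; a quick
    least-privilege check before granting caManager at the project level."""
    members: Set[str] = set()
    for policy in (project, pools[pool_id]):
        for b in policy.get("bindings", []):
            if b["role"] in REVOKE_ROLES:
                members.update(b.get("members", []))
    return members
```

Note that the requester service account bound on issuing-pool holds nothing on the CA in root-pool, while the project-level admin appears in every pool's revoke set; that is the effect of granting a broad role at the project level rather than on one pool.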
Configuring IAM policy bindings per resource
This section describes how you can configure IAM policy bindings for a particular resource in CA Service.
Adding IAM policy bindings
The procedure for modifying a user's IAM role is the same as that for granting a role. You can modify an existing IAM policy binding using the Google Cloud CLI's add-iam-policy-binding command.
To add an IAM policy on a particular CA pool, use the following gcloud command:
gcloud
gcloud privateca pools add-iam-policy-binding POOL_ID \
--location=LOCATION \
--member=MEMBER \
--role=ROLE
Replace the following:
- POOL_ID: the unique identifier of the CA pool.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- MEMBER: the user or service account for which you want to add the IAM policy binding.
- ROLE: the role that you want to modify for the member.
For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.
To add an IAM policy on a particular certificate template, use the following gcloud command:
gcloud
gcloud privateca templates add-iam-policy-binding TEMPLATE_ID \
--location=LOCATION \
--member=MEMBER \
--role=ROLE
Replace the following:
- TEMPLATE_ID: the unique identifier of the certificate template.
- LOCATION: the location of the certificate template. For the complete list of locations, see Locations.
- MEMBER: the user or service account for which you want to add the IAM policy binding.
- ROLE: the role that you want to modify for the member.
For more information about the gcloud privateca templates add-iam-policy-binding command, see gcloud privateca templates add-iam-policy-binding.
For more information about modifying a user's IAM role, see Granting access.
Removing IAM policy bindings
You can remove an existing IAM policy binding using the Google Cloud CLI's remove-iam-policy-binding command.
To remove an IAM policy on a particular CA pool, use the following gcloud command:
gcloud
gcloud privateca pools remove-iam-policy-binding POOL_ID \
--location=LOCATION \
--member=MEMBER \
--role=ROLE
Replace the following:
- POOL_ID: the unique identifier of the CA pool.
- LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
- MEMBER: the user or service account for which you want to remove the IAM policy binding.
- ROLE: the role that you want to remove for the member.
For more information about the gcloud privateca pools remove-iam-policy-binding command, see gcloud privateca pools remove-iam-policy-binding.
To remove an IAM policy on a particular certificate template, use the following gcloud command:
gcloud
gcloud privateca templates remove-iam-policy-binding TEMPLATE_ID \
--location=LOCATION \
--member=MEMBER \
--role=ROLE
Replace the following:
- TEMPLATE_ID: the unique identifier of the certificate template.
- LOCATION: the location of the certificate template. For the complete list of locations, see Locations.
- MEMBER: the user or service account for which you want to remove the IAM policy binding.
- ROLE: the role that you want to remove for the member.
For more information about the gcloud privateca templates remove-iam-policy-binding command, see gcloud privateca templates remove-iam-policy-binding.
For more information about removing a user's IAM role, see Revoking access.
What's next
- Read the overview for IAM.
- Learn more about IAM roles.
- Learn more about IAM roles for CA Service, and their associated permissions.
- Learn more about policy controls.
- Learn how to manage policy controls.