Configuring, modifying, and removing IAM policies

This topic describes how to configure, modify, and remove the Identity and Access Management (IAM) policies that let members create and manage Certificate Authority Service resources. For more information about IAM, see Overview for IAM.

IAM policies that are set on a certificate authority (CA) pool are inherited by all the CAs in that CA pool, and a policy set on the enclosing project, folder, or organization applies to every CA pool and certificate template beneath it. You cannot set IAM policies on individual certificates or CA resources; grant access on the CA pool or the certificate template instead.

Before you begin

  • Read the Quickstart guide to set up the API and create a CA pool.
  • Read IAM policies to learn more about IAM policies.
  • Read the Permissions and roles topic to learn about the IAM roles available for Certificate Authority Service.

Configuring IAM policy bindings

The following scenarios describe how you can grant users access to CA Service resources.

Administering resources

A CA Service Admin (roles/privateca.admin) has the permissions to manage all CA Service resources, and set IAM policies on CA pools and certificate templates.

To assign the CA Service Admin (roles/privateca.admin) role to a user, use the following instructions:

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click ADD.

  3. In the New members field, enter the member.

  4. Click the Select a role field.

  5. Type the filter CA Service Admin, scroll down the list, and select CA Service Admin.

  6. Click Save.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.admin

Replace the following:

  • PROJECT_ID: the unique identifier of the project.
  • MEMBER: the user, group, or service account to whom you want to assign the CA Service Admin role, in IAM member format, for example user:EMAIL, group:EMAIL, or serviceAccount:EMAIL.

The --role flag takes the IAM role that you want to assign to the member.

You can also set the CA Service Admin (roles/privateca.admin) role at the resource level to manage a specific CA pool or certificate template.

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.

  3. Click ADD MEMBER.

  4. In the New members field, enter the member.

  5. Click the Select a role field.

  6. In the pop-up, hover over CA Service, and select CA Service Admin.

  7. Click Save.

gcloud

To set the IAM policy, run the following command:

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.admin

Replace the following:

  • POOL_ID: the unique identifier of the CA pool for which you want to set the IAM policy.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
  • MEMBER: the user or service account to which you want to assign the IAM role.

The --role flag takes the IAM role that you want to assign to the member.

For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.

Creating and managing CA pools and CAs

To create a CA pool and a CA, assign the CA Service Operation Manager (roles/privateca.caManager) role to a user at the project level. Granting CA Service Operation Manager (roles/privateca.caManager) also allows the caller to revoke certificates issued by the CAs in the CA pool.

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click ADD.

  3. In the New members field, enter the member.

  4. Click Select a role.

  5. Type the filter CA Service Operation Manager, and select CA Service Operation Manager.

  6. Click Save.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.caManager

Replace the following:

  • PROJECT_ID: the unique identifier of the project.
  • MEMBER: the user or service account for which you want to add the IAM role.

The --role flag takes the IAM role that you want to assign to the member.

For more information about the gcloud projects add-iam-policy-binding command, see gcloud projects add-iam-policy-binding.

If you create a CA with an existing Cloud KMS key instead of a key that CA Service creates for you, the caller also needs administrative access to that key.

The Cloud KMS Admin (roles/cloudkms.admin) role grants complete access to all Cloud KMS resources, except the encrypt and decrypt operations. Because the role is broad, grant it on the specific CA signing key, as the steps below do, rather than on the whole project. For more information about IAM roles for Cloud KMS, see Cloud KMS: Permissions and roles.

Console

  1. In the Google Cloud console, go to the Cloud Key Management Service page.

    Go to Cloud Key Management Service

  2. Under Key rings, click the key ring that contains the CA signing key.

  3. Click the key that is the CA signing key.

  4. If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.

  5. Click ADD MEMBER.

  6. In the New members field, enter the member.

  7. Click the Select a role field.

  8. In the pop-up, hover over Cloud KMS, and select Cloud KMS Admin.

  9. Click Save.

gcloud

gcloud kms keys add-iam-policy-binding KEY \
  --keyring=KEYRING --location=LOCATION \
  --member=MEMBER \
  --role=roles/cloudkms.admin

Replace the following:

  • KEY: the unique identifier of the key.
  • KEYRING: the key ring that contains the key. For more information about key rings, see Key rings.
  • LOCATION: the location of the key ring.
  • MEMBER: the user or service account for which you want to add the IAM binding.

The --role flag takes the IAM role that you want to assign to the member.

For more information about the gcloud kms keys add-iam-policy-binding command, see gcloud kms keys add-iam-policy-binding.

To manage a specific CA pool and its CAs, grant the roles/privateca.caManager role on either the project or the CA pool. Granting it on the CA pool limits the member to that pool, which is the least-privilege choice when the member does not need to create new pools. This role also allows the caller to revoke certificates issued by CAs in the CA pool.

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select the CA pool that you want to grant access on.

  3. If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.

  4. Click ADD MEMBER.

  5. In the New members field, enter the member.

  6. Click the Select a role field.

  7. In the pop-up, hover over CA Service, and select CA Service Operation Manager.

  8. Click Save.

gcloud

To grant the role for a specific CA pool, run the following gcloud command:

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.caManager

Replace the following:

  • POOL_ID: the unique identifier of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
  • MEMBER: the user, group, or service account to whom you want to assign the CA Service Operation Manager (roles/privateca.caManager) role.

The --role flag takes the IAM role that you want to assign to the member.

For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.

Creating certificates

To create certificates, use the CA Service Certificate Manager (roles/privateca.certificateManager) role. This role also gives read access to CA Service resources. To only allow certificate creation without read access, use the CA Service Certificate Requester (roles/privateca.certificateRequester) role. For more information about IAM roles for CA Service, see Predefined roles.

To grant a user access to create certificates from the CAs in a specific CA pool, use the following instructions.

Console

  1. In the Google Cloud console, go to the Certificate Authority Service page.

    Go to Certificate Authority Service

  2. Select the CA pool that you want to grant access on.

  3. If not visible, click SHOW INFO PANEL in the top right of the Google Cloud console.

  4. Click ADD MEMBER.

  5. In the New members field, enter the member.

  6. Click the Select a role field.

  7. In the pop-up, hover over CA Service, and select CA Service Certificate Manager.

  8. Click Save.

gcloud

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location LOCATION \
  --member MEMBER \
  --role roles/privateca.certificateManager

Replace the following:

  • POOL_ID: the unique identifier of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
  • MEMBER: the user, group, or service account to whom you want to assign the CA Service Certificate Manager (roles/privateca.certificateManager) role.

The --role flag takes the IAM role that you want to assign to the member.

Auditing resources

A CA Service Auditor (roles/privateca.auditor) has read access to all resources in CA Service. When granted for a specific CA pool, it grants read access to the CA pool. If the CA pool is in the Enterprise tier, the user with this role can also view certificates and CRLs issued by the CAs in the CA pool. Assign this role to individuals who are accountable for validating security and operations of the CA pool. For more information about the predefined IAM roles for CA Service, see Predefined roles.

Console

  1. In the Google Cloud console, go to the IAM page.

    Go to Identity and Access Management

  2. In the top bar for IAM, click ADD.

  3. In the New members field, enter the member.

  4. Click Select a role.

  5. Type the filter CA Service Auditor, and select CA Service Auditor.

  6. Click Save.

gcloud

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=MEMBER \
  --role=roles/privateca.auditor

Replace the following:

  • PROJECT_ID: the unique identifier of the project.
  • MEMBER: the user, group, or service account to whom you want to assign the CA Service Auditor (roles/privateca.auditor) role.

The --role flag takes the IAM role that you want to assign to the member.
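After the roles above have been granted, the check a practitioner wants is who holds which CA Service role on a pool and whether any grant is broader than intended. The following Python is an added example, not part of this page or of Google's tooling. It walks a CA pool policy in the JSON shape that gcloud privateca pools get-iam-policy POOL_ID --location LOCATION --format=json prints (version, etag, and bindings of role and members) and reports the holders of each CA Service role together with grants worth a second look: public principals, domain-wide grants, admins who can rewrite the policy, and service accounts holding Certificate Manager where Certificate Requester would do. The policy document, principals, and project name in it are constructed sample data; the role descriptions and finding names are this example's own.

```python
"""Review which principals hold CA Service roles on a CA pool.

Added example, not part of this page or of Google's tooling. SAMPLE_POLICY
is a constructed policy in the JSON shape of
`gcloud privateca pools get-iam-policy POOL_ID --location LOCATION --format=json`.
"""
import json

# Predefined CA Service roles as this page describes them, most to least privileged.
CA_SERVICE_ROLES = {
    "roles/privateca.admin": "manage all CA Service resources and set IAM policies",
    "roles/privateca.caManager": "create and manage CA pools and CAs, revoke certificates",
    "roles/privateca.certificateManager": "create certificates, read CA Service resources",
    "roles/privateca.certificateRequester": "create certificates, no read access",
    "roles/privateca.auditor": "read-only access",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample; the principals, project, and etag are made up.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ123abc=",
    "bindings": [
        {"role": "roles/privateca.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/privateca.caManager", "members": ["group:pki-ops@example.com"]},
        {"role": "roles/privateca.certificateManager",
         "members": ["serviceAccount:issuer@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/privateca.auditor", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},  # not a CA Service role
    ],
}


def review_bindings(policy):
    """Return (holders, findings).

    holders: role -> list of members, CA Service roles only.
    findings: dicts with role, member, issue for grants worth a second look.
    """
    holders = {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in CA_SERVICE_ROLES:
            continue
        holders.setdefault(role, []).extend(binding["members"])
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                # Any CA Service role on a public principal is a policy error.
                findings.append({"role": role, "member": member, "issue": "public-principal"})
            elif member.startswith("domain:"):
                findings.append({"role": role, "member": member, "issue": "domain-wide"})
            if role == "roles/privateca.admin":
                # Admins can rewrite this very policy; keep that list short.
                findings.append({"role": role, "member": member, "issue": "can-set-policy"})
            if role == "roles/privateca.certificateManager" and member.startswith("serviceAccount:"):
                # A workload that only requests certificates does not need read
                # access; certificateRequester is the narrower fit.
                findings.append({"role": role, "member": member, "issue": "consider-requester"})
    return holders, findings


def report(policy):
    """Plain-text summary suitable for a review ticket."""
    holders, findings = review_bindings(policy)
    lines = []
    for role, description in CA_SERVICE_ROLES.items():
        for member in holders.get(role, []):
            lines.append(f"{role:<40} {member}  ({description})")
    for f in findings:
        lines.append(f"FINDING {f['issue']}: {f['member']} holds {f['role']}")
    return "\n".join(lines)


def load_policy(text):
    """Parse the JSON that `gcloud ... get-iam-policy --format=json` prints."""
    return json.loads(text)


if __name__ == "__main__":
    print(report(load_policy(json.dumps(SAMPLE_POLICY))))
```

Feed it the real output of get-iam-policy on each pool and on the project, since a project-level binding is inherited by every pool and does not appear in the pool's own policy. Conditional bindings (those with a condition key) are listed like any other; whether the condition narrows the grant enough is a judgment the script does not make.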

Configuring IAM policy bindings per resource

This section describes how you can configure IAM policy bindings for a particular resource in CA Service.

Adding IAM policy bindings

Granting an additional role to a member uses the same add-iam-policy-binding command as the initial grant. Note that add-iam-policy-binding only adds a binding; it does not replace a binding the member already holds. To change a member's role, add the new binding and then remove the old one with remove-iam-policy-binding (see Removing IAM policy bindings below); otherwise the member keeps both roles.
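What add-iam-policy-binding and remove-iam-policy-binding do is a read-modify-write of the policy document, and a role change is an add of the new binding followed by a remove of the old one. The following Python is an added example, not code from this page or from Google; it performs that sequence on a constructed sample policy so that the effect on the bindings is visible before you run the commands against a real pool. The policy, principals, and etag value are made up, and the function names are this example's own.

```python
"""Add, remove, and change CA pool IAM bindings on the policy document.

Added example: mirrors what `gcloud privateca pools add-iam-policy-binding`
and `remove-iam-policy-binding` do to the policy JSON (get -> edit -> set).
SAMPLE_POLICY is constructed; its etag is a placeholder value.
"""
import copy

# Constructed sample of `gcloud privateca pools get-iam-policy ... --format=json`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyZ123abc=",  # placeholder; a real etag is opaque and changes on every write
    "bindings": [
        {"role": "roles/privateca.caManager",
         "members": ["user:alice@example.com"]},
        {"role": "roles/privateca.certificateManager",
         "members": ["serviceAccount:issuer@example-project.iam.gserviceaccount.com",
                     "user:bob@example.com"]},
    ],
}


def _is_plain(binding, role):
    # Only unconditional bindings are edited; a binding with a "condition"
    # key for the same role is a different binding and is left untouched.
    return binding["role"] == role and "condition" not in binding


def add_binding(policy, member, role):
    """Return a copy of policy with member added to role (idempotent)."""
    new = copy.deepcopy(policy)  # keeps version and etag for the setIamPolicy write
    for b in new["bindings"]:
        if _is_plain(b, role):
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """Return a copy of policy with member removed from role.

    A binding left with no members is dropped, as the CLI does.
    """
    new = copy.deepcopy(policy)
    kept = []
    for b in new["bindings"]:
        if _is_plain(b, role):
            b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new


def change_role(policy, member, old_role, new_role):
    """Grant new_role first, then revoke old_role, so an interrupted change
    leaves the member with both roles rather than none."""
    return remove_binding(add_binding(policy, member, new_role), member, old_role)


def roles_for(policy, member):
    """Sorted list of roles the member holds directly in this policy."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


if __name__ == "__main__":
    updated = change_role(SAMPLE_POLICY, "user:bob@example.com",
                          "roles/privateca.certificateManager",
                          "roles/privateca.certificateRequester")
    for member in ("user:alice@example.com", "user:bob@example.com"):
        print(member, roles_for(updated, member))
```

The order in change_role is a choice: adding first means a failure between the two writes leaves the member over-privileged for a moment, which is usually preferable to locking a workload out; reverse it where the opposite holds. When the result is written back, the etag from the read goes with it, which is how setIamPolicy rejects a write that would overwrite a concurrent change to the same pool; the gcloud commands do this for you.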

To add an IAM policy on a particular CA pool, use the following gcloud command:

gcloud

gcloud privateca pools add-iam-policy-binding POOL_ID \
  --location=LOCATION \
  --member=MEMBER \
  --role=ROLE

Replace the following:

  • POOL_ID: the unique identifier of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
  • MEMBER: the user or service account for which you want to add the IAM policy binding.
  • ROLE: the role that you want to grant to the member, for example roles/privateca.certificateRequester.

For more information about the gcloud privateca pools add-iam-policy-binding command, see gcloud privateca pools add-iam-policy-binding.

To add an IAM policy on a particular certificate template, use the following gcloud command:

gcloud

gcloud privateca templates add-iam-policy-binding TEMPLATE_ID \
  --location=LOCATION \
  --member=MEMBER \
  --role=ROLE

Replace the following:

  • TEMPLATE_ID: the unique identifier of the certificate template.
  • LOCATION: the location of the certificate template. For the complete list of locations, see Locations.
  • MEMBER: the user or service account for which you want to add the IAM policy binding.
  • ROLE: the role that you want to grant to the member.

For more information about the gcloud privateca templates add-iam-policy-binding command, see gcloud privateca templates add-iam-policy-binding.

For more information about modifying a user's IAM role, see Granting access.

Removing IAM policy bindings

You can remove an existing IAM policy binding using the Google Cloud CLI's remove-iam-policy-binding command.

To remove an IAM policy on a particular CA pool, use the following gcloud command:

gcloud

gcloud privateca pools remove-iam-policy-binding POOL_ID \
  --location=LOCATION \
  --member=MEMBER \
  --role=ROLE

Replace the following:

  • POOL_ID: the unique identifier of the CA pool.
  • LOCATION: the location of the CA pool. For the complete list of locations, see Locations.
  • MEMBER: the user or service account for which you want to remove the IAM policy binding.
  • ROLE: the role that you want to remove from the member. The binding must match the role exactly; removing roles/privateca.certificateManager does not affect any other role the member holds.

For more information about the gcloud privateca pools remove-iam-policy-binding command, see gcloud privateca pools remove-iam-policy-binding.

To remove an IAM policy on a particular certificate template, use the following gcloud command:

gcloud

gcloud privateca templates remove-iam-policy-binding TEMPLATE_ID \
  --location=LOCATION \
  --member=MEMBER \
  --role=ROLE

Replace the following:

  • TEMPLATE_ID: the unique identifier of the certificate template.
  • LOCATION: the location of the certificate template. For the complete list of locations, see Locations.
  • MEMBER: the user or service account for which you want to remove the IAM policy binding.
  • ROLE: the role that you want to remove from the member.

For more information about the gcloud privateca templates remove-iam-policy-binding command, see gcloud privateca templates remove-iam-policy-binding.

For more information about removing a user's IAM role, see Revoking access.

What's next