This topic describes how to configure the necessary IAM policies for creating and managing CA Service resources.
Before you begin
Follow the Quickstart guide to set up the API. Review Permissions and roles to learn about the IAM policies that can be bound to CA Service resources.
Configuring IAM
The scenarios below describe how to grant users access to CA Service resources.
Administer resources
A CA administrator has the permissions to manage all CA Service resources, along with setting IAM policies for CA Service certificate authorities.
Console
In the Google Cloud Console, go to the IAM page.
In the top bar for IAM, click the ADD button.
In the New members text box, enter the member.
Click the Select a role text box.
Type the filter CA Service Admin, scroll down the list, and select CA Service Admin.
Click the Save button.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.admin
roles/privateca.admin can also be set at the resource level to manage a specific CA.
Console
In the Google Cloud Console, go to the Certificate Authority Service page.
Select your CA under CAs.
If the info panel is not visible, click SHOW INFO PANEL in the top right of the Cloud Console.
Click the ADD MEMBER button.
In the New members text box, enter the member.
Click the Select a role text box.
In the pop-up, hover over CA Service, and select CA Service Admin.
Click the Save button.
gcloud
When granting a policy for a root CA, use roots for the CA_TYPE variable. When granting a policy for a subordinate CA, use subordinates for the CA_TYPE variable.
Set the policy with the following command:
gcloud beta privateca CA_TYPE add-iam-policy-binding \
CA_ID --member MEMBER --role roles/privateca.admin
Create and manage certificate authorities
To create a CA resource, roles/privateca.caManager should be granted at the project level. Granting roles/privateca.caManager also allows the caller to revoke certificates issued by the CA.
Console
In the Google Cloud Console, go to the IAM page.
In the top bar for IAM, click the ADD button.
In the New members text box, enter the member.
Click the Select a role text box.
Type the filter CA Service Operation Manager, and select CA Service Operation Manager.
Click the Save button.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.caManager
If you create a CA using an existing Cloud KMS key, the caller must also be an administrator for that Cloud KMS key.
Console
In the Google Cloud Console, go to the Cloud Key Management Service page.
Under Key rings, click the key ring that contains the CA signing key.
Click the key that is the CA signing key.
If the info panel is not visible, click SHOW INFO PANEL in the top right of the Cloud Console.
Click the ADD MEMBER button.
In the New members text box, enter the member.
Click the Select a role text box.
In the pop-up, hover over Cloud KMS, and select Cloud KMS Admin.
Click the Save button.
gcloud
gcloud kms keys add-iam-policy-binding KEY \
--keyring=KEYRING --location=LOCATION \
--member=MEMBER \
--role=roles/cloudkms.admin
To update or delete a specific CA, roles/privateca.caManager can be granted on either the project or the specific CA resource. This role also allows the caller to revoke all certificates issued by the specific CA.
Console
In the Google Cloud Console, go to the Certificate Authority Service page.
Select your CA under CAs.
If the info panel is not visible, click SHOW INFO PANEL in the top right of the Cloud Console.
Click the ADD MEMBER button.
In the New members text box, enter the member.
Click the Select a role text box.
In the pop-up, hover over CA Service, and select CA Service Operation Manager.
Click the Save button.
gcloud
To grant the role for a specific CA:
gcloud beta privateca CA_TYPE add-iam-policy-binding \
CA_ID --member MEMBER --role roles/privateca.caManager
Create certificates
To create certificates, use the role roles/privateca.certificateManager. This role also gives read access to CA Service resources. To allow certificate creation only, without read access, use roles/privateca.certificateRequester.
The following steps grant a member access to create certificates for a specific certificate authority.
Console
In the Google Cloud Console, go to the Certificate Authority Service page.
Select your CA under CAs.
If the info panel is not visible, click SHOW INFO PANEL in the top right of the Cloud Console.
Click the ADD MEMBER button.
In the New members text box, enter the member.
Click the Select a role text box.
In the pop-up, hover over CA Service, and select CA Service Certificate Manager.
Click the Save button.
gcloud
gcloud beta privateca CA_TYPE add-iam-policy-binding \
CA_ID --member MEMBER --role roles/privateca.certificateManager
Audit resources
A CA auditor has read access to all resources in CA Service. When granted on a specific certificate authority, the role gives read access to that CA. If the CA is in the Enterprise tier, this role can also view certificates and CRLs issued by the CA.
Console
In the Google Cloud Console, go to the IAM page.
In the top bar for IAM, click the ADD button.
In the New members text box, enter the member.
Click the Select a role text box.
Type the filter CA Service Auditor, and select CA Service Auditor.
Click the Save button.
gcloud
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=MEMBER \
--role=roles/privateca.auditor
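An added example, not part of this page or of the gcloud tooling, that works offline on JSON in the shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json: it applies the same merge that add-iam-policy-binding performs and then reviews which members hold the CA Service roles described above. The policy contents, member names and the review rules (project-wide admin/caManager can be narrowed to one CA; certificateManager also reads, certificateRequester does not) are constructed here from the statements on this page.

```python
import json
from typing import List

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`; not a real project.
SAMPLE_POLICY = json.loads("""
{"version": 1, "etag": "BwXconstructed=",
 "bindings": [
  {"role": "roles/privateca.admin",
   "members": ["user:ca-admin@example.com"]},
  {"role": "roles/privateca.certificateManager",
   "members": ["serviceAccount:issuer@example-project.iam.gserviceaccount.com"]}]}
""")

# Roles on this page that can revoke certificates issued by a CA.
REVOKE_CAPABLE = {"roles/privateca.admin", "roles/privateca.caManager"}

def add_binding(policy: dict, role: str, member: str) -> dict:
    """Same effect as add-iam-policy-binding: merge the member into the
    existing binding for the role, or create the binding if none exists."""
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

def members_with_role(policy: dict, role: str) -> List[str]:
    """All members bound to `role` in this policy."""
    return [m for b in policy.get("bindings", []) if b["role"] == role
            for m in b["members"]]

def review_findings(policy: dict, scope: str) -> List[str]:
    """Flag grants worth a second look. `scope` is "project" (policy read at
    project level) or "ca" (policy read on a single CA resource)."""
    findings = []
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding["members"]
        for member in members:
            if scope == "project" and role in REVOKE_CAPABLE:
                findings.append(f"{member}: {role} project-wide; bind it on the "
                                "specific CA if only one CA needs managing")
            elif role == "roles/privateca.certificateManager":
                findings.append(f"{member}: {role} also grants read access; use "
                                "roles/privateca.certificateRequester for issuance only")
    return findings
```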