Permissions and roles

Certificate authorities, certificates, and certificate revocation lists in CA Service can have Identity and Access Management (IAM) policies bound to the resource.

Required Permissions

The following table lists the permissions that the caller must have to call each method:

Permission Description
privateca.certificateAuthorities.create Create a certificate authority (CA).
privateca.certificateAuthorities.delete Schedule a CA for deletion.
privateca.certificateAuthorities.get Get a CA or CA certificate signing request.
privateca.certificateAuthorities.getIamPolicy Get the IAM policy for a CA.
privateca.certificateAuthorities.list List CAs in a project.
privateca.certificateAuthorities.setIamPolicy Set the IAM policy for a CA.
privateca.certificateAuthorities.update Update a CA, including activating, enabling, disabling, and restoring the CA.
privateca.certificates.create Create a new certificate in a CA.
privateca.certificates.get Get a certificate and its metadata.
privateca.certificates.list List all certificates in a CA.
privateca.certificates.update Update a certificate's metadata, including revocation.
privateca.certificateRevocationLists.get Get a certificate revocation list (CRL) in a CA.
privateca.certificateRevocationLists.getIamPolicy Get the IAM policy for a CRL.
privateca.certificateRevocationLists.list List all CRLs in a CA.
privateca.certificateRevocationLists.setIamPolicy Set the IAM policy for a CRL.
privateca.certificateRevocationLists.update Update a CRL.
privateca.operations.cancel Cancel a long-running operation.
privateca.operations.delete Delete a long-running operation.
privateca.operations.get Get a long-running operation.
privateca.operations.list List long-running operations in a project.
privateca.reusableConfigs.get Get a reusable configuration.
privateca.reusableConfigs.list List reusable configurations in a project.

Predefined Roles

Roles can be assigned to a user or service account. For CA Service, we also support resource-level role assignment, so roles can be assigned to users or service accounts for a specific resource. This allows for fine-grained control of certificates.

Roles are inherited if granted at a higher resource level. For example, if the user is granted the Auditor role at the project level, the user will be able to view all resources under the project. Note that permissions are additive, so the grant with the broadest scope effectively takes precedence. For example, if the user is granted the Admin role at the project level but only the Auditor role for a specific resource, they will still be able to edit the resource.

Role Permissions

roles/privateca.auditor
    privateca.certificateAuthorities.list
    privateca.certificateAuthorities.get
    privateca.certificateAuthorities.getIamPolicy
    privateca.certificates.list
    privateca.certificates.get
    privateca.certificates.getIamPolicy
    privateca.certificateRevocationLists.list
    privateca.certificateRevocationLists.get
    privateca.certificateRevocationLists.getIamPolicy
    privateca.reusableConfigs.list
    privateca.reusableConfigs.get
    privateca.reusableConfigs.getIamPolicy
    resourcemanager.projects.get
    resourcemanager.projects.list

roles/privateca.certificateRequester
    privateca.certificates.create

roles/privateca.certificateManager
    All permissions from roles/privateca.auditor, plus:
    privateca.certificates.create

roles/privateca.caManager
    All permissions from roles/privateca.auditor, plus:
    privateca.certificates.update
    privateca.certificateAuthorities.create
    privateca.certificateAuthorities.update
    privateca.certificateAuthorities.delete
    privateca.certificateRevocationLists.update
    privateca.reusableConfigs.create
    privateca.reusableConfigs.update
    privateca.reusableConfigs.delete
    storage.buckets.create

roles/privateca.admin
    All permissions from roles/privateca.certificateManager and roles/privateca.caManager, plus:
    privateca.*.setIamPolicy
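The additive, inherited evaluation described above, as an added example that is not part of this page or of CA Service itself. It transcribes the predefined-roles table into a role map and computes a member's effective permissions on a resource from bindings at the project and resource level; the resource path format and the prefix-based ancestry check are simplifying assumptions of this example.

```python
from fnmatch import fnmatchcase

# Role -> permission map, transcribed from the predefined-roles table above.
_RESOURCES = ("certificateAuthorities", "certificates",
              "certificateRevocationLists", "reusableConfigs")
AUDITOR = {f"privateca.{r}.{verb}" for r in _RESOURCES
           for verb in ("list", "get", "getIamPolicy")}
AUDITOR |= {"resourcemanager.projects.get", "resourcemanager.projects.list"}
CA_MANAGER = AUDITOR | {
    "privateca.certificates.update",
    "privateca.certificateAuthorities.create",
    "privateca.certificateAuthorities.update",
    "privateca.certificateAuthorities.delete",
    "privateca.certificateRevocationLists.update",
    "privateca.reusableConfigs.create",
    "privateca.reusableConfigs.update",
    "privateca.reusableConfigs.delete",
    "storage.buckets.create",
}
ROLES = {
    "roles/privateca.auditor": AUDITOR,
    "roles/privateca.certificateRequester": {"privateca.certificates.create"},
    "roles/privateca.certificateManager": AUDITOR | {"privateca.certificates.create"},
    "roles/privateca.caManager": CA_MANAGER,
    # Admin: certificateManager + caManager + the setIamPolicy wildcard.
    "roles/privateca.admin": CA_MANAGER | {"privateca.certificates.create",
                                           "privateca.*.setIamPolicy"},
}


def applicable_bindings(resource, bindings):
    """Bindings on the resource itself or on any ancestor (assumed path-prefix
    hierarchy, e.g. 'projects/p1' is an ancestor of 'projects/p1/locations/...')."""
    return [b for b in bindings
            if resource == b["resource"] or resource.startswith(b["resource"] + "/")]


def effective_permissions(member, resource, bindings):
    """Union of every applicable role's permissions: grants are additive,
    so a narrower role on the resource never removes what the project grants."""
    perms = set()
    for b in applicable_bindings(resource, bindings):
        if b["member"] == member:
            perms |= ROLES[b["role"]]
    return perms


def allowed(member, permission, resource, bindings):
    """True if any effective permission (including a wildcard) covers permission."""
    return any(fnmatchcase(permission, p)
               for p in effective_permissions(member, resource, bindings))
```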

CA Service Service Agent

When providing existing Cloud KMS signing keys or Cloud Storage buckets during CA creation, the CA Service Service Agent service account (service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com) must be granted access to the respective resource.

For Cloud KMS, roles/cloudkms.signerVerifier is required to use the signing key and read the public key. roles/viewer is required to monitor the key for Cloud Monitoring integration.

For Cloud Storage, roles/storage.objectAdmin is required to write the CA certificate and CRLs to a bucket. roles/storage.legacyBucketReader is required to monitor the bucket for Cloud Monitoring integration.

When accessing the service through the API, the following commands should be run. First, create the Service Agent service account:

gcloud beta services identity create --service=privateca.googleapis.com --project=PROJECT_ID

If existing Cloud KMS signing keys will be provided:

gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/cloudkms.signerVerifier'

gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/viewer'

If existing Cloud Storage buckets will be provided, use the gsutil command line tool to bind the required roles for the Cloud Storage bucket:

gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.objectAdmin gs://BUCKET_NAME
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.legacyBucketReader gs://BUCKET_NAME
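A check that the service agent bindings above are actually in place, as an added example that is not part of this page or of the CA Service tooling. It reads IAM policies in the JSON shape that `gcloud kms keys get-iam-policy --format=json` and `gsutil iam get` return, and reports which of the roles listed above are missing for the service agent; the sample policies and the project number are constructed for the example, and bindings carrying a condition are conservatively treated as not satisfying the requirement.

```python
import json

# Roles this page requires for the CA Service service agent.
REQUIRED_KMS_ROLES = {"roles/cloudkms.signerVerifier", "roles/viewer"}
REQUIRED_BUCKET_ROLES = {"roles/storage.objectAdmin", "roles/storage.legacyBucketReader"}


def service_agent_member(project_number):
    """IAM member string for the CA Service service agent of a project."""
    return f"serviceAccount:service-{project_number}@gcp-sa-privateca.iam.gserviceaccount.com"


def unconditional_roles(policy, member):
    """Roles granted to member by bindings with no IAM condition attached.
    Conditional bindings may not apply at signing time, so they are ignored
    here (a conservative assumption of this example)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and not b.get("condition")}


def missing_roles(policy_json, project_number, required):
    """Return the sorted list of required roles the service agent lacks."""
    policy = json.loads(policy_json)
    granted = unconditional_roles(policy, service_agent_member(project_number))
    return sorted(required - granted)


# Constructed sample policies (project number 123456789012 is made up).
KMS_KEY_POLICY = json.dumps({"bindings": [
    {"role": "roles/cloudkms.signerVerifier",
     "members": ["serviceAccount:service-123456789012@gcp-sa-privateca.iam.gserviceaccount.com"]},
], "etag": "BwXconstructed="})

BUCKET_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["serviceAccount:service-123456789012@gcp-sa-privateca.iam.gserviceaccount.com"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["serviceAccount:service-123456789012@gcp-sa-privateca.iam.gserviceaccount.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}},
], "etag": "BwXconstructed="})

if __name__ == "__main__":
    print("KMS key missing:", missing_roles(KMS_KEY_POLICY, "123456789012", REQUIRED_KMS_ROLES))
    print("Bucket missing:", missing_roles(BUCKET_POLICY, "123456789012", REQUIRED_BUCKET_ROLES))
```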

What's next

  • Learn how IAM centralizes management of permissions and access scopes for Google Cloud resources.