Certificate authorities, certificates, and certificate revocation lists in CA Service are resources to which Identity and Access Management (IAM) policies can be bound.
Required Permissions
The following table lists the permissions that the caller must have to call each method:
Permission | Description |
---|---|
privateca.certificateAuthorities.create | Create a certificate authority (CA). |
privateca.certificateAuthorities.delete | Schedule a CA for deletion. |
privateca.certificateAuthorities.get | Get a CA or CA certificate signing request. |
privateca.certificateAuthorities.getIamPolicy | Get the IAM policy for a CA. |
privateca.certificateAuthorities.list | List CAs in a project. |
privateca.certificateAuthorities.setIamPolicy | Set the IAM policy for a CA. |
privateca.certificateAuthorities.update | Update a CA, including activating, enabling, disabling, and restoring the CA. |
privateca.certificates.create | Create a new certificate in a CA. |
privateca.certificates.get | Get a certificate and its metadata. |
privateca.certificates.list | List all certificates in a CA. |
privateca.certificates.update | Update a certificate's metadata, including revocation. |
privateca.certificateRevocationLists.get | Get a certificate revocation list (CRL) in a CA. |
privateca.certificateRevocationLists.getIamPolicy | Get the IAM policy for a CRL. |
privateca.certificateRevocationLists.list | List all CRLs in a CA. |
privateca.certificateRevocationLists.setIamPolicy | Set the IAM policy for a CRL. |
privateca.certificateRevocationLists.update | Update a CRL. |
privateca.operations.cancel | Cancel a long-running operation. |
privateca.operations.delete | Delete a long-running operation. |
privateca.operations.get | Get a long-running operation. |
privateca.operations.list | List long-running operations in a project. |
privateca.reusableConfigs.get | Get a reusable configuration. |
privateca.reusableConfigs.list | List reusable configurations in a project. |
Predefined Roles
It is important to implement separation of duties to protect the security and integrity of a CA. Through the implementation of discrete roles, organizations can better manage the security of the CA and the overall PKI itself.
CA Service lets you bind roles to a user, group, or service account. These role bindings can be added at the CA level (to grant access to a specific CA) or at the project or organization level (to grant access to all CAs in that scope).
Roles granted at a higher level of the resource hierarchy are inherited by every resource below it. For example, a user granted the Auditor role at the project level can view all CA Service resources in that project. Because IAM evaluates the union of all bindings that apply to a resource, a narrower role bound directly on a resource does not restrict a broader role inherited from above: a user granted the Admin role at the project level and only the Auditor role on a specific CA can still edit that CA. To confine a principal to a single CA, bind the role on that CA only and grant nothing broader at the project or organization level.
Role | Permissions | Description |
---|---|---|
CA Service Auditor (roles/privateca.auditor) | privateca.certificateAuthorities.list, privateca.certificateAuthorities.get, privateca.certificateAuthorities.getIamPolicy, privateca.certificates.list, privateca.certificates.get, privateca.certificates.getIamPolicy, privateca.certificateRevocationLists.list, privateca.certificateRevocationLists.get, privateca.certificateRevocationLists.getIamPolicy, privateca.reusableConfigs.list, privateca.reusableConfigs.get, privateca.reusableConfigs.getIamPolicy, resourcemanager.projects.get, resourcemanager.projects.list | The CA Service Auditor has read-only access to all CA Service resources and can retrieve and list the properties of CAs, certificates, revocation lists, reusable configs, IAM policies, and projects. Assign this role to individuals who are accountable for validating the security and operation of the CA and who have no day-to-day responsibility for administering the service. |
CA Service Certificate Requester (roles/privateca.certificateRequester) | privateca.certificates.create | A CA Service Certificate Requester can submit certificate requests to a CA. Grant this role only to trusted individuals or workloads that are allowed to request certificates: a holder of this role can request arbitrary certificates, constrained only by the CA's issuance policy. Unlike the CA Service Certificate Manager role, this role does not allow the holder to get or list the newly issued certificate, or to read any information about the CA. |
CA Service Certificate Manager (roles/privateca.certificateManager) | All permissions from roles/privateca.auditor, plus: privateca.certificates.create | A CA Service Certificate Manager can submit certificate issuance requests to a CA, like the CA Service Certificate Requester, and additionally inherits the permissions of the CA Service Auditor. Assign it to individuals accountable for creating, tracking, and reviewing certificate requests on a CA, such as a manager or lead engineer. |
CA Service Operation Manager (roles/privateca.caManager) | All permissions from roles/privateca.auditor, plus: privateca.certificates.update, privateca.certificateAuthorities.create, privateca.certificateAuthorities.update, privateca.certificateAuthorities.delete, privateca.certificateRevocationLists.update, privateca.reusableConfigs.create, privateca.reusableConfigs.update, privateca.reusableConfigs.delete, storage.buckets.create | A CA Service Operation Manager can create, update, and delete CAs, revoke certificates, and create storage buckets, and also has the read-only abilities of the CA Service Auditor. Holders of this role are responsible for configuring and deploying CAs in the organization, including each CA's issuance policy. This role does not allow creating certificates; for that, use the CA Service Certificate Requester, CA Service Certificate Manager, or CA Service Admin role. |
CA Service Admin (roles/privateca.admin) | All permissions from roles/privateca.certificateManager and roles/privateca.caManager, plus: privateca.*.setIamPolicy | The CA Service Admin role inherits the permissions of the CA Service Operation Manager and CA Service Certificate Manager and can perform every action in CA Service, including granting rights to others and managing certificate requests. It should be seldom assigned once the service is established. Put special controls on access to this role (for example, a dedicated account and monitoring of its use) to prevent unauthorized access or use. |
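The following script is an added example; it is not code from the CA Service documentation or from gcloud. It models the two points made above, that IAM grants a member the union of every binding on a resource and on its ancestors (so a narrower role bound on one CA cannot restrict an Admin grant at the project level), and that separation of duties means checking which duties a member's combined bindings actually collapse. The role-to-permission map is transcribed from the table above (the Admin row's privateca.*.setIamPolicy wildcard is expanded to the two setIamPolicy permissions named in the Required Permissions table); the three policies are constructed sample data in the JSON shape that gcloud's get-iam-policy --format=json output uses, and every member name in them is fictitious.

```python
"""Resolve effective CA Service permissions across the IAM resource hierarchy.

Added example; not code from the CA Service documentation or from gcloud.
IAM grants a member the UNION of every binding on a resource and on each of
its ancestors (organization -> project -> CA). A narrower role bound directly
on a CA therefore never subtracts from a broader role inherited from above.

ROLE_PERMISSIONS is transcribed from the predefined-role table on this page;
the Admin row's "privateca.*.setIamPolicy" wildcard is expanded to the two
setIamPolicy permissions listed in the Required Permissions table.
The policies at the bottom are constructed sample data in the JSON shape that
`gcloud ... get-iam-policy --format=json` returns; the members are fictitious.
"""
from typing import Dict, Iterable, List, Set


def _readonly(resource: str) -> Set[str]:
    return {f"privateca.{resource}.{verb}" for verb in ("list", "get", "getIamPolicy")}


_AUDITOR = (
    _readonly("certificateAuthorities")
    | _readonly("certificates")
    | _readonly("certificateRevocationLists")
    | _readonly("reusableConfigs")
    | {"resourcemanager.projects.get", "resourcemanager.projects.list"}
)
_REQUESTER = {"privateca.certificates.create"}
_CERT_MANAGER = _AUDITOR | _REQUESTER
_CA_MANAGER = _AUDITOR | {
    "privateca.certificates.update",  # includes revocation
    *(f"privateca.certificateAuthorities.{v}" for v in ("create", "update", "delete")),
    "privateca.certificateRevocationLists.update",
    *(f"privateca.reusableConfigs.{v}" for v in ("create", "update", "delete")),
    "storage.buckets.create",
}
_ADMIN = _CERT_MANAGER | _CA_MANAGER | {
    "privateca.certificateAuthorities.setIamPolicy",
    "privateca.certificateRevocationLists.setIamPolicy",
}
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/privateca.auditor": _AUDITOR,
    "roles/privateca.certificateRequester": _REQUESTER,
    "roles/privateca.certificateManager": _CERT_MANAGER,
    "roles/privateca.caManager": _CA_MANAGER,
    "roles/privateca.admin": _ADMIN,
}


def effective_permissions(member: str, policies: Iterable[dict]) -> Set[str]:
    """Union of the permissions every applicable binding grants `member`.

    `policies` holds one IAM policy per level of the hierarchy (organization,
    project, CA). Order does not matter: the result is a set union, so no
    level can "override" or narrow another. Roles not in ROLE_PERMISSIONS
    (for example roles/viewer) contribute nothing to this CA-focused view.
    """
    perms: Set[str] = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can(member: str, permission: str, policies: Iterable[dict]) -> bool:
    return permission in effective_permissions(member, policies)


def separation_of_duties_findings(policies: List[dict]) -> Dict[str, List[str]]:
    """Flag members whose combined bindings collapse duties the page keeps apart."""
    members = sorted({m for p in policies for b in p.get("bindings", []) for m in b.get("members", [])})
    findings: Dict[str, List[str]] = {}
    for member in members:
        perms = effective_permissions(member, policies)
        reasons = []
        if "privateca.certificateAuthorities.setIamPolicy" in perms:
            reasons.append("can rewrite CA IAM policy (admin-level grant; should be seldom assigned)")
        if {"privateca.certificates.create", "privateca.certificates.update"} <= perms:
            reasons.append("can both issue and revoke certificates")
        if {"privateca.certificates.create", "privateca.certificateAuthorities.update"} <= perms:
            reasons.append("can both request certificates and change the CA's issuance policy")
        if reasons:
            findings[member] = reasons
    return findings


# Constructed sample policies (not read from a real project); members are fictitious.
ORG_POLICY = {"bindings": [
    {"role": "roles/privateca.auditor", "members": ["group:pki-audit@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/privateca.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/privateca.caManager", "members": ["group:pki-ops@example.com"]},
]}
CA_POLICY = {"bindings": [
    # Binding Auditor here does NOT narrow alice's project-level Admin grant.
    {"role": "roles/privateca.auditor", "members": ["user:alice@example.com"]},
    {"role": "roles/privateca.certificateRequester",
     "members": ["serviceAccount:issuer@example-proj.iam.gserviceaccount.com"]},
]}
HIERARCHY = [ORG_POLICY, PROJECT_POLICY, CA_POLICY]

if __name__ == "__main__":
    for m in ("user:alice@example.com", "serviceAccount:issuer@example-proj.iam.gserviceaccount.com"):
        print(m, sorted(effective_permissions(m, HIERARCHY)))
    for m, reasons in separation_of_duties_findings(HIERARCHY).items():
        print("SoD finding:", m, "->", "; ".join(reasons))
```

Run against real policies by feeding it the output of the get-iam-policy commands for the organization, project and CA in turn; the only finding on the sample data is alice, whose project-level Admin binding is what makes her CA-level Auditor binding irrelevant, while the issuer service account bound only as Certificate Requester on the CA can create certificates but cannot list or read them.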
CA Service Service Agent
When you provide existing Cloud KMS signing keys or Cloud Storage buckets during CA creation, the CA Service Service Agent service account (service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com, where PROJECT_NUMBER is the project's numeric project number, not its project ID) must be granted access to the respective resource.
For Cloud KMS, roles/cloudkms.signerVerifier is required to use the signing key and read the public key. roles/viewer is required to monitor the key for Cloud Monitoring integration.
For Cloud Storage, roles/storage.objectAdmin is required to write the CA certificate and CRLs to a bucket. roles/storage.legacyBucketReader is required to monitor the bucket for Cloud Monitoring integration.
When you set up the service through the API or gcloud, run the following commands. First, provision the service agent service account. In the following example, PROJECT_ID is the unique identifier of the project where the CA resource is created, and PROJECT_NUMBER is that project's numeric project number.

```shell
gcloud beta services identity create --service=privateca.googleapis.com --project=PROJECT_ID
```

If existing Cloud KMS signing keys will be provided, grant the service agent both roles on the key:

```shell
gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
    --keyring='KEYRING_NAME' \
    --location='LOCATION' \
    --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
    --role='roles/cloudkms.signerVerifier'

gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
    --keyring='KEYRING_NAME' \
    --location='LOCATION' \
    --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
    --role='roles/viewer'
```

If existing Cloud Storage buckets will be provided, use the gsutil command line tool to bind the required roles on the bucket:

```shell
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.objectAdmin gs://BUCKET_NAME
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.legacyBucketReader gs://BUCKET_NAME
```
What's next
- Learn how IAM centralizes management of permissions and access scopes for Google Cloud resources.