Permissions and roles

Certificate authorities, certificates, and certificate revocation lists in CA Service can have Identity and Access Management policies bound to the resource.

Required permissions

The following table lists the permissions that the caller must have to call each method:

Permission	Description
`privateca.certificateAuthorities.create`	Create a certificate authority (CA).
`privateca.certificateAuthorities.delete`	Schedule a CA for deletion.
`privateca.certificateAuthorities.get`	Get a CA or CA certificate signing request.
`privateca.certificateAuthorities.getIamPolicy`	Get the IAM policy for a CA.
`privateca.certificateAuthorities.list`	List CAs in a project.
`privateca.certificateAuthorities.setIamPolicy`	Set the IAM policy for a CA.
`privateca.certificateAuthorities.update`	Update a CA, including activating, enabling, disabling, and restoring the CA.
`privateca.certificates.create`	Create a new certificate in a CA.
`privateca.certificates.get`	Get a certificate and its metadata.
`privateca.certificates.list`	List all certificates in a CA.
`privateca.certificates.update`	Update a certificate's metadata, including revocation.
`privateca.certificateRevocationLists.get`	Get a certificate revocation list (CRL) in a CA.
`privateca.certificateRevocationLists.getIamPolicy`	Get the IAM policy for a CRL.
`privateca.certificateRevocationLists.list`	List all CRLs in a CA.
`privateca.certificateRevocationLists.setIamPolicy`	Set the IAM policy for a CRL.
`privateca.certificateRevocationLists.update`	Update a CRL.
`privateca.operations.cancel`	Cancel a long-running operation.
`privateca.operations.delete`	Delete a long-running operation.
`privateca.operations.get`	Get a long-running operation.
`privateca.operations.list`	List long-running operations in a project.
`privateca.reusableConfigs.get`	Get a reusable configuration.
`privateca.reusableConfigs.list`	List reusable configurations in a project.

Predefined roles

It is important to implement separation of duties to protect the security and integrity of a CA. Through the implementation of discrete roles, organizations can better manage the security of the CA and the overall PKI itself.

CA Service lets you assign roles to a user or service account. These role bindings can be added at the CA-level (to grant access to a specific CA), or at the project or organization-level (to grant access to all CAs in that scope).

Roles are inherited if granted at a higher resource level. For example, a user who is granted the Auditor role at the project level is able to view all resources under the project. The role that grants the broadest scope takes precedence. For example, if the user is granted the Admin role at the project level but only the Auditor role for a specific resource, they can still edit the resource.

Role	Permissions	Description
CA Service Auditor `roles/privateca.auditor`	`privateca.certificateAuthorities.list` `privateca.certificateAuthorities.get` `privateca.certificateAuthorities.getIamPolicy` `privateca.certificates.list` `privateca.certificates.get` `privateca.certificates.getIamPolicy` `privateca.certificateRevocationLists.list` `privateca.certificateRevocationLists.get` `privateca.certificateRevocationLists.getIamPolicy` `privateca.reusableConfigs.list` `privateca.reusableConfigs.get` `privateca.reusableConfigs.getIamPolicy` `resourcemanager.projects.get` `resourcemanager.projects.list`	The CA Service Auditor has read-only access to all CA Service resources and can retrieve and list properties of the CA, certificates, revocation lists, reusable configs, IAM policies and projects. This role should be assigned to individuals who are accountable for validating security and operations of the CA and are not assigned any daily responsibility of administering the service.
CA Service Certificate Requester `roles/privateca.certificateRequester`	`privateca.certificates.create`	A CA Service Certificate Requester can submit certificate requests to a CA. This role should be granted to trusted individuals who are allowed to request certificates. A user with this role can request arbitrary certificates subject to the issuance policy. Unlike the CA Service Certificate Manager role, this role does not allow the user to get or list the newly issued certificate, or to get any information about the CA.
CA Service Certificate Manager `roles/privateca.certificateManager`	All permissions from `roles/privateca.auditor`, plus: `privateca.certificates.create`	A CA Service Certificate Manager can submit certificate issuance requests to a CA like the CA Service Certificate Requester. In addition, this role also inherits the permissions of the CA Service Auditor. It should be assigned to individuals accountable for creating, tracking and reviewing certificate requests on a CA such as a manager or lead engineer.
CA Service Operation Manager `roles/privateca.caManager`	All permissions from `roles/privateca.auditor`, plus: `privateca.certificates.update` `privateca.certificateAuthorities.create` `privateca.certificateAuthorities.update` `privateca.certificateAuthorities.delete` `privateca.certificateRevocationLists.update` `privateca.reusableConfigs.create` `privateca.reusableConfigs.update` `privateca.reusableConfigs.delete` `storage.buckets.create`	A CA Service Operation Manager can create, update, and delete CAs. This role can also revoke certificates and create storage buckets. It also includes the same abilities as the CA Service Auditor. In this role, individuals are responsible for configuring and deploying CAs in the organization, along with configuring the CA's issuance policy. This role does not allow for creating certificates. To do that, use the CA Service Certificate Requester, CA Service Certificate Manager, or CA Service Admin roles.
CA Service Admin `roles/privateca.admin`	All permissions from `roles/privateca.certificateManager`, and `roles/privateca.caManager`, plus: `privateca.*.setIamPolicy`	The CA Service Admin role inherits permissions from the CA Service Operation Manager and CA Service Certificate Manager. This role can perform all actions within CA Service and should be seldom assigned once the service is established. In this role, individuals can perform all aspects of administration including assigning rights to others and managing certificate requests in CA Service. It is recommended to implement special control and access to this role account to prevent unauthorized access or use.

CA Service Service Agent

When providing existing Cloud KMS signing keys or Cloud Storage buckets during CA creation, the CA Service Service Agent service account (service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com) must be granted access to the respective resource.

For Cloud KMS, roles/cloudkms.signerVerifier is required to use the signing key and read the public key. roles/viewer is required to monitor the key for Cloud Monitoring integration.

For Cloud Storage, roles/storage.objectAdmin is required to write the CA certificate and CRLs to a bucket. roles/storage.legacyBucketReader is required to monitor the bucket for Cloud Monitoring integration.

When accessing the service through the API, the following commands should be run. First, create the Service Agent service account.

In the following example, PROJECT_ID is the unique identifier of the project where the CA resource is created.

gcloud

gcloud beta services identity create --service=privateca.googleapis.com --project=PROJECT_ID

If existing Cloud KMS signing keys are provided:

gcloud

gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/cloudkms.signerVerifier'

gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/viewer'

If existing Cloud Storage buckets are provided, use the gsutil command-line tool to bind the required roles for the Cloud Storage bucket:

gsutil

gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.objectAdmin gs://BUCKET_NAME
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.legacyBucketReader gs://BUCKET_NAME

What's next

Learn how IAM centralizes management of permissions and access scopes for Google Cloud resources.