Certificate authoritites, certificates, and certificate revocation lists in CA Service can have Identity and Access Management policies bound to the resource.
Required Permissions
The following table lists the permissions that the caller must have to call each method:
| Permission | Description |
|---|---|
privateca.certificateAuthorities.create |
Create a certificate authority (CA). |
privateca.certificateAuthorities.delete |
Schedule a CA for deletion. |
privateca.certificateAuthorities.get |
Get a CA or CA certificate signing request. |
privateca.certificateAuthorities.getIamPolicy |
Get the IAM policy for a CA. |
privateca.certificateAuthorities.list |
List CAs in a project. |
privateca.certificateAuthorities.setIamPolicy |
Set the IAM policy for a CA. |
privateca.certificateAuthorities.update |
Update a CA, including activating, enabling, disabling, and restoring the CA. |
privateca.certificates.create |
Create a new certificate in a CA. |
privateca.certificates.get |
Get a certificate and its metadata. |
privateca.certificates.list |
List all certificates in a CA. |
privateca.certificates.update |
Update a certificate's metadata, including revocation. |
privateca.certificateRevocationLists.get |
Get a certificate revocation list (CRL) in a CA. |
privateca.certificateRevocationLists.getIamPolicy |
Get the IAM policy for a CRL. |
privateca.certificateRevocationLists.list |
List all CRLs in a CA. |
privateca.certificateRevocationLists.setIamPolicy |
Set the IAM policy for a CRL. |
privateca.certificateRevocationLists.update |
Update a CRL. |
privateca.operations.cancel |
Cancel a long-running operation. |
privateca.operations.delete |
Delete a long-running operation. |
privateca.operations.get |
Get a long-running operation. |
privateca.operations.list |
List long-running operations in a project. |
privateca.reusableConfigs.get |
Get a reusable configuration. |
privateca.reusableConfigs.list |
List reusable configurations in a project. |
Predefined Roles
Roles can be assigned to a user or service account. For CA Service, we also support resource-level role assignment, so roles can be assigned to users or service accounts for a specific resource. This allows for fine-grained control of certificates.
Roles are inherited if granted at a higher resource level. For example, if the user is granted the Auditor role at the project level, the user will be able to view all resources under the project. Note that the role that grants the broadest scope will take precedence. For example, if the user is granted the Admin role at the project level but only the Auditor role for a specific resource, they will still be able to edit the resource.
| Role | Permissions |
|---|---|
roles/privateca.auditor |
privateca.certificateAuthorities.listprivateca.certificateAuthorities.getprivateca.certificateAuthorities.getIamPolicyprivateca.certificates.listprivateca.certificates.getprivateca.certificates.getIamPolicyprivateca.certificateRevocationLists.listprivateca.certificateRevocationLists.getprivateca.certificateRevocationLists.getIamPolicyprivateca.reusableConfigs.listprivateca.reusableConfigs.getprivateca.reusableConfigs.getIamPolicyresourcemanager.projects.getresourcemanager.projects.list
|
roles/privateca.certificateRequester |
privateca.certificates.create
|
roles/privateca.certificateManager |
All permissions from roles/privateca.auditor, plus:privateca.certificates.create
|
roles/privateca.caManager |
All permissions from roles/privateca.auditor, plus:privateca.certificates.updateprivateca.certificateAuthorities.createprivateca.certificateAuthorities.updateprivateca.certificateAuthorities.deleteprivateca.certificateRevocationLists.updateprivateca.reusableConfigs.createprivateca.reusableConfigs.updateprivateca.reusableConfigs.deletestorage.buckets.create
|
roles/privateca.admin |
All permissions from roles/privateca.certificateManager,
and roles/privateca.caManager, plus:privateca.*.setIamPolicy
|
CA Service Service Agent
When providing existing Cloud KMS signing keys or
Cloud Storage buckets during CA creation, the CA Service
Service Agent service account
(service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com) must be
granted access to the respective resource.
For Cloud KMS, roles/cloudkms.signerVerifier is required to use the
signing key and read the public key. roles/viewer is required to monitor
the key for Cloud Monitoring integration.
For Cloud Storage, roles/storage.objectAdmin is required to write the
CA certificate and CRLs to a bucket. roles/storage.legacyBucketReader is
required to monitor the bucket for Cloud Monitoring integration.
When accessing the service through the API, the following commands should be run. First, create the Service Agent service account:
gcloud
gcloud beta services identity create --service=privateca.googleapis.com --project=PROJECT_ID
If existing Cloud KMS signing keys will be provided:
gcloud
gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/cloudkms.signerVerifier'
gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
--keyring='KEYRING_NAME' \
--location='LOCATION' \
--member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
--role='roles/viewer'
If existing Cloud Storage buckets will be provided, use the
gsutil command line tool to bind the
required roles for the Cloud Storage bucket:
gsutil
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.objectAdmin gs://BUCKET_NAME
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.legacyBucketReader gs://BUCKET_NAME
What's next
- Learn how IAM centralizes management of permissions and access scopes for Google Cloud resources.