Permissions and roles
This topic describes the Identity and Access Management (IAM) roles available for Certificate Authority Service. For information about IAM, see Overview for IAM.
Overview
It is important to implement separation of duties to protect the security and integrity of a CA pool. Through the implementation of discrete roles, organizations can better manage the security of the CA pool and the overall Public Key Infrastructure (PKI) itself.
IAM lets you create and manage permissions for CA Service resources. Each IAM role provides a consistent set of permissions that restricts the operations a user can perform on CA Service resources.
You can define IAM policies for CA pools and certificate templates, but not on certificates and CA resources. IAM policies that are set on a CA pool are inherited by all the CAs in that CA pool. For more information about IAM policies, see IAM policies.
Required permissions
The following table lists the permissions that you must have to call each method:
Permission | Description |
---|---|
privateca.caPools.create | Create a certificate authority (CA) pool. |
privateca.caPools.update | Update a CA pool. |
privateca.caPools.list | List CA pools in a project. |
privateca.caPools.get | Retrieve a CA pool. |
privateca.caPools.delete | Delete a CA pool. |
privateca.caPools.getIamPolicy | Retrieve the IAM policy of the CA pool. |
privateca.caPools.setIamPolicy | Set an IAM policy for the CA pool. |
privateca.certificateAuthorities.create | Create a CA. |
privateca.certificateAuthorities.delete | Schedule a CA for deletion. |
privateca.certificateAuthorities.get | Get a CA or CA certificate signing request. |
privateca.certificateAuthorities.list | List CAs in a project. |
privateca.certificateAuthorities.update | Update a CA, including activating, enabling, disabling, and restoring the CA. |
privateca.certificates.create | Request certificates from CA Service. |
privateca.certificates.createForSelf | Request certificates from CA Service with the caller's identity. |
privateca.certificates.get | Get a certificate and its metadata. |
privateca.certificates.list | List all certificates in a CA. |
privateca.certificates.update | Update a certificate's metadata, including revocation. |
privateca.certificateRevocationLists.get | Get a certificate revocation list (CRL) in a CA. |
privateca.certificateRevocationLists.getIamPolicy | Get the IAM policy for a CRL. |
privateca.certificateRevocationLists.list | List all CRLs in a CA. |
privateca.certificateRevocationLists.setIamPolicy | Set the IAM policy for a CRL. |
privateca.certificateRevocationLists.update | Update a CRL. |
privateca.certificateTemplates.create | Create a certificate template. |
privateca.certificateTemplates.get | Retrieve a certificate template. |
privateca.certificateTemplates.list | List all certificate templates. |
privateca.certificateTemplates.update | Update a certificate template. |
privateca.certificateTemplates.delete | Delete a certificate template. |
privateca.certificateTemplates.getIamPolicy | Get the IAM policy for a certificate template. |
privateca.certificateTemplates.setIamPolicy | Set the IAM policy for a certificate template. |
privateca.certificateTemplates.use | Use a certificate template. |
privateca.operations.cancel | Cancel a long-running operation. |
privateca.operations.delete | Delete a long-running operation. |
privateca.operations.get | Get a long-running operation. |
privateca.operations.list | List long-running operations in a project. |
Predefined roles
The following table lists the predefined IAM roles and the permissions associated with each of them:
Role | Permissions | Description |
---|---|---|
CA Service Auditor (roles/privateca.auditor) | privateca.caPools.get, privateca.caPools.getIamPolicy, privateca.caPools.list, privateca.certificateAuthorities.list, privateca.certificateAuthorities.get, privateca.certificateTemplates.get, privateca.certificateTemplates.getIamPolicy, privateca.certificateTemplates.list, privateca.certificates.list, privateca.certificates.get, privateca.locations.get, privateca.locations.list, privateca.operations.get, privateca.operations.list, privateca.certificateRevocationLists.list, privateca.certificateRevocationLists.get, privateca.certificateRevocationLists.getIamPolicy, resourcemanager.projects.get, resourcemanager.projects.list | The CA Service Auditor role has read-only access to all CA Service resources, and can retrieve and list properties of the CA pool, CA, certificates, revocation lists, IAM policies, and projects. We recommend that you assign this role to individuals who are accountable for validating the security and operations of the CA pool and who don't have any daily responsibilities for administering the service. |
CA Service Certificate Requester (roles/privateca.certificateRequester) | privateca.certificates.create | A CA Service Certificate Requester can submit certificate requests to a CA pool. We recommend that you grant this role to trusted individuals who are allowed to request certificates. A user with this role can request arbitrary certificates, subject to the issuance policy. Unlike the CA Service Certificate Manager role, this role does not allow the user to get or list the newly issued certificate, or to get any information about the CA pool. |
CA Service Workload Certificate Requester (roles/privateca.workloadCertificateRequester) | privateca.certificates.createForSelf | A CA Service Workload Certificate Requester can request certificates from CA Service with the caller's identity. |
CA Service Certificate Manager (roles/privateca.certificateManager) | All permissions from roles/privateca.auditor, plus: privateca.certificates.create | A CA Service Certificate Manager can submit certificate issuance requests to a CA pool like the CA Service Certificate Requester. In addition, this role inherits the permissions of the CA Service Auditor role. We recommend that you assign this role to individuals accountable for creating, tracking, and reviewing certificate requests on a CA pool, such as a manager or a lead engineer. |
CA Service Certificate Template User (roles/privateca.templateUser) | privateca.certificateTemplates.get, privateca.certificateTemplates.list, privateca.certificateTemplates.use | A CA Service Certificate Template User can read, list, and use certificate templates. |
CA Service Operation Manager (roles/privateca.caManager) | All permissions from roles/privateca.auditor, plus: privateca.certificates.update, privateca.caPools.create, privateca.caPools.delete, privateca.caPools.update, privateca.certificateAuthorities.create, privateca.certificateAuthorities.delete, privateca.certificateAuthorities.update, privateca.certificateRevocationLists.update, privateca.certificateTemplates.create, privateca.certificateTemplates.delete, privateca.certificateTemplates.update, privateca.operations.cancel, privateca.operations.delete, resourcemanager.projects.get, resourcemanager.projects.list, storage.buckets.create | A CA Service Operation Manager can create, update, and delete CA pools and CAs. This role can also revoke certificates and create Cloud Storage buckets. It also includes the same abilities as the CA Service Auditor. In this role, individuals are responsible for configuring and deploying CA pools in the organization, along with configuring the CA pool's issuance policy. This role does not allow creating certificates. To do that, use the CA Service Certificate Requester, CA Service Certificate Manager, or CA Service Admin roles. |
CA Service Admin (roles/privateca.admin) | All permissions from roles/privateca.certificateManager and roles/privateca.caManager, plus: privateca.*.setIamPolicy, privateca.caPools.use, privateca.operations.cancel, privateca.operations.delete, privateca.resourcemanager.projects.get, privateca.resourcemanager.projects.list, storage.buckets.create | The CA Service Admin role inherits permissions from the CA Service Operation Manager and CA Service Certificate Manager. This role can perform all actions within CA Service. A CA Service Admin can set IAM policies for the CA pool and create Cloud Storage buckets. We recommend that you rarely assign this role once the service is established. In this role, individuals can perform all aspects of administration, including assigning rights to others and managing certificate requests in CA Service. We recommend that you implement special controls on access to this role to prevent unauthorized access or use. |
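The separation-of-duties guidance in the table above can be checked mechanically against a pool's IAM policy. The following script is an added example, not part of this documentation or of CA Service: it takes the JSON that `gcloud privateca pools get-iam-policy` returns, lists every principal holding roles/privateca.admin (which the table says to assign rarely), and flags any principal that holds roles/privateca.caManager together with a certificate-issuing role, since the Operation Manager role is deliberately unable to issue certificates. The sample policy and the example.com principals are constructed.

```python
import json
from collections import defaultdict

# Predefined roles that let a principal request certificates from the pool.
ISSUING_ROLES = {
    "roles/privateca.certificateRequester",
    "roles/privateca.workloadCertificateRequester",
    "roles/privateca.certificateManager",
}
# Configures pools and CAs and revokes certificates, but deliberately cannot issue them.
OPERATIONS_ROLE = "roles/privateca.caManager"
ADMIN_ROLE = "roles/privateca.admin"


def members_by_role(policy):
    """Map every role in an IAM policy document to the set of members bound to it."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        out[binding["role"]].update(binding.get("members", []))
    return out


def audit_pool_policy(policy):
    """Return (member, finding) pairs for the two checks; an empty list means no finding."""
    by_role = members_by_role(policy)
    findings = [(m, "holds roles/privateca.admin") for m in sorted(by_role[ADMIN_ROLE])]
    issuers = set()
    for role in ISSUING_ROLES:
        issuers |= by_role[role]
    for member in sorted(by_role[OPERATIONS_ROLE] & issuers):
        findings.append((member, "holds caManager together with an issuing role"))
    return findings


# Constructed sample, shaped like the output of
# `gcloud privateca pools get-iam-policy POOL --location=LOCATION --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/privateca.auditor", "members": ["group:pki-audit@example.com"]},
  {"role": "roles/privateca.caManager", "members": ["user:ops@example.com"]},
  {"role": "roles/privateca.certificateRequester",
   "members": ["user:ops@example.com", "serviceAccount:web@example.iam.gserviceaccount.com"]},
  {"role": "roles/privateca.admin", "members": ["user:breakglass@example.com"]}
]}""")

if __name__ == "__main__":
    for member, finding in audit_pool_policy(SAMPLE_POLICY):
        print(f"{member}: {finding}")
```

Because IAM policies set on a CA pool are inherited by its CAs, running this against the pool policy covers every CA in the pool.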
CA Service Service Agent
When providing existing Cloud KMS signing keys or Cloud Storage buckets during CA creation, the CA Service Service Agent service account (service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com) must be granted access to the respective resource.
For Cloud KMS, roles/cloudkms.signerVerifier is required to use the signing key and read the public key. roles/viewer is required to monitor the key for Cloud Monitoring integration.
For Cloud Storage, roles/storage.objectAdmin is required to write the CA certificate and CRLs to a bucket. roles/storage.legacyBucketReader is required to monitor the bucket for Cloud Monitoring integration. For more information, see IAM roles for Cloud Storage.
When accessing the service through the API, run the following commands.
Create a service account with the Service Agent role:
```shell
gcloud beta services identity create --service=privateca.googleapis.com --project=PROJECT_ID
```
Where:
- PROJECT_ID is the unique identifier of the project where the CA pool is created.
Grant your service account the roles/cloudkms.signerVerifier and roles/viewer roles by using the following gcloud commands. If existing Cloud KMS signing keys are provided:
```shell
gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
    --keyring='KEYRING_NAME' \
    --location='LOCATION' \
    --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
    --role='roles/cloudkms.signerVerifier'
```
Where:
- 'CRYPTOKEY_NAME' is the name of your key.
- 'KEYRING_NAME' is the name of your key ring.
- 'LOCATION' is the Cloud KMS location where you created your key ring.
- 'PROJECT_NUMBER' is the name of your service account.
```shell
gcloud kms keys add-iam-policy-binding 'CRYPTOKEY_NAME' \
    --keyring='KEYRING_NAME' \
    --location='LOCATION' \
    --member='serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com' \
    --role='roles/viewer'
```
If existing Cloud Storage buckets are provided, use the gsutil command-line tool to bind the required roles for the Cloud Storage bucket:
```shell
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.objectAdmin gs://BUCKET_NAME
```
Where:
- PROJECT_NUMBER is the unique identifier of your service account.
- BUCKET_NAME is the name of your Cloud Storage bucket.
```shell
gsutil iam ch serviceAccount:service-PROJECT_NUMBER@gcp-sa-privateca.iam.gserviceaccount.com:roles/storage.legacyBucketReader gs://BUCKET_NAME
```
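After running the bindings above, a practitioner usually wants to confirm that the service agent actually holds every required role before creating the CA, because a missing grant only surfaces as a failed CA creation. The following script is an added example, not part of this documentation or of CA Service: it builds the service agent member name from a project number and compares the IAM policy of the key and of the bucket against the roles listed in this section. The policy documents are constructed samples shaped like `gcloud kms keys get-iam-policy ... --format=json` and `gsutil iam get` output, and 123456789012 is a placeholder project number.

```python
import json

SERVICE_AGENT_DOMAIN = "gcp-sa-privateca.iam.gserviceaccount.com"
# Roles the service agent needs on a caller-supplied Cloud KMS key and Cloud Storage bucket.
REQUIRED_KEY_ROLES = {"roles/cloudkms.signerVerifier", "roles/viewer"}
REQUIRED_BUCKET_ROLES = {"roles/storage.objectAdmin", "roles/storage.legacyBucketReader"}


def service_agent_member(project_number):
    """IAM member string of the CA Service service agent for the given project number."""
    return f"serviceAccount:service-{project_number}@{SERVICE_AGENT_DOMAIN}"


def roles_for_member(policy, member):
    """Roles a member is directly bound to in an IAM policy document (conditions ignored)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def missing_roles(policy, member, required):
    """Sorted list of required roles the member does not hold in this policy."""
    return sorted(required - roles_for_member(policy, member))


# Constructed samples shaped like `gcloud kms keys get-iam-policy ... --format=json` and
# `gsutil iam get gs://BUCKET_NAME`; 123456789012 is a placeholder project number.
AGENT = service_agent_member("123456789012")
KEY_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudkms.signerVerifier", "members": ["%s"]},
  {"role": "roles/cloudkms.admin", "members": ["user:kms-admin@example.com"]}]}""" % AGENT)
BUCKET_POLICY = json.loads("""{"bindings": [
  {"role": "roles/storage.objectAdmin", "members": ["%s"]},
  {"role": "roles/storage.legacyBucketReader", "members": ["%s"]}]}""" % (AGENT, AGENT))

if __name__ == "__main__":
    # A non-empty list means CA creation with that key or bucket would lack a required grant.
    print("key is missing:", missing_roles(KEY_POLICY, AGENT, REQUIRED_KEY_ROLES))
    print("bucket is missing:", missing_roles(BUCKET_POLICY, AGENT, REQUIRED_BUCKET_ROLES))
```

In the constructed key policy the roles/viewer binding from the second gcloud command above is absent, so the check reports it as missing while the bucket passes.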
What's next
- Learn about policy controls.
- Learn how IAM centralizes management of permissions and access scopes for Google Cloud resources.