Last updated: 2025-09-04 (UTC).

Use Common Expression Language
==============================

This page describes how you can use Common Expression Language (CEL) with certificate issuance policies, certificate templates, and Identity and Access Management (IAM) conditions on your CA
pool.

Overview
--------

[Common Expression Language (CEL)](https://opensource.google/projects/cel) is an open source, non-Turing-complete language that implements common semantics for expression evaluation. Certificate Authority Service supports CEL to enforce various policy controls for certificate issuance.

There are two CEL dialects that can be used with CA Service:

- A flexible dialect that can be used in a CA pool's certificate issuance policies and certificate templates.
- A more limited dialect that can be used in IAM conditions.

CEL dialect for certificate issuance policies and certificate templates
-----------------------------------------------------------------------

When creating a CA pool or a certificate template, you can specify a CEL expression as part of the certificate identity constraints. The CEL expression lets you validate the Subject and Subject Alternative Name (SAN) fields of the certificate request; a request whose Subject or SANs don't satisfy the expression is rejected.

For more information about issuance policies, see [Add certificate issuance policies](/certificate-authority-service/docs/use-issuance-policy).

For more information about certificate templates, see [Overview of policy controls](/certificate-authority-service/docs/policy-controls).

The CEL dialect for the identity constraints of CA pools and certificate templates exposes the following variables for accessing and validating the subject and SAN fields:

- Subject: `subject`
- SAN: `subject_alt_names`

#### Subject

You can validate all the fields in a certificate's subject distinguished name (including the common name), as specified in the certificate request, using a variable of type `Subject` named `subject`.

`Subject` is a structure whose fields correspond to the attributes of the subject distinguished name; the examples below use `subject.common_name` and `subject.country_code`.

#### Subject Alternative Names (SANs)

You can validate all SANs as specified in the certificate request using the `subject_alt_names` variable.
The `subject_alt_names` variable contains a list of SAN structs, one for each requested SAN, where each SAN is of type `SubjectAltName`.

`SubjectAltName` is a struct whose fields describe one SAN; the examples below use `san.type`, `san.value`, and, for custom SANs, `san.oid`.

You can use the following values for the `SubjectAltName` type:

- `DNS`
- `URI`
- `EMAIL`
- `IP_ADDRESS`
- `CUSTOM`

You can use the following macros on SANs:

- `subject_alt_names.all(san, predicate)`
- `subject_alt_names.exists(san, predicate)`
- `subject_alt_names.exists_one(san, predicate)`
- `subject_alt_names.filter(san, predicate)`

For more information about macros, see [Language definition: Macros](https://github.com/google/cel-spec/blob/master/doc/langdef.md#macros).

Keep in mind that `all` is vacuously true for an empty list: a request that carries no SANs at all satisfies any `subject_alt_names.all(...)` constraint on its own. If every certificate must carry a SAN, also require `subject_alt_names.size() > 0`.

| **Note:** CA Service doesn't support CEL expressions with nested macros. We recommend that you combine single-level macros with the `&&` and `||` operators to implement the same check.

### Example expressions

**Ensuring a specific common name and a set of countries**

    subject.common_name == "google.com" && (subject.country_code == "US" || subject.country_code == "IR")

**Ensuring all SANs are DNS names that end with a custom suffix**

    subject_alt_names.all(san, san.type == DNS && san.value.endsWith(".test.com"))

Note the leading dot in the suffix: `endsWith(".test.com")` rejects `evil-test.com`, whereas `endsWith("test.com")` would accept it.

**Ensuring all SANs are of type DNS or EMAIL**

    subject_alt_names.all(san, san.type == DNS || san.type == EMAIL)

**Ensuring only one custom SAN with a specific OID**

    subject_alt_names.size() == 1 && subject_alt_names[0].oid == [1, 2, 3, 5, 17]

**Ensuring all SANs are custom SANs with one of a set of OIDs**

    subject_alt_names.all(san, san.oid == [1, 2, 4, 5, 55] || san.oid == [1, 2, 4, 5, 54])

CEL dialect for IAM policies
----------------------------

Use IAM conditions to subject IAM role bindings to a conditional expression. If the condition evaluates to `true`, the IAM role binding is effective; otherwise it is ignored.
CA Service lets you add IAM conditional bindings to a CA pool.

The IAM condition is a CEL expression that references a set of contextual attributes about the request and evaluates to a boolean. Users set conditions on the role bindings in an IAM policy, which is stored by IAM and evaluated to see whether the operation that is about to be performed is permitted.

For more information about IAM conditions, see [Overview of IAM conditions](/iam/docs/conditions-overview).

The following attributes are exposed during CEL evaluation of IAM conditions. Each is read through `api.getAttribute(name, default)`, where the second argument is the value returned when the request doesn't carry the attribute:

- **`privateca.googleapis.com/subject`**

  Accessible as `api.getAttribute('privateca.googleapis.com/subject', {})`. The subject fields (for example `organization` and `country_code`) are looked up by key on the returned map.

- **`privateca.googleapis.com/subject_alt_names`**

  Accessible as `api.getAttribute('privateca.googleapis.com/subject_alt_names', [])`. The returned list holds the requested SANs as strings prefixed with their type, such as `dns:sample1.prod.example.com`.

- **`privateca.googleapis.com/template`**

  Accessible as `api.getAttribute('privateca.googleapis.com/template', '')`.

The template name provided in the IAM condition must match the template name in the certificate request. So, if you're providing a project ID in the `privateca.googleapis.com/template` attribute of the CEL expression, you must also provide a project ID when requesting the certificate.
If you provide a project number in the CEL expression, you must provide a project number in the certificate request as well.

### Example expressions

**Ensuring that all subjects have organization set as `Example` and country code set as `US` or `UK`**

    api.getAttribute('privateca.googleapis.com/subject', {})['organization'] == 'Example' &&
    api.getAttribute('privateca.googleapis.com/subject', {})['country_code'] in ['US', 'UK']

**Ensuring that the certificate request only includes the given DNS SANs**

    api.getAttribute('privateca.googleapis.com/subject_alt_names', [])
    .hasOnly(['dns:sample1.prod.example.com', 'dns:sample2.prod.example.com'])

`hasOnly` checks that every element of the list is in the allowed set, so it is also satisfied by a request with no SANs at all; combine it with a subject or template check if that matters for your binding.

**Ensuring that all certificates use a specific template**

    api.getAttribute('privateca.googleapis.com/template', '') == 'my-project-pki/-/leaf-server-tls'

What's next
-----------

- Read the [introduction to CEL](https://github.com/google/cel-spec/blob/master/doc/intro.md).
- Learn more about the [language definition for CEL](https://github.com/google/cel-spec/blob/master/doc/langdef.md).
- Learn about [certificate templates and issuance policies](/certificate-authority-service/docs/policy-controls).
- Read the [overview of IAM conditions](/iam/docs/conditions-overview).
- Learn how to [add a certificate issuance policy to a CA pool](/certificate-authority-service/docs/use-issuance-policy).
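The script below is an added example, not code from the CA Service documentation or the `gcloud` project. It shows how the two kinds of expression described on this page are actually wired in: the identity-constraint CEL goes into a CA pool issuance policy (and, optionally, a certificate template), while the IAM-condition CEL goes into a conditional `roles/privateca.certificateRequester` binding on the pool. All resource names (pool `leaf-pool`, template `leaf-server-tls`, location `us-central1`, the service account member) are placeholders I made up, and the `gcloud` flag names (`--issuance-policy`, `--identity-cel-expression`, `--copy-subject`, `--copy-sans`, `--condition-from-file`) are as I recall them; confirm them with `gcloud privateca ... --help` before relying on them. Running the script only writes the two YAML files; the `apply_*`/`create_*` functions that call `gcloud` are for you to invoke afterwards.

```shell
#!/bin/sh
# Added example (not from the CA Service docs): wire this page's CEL
# expressions into a CA pool issuance policy, a certificate template, and a
# conditional IAM binding on the pool.
# Assumptions (placeholders, not real resources): pool "leaf-pool", template
# "leaf-server-tls", location "us-central1", member
# "serviceAccount:cert-requester@my-project-pki.iam.gserviceaccount.com".
# gcloud flag names are as I recall them; confirm with `gcloud ... --help`.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Identity constraint for the pool and template. The size() guard closes the
# gap that all() alone leaves open: all() is true for a request with no SANs.
IDENTITY_CEL='subject_alt_names.size() > 0 && subject_alt_names.all(san, san.type == DNS && san.value.endsWith(".test.com"))'

# 1. Issuance policy YAML (IssuancePolicy resource fields). The expression
#    goes under identityConstraints.celExpression; the two passthrough flags
#    decide whether the requested subject and SANs are copied into the issued
#    certificate at all.
write_issuance_policy() {
  file="$OUT_DIR/issuance-policy.yaml"
  cat > "$file" <<EOF
identityConstraints:
  allowSubjectPassthrough: true
  allowSubjectAltNamesPassthrough: true
  celExpression:
    title: "DNS SANs under .test.com only"
    expression: '$IDENTITY_CEL'
EOF
  printf '%s\n' "$file"
}

apply_issuance_policy() {  # usage: apply_issuance_policy POOL LOCATION FILE
  gcloud privateca pools update "$1" --location="$2" --issuance-policy="$3"
}

# 2. The same constraint on a certificate template, so it also applies to
#    certificates requested with --template.
create_template() {  # usage: create_template TEMPLATE LOCATION
  gcloud privateca templates create "$1" --location="$2" \
    --copy-subject --copy-sans \
    --identity-cel-expression="$IDENTITY_CEL"
}

# 3. IAM condition for the certificate requester role. The expression contains
#    commas, which the inline --condition=expression=...,title=... syntax would
#    split on, so it is passed as a file. The condition names the template by
#    project ID, so certificate requests must name it by project ID as well.
write_iam_condition() {
  file="$OUT_DIR/requester-condition.yaml"
  cat > "$file" <<'EOF'
title: "prod SANs via approved template"
description: "Requester may only obtain the two prod DNS SANs through leaf-server-tls"
expression: >-
  api.getAttribute('privateca.googleapis.com/subject_alt_names', []).hasOnly(['dns:sample1.prod.example.com', 'dns:sample2.prod.example.com']) &&
  api.getAttribute('privateca.googleapis.com/template', '') == 'my-project-pki/-/leaf-server-tls'
EOF
  printf '%s\n' "$file"
}

apply_iam_condition() {  # usage: apply_iam_condition POOL LOCATION MEMBER FILE
  gcloud privateca pools add-iam-policy-binding "$1" --location="$2" \
    --member="$3" --role="roles/privateca.certificateRequester" \
    --condition-from-file="$4"
}

POLICY_FILE="$(write_issuance_policy)"
CONDITION_FILE="$(write_iam_condition)"
echo "wrote $POLICY_FILE and $CONDITION_FILE"
echo "next: apply_issuance_policy leaf-pool us-central1 $POLICY_FILE"
echo "      create_template leaf-server-tls us-central1"
echo "      apply_iam_condition leaf-pool us-central1 serviceAccount:cert-requester@my-project-pki.iam.gserviceaccount.com $CONDITION_FILE"
```

Two points worth noticing in the output files: the issuance-policy expression is written as a YAML single-quoted scalar so the double quotes inside the CEL survive untouched, and the IAM condition is written as a folded (`>-`) block so the multi-line expression is joined with spaces rather than having to be escaped on the command line.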