This page lists the permissions required by Certificate Manager and the Identity and Access Management roles that encapsulate them.
Permissions
This section lists the permissions required to perform specific operations in Certificate Manager.
Operation and method | Resource | Permission |
---|---|---|
Create a certificate (certificates.create) | Certificates | certificatemanager.certs.create on the target Cloud project. If using DNS authorization, also requires certificatemanager.dnsauthorizations.use on each associated DNS authorization. |
List certificates (certificates.list) | Certificates | certificatemanager.certs.list on the target Cloud project |
Retrieve a certificate (certificates.get) | Certificates | certificatemanager.certs.get on the target certificate |
Update a certificate (certificates.patch) | Certificates | certificatemanager.certs.update on the target certificate |
Delete a certificate (certificates.delete) | Certificates | certificatemanager.certs.delete on the target certificate |
Create a certificate map (certificateMaps.create) | Certificate maps | certificatemanager.certmaps.create on the target Cloud project |
List certificate maps (certificateMaps.list) | Certificate maps | certificatemanager.certmaps.list on the target Cloud project |
Retrieve a certificate map (certificateMaps.get) | Certificate maps | certificatemanager.certmaps.get on the target certificate map |
Update a certificate map (certificateMaps.patch) | Certificate maps | certificatemanager.certmaps.update on the target certificate map |
Delete a certificate map (certificateMaps.delete) | Certificate maps | certificatemanager.certmaps.delete on the target certificate map |
Create a certificate map entry (certificateMaps.certificateMapEntries.create) | Certificate map entries | certificatemanager.certmapentries.create on the target certificate map and certificatemanager.certs.use on each associated certificate. |
List certificate map entries (certificateMaps.certificateMapEntries.list) | Certificate map entries | certificatemanager.certmapentries.list on the target certificate map |
Retrieve a certificate map entry (certificateMaps.certificateMapEntries.get) | Certificate map entries | certificatemanager.certmapentries.get on the target certificate map entry |
Update a certificate map entry (certificateMaps.certificateMapEntries.patch) | Certificate map entries | certificatemanager.certmapentries.update on the target certificate map entry and certificatemanager.certs.use on each associated certificate. |
Delete a certificate map entry (certificateMaps.certificateMapEntries.delete) | Certificate map entries | certificatemanager.certmapentries.delete on the target certificate map entry |
Create a DNS authorization (dnsAuthorizations.create) | DNS authorizations | certificatemanager.dnsauthorizations.create on the target Cloud project |
List DNS authorizations (dnsAuthorizations.list) | DNS authorizations | certificatemanager.dnsauthorizations.list on the target Cloud project |
Retrieve a DNS authorization (dnsAuthorizations.get) | DNS authorizations | certificatemanager.dnsauthorizations.get on the target DNS authorization |
Update a DNS authorization (dnsAuthorizations.patch) | DNS authorizations | certificatemanager.dnsauthorizations.update on the target DNS authorization |
Delete a DNS authorization (dnsAuthorizations.delete) | DNS authorizations | certificatemanager.dnsauthorizations.delete on the target DNS authorization |
Create a certificate issuance config (certificateIssuanceConfigs.create) | Certificate issuance configs | certificatemanager.certissuanceconfigs.create on the target Cloud project |
List certificate issuance configs (certificateIssuanceConfigs.list) | Certificate issuance configs | certificatemanager.certissuanceconfigs.list on the target Cloud project |
Retrieve a certificate issuance config (certificateIssuanceConfigs.get) | Certificate issuance configs | certificatemanager.certissuanceconfigs.get on the target certificate issuance config |
Delete a certificate issuance config (certificateIssuanceConfigs.delete) | Certificate issuance configs | certificatemanager.certissuanceconfigs.delete on the target certificate issuance config |
Create an external account key (externalAccountKeys.create) | External account keys | publicca.externalAccountKeys.create on the target Cloud project |
Roles
This section lists the IAM roles that encapsulate Certificate Manager permissions.
Certificate Manager roles for Cloud projects
The following table lists the Cloud project roles and the Certificate Manager permissions they encapsulate.
Role | Permissions |
---|---|
Certificate Manager Editor: edit access to all Certificate Manager resources. | certificatemanager.certs.get, certificatemanager.certs.list, certificatemanager.certs.use, certificatemanager.locations.*, further certificatemanager.… permissions, resourcemanager.projects.get, resourcemanager.projects.list |
Certificate Manager Owner: full access to all Certificate Manager resources. Contains 4 owner permissions. | certificatemanager.*, resourcemanager.projects.get, resourcemanager.projects.list |
Certificate Manager Viewer: read-only access to all Certificate Manager resources. | certificatemanager.certs.get, certificatemanager.certs.list, certificatemanager.locations.*, further certificatemanager.… permissions, resourcemanager.projects.get, resourcemanager.projects.list |
Public CA roles for Cloud projects
The following roles and the permissions they encapsulate are required specifically for Certificate Manager Public CA operations:
Role | Permissions |
---|---|
Public CA External Account Key Creator (roles/publicca.externalAccountKeyCreator): create access for Public CA external account key resources. | resourcemanager.projects.get, resourcemanager.projects.list, publicca.externalAccountKeys.create |
Custom roles
Google Cloud also lets you create custom roles that encapsulate only the permissions your business needs, for example to apply the principle of least privilege. For instructions, see Creating and managing custom roles.
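The permission table above has two rules that are easy to get wrong when building a custom role or debugging a denied request: some permissions are needed on the target Cloud project, others on the target resource, and creating or updating a certificate map entry (or a certificate with DNS authorization) additionally needs a permission on each associated resource. The following checker is an added example and not Google's code or an API client; it transcribes the table into data, evaluates a request against a principal's granted, resource-scoped permissions (honouring IAM inheritance from the project and the certificatemanager.* pattern used in the role table), and derives the smallest permission set a custom role needs for a chosen set of operations. All resource names are constructed samples.

```python
"""Checker for the Certificate Manager permission table on this page.
Added example, not Google's code: calls no API, only models the table."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

PROJECT, TARGET, EACH = "project", "target", "each"   # where a permission must be held


@dataclass(frozen=True)
class Req:
    permission: str
    scope: str      # PROJECT: the Cloud project; TARGET: the request's primary
                    # resource; EACH: every associated resource of the given kind
    kind: str = ""  # associated-resource kind, only used with EACH


# Transcription of the page's permission table, keyed by API method.
REQUIREMENTS: Dict[str, List[Req]] = {
    "certificates.create": [Req("certificatemanager.certs.create", PROJECT),
                            Req("certificatemanager.dnsauthorizations.use", EACH, "dnsAuthorizations")],
    "certificates.list": [Req("certificatemanager.certs.list", PROJECT)],
    "certificates.get": [Req("certificatemanager.certs.get", TARGET)],
    "certificates.patch": [Req("certificatemanager.certs.update", TARGET)],
    "certificates.delete": [Req("certificatemanager.certs.delete", TARGET)],
    "certificateMaps.create": [Req("certificatemanager.certmaps.create", PROJECT)],
    "certificateMaps.list": [Req("certificatemanager.certmaps.list", PROJECT)],
    "certificateMaps.get": [Req("certificatemanager.certmaps.get", TARGET)],
    "certificateMaps.patch": [Req("certificatemanager.certmaps.update", TARGET)],
    "certificateMaps.delete": [Req("certificatemanager.certmaps.delete", TARGET)],
    "certificateMaps.certificateMapEntries.create": [Req("certificatemanager.certmapentries.create", TARGET),
                                                     Req("certificatemanager.certs.use", EACH, "certificates")],
    "certificateMaps.certificateMapEntries.list": [Req("certificatemanager.certmapentries.list", TARGET)],
    "certificateMaps.certificateMapEntries.get": [Req("certificatemanager.certmapentries.get", TARGET)],
    "certificateMaps.certificateMapEntries.patch": [Req("certificatemanager.certmapentries.update", TARGET),
                                                    Req("certificatemanager.certs.use", EACH, "certificates")],
    "certificateMaps.certificateMapEntries.delete": [Req("certificatemanager.certmapentries.delete", TARGET)],
    "dnsAuthorizations.create": [Req("certificatemanager.dnsauthorizations.create", PROJECT)],
    "dnsAuthorizations.list": [Req("certificatemanager.dnsauthorizations.list", PROJECT)],
    "dnsAuthorizations.get": [Req("certificatemanager.dnsauthorizations.get", TARGET)],
    "dnsAuthorizations.patch": [Req("certificatemanager.dnsauthorizations.update", TARGET)],
    "dnsAuthorizations.delete": [Req("certificatemanager.dnsauthorizations.delete", TARGET)],
    "certificateIssuanceConfigs.create": [Req("certificatemanager.certissuanceconfigs.create", PROJECT)],
    "certificateIssuanceConfigs.list": [Req("certificatemanager.certissuanceconfigs.list", PROJECT)],
    "certificateIssuanceConfigs.get": [Req("certificatemanager.certissuanceconfigs.get", TARGET)],
    "certificateIssuanceConfigs.delete": [Req("certificatemanager.certissuanceconfigs.delete", TARGET)],
    "externalAccountKeys.create": [Req("publicca.externalAccountKeys.create", PROJECT)],
}

Grant = Tuple[str, str]   # (permission or "prefix.*" pattern, resource name it was granted on)


def _perm_matches(pattern: str, permission: str) -> bool:
    """The role table uses patterns such as certificatemanager.*; treat them as prefixes."""
    return permission.startswith(pattern[:-1]) if pattern.endswith(".*") else pattern == permission


def _within(resource: str, ancestor: str) -> bool:
    """IAM bindings are inherited: a grant on projects/p covers projects/p/locations/..."""
    return resource == ancestor or resource.startswith(ancestor + "/")


def has_permission(grants: Set[Grant], permission: str, resource: str) -> bool:
    return any(_perm_matches(p, permission) and _within(resource, r) for p, r in grants)


def missing_permissions(grants: Set[Grant], method: str, project: str, target: str = "",
                        associated: Optional[Dict[str, List[str]]] = None) -> List[Grant]:
    """(permission, resource) pairs the principal still lacks for `method`; empty means allowed."""
    associated = associated or {}
    missing: List[Grant] = []
    for req in REQUIREMENTS[method]:
        if req.scope == PROJECT:
            resources = [project]
        elif req.scope == TARGET:
            resources = [target]
        else:                                   # EACH: no associated resources, no extra permission
            resources = associated.get(req.kind, [])
        missing += [(req.permission, r) for r in resources if not has_permission(grants, req.permission, r)]
    return missing


def custom_role_permissions(methods: Iterable[str]) -> List[str]:
    """Smallest permission set a custom role needs to allow exactly these methods."""
    return sorted({req.permission for m in methods for req in REQUIREMENTS[m]})


if __name__ == "__main__":
    proj = "projects/example-project"            # constructed sample resource names
    cmap = proj + "/locations/global/certificateMaps/web-map"
    certs = [proj + "/locations/global/certificates/site-a", proj + "/locations/global/certificates/site-b"]
    # The operator may create entries in the map but holds certs.use on only one of the two certificates.
    grants = {("certificatemanager.certmapentries.create", cmap), ("certificatemanager.certs.use", certs[0])}
    print(missing_permissions(grants, "certificateMaps.certificateMapEntries.create", proj, cmap,
                              {"certificates": certs}))
    print(custom_role_permissions(["certificateMaps.certificateMapEntries.create", "certificates.get"]))
```

Run as a script it reports the one missing (certificatemanager.certs.use, site-b) pair, which is the kind of partial grant that produces a permission-denied error even though the map-entry permission itself is present. The custom_role_permissions output is the permission list to pass when defining a least-privilege custom role for just those operations; the checker models IAM inheritance only down the project hierarchy, so a grant on a sibling resource never satisfies a requirement.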
What's next
- Deploy a Google-managed certificate with DNS authorization (tutorial)
- Deploy a Google-managed certificate with load balancer authorization (tutorial)
- Deploy a self-managed certificate (tutorial)
- Migrate a certificate to Certificate Manager
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations