Roles and permissions

Stay organized with collections Save and categorize content based on your preferences.

This page lists the permissions required by Certificate Manager and the Identity and Access Management roles that encapsulate them.

Permissions

This section lists the permissions required to perform specific operations in Certificate Manager.

Operation and method Resource Permission
Create a certificate

certificates.create
Certificates certificatemanager.certs.create on the target Cloud project. If using DNS authorization, also requires certificatemanager.dnsauthorizations.use on each associated DNS authorization.
List certificates

certificates.list
Certificates certificatemanager.certs.list on the target Cloud project
Retrieve a certificate

certificates.get
Certificates certificatemanager.certs.get on the target certificate
Update a certificate

certificates.patch
Certificates certificatemanager.certs.update on the target certificate
Delete a certificate

certificates.delete
Certificates certificatemanager.certs.delete on the target certificate
Create a certificate map

certificateMaps.create
Certificate maps certificatemanager.certmaps.create on the target Cloud project
List certificate maps

certificateMaps.list
Certificate maps certificatemanager.certmaps.list on the target Cloud project
Retrieve a certificate map

certificateMaps.get
Certificate maps certificatemanager.certmaps.get on the target certificate map
Update a certificate map

certificateMaps.patch
Certificate maps certificatemanager.certmaps.update on the target certificate map
Delete a certificate map

certificateMaps.delete
Certificate maps certificatemanager.certmaps.delete on the target certificate map
Create a certificate map entry

certificateMaps.certificateMapEntries.create
Certificate map entries certificatemanager.certmapentries.create on the target certificate map and certificatemanager.certs.use on each associated certificate.
List certificate map entries

certificateMaps.certificateMapEntries.list
Certificate map entries certificatemanager.certmapentries.list on the target certificate map
Retrieve a certificate map entry

certificateMaps.certificateMapEntries.get
Certificate map entries certificatemanager.certmapentries.get on the target certificate map entry
Update a certificate map entry

certificateMaps.certificateMapEntries.patch
Certificate map entries certificatemanager.certmapentries.update on the target certificate map entry and certificatemanager.certs.use on each associated certificate.
Delete a certificate map entry

certificateMaps.certificateMapEntries.delete
Certificate map entries certificatemanager.certmapentries.delete on the target certificate map entry
Create a DNS authorization

dnsAuthorizations.create
DNS authorizations certificatemanager.dnsauthorizations.create on the target Cloud project
List DNS authorizations

dnsAuthorizations.list
DNS authorizations certificatemanager.dnsauthorizations.list on the target Cloud project
Retrieve a DNS authorization

dnsAuthorizations.get
DNS authorizations certificatemanager.dnsauthorizations.get on the target DNS authorization
Update a DNS authorization

dnsAuthorizations.patch
DNS authorizations certificatemanager.dnsauthorizations.update on the target DNS authorization
Delete a DNS authorization

dnsAuthorizations.delete
DNS authorizations certificatemanager.dnsauthorizations.delete on the target DNS authorization
Create a certificate issuance config

certificiateIssuanceConfigs.create
Certificate issuance configs certificatemanager.certissuanceconfigs.create on the target Cloud project
List certificate issuance configs

certificiateIssuanceConfigs.list
Certificate issuance configs certificatemanager.certissuanceconfigs.list on the target Cloud project
Retrieve a certificate issuance config

certificiateIssuanceConfigs.get
Certificate issuance configs certificatemanager.certissuanceconfigs.get on the target certificate issuance config
Delete a certificate issuance config

certificiateIssuanceConfigs.delete
Certificate issuance configs certificatemanager.certissuanceconfigs.delete on the target certificate issuance config
Create an external account key

externalAccountKeys.create
External account keys publicca.externalAccountKeys.create on the target Cloud project

Roles

This section lists the IAM roles that encapsulate Certificate Manager permissions.

Certificate Manager roles for Cloud projects

The following table lists the Cloud project roles and the Certificate Manager permissions they encapsulate.

Role Permissions

(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

  • certificatemanager.locations.get
  • certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

Contains 4 owner permissions

certificatemanager.*

  • certificatemanager.certissuanceconfigs.create
  • certificatemanager.certissuanceconfigs.delete
  • certificatemanager.certissuanceconfigs.get
  • certificatemanager.certissuanceconfigs.list
  • certificatemanager.certissuanceconfigs.update
  • certificatemanager.certissuanceconfigs.use
  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.delete
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.getIamPolicy
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.setIamPolicy
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.delete
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.getIamPolicy
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.setIamPolicy
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.delete
  • certificatemanager.certs.get
  • certificatemanager.certs.getIamPolicy
  • certificatemanager.certs.list
  • certificatemanager.certs.setIamPolicy
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.delete
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.getIamPolicy
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.setIamPolicy
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.get
  • certificatemanager.locations.list
  • certificatemanager.operations.cancel
  • certificatemanager.operations.delete
  • certificatemanager.operations.get
  • certificatemanager.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

  • certificatemanager.locations.get
  • certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Public CA roles for Cloud projects

The following roles and the permissions they encapsulate are required specifically for Certificate Manager Public CA operations:

Role Permissions
Public CA External Account Key Creator
(roles/publicca.externalAccountKeyCreator)

Create access for Public CA external key account resources.

resourcemanager.projects.get
resourcemanager.projects.list
publicca.externalAccountKeys.create

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least needed privilege. For instructions, see Creating and managing custom roles.

What's next