Roles and permissions

This page lists the permissions required by Certificate Manager and the Identity and Access Management roles that encapsulate them.

Permissions

This section lists the permissions required to perform specific operations in Certificate Manager.

Operation and method	Resource	Permission
Create a certificate `certificates.create`	Certificates	`certificatemanager.certs.create` on the target Google Cloud project. If using DNS authorization, also requires `certificatemanager.dnsauthorizations.use` on each associated DNS authorization.
List certificates `certificates.list`	Certificates	`certificatemanager.certs.list` on the target Google Cloud project
Retrieve a certificate `certificates.get`	Certificates	`certificatemanager.certs.get` on the target certificate
Update a certificate `certificates.patch`	Certificates	`certificatemanager.certs.update` on the target certificate
Attach a certificate to a resource	Certificates	`certificatemanager.certs.use` on the target certificate
Delete a certificate `certificates.delete`	Certificates	`certificatemanager.certs.delete` on the target certificate
Create a certificate map `certificateMaps.create`	Certificate maps	`certificatemanager.certmaps.create` on the target Google Cloud project
List certificate maps `certificateMaps.list`	Certificate maps	`certificatemanager.certmaps.list` on the target Google Cloud project
Retrieve a certificate map `certificateMaps.get`	Certificate maps	`certificatemanager.certmaps.get` on the target certificate map
Update a certificate map `certificateMaps.patch`	Certificate maps	`certificatemanager.certmaps.update` on the target certificate map
Attach a certificate map to a resource	Certificate maps	`certificatemanager.certmaps.use` on the target certificate map
Delete a certificate map `certificateMaps.delete`	Certificate maps	`certificatemanager.certmaps.delete` on the target certificate map
Create a certificate map entry `certificateMaps.certificateMapEntries.create`	Certificate map entries	`certificatemanager.certmapentries.create` on the target certificate map and `certificatemanager.certs.use` on each associated certificate.
List certificate map entries `certificateMaps.certificateMapEntries.list`	Certificate map entries	`certificatemanager.certmapentries.list` on the target certificate map
Retrieve a certificate map entry `certificateMaps.certificateMapEntries.get`	Certificate map entries	`certificatemanager.certmapentries.get` on the target certificate map entry
Update a certificate map entry `certificateMaps.certificateMapEntries.patch`	Certificate map entries	`certificatemanager.certmapentries.update` on the target certificate map entry and `certificatemanager.certs.use` on each associated certificate.
Delete a certificate map entry `certificateMaps.certificateMapEntries.delete`	Certificate map entries	`certificatemanager.certmapentries.delete` on the target certificate map entry
Create a DNS authorization `dnsAuthorizations.create`	DNS authorizations	`certificatemanager.dnsauthorizations.create` on the target Google Cloud project
List DNS authorizations `dnsAuthorizations.list`	DNS authorizations	`certificatemanager.dnsauthorizations.list` on the target Google Cloud project
Retrieve a DNS authorization `dnsAuthorizations.get`	DNS authorizations	`certificatemanager.dnsauthorizations.get` on the target DNS authorization
Update a DNS authorization `dnsAuthorizations.patch`	DNS authorizations	`certificatemanager.dnsauthorizations.update` on the target DNS authorization
Delete a DNS authorization `dnsAuthorizations.delete`	DNS authorizations	`certificatemanager.dnsauthorizations.delete` on the target DNS authorization
Create a certificate issuance config `certificateIssuanceConfigs.create`	Certificate issuance configs	`certificatemanager.certissuanceconfigs.create` on the target Google Cloud project
List certificate issuance configs `certificateIssuanceConfigs.list`	Certificate issuance configs	`certificatemanager.certissuanceconfigs.list` on the target Google Cloud project
Retrieve a certificate issuance config `certificateIssuanceConfigs.get`	Certificate issuance configs	`certificatemanager.certissuanceconfigs.get` on the target certificate issuance config
Delete a certificate issuance config `certificateIssuanceConfigs.delete`	Certificate issuance configs	`certificatemanager.certissuanceconfigs.delete` on the target certificate issuance config
Create a trust config `trustConfigs.create`	Trust configs	`certificatemanager.trustconfigs.create` on the target Google Cloud project
List trust configs `trustConfigs.list`	Trust configs	`certificatemanager.trustconfigs.list` on the target Google Cloud project
Update a trust config `trustConfigs.patch`	Trust configs	`certificatemanager.trustconfigs.update` on the target trust config
Get the state of a trust config `trustConfigs.get`	Trust configs	`certificatemanager.trustconfigs.get` on the target trust config
Attach a trust config to a resource	Trust configs	`certificatemanager.trustconfigs.use` on the target trust config
Delete a trust config `trustConfigs.delete`	Trust configs	`certificatemanager.trustconfigs.delete` on the target trust config
Create an external account key `externalAccountKeys.create`	External account keys	`publicca.externalAccountKeys.create` on the target Google Cloud project

Roles

This section lists the IAM roles that encapsulate Certificate Manager permissions.

Certificate Manager roles for Google Cloud projects

The following table lists the Google Cloud project roles and the Certificate Manager permissions they encapsulate.

Role Permissions

Role	Permissions
Certificate Manager Editor (`roles/certificatemanager.editor`) Edit access to Certificate Manager all resources.	`certificatemanager.certissuanceconfigs.create` `certificatemanager.certissuanceconfigs.get` `certificatemanager.certissuanceconfigs.list` `certificatemanager.certissuanceconfigs.update` `certificatemanager.certissuanceconfigs.use` `certificatemanager.certmapentries.create` `certificatemanager.certmapentries.get` `certificatemanager.certmapentries.getIamPolicy` `certificatemanager.certmapentries.list` `certificatemanager.certmapentries.update` `certificatemanager.certmaps.create` `certificatemanager.certmaps.get` `certificatemanager.certmaps.getIamPolicy` `certificatemanager.certmaps.list` `certificatemanager.certmaps.update` `certificatemanager.certmaps.use` `certificatemanager.certs.create` `certificatemanager.certs.get` `certificatemanager.certs.getIamPolicy` `certificatemanager.certs.list` `certificatemanager.certs.update` `certificatemanager.certs.use` `certificatemanager.dnsauthorizations.create` `certificatemanager.dnsauthorizations.get` `certificatemanager.dnsauthorizations.getIamPolicy` `certificatemanager.dnsauthorizations.list` `certificatemanager.dnsauthorizations.update` `certificatemanager.dnsauthorizations.use` `certificatemanager.locations.*` `certificatemanager.locations.get` `certificatemanager.locations.list` `certificatemanager.operations.get` `certificatemanager.operations.list` `certificatemanager.trustconfigs.create` `certificatemanager.trustconfigs.get` `certificatemanager.trustconfigs.list` `certificatemanager.trustconfigs.update` `certificatemanager.trustconfigs.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Certificate Manager Owner (`roles/certificatemanager.owner`) Full access to Certificate Manager all resources.	`certificatemanager.*` `certificatemanager.certissuanceconfigs.create` `certificatemanager.certissuanceconfigs.delete` `certificatemanager.certissuanceconfigs.get` `certificatemanager.certissuanceconfigs.list` `certificatemanager.certissuanceconfigs.update` `certificatemanager.certissuanceconfigs.use` `certificatemanager.certmapentries.create` `certificatemanager.certmapentries.delete` `certificatemanager.certmapentries.get` `certificatemanager.certmapentries.getIamPolicy` `certificatemanager.certmapentries.list` `certificatemanager.certmapentries.setIamPolicy` `certificatemanager.certmapentries.update` `certificatemanager.certmaps.create` `certificatemanager.certmaps.delete` `certificatemanager.certmaps.get` `certificatemanager.certmaps.getIamPolicy` `certificatemanager.certmaps.list` `certificatemanager.certmaps.setIamPolicy` `certificatemanager.certmaps.update` `certificatemanager.certmaps.use` `certificatemanager.certs.create` `certificatemanager.certs.delete` `certificatemanager.certs.get` `certificatemanager.certs.getIamPolicy` `certificatemanager.certs.list` `certificatemanager.certs.setIamPolicy` `certificatemanager.certs.update` `certificatemanager.certs.use` `certificatemanager.dnsauthorizations.create` `certificatemanager.dnsauthorizations.delete` `certificatemanager.dnsauthorizations.get` `certificatemanager.dnsauthorizations.getIamPolicy` `certificatemanager.dnsauthorizations.list` `certificatemanager.dnsauthorizations.setIamPolicy` `certificatemanager.dnsauthorizations.update` `certificatemanager.dnsauthorizations.use` `certificatemanager.locations.get` `certificatemanager.locations.list` `certificatemanager.operations.cancel` `certificatemanager.operations.delete` `certificatemanager.operations.get` `certificatemanager.operations.list` `certificatemanager.trustconfigs.create` `certificatemanager.trustconfigs.delete` `certificatemanager.trustconfigs.get` `certificatemanager.trustconfigs.list` `certificatemanager.trustconfigs.update` `certificatemanager.trustconfigs.use` `resourcemanager.projects.get` `resourcemanager.projects.list`
Certificate Manager Viewer (`roles/certificatemanager.viewer`) Read-only access to Certificate Manager all resources.	`certificatemanager.certissuanceconfigs.get` `certificatemanager.certissuanceconfigs.list` `certificatemanager.certmapentries.get` `certificatemanager.certmapentries.getIamPolicy` `certificatemanager.certmapentries.list` `certificatemanager.certmaps.get` `certificatemanager.certmaps.getIamPolicy` `certificatemanager.certmaps.list` `certificatemanager.certs.get` `certificatemanager.certs.getIamPolicy` `certificatemanager.certs.list` `certificatemanager.dnsauthorizations.get` `certificatemanager.dnsauthorizations.getIamPolicy` `certificatemanager.dnsauthorizations.list` `certificatemanager.locations.*` `certificatemanager.locations.get` `certificatemanager.locations.list` `certificatemanager.operations.get` `certificatemanager.operations.list` `certificatemanager.trustconfigs.get` `certificatemanager.trustconfigs.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Certificate Manager Editor

(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

certificatemanager.locations.get
certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.create

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

certificatemanager.trustconfigs.update

certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

Certificate Manager Owner

(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

certificatemanager.*

certificatemanager.certissuanceconfigs.create
certificatemanager.certissuanceconfigs.delete
certificatemanager.certissuanceconfigs.get
certificatemanager.certissuanceconfigs.list
certificatemanager.certissuanceconfigs.update
certificatemanager.certissuanceconfigs.use
certificatemanager.certmapentries.create
certificatemanager.certmapentries.delete
certificatemanager.certmapentries.get
certificatemanager.certmapentries.getIamPolicy
certificatemanager.certmapentries.list
certificatemanager.certmapentries.setIamPolicy
certificatemanager.certmapentries.update
certificatemanager.certmaps.create
certificatemanager.certmaps.delete
certificatemanager.certmaps.get
certificatemanager.certmaps.getIamPolicy
certificatemanager.certmaps.list
certificatemanager.certmaps.setIamPolicy
certificatemanager.certmaps.update
certificatemanager.certmaps.use
certificatemanager.certs.create
certificatemanager.certs.delete
certificatemanager.certs.get
certificatemanager.certs.getIamPolicy
certificatemanager.certs.list
certificatemanager.certs.setIamPolicy
certificatemanager.certs.update
certificatemanager.certs.use
certificatemanager.dnsauthorizations.create
certificatemanager.dnsauthorizations.delete
certificatemanager.dnsauthorizations.get
certificatemanager.dnsauthorizations.getIamPolicy
certificatemanager.dnsauthorizations.list
certificatemanager.dnsauthorizations.setIamPolicy
certificatemanager.dnsauthorizations.update
certificatemanager.dnsauthorizations.use
certificatemanager.locations.get
certificatemanager.locations.list
certificatemanager.operations.cancel
certificatemanager.operations.delete
certificatemanager.operations.get
certificatemanager.operations.list
certificatemanager.trustconfigs.create
certificatemanager.trustconfigs.delete
certificatemanager.trustconfigs.get
certificatemanager.trustconfigs.list
certificatemanager.trustconfigs.update
certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

Certificate Manager Viewer

(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.getIamPolicy

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.getIamPolicy

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.getIamPolicy

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.getIamPolicy

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

certificatemanager.locations.get
certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

Public CA roles for Google Cloud projects

The following roles and the permissions they encapsulate are required specifically for Public CA operations:

Role	Permissions
Public CA External Account Key Creator (`roles/publicca.externalAccountKeyCreator`) Create access for Public CA external key account resources.	resourcemanager.projects.get resourcemanager.projects.list publicca.externalAccountKeys.create

Custom roles

Google Cloud also allows you to create custom roles that encapsulate permissions specific to your business needs, such as the principle of least needed privilege. For instructions, see Creating and managing custom roles.

Roles and permissions

Permissions

Roles

Certificate Manager roles for Google Cloud projects

Certificate Manager Editor

Certificate Manager Owner

Certificate Manager Viewer

Public CA roles for Google Cloud projects

Custom roles

What's next