Roles and permissions

This page lists the permissions that Certificate Manager requires and the Identity and Access Management (IAM) roles that encapsulate those permissions.

Permissions

This section lists the permissions required to perform specific operations in Certificate Manager.

| Operation and method | Resource | Permission |
| --- | --- | --- |
| Create certificate (certificates.create) | Certificate | certificatemanager.certs.create on the target Google Cloud project. If DNS authorization is used, certificatemanager.dnsauthorizations.use is also required on each associated DNS authorization. |
| List certificates (certificates.list) | Certificate | certificatemanager.certs.list on the target Google Cloud project |
| Retrieve certificate (certificates.get) | Certificate | certificatemanager.certs.get on the target certificate |
| Update certificate (certificates.patch) | Certificate | certificatemanager.certs.update on the target certificate |
| Attach certificate to a resource | Certificate | certificatemanager.certs.use on the target certificate |
| Delete certificate (certificates.delete) | Certificate | certificatemanager.certs.delete on the target certificate |
| Create certificate map (certificateMaps.create) | Certificate map | certificatemanager.certmaps.create on the target Google Cloud project |
| List certificate maps (certificateMaps.list) | Certificate map | certificatemanager.certmaps.list on the target Google Cloud project |
| Retrieve certificate map (certificateMaps.get) | Certificate map | certificatemanager.certmaps.get on the target certificate map |
| Update certificate map (certificateMaps.patch) | Certificate map | certificatemanager.certmaps.update on the target certificate map |
| Attach certificate map to a resource | Certificate map | certificatemanager.certmaps.use on the target certificate map |
| Delete certificate map (certificateMaps.delete) | Certificate map | certificatemanager.certmaps.delete on the target certificate map |
| Create certificate map entry (certificateMaps.certificateMapEntries.create) | Certificate map entry | certificatemanager.certmapentries.create on the target certificate map and certificatemanager.certs.use on each associated certificate |
| List certificate map entries (certificateMaps.certificateMapEntries.list) | Certificate map entry | certificatemanager.certmapentries.list on the target certificate map |
| Retrieve certificate map entry (certificateMaps.certificateMapEntries.get) | Certificate map entry | certificatemanager.certmapentries.get on the target certificate map entry |
| Update certificate map entry (certificateMaps.certificateMapEntries.patch) | Certificate map entry | certificatemanager.certmapentries.update on the target certificate map entry and certificatemanager.certs.use on each associated certificate |
| Delete certificate map entry (certificateMaps.certificateMapEntries.delete) | Certificate map entry | certificatemanager.certmapentries.delete on the target certificate map entry |
| Create DNS authorization (dnsAuthorizations.create) | DNS authorization | certificatemanager.dnsauthorizations.create on the target Google Cloud project |
| List DNS authorizations (dnsAuthorizations.list) | DNS authorization | certificatemanager.dnsauthorizations.list on the target Google Cloud project |
| Retrieve DNS authorization (dnsAuthorizations.get) | DNS authorization | certificatemanager.dnsauthorizations.get on the target DNS authorization |
| Update DNS authorization (dnsAuthorizations.patch) | DNS authorization | certificatemanager.dnsauthorizations.update on the target DNS authorization |
| Delete DNS authorization (dnsAuthorizations.delete) | DNS authorization | certificatemanager.dnsauthorizations.delete on the target DNS authorization |
| Create certificate issuance config (certificateIssuanceConfigs.create) | Certificate issuance config | certificatemanager.certissuanceconfigs.create on the target Google Cloud project |
| List certificate issuance configs (certificateIssuanceConfigs.list) | Certificate issuance config | certificatemanager.certissuanceconfigs.list on the target Google Cloud project |
| Retrieve certificate issuance config (certificateIssuanceConfigs.get) | Certificate issuance config | certificatemanager.certissuanceconfigs.get on the target certificate issuance config |
| Delete certificate issuance config (certificateIssuanceConfigs.delete) | Certificate issuance config | certificatemanager.certissuanceconfigs.delete on the target certificate issuance config |
| Create trust config (trustConfigs.create) | Trust config | certificatemanager.trustconfigs.create on the target Google Cloud project |
| List trust configs (trustConfigs.list) | Trust config | certificatemanager.trustconfigs.list on the target Google Cloud project |
| Update trust config (trustConfigs.patch) | Trust config | certificatemanager.trustconfigs.update on the target trust config |
| Get trust config status (trustConfigs.get) | Trust config | certificatemanager.trustconfigs.get on the target trust config |
| Attach trust config to a resource | Trust config | certificatemanager.trustconfigs.use on the target trust config |
| Delete trust config (trustConfigs.delete) | Trust config | certificatemanager.trustconfigs.delete on the target trust config |
| Create external account key (externalAccountKeys.create) | External account key | publicca.externalAccountKeys.create on the target Google Cloud project |

Roles

This section lists the IAM roles that encapsulate Certificate Manager permissions.

Certificate Manager roles for Google Cloud projects

The following table lists the Google Cloud project roles and the Certificate Manager permissions each one encapsulates.

Role: roles/certificatemanager.editor

Edit access to all Certificate Manager resources.

Permissions:

  • certificatemanager.certissuanceconfigs.create
  • certificatemanager.certissuanceconfigs.get
  • certificatemanager.certissuanceconfigs.list
  • certificatemanager.certissuanceconfigs.update
  • certificatemanager.certissuanceconfigs.use
  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.get
  • certificatemanager.certs.list
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.* (certificatemanager.locations.get, certificatemanager.locations.list)
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • certificatemanager.trustconfigs.create
  • certificatemanager.trustconfigs.get
  • certificatemanager.trustconfigs.list
  • certificatemanager.trustconfigs.update
  • certificatemanager.trustconfigs.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/certificatemanager.owner

Full access to all Certificate Manager resources.

Permissions:

  • certificatemanager.* (every Certificate Manager permission, expanded below)
  • certificatemanager.certissuanceconfigs.create
  • certificatemanager.certissuanceconfigs.delete
  • certificatemanager.certissuanceconfigs.get
  • certificatemanager.certissuanceconfigs.list
  • certificatemanager.certissuanceconfigs.update
  • certificatemanager.certissuanceconfigs.use
  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.delete
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.delete
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.delete
  • certificatemanager.certs.get
  • certificatemanager.certs.list
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.delete
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.get
  • certificatemanager.locations.list
  • certificatemanager.operations.cancel
  • certificatemanager.operations.delete
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • certificatemanager.trustconfigs.create
  • certificatemanager.trustconfigs.delete
  • certificatemanager.trustconfigs.get
  • certificatemanager.trustconfigs.list
  • certificatemanager.trustconfigs.update
  • certificatemanager.trustconfigs.use
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Role: roles/certificatemanager.viewer

Read-only access to all Certificate Manager resources.

Permissions:

  • certificatemanager.certissuanceconfigs.get
  • certificatemanager.certissuanceconfigs.list
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.list
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certs.get
  • certificatemanager.certs.list
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.locations.* (certificatemanager.locations.get, certificatemanager.locations.list)
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • certificatemanager.trustconfigs.get
  • certificatemanager.trustconfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

Public CA roles for Google Cloud projects

The following role, and the permissions it encapsulates, is used specifically for public CA operations:

Role: Public CA External Account Key Creator (roles/publicca.externalAccountKeyCreator)

Create access to public CA external account key resources.

Permissions:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • publicca.externalAccountKeys.create

Custom roles

Google Cloud also lets you create custom roles that encapsulate only the permissions your workload needs, for example to apply the principle of least privilege instead of granting a broad predefined role. For instructions, see Creating and managing custom roles.
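As an added example (not part of this page or of the Certificate Manager product), the following POSIX shell script builds a least-privilege custom role for a "certificate deployer" from permissions listed in the table above and creates it with gcloud. The role id, project id, role title and the chosen permission set are assumptions for the example: they cover creating a certificate backed by DNS authorization and attaching it to a certificate map entry, and deliberately leave out every delete permission and all trust config and issuance config access. The need for certificatemanager.operations.get (to poll the long-running create operation) and resourcemanager.projects.get is also an assumption rather than something the table states.

```shell
#!/bin/sh
# Added example: define a least-privilege Certificate Manager custom role.
# PROJECT_ID, ROLE_ID and the role title are placeholders / assumptions.
PROJECT_ID="${PROJECT_ID:-example-project}"
ROLE_ID="${ROLE_ID:-certificateDeployer}"

# Permission set (all names taken from the permissions table on this page).
# certs.create + dnsauthorizations.use: create a DNS-authorized certificate.
# certmapentries.create/update + certs.use: attach the certificate to a map entry.
# operations.get and resourcemanager.projects.get: assumed to be needed for
# polling the create operation and for basic project access.
deployer_permissions() {
  cat <<'EOF'
certificatemanager.certs.create
certificatemanager.certs.get
certificatemanager.certs.list
certificatemanager.certs.use
certificatemanager.dnsauthorizations.use
certificatemanager.certmapentries.create
certificatemanager.certmapentries.update
certificatemanager.operations.get
resourcemanager.projects.get
EOF
}

# Write a gcloud role definition (YAML) to the path given as $1.
write_role_yaml() {
  out="$1"
  {
    echo "title: Certificate Deployer"
    echo "description: Least-privilege role for issuing and attaching certificates"
    echo "stage: GA"
    echo "includedPermissions:"
    deployer_permissions | sed 's/^/- /'
  } > "$out"
}

# Guard rail: a deployer role must never carry a delete permission.
# Returns 0 (true) if any permission in the set ends in ".delete".
has_delete_permission() {
  deployer_permissions | grep -q '\.delete$'
}

# Create the role in the project. Refuses to proceed if the guard rail trips.
create_role() {
  yaml=$(mktemp)
  write_role_yaml "$yaml"
  if has_delete_permission; then
    echo "refusing: role definition grants a delete permission" >&2
    rm -f "$yaml"
    return 1
  fi
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$yaml"
  status=$?
  rm -f "$yaml"
  return $status
}

# Only talk to gcloud when explicitly asked, so the script can be sourced
# and inspected without side effects: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_role
fi
```

Bind the resulting role to the deployer's service account with the usual gcloud projects add-iam-policy-binding, and review it the same way you would a predefined role: the point of the guard-rail function is that a later edit adding, say, certificatemanager.certs.delete is caught before the role reaches the project.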

What's next