角色与权限

本页面列出了 Certificate Manager 以及封装了这些权限的 Identity and Access Management 角色所需的权限。

权限

本部分列出了在 Certificate Manager 中执行特定操作所需的权限。

操作和方法 资源 权限
创建证书

certificates.create		 证书 针对目标 Google Cloud 项目的 certificatemanager.certs.create 权限。如果使用 DNS 授权,则每个关联的 DNS 授权也需要具有 certificatemanager.dnsauthorizations.use 权限。
列出证书

certificates.list		 证书 针对目标 Google Cloud 项目的 certificatemanager.certs.list 权限
检索证书

certificates.get		 证书 针对目标证书的 certificatemanager.certs.get 权限
更新证书

certificates.patch		 证书 针对目标证书的 certificatemanager.certs.update 权限
将证书附加到资源 证书 针对目标证书的 certificatemanager.certs.use 权限
删除证书

certificates.delete		 证书 针对目标证书的 certificatemanager.certs.delete 权限
创建证书映射

certificateMaps.create		 证书映射 针对目标 Google Cloud 项目的 certificatemanager.certmaps.create 权限
列出证书映射

certificateMaps.list		 证书映射 针对目标 Google Cloud 项目的 certificatemanager.certmaps.list 权限
检索证书映射

certificateMaps.get		 证书映射 目标证书地图上的 certificatemanager.certmaps.get
更新证书映射

certificateMaps.patch		 证书映射 目标证书地图上的 certificatemanager.certmaps.update
将证书映射附加到资源 证书映射 目标证书地图上的 certificatemanager.certmaps.use
删除证书映射

certificateMaps.delete		 证书映射 目标证书地图上的 certificatemanager.certmaps.delete
创建证书映射条目

certificateMaps.certificateMapEntries.create		 证书映射条目 目标证书映射上的 certificatemanager.certmapentries.create 权限以及每个关联证书上的 certificatemanager.certs.use
列出证书映射条目

certificateMaps.certificateMapEntries.list		 证书映射条目 目标证书地图上的 certificatemanager.certmapentries.list
检索证书映射条目

certificateMaps.certificateMapEntries.get		 证书映射条目 目标证书映射条目上的 certificatemanager.certmapentries.get
更新证书映射条目

certificateMaps.certificateMapEntries.patch		 证书映射条目 针对目标证书映射条目的 certificatemanager.certmapentries.update 权限以及每个关联证书的 certificatemanager.certs.use
删除证书映射条目

certificateMaps.certificateMapEntries.delete		 证书映射条目 目标证书映射条目上的 certificatemanager.certmapentries.delete
创建 DNS 授权

dnsAuthorizations.create		 DNS 授权 针对目标 Google Cloud 项目的 certificatemanager.dnsauthorizations.create 权限
列出 DNS 授权

dnsAuthorizations.list		 DNS 授权 针对目标 Google Cloud 项目的 certificatemanager.dnsauthorizations.list 权限
检索 DNS 授权

dnsAuthorizations.get		 DNS 授权 针对目标 DNS 授权的 certificatemanager.dnsauthorizations.get
更新 DNS 授权

dnsAuthorizations.patch		 DNS 授权 针对目标 DNS 授权的 certificatemanager.dnsauthorizations.update
删除 DNS 授权

dnsAuthorizations.delete		 DNS 授权 针对目标 DNS 授权的 certificatemanager.dnsauthorizations.delete
创建证书颁发配置

certificateIssuanceConfigs.create		 证书颁发配置 针对目标 Google Cloud 项目的 certificatemanager.certissuanceconfigs.create 权限
列出证书颁发配置

certificateIssuanceConfigs.list		 证书颁发配置 针对目标 Google Cloud 项目的 certificatemanager.certissuanceconfigs.list 权限
检索证书颁发配置

certificateIssuanceConfigs.get		 证书颁发配置 针对目标证书颁发配置的 certificatemanager.certissuanceconfigs.get 权限
删除证书颁发配置

certificateIssuanceConfigs.delete		 证书颁发配置 针对目标证书颁发配置的 certificatemanager.certissuanceconfigs.delete 权限
创建信任配置

trustConfigs.create		 信任配置 针对目标 Google Cloud 项目的 certificatemanager.trustconfigs.create 权限
列出信任配置

trustConfigs.list		 信任配置 针对目标 Google Cloud 项目的 certificatemanager.trustconfigs.list 权限
更新信任配置

trustConfigs.patch		 信任配置 针对目标信任配置的 certificatemanager.trustconfigs.update 权限
获取信任配置的状态

trustConfigs.get		 信任配置 针对目标信任配置的 certificatemanager.trustconfigs.get 权限
将信任配置附加到资源 信任配置 针对目标信任配置的 certificatemanager.trustconfigs.use 权限
删除信任配置

trustConfigs.delete		 信任配置 针对目标信任配置的 certificatemanager.trustconfigs.delete 权限
创建外部账号密钥

externalAccountKeys.create		 外部账号密钥 针对目标 Google Cloud 项目的 publicca.externalAccountKeys.create 权限

角色

本部分列出了封装 Certificate Manager 权限的 IAM 角色

Google Cloud 项目的 Certificate Manager 角色

下表列出了 Google Cloud 项目角色及其封装的 Certificate Manager 权限。

Role Permissions

(roles/certificatemanager.editor)

Edit access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.create

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certissuanceconfigs.update

certificatemanager.certissuanceconfigs.use

certificatemanager.certmapentries.create

certificatemanager.certmapentries.get

certificatemanager.certmapentries.list

certificatemanager.certmapentries.update

certificatemanager.certmaps.create

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certmaps.update

certificatemanager.certmaps.use

certificatemanager.certs.create

certificatemanager.certs.get

certificatemanager.certs.list

certificatemanager.certs.update

certificatemanager.certs.use

certificatemanager.dnsauthorizations.create

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.list

certificatemanager.dnsauthorizations.update

certificatemanager.dnsauthorizations.use

certificatemanager.locations.*

  • certificatemanager.locations.get
  • certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.create

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

certificatemanager.trustconfigs.update

certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.owner)

Full access to Certificate Manager all resources.

certificatemanager.*

  • certificatemanager.certissuanceconfigs.create
  • certificatemanager.certissuanceconfigs.delete
  • certificatemanager.certissuanceconfigs.get
  • certificatemanager.certissuanceconfigs.list
  • certificatemanager.certissuanceconfigs.update
  • certificatemanager.certissuanceconfigs.use
  • certificatemanager.certmapentries.create
  • certificatemanager.certmapentries.delete
  • certificatemanager.certmapentries.get
  • certificatemanager.certmapentries.list
  • certificatemanager.certmapentries.update
  • certificatemanager.certmaps.create
  • certificatemanager.certmaps.delete
  • certificatemanager.certmaps.get
  • certificatemanager.certmaps.list
  • certificatemanager.certmaps.update
  • certificatemanager.certmaps.use
  • certificatemanager.certs.create
  • certificatemanager.certs.delete
  • certificatemanager.certs.get
  • certificatemanager.certs.list
  • certificatemanager.certs.update
  • certificatemanager.certs.use
  • certificatemanager.dnsauthorizations.create
  • certificatemanager.dnsauthorizations.delete
  • certificatemanager.dnsauthorizations.get
  • certificatemanager.dnsauthorizations.list
  • certificatemanager.dnsauthorizations.update
  • certificatemanager.dnsauthorizations.use
  • certificatemanager.locations.get
  • certificatemanager.locations.list
  • certificatemanager.operations.cancel
  • certificatemanager.operations.delete
  • certificatemanager.operations.get
  • certificatemanager.operations.list
  • certificatemanager.trustconfigs.create
  • certificatemanager.trustconfigs.delete
  • certificatemanager.trustconfigs.get
  • certificatemanager.trustconfigs.list
  • certificatemanager.trustconfigs.update
  • certificatemanager.trustconfigs.use

resourcemanager.projects.get

resourcemanager.projects.list

(roles/certificatemanager.viewer)

Read-only access to Certificate Manager all resources.

certificatemanager.certissuanceconfigs.get

certificatemanager.certissuanceconfigs.list

certificatemanager.certmapentries.get

certificatemanager.certmapentries.list

certificatemanager.certmaps.get

certificatemanager.certmaps.list

certificatemanager.certs.get

certificatemanager.certs.list

certificatemanager.dnsauthorizations.get

certificatemanager.dnsauthorizations.list

certificatemanager.locations.*

  • certificatemanager.locations.get
  • certificatemanager.locations.list

certificatemanager.operations.get

certificatemanager.operations.list

certificatemanager.trustconfigs.get

certificatemanager.trustconfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

Google Cloud 项目的 Public CA 角色

Public CA 操作需要以下角色及其封装的权限:

角色 权限
Public CA External Account Key Creator
(roles/publicca.externalAccountKeyCreator)

拥有创建 Public CA 外部密钥帐号资源的权限。

 resourcemanager.projects.get
resourcemanager.projects.list
publicca.externalAccountKeys.create

自定义角色

Google Cloud 还允许您创建自定义角色,用于封装特定于您的业务需求的权限,例如最小权限原则。有关说明,请参阅创建和管理自定义角色

后续步骤