This page lists the permissions required by Certificate Manager and the Identity and Access Management roles that encapsulate them.
Permissions
This section lists the permissions required to perform specific operations in Certificate Manager.
Operation and method | Resource | Permission |
---|---|---|
Create a certificate (certificates.create) | Certificates | certificatemanager.certs.create on the target Google Cloud project. If using DNS authorization, also requires certificatemanager.dnsauthorizations.use on each associated DNS authorization. |
List certificates (certificates.list) | Certificates | certificatemanager.certs.list on the target Google Cloud project |
Retrieve a certificate (certificates.get) | Certificates | certificatemanager.certs.get on the target certificate |
Update a certificate (certificates.patch) | Certificates | certificatemanager.certs.update on the target certificate |
Attach a certificate to a resource | Certificates | certificatemanager.certs.use on the target certificate |
Delete a certificate (certificates.delete) | Certificates | certificatemanager.certs.delete on the target certificate |
Create a certificate map (certificateMaps.create) | Certificate maps | certificatemanager.certmaps.create on the target Google Cloud project |
List certificate maps (certificateMaps.list) | Certificate maps | certificatemanager.certmaps.list on the target Google Cloud project |
Retrieve a certificate map (certificateMaps.get) | Certificate maps | certificatemanager.certmaps.get on the target certificate map |
Update a certificate map (certificateMaps.patch) | Certificate maps | certificatemanager.certmaps.update on the target certificate map |
Attach a certificate map to a resource | Certificate maps | certificatemanager.certmaps.use on the target certificate map |
Delete a certificate map (certificateMaps.delete) | Certificate maps | certificatemanager.certmaps.delete on the target certificate map |
Create a certificate map entry (certificateMaps.certificateMapEntries.create) | Certificate map entries | certificatemanager.certmapentries.create on the target certificate map and certificatemanager.certs.use on each associated certificate. |
List certificate map entries (certificateMaps.certificateMapEntries.list) | Certificate map entries | certificatemanager.certmapentries.list on the target certificate map |
Retrieve a certificate map entry (certificateMaps.certificateMapEntries.get) | Certificate map entries | certificatemanager.certmapentries.get on the target certificate map entry |
Update a certificate map entry (certificateMaps.certificateMapEntries.patch) | Certificate map entries | certificatemanager.certmapentries.update on the target certificate map entry and certificatemanager.certs.use on each associated certificate. |
Delete a certificate map entry (certificateMaps.certificateMapEntries.delete) | Certificate map entries | certificatemanager.certmapentries.delete on the target certificate map entry |
Create a DNS authorization (dnsAuthorizations.create) | DNS authorizations | certificatemanager.dnsauthorizations.create on the target Google Cloud project |
List DNS authorizations (dnsAuthorizations.list) | DNS authorizations | certificatemanager.dnsauthorizations.list on the target Google Cloud project |
Retrieve a DNS authorization (dnsAuthorizations.get) | DNS authorizations | certificatemanager.dnsauthorizations.get on the target DNS authorization |
Update a DNS authorization (dnsAuthorizations.patch) | DNS authorizations | certificatemanager.dnsauthorizations.update on the target DNS authorization |
Delete a DNS authorization (dnsAuthorizations.delete) | DNS authorizations | certificatemanager.dnsauthorizations.delete on the target DNS authorization |
Create a certificate issuance config (certificateIssuanceConfigs.create) | Certificate issuance configs | certificatemanager.certissuanceconfigs.create on the target Google Cloud project |
List certificate issuance configs (certificateIssuanceConfigs.list) | Certificate issuance configs | certificatemanager.certissuanceconfigs.list on the target Google Cloud project |
Retrieve a certificate issuance config (certificateIssuanceConfigs.get) | Certificate issuance configs | certificatemanager.certissuanceconfigs.get on the target certificate issuance config |
Delete a certificate issuance config (certificateIssuanceConfigs.delete) | Certificate issuance configs | certificatemanager.certissuanceconfigs.delete on the target certificate issuance config |
Create a trust config (trustConfigs.create) | Trust configs | certificatemanager.trustconfigs.create on the target Google Cloud project |
List trust configs (trustConfigs.list) | Trust configs | certificatemanager.trustconfigs.list on the target Google Cloud project |
Update a trust config (trustConfigs.patch) | Trust configs | certificatemanager.trustconfigs.update on the target trust config |
Get the state of a trust config (trustConfigs.get) | Trust configs | certificatemanager.trustconfigs.get on the target trust config |
Attach a trust config to a resource | Trust configs | certificatemanager.trustconfigs.use on the target trust config |
Delete a trust config (trustConfigs.delete) | Trust configs | certificatemanager.trustconfigs.delete on the target trust config |
Create an external account key (externalAccountKeys.create) | External account keys | publicca.externalAccountKeys.create on the target Google Cloud project |
Roles
This section lists the IAM roles that encapsulate Certificate Manager permissions.
Certificate Manager roles for Google Cloud projects
The following table lists the predefined Certificate Manager roles for Google Cloud projects and the level of access each grants. The full permission list of each role is not reproduced here; to inspect it before binding a role, run gcloud iam roles describe with the role ID (for example, gcloud iam roles describe roles/certificatemanager.editor).
Role | Access |
---|---|
Certificate Manager Editor (roles/certificatemanager.editor) | Edit access to all Certificate Manager resources. |
Certificate Manager Owner (roles/certificatemanager.owner) | Full access to all Certificate Manager resources. |
Certificate Manager Viewer (roles/certificatemanager.viewer) | Read-only access to all Certificate Manager resources. |
Public CA roles for Google Cloud projects
The following role and the permissions it encapsulates are required specifically for Public CA operations:
Role | Permissions |
---|---|
Public CA External Account Key Creator (roles/publicca.externalAccountKeyCreator): create access for Public CA external account key resources. | resourcemanager.projects.get, resourcemanager.projects.list, publicca.externalAccountKeys.create |
Custom roles
Google Cloud also lets you create custom roles that encapsulate only the permissions a specific workload needs, so that you can apply the principle of least privilege instead of binding a predefined role that also grants delete or trust-config permissions. For instructions, see Creating and managing custom roles.
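As an added example (not code from the Certificate Manager documentation or from Google), the following Python script shows how a custom role is scoped from the permissions table above: it derives the minimal permission set for the operations a workload performs, diffs an existing grant against that set to surface both gaps and excess (in particular delete and trust-config permissions a renewal job has no business holding), and renders the YAML that gcloud iam roles create accepts. The permission names are transcribed from the table on this page; the renewal pipeline, the over-broad role and the role title are hypothetical and constructed for the example.

```python
"""Least-privilege check for a Certificate Manager custom role.

Added example, not code from the Certificate Manager documentation. The
permission names come from the permissions table on this page; the
workload description and the granted role below are constructed.
"""

# Permissions each API method requires, transcribed from the table above.
# Where the table names more than one permission for a method (create with
# DNS authorization, map entries that reference certificates), all of them
# are listed so the derived role is not under-scoped.
OPERATION_PERMISSIONS = {
    "certificates.create": {"certificatemanager.certs.create"},
    "certificates.create+dnsAuthorization": {
        "certificatemanager.certs.create",
        "certificatemanager.dnsauthorizations.use",
    },
    "certificates.get": {"certificatemanager.certs.get"},
    "certificates.patch": {"certificatemanager.certs.update"},
    "certificates.delete": {"certificatemanager.certs.delete"},
    "certificateMaps.get": {"certificatemanager.certmaps.get"},
    "certificateMaps.certificateMapEntries.create": {
        "certificatemanager.certmapentries.create",
        "certificatemanager.certs.use",
    },
    "certificateMaps.certificateMapEntries.patch": {
        "certificatemanager.certmapentries.update",
        "certificatemanager.certs.use",
    },
    "dnsAuthorizations.get": {"certificatemanager.dnsauthorizations.get"},
}


def required_permissions(operations):
    """Union of the permissions the listed operations need.

    An unknown operation raises instead of silently contributing nothing,
    so a typo in the workload description cannot yield a role that only
    fails with PERMISSION_DENIED at runtime.
    """
    needed = set()
    for op in operations:
        if op not in OPERATION_PERMISSIONS:
            raise ValueError(f"operation not in permission table: {op}")
        needed |= OPERATION_PERMISSIONS[op]
    return needed


def check_role(granted_permissions, operations):
    """Return (missing, excess) for a grant versus a workload.

    missing: permissions the operations need but the grant lacks.
    excess:  permissions the grant holds that no listed operation uses.
    """
    needed = required_permissions(operations)
    granted = set(granted_permissions)
    return needed - granted, granted - needed


def role_definition_yaml(title, description, permissions):
    """Render the role file consumed by
    `gcloud iam roles create ROLE_ID --project PROJECT --file FILE`."""
    lines = [f"title: {title}", f"description: {description}",
             "stage: GA", "includedPermissions:"]
    lines.extend(f"- {perm}" for perm in sorted(permissions))
    return "\n".join(lines) + "\n"


# Hypothetical renewal pipeline: reads an existing DNS authorization, issues
# a certificate with it, polls the certificate until it is active, then
# swaps it into an existing map entry. It never deletes anything.
RENEWAL_PIPELINE = [
    "dnsAuthorizations.get",
    "certificates.create+dnsAuthorization",
    "certificates.get",
    "certificateMaps.certificateMapEntries.patch",
]

# Constructed over-broad grant of the kind produced by copying every
# certificatemanager.* permission one can find into a custom role.
OVERBROAD_ROLE = {
    "certificatemanager.certs.create", "certificatemanager.certs.get",
    "certificatemanager.certs.update", "certificatemanager.certs.use",
    "certificatemanager.certs.delete", "certificatemanager.certmaps.delete",
    "certificatemanager.certmapentries.update",
    "certificatemanager.certmapentries.delete",
    "certificatemanager.dnsauthorizations.get",
    "certificatemanager.dnsauthorizations.use",
    "certificatemanager.trustconfigs.update",
}


def main():
    missing, excess = check_role(OVERBROAD_ROLE, RENEWAL_PIPELINE)
    print("missing:", sorted(missing))
    print("excess: ", sorted(excess))
    print(role_definition_yaml(
        "Certificate renewal pipeline",
        "Issues DNS-authorized certificates and rotates them into map entries",
        required_permissions(RENEWAL_PIPELINE)))


if __name__ == "__main__":
    main()
```

The excess list is the interesting output: the over-broad grant lets the pipeline delete certificates and maps and rewrite trust configs, none of which renewal requires. Bind the rendered role to the pipeline's service account on the project, and keep the "on the target certificate" permissions from the table in mind when deciding whether to set the binding at project level or on individual resources.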
What's next
- Migrate a certificate to Certificate Manager
- Manage certificates
- Manage certificate maps
- Manage certificate map entries
- Manage DNS authorizations