Certificate Authority Service roles and permissions

This page lists the IAM roles and permissions for Certificate Authority Service. To search through all roles and permissions, see the role and permission index.

Certificate Authority Service roles

Role Permissions

Role	Permissions
CA Service Admin (`roles/privateca.admin`) Full access to all CA Service resources.	`privateca.*` `privateca.caPools.create` `privateca.caPools.createTagBinding` `privateca.caPools.delete` `privateca.caPools.deleteTagBinding` `privateca.caPools.get` `privateca.caPools.getIamPolicy` `privateca.caPools.list` `privateca.caPools.listEffectiveTags` `privateca.caPools.listTagBindings` `privateca.caPools.setIamPolicy` `privateca.caPools.update` `privateca.caPools.use` `privateca.certificateAuthorities.create` `privateca.certificateAuthorities.delete` `privateca.certificateAuthorities.get` `privateca.certificateAuthorities.getIamPolicy` `privateca.certificateAuthorities.list` `privateca.certificateAuthorities.setIamPolicy` `privateca.certificateAuthorities.update` `privateca.certificateRevocationLists.create` `privateca.certificateRevocationLists.get` `privateca.certificateRevocationLists.getIamPolicy` `privateca.certificateRevocationLists.list` `privateca.certificateRevocationLists.setIamPolicy` `privateca.certificateRevocationLists.update` `privateca.certificateTemplates.create` `privateca.certificateTemplates.createTagBinding` `privateca.certificateTemplates.delete` `privateca.certificateTemplates.deleteTagBinding` `privateca.certificateTemplates.get` `privateca.certificateTemplates.getIamPolicy` `privateca.certificateTemplates.list` `privateca.certificateTemplates.listEffectiveTags` `privateca.certificateTemplates.listTagBindings` `privateca.certificateTemplates.setIamPolicy` `privateca.certificateTemplates.update` `privateca.certificateTemplates.use` `privateca.certificates.create` `privateca.certificates.createForSelf` `privateca.certificates.get` `privateca.certificates.getIamPolicy` `privateca.certificates.list` `privateca.certificates.setIamPolicy` `privateca.certificates.update` `privateca.locations.get` `privateca.locations.list` `privateca.operations.cancel` `privateca.operations.delete` `privateca.operations.get` `privateca.operations.list` `privateca.reusableConfigs.create` `privateca.reusableConfigs.delete` `privateca.reusableConfigs.get` `privateca.reusableConfigs.getIamPolicy` `privateca.reusableConfigs.list` `privateca.reusableConfigs.setIamPolicy` `privateca.reusableConfigs.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.create`
CA Service Auditor (`roles/privateca.auditor`) Read-only access to all CA Service resources.	`privateca.caPools.get` `privateca.caPools.getIamPolicy` `privateca.caPools.list` `privateca.certificateAuthorities.get` `privateca.certificateAuthorities.getIamPolicy` `privateca.certificateAuthorities.list` `privateca.certificateRevocationLists.get` `privateca.certificateRevocationLists.getIamPolicy` `privateca.certificateRevocationLists.list` `privateca.certificateTemplates.get` `privateca.certificateTemplates.getIamPolicy` `privateca.certificateTemplates.list` `privateca.certificates.get` `privateca.certificates.getIamPolicy` `privateca.certificates.list` `privateca.locations.*` `privateca.locations.get` `privateca.locations.list` `privateca.operations.get` `privateca.operations.list` `privateca.reusableConfigs.get` `privateca.reusableConfigs.getIamPolicy` `privateca.reusableConfigs.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
CA Service Operation Manager (`roles/privateca.caManager`) Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.	`privateca.caPools.create` `privateca.caPools.createTagBinding` `privateca.caPools.delete` `privateca.caPools.deleteTagBinding` `privateca.caPools.get` `privateca.caPools.getIamPolicy` `privateca.caPools.list` `privateca.caPools.listEffectiveTags` `privateca.caPools.listTagBindings` `privateca.caPools.update` `privateca.certificateAuthorities.create` `privateca.certificateAuthorities.delete` `privateca.certificateAuthorities.get` `privateca.certificateAuthorities.getIamPolicy` `privateca.certificateAuthorities.list` `privateca.certificateAuthorities.update` `privateca.certificateRevocationLists.get` `privateca.certificateRevocationLists.getIamPolicy` `privateca.certificateRevocationLists.list` `privateca.certificateRevocationLists.update` `privateca.certificateTemplates.create` `privateca.certificateTemplates.createTagBinding` `privateca.certificateTemplates.delete` `privateca.certificateTemplates.deleteTagBinding` `privateca.certificateTemplates.get` `privateca.certificateTemplates.getIamPolicy` `privateca.certificateTemplates.list` `privateca.certificateTemplates.listEffectiveTags` `privateca.certificateTemplates.listTagBindings` `privateca.certificateTemplates.update` `privateca.certificates.get` `privateca.certificates.getIamPolicy` `privateca.certificates.list` `privateca.certificates.update` `privateca.locations.*` `privateca.locations.get` `privateca.locations.list` `privateca.operations.get` `privateca.operations.list` `privateca.reusableConfigs.create` `privateca.reusableConfigs.delete` `privateca.reusableConfigs.get` `privateca.reusableConfigs.getIamPolicy` `privateca.reusableConfigs.list` `privateca.reusableConfigs.update` `resourcemanager.projects.get` `resourcemanager.projects.list` `storage.buckets.create`
CA Service Certificate Manager (`roles/privateca.certificateManager`) Create certificates and read-only access for CA Service resources.	`privateca.caPools.get` `privateca.caPools.getIamPolicy` `privateca.caPools.list` `privateca.caPools.listEffectiveTags` `privateca.caPools.listTagBindings` `privateca.certificateAuthorities.get` `privateca.certificateAuthorities.getIamPolicy` `privateca.certificateAuthorities.list` `privateca.certificateRevocationLists.get` `privateca.certificateRevocationLists.getIamPolicy` `privateca.certificateRevocationLists.list` `privateca.certificateTemplates.get` `privateca.certificateTemplates.getIamPolicy` `privateca.certificateTemplates.list` `privateca.certificateTemplates.listEffectiveTags` `privateca.certificateTemplates.listTagBindings` `privateca.certificates.create` `privateca.certificates.get` `privateca.certificates.getIamPolicy` `privateca.certificates.list` `privateca.locations.*` `privateca.locations.get` `privateca.locations.list` `privateca.operations.get` `privateca.operations.list` `privateca.reusableConfigs.get` `privateca.reusableConfigs.getIamPolicy` `privateca.reusableConfigs.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
CA Service Certificate Requester (`roles/privateca.certificateRequester`) Request certificates from CA Service.	`privateca.certificates.create`
CA Service Pool Reader (`roles/privateca.poolReader`) Read CA Pools in CA Service.	`privateca.caPools.get`
CA Service Certificate Template User (`roles/privateca.templateUser`) Read, list and use certificate templates.	`privateca.certificateTemplates.get` `privateca.certificateTemplates.list` `privateca.certificateTemplates.use`
CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`) Request certificates from CA Service with caller's identity.	`privateca.certificates.createForSelf`

CA Service Admin

(roles/privateca.admin)

Full access to all CA Service resources.

privateca.*

privateca.caPools.create
privateca.caPools.createTagBinding
privateca.caPools.delete
privateca.caPools.deleteTagBinding
privateca.caPools.get
privateca.caPools.getIamPolicy
privateca.caPools.list
privateca.caPools.listEffectiveTags
privateca.caPools.listTagBindings
privateca.caPools.setIamPolicy
privateca.caPools.update
privateca.caPools.use
privateca.certificateAuthorities.create
privateca.certificateAuthorities.delete
privateca.certificateAuthorities.get
privateca.certificateAuthorities.getIamPolicy
privateca.certificateAuthorities.list
privateca.certificateAuthorities.setIamPolicy
privateca.certificateAuthorities.update
privateca.certificateRevocationLists.create
privateca.certificateRevocationLists.get
privateca.certificateRevocationLists.getIamPolicy
privateca.certificateRevocationLists.list
privateca.certificateRevocationLists.setIamPolicy
privateca.certificateRevocationLists.update
privateca.certificateTemplates.create
privateca.certificateTemplates.createTagBinding
privateca.certificateTemplates.delete
privateca.certificateTemplates.deleteTagBinding
privateca.certificateTemplates.get
privateca.certificateTemplates.getIamPolicy
privateca.certificateTemplates.list
privateca.certificateTemplates.listEffectiveTags
privateca.certificateTemplates.listTagBindings
privateca.certificateTemplates.setIamPolicy
privateca.certificateTemplates.update
privateca.certificateTemplates.use
privateca.certificates.create
privateca.certificates.createForSelf
privateca.certificates.get
privateca.certificates.getIamPolicy
privateca.certificates.list
privateca.certificates.setIamPolicy
privateca.certificates.update
privateca.locations.get
privateca.locations.list
privateca.operations.cancel
privateca.operations.delete
privateca.operations.get
privateca.operations.list
privateca.reusableConfigs.create
privateca.reusableConfigs.delete
privateca.reusableConfigs.get
privateca.reusableConfigs.getIamPolicy
privateca.reusableConfigs.list
privateca.reusableConfigs.setIamPolicy
privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

CA Service Auditor

(roles/privateca.auditor)

Read-only access to all CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

CA Service Operation Manager

(roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificates templates, and read-only access for CA Service resources.

privateca.caPools.create

privateca.caPools.createTagBinding

privateca.caPools.delete

privateca.caPools.deleteTagBinding

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.listEffectiveTags

privateca.caPools.listTagBindings

privateca.caPools.update

privateca.certificateAuthorities.create

privateca.certificateAuthorities.delete

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateAuthorities.update

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateRevocationLists.update

privateca.certificateTemplates.create

privateca.certificateTemplates.createTagBinding

privateca.certificateTemplates.delete

privateca.certificateTemplates.deleteTagBinding

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.listEffectiveTags

privateca.certificateTemplates.listTagBindings

privateca.certificateTemplates.update

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.certificates.update

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.create

privateca.reusableConfigs.delete

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

CA Service Certificate Manager

(roles/privateca.certificateManager)

Create certificates and read-only access for CA Service resources.

privateca.caPools.get

privateca.caPools.getIamPolicy

privateca.caPools.list

privateca.caPools.listEffectiveTags

privateca.caPools.listTagBindings

privateca.certificateAuthorities.get

privateca.certificateAuthorities.getIamPolicy

privateca.certificateAuthorities.list

privateca.certificateRevocationLists.get

privateca.certificateRevocationLists.getIamPolicy

privateca.certificateRevocationLists.list

privateca.certificateTemplates.get

privateca.certificateTemplates.getIamPolicy

privateca.certificateTemplates.list

privateca.certificateTemplates.listEffectiveTags

privateca.certificateTemplates.listTagBindings

privateca.certificates.create

privateca.certificates.get

privateca.certificates.getIamPolicy

privateca.certificates.list

privateca.locations.*

privateca.locations.get
privateca.locations.list

privateca.operations.get

privateca.operations.list

privateca.reusableConfigs.get

privateca.reusableConfigs.getIamPolicy

privateca.reusableConfigs.list

resourcemanager.projects.get

resourcemanager.projects.list

CA Service Certificate Requester

(roles/privateca.certificateRequester)

Request certificates from CA Service.

privateca.certificates.create

CA Service Pool Reader

(roles/privateca.poolReader)

Read CA Pools in CA Service.

privateca.caPools.get

CA Service Certificate Template User

(roles/privateca.templateUser)

Read, list and use certificate templates.

privateca.certificateTemplates.get

privateca.certificateTemplates.list

privateca.certificateTemplates.use

CA Service Workload Certificate Requester

(roles/privateca.workloadCertificateRequester)

Request certificates from CA Service with caller's identity.

privateca.certificates.createForSelf

Certificate Authority Service permissions

Permission	Included in roles
`privateca.caPools.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.caPools.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) Tag User (`roles/resourcemanager.tagUser`)
`privateca.caPools.delete`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.caPools.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) Tag User (`roles/resourcemanager.tagUser`)
`privateca.caPools.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) CA Service Pool Reader (`roles/privateca.poolReader`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Managed Kafka Service Agent (`roles/managedkafka.serviceAgent`)
`privateca.caPools.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.caPools.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.caPools.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`privateca.caPools.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`privateca.caPools.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.caPools.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.caPools.use`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificateAuthorities.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateAuthorities.delete`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateAuthorities.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateAuthorities.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateAuthorities.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateAuthorities.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificateAuthorities.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateRevocationLists.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificateRevocationLists.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateRevocationLists.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateRevocationLists.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateRevocationLists.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificateRevocationLists.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateTemplates.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateTemplates.createTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) Tag User (`roles/resourcemanager.tagUser`)
`privateca.certificateTemplates.delete`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateTemplates.deleteTagBinding`	Owner (`roles/owner`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) Tag User (`roles/resourcemanager.tagUser`)
`privateca.certificateTemplates.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) CA Service Certificate Template User (`roles/privateca.templateUser`)
`privateca.certificateTemplates.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificateTemplates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) CA Service Certificate Template User (`roles/privateca.templateUser`)
`privateca.certificateTemplates.listEffectiveTags`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`privateca.certificateTemplates.listTagBindings`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) DLP Organization Data Profiles Driver (`roles/dlp.orgdriver`) DLP Project Data Profiles Driver (`roles/dlp.projectdriver`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) Tag User (`roles/resourcemanager.tagUser`) Tag Viewer (`roles/resourcemanager.tagViewer`)
`privateca.certificateTemplates.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificateTemplates.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.certificateTemplates.use`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Certificate Template User (`roles/privateca.templateUser`)
`privateca.certificates.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Certificate Manager (`roles/privateca.certificateManager`) CA Service Certificate Requester (`roles/privateca.certificateRequester`)
`privateca.certificates.createForSelf`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Workload Certificate Requester (`roles/privateca.workloadCertificateRequester`)
`privateca.certificates.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificates.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.certificates.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Cloud Security Compliance Service Agent (`roles/cloudsecuritycompliance.serviceAgent`) Audit Manager Auditing Service Agent (`roles/auditmanager.serviceAgent`)
`privateca.certificates.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.certificates.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`)
`privateca.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`)
`privateca.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.reusableConfigs.create`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.reusableConfigs.delete`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)
`privateca.reusableConfigs.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.reusableConfigs.getIamPolicy`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.reusableConfigs.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) CA Service Admin (`roles/privateca.admin`) CA Service Auditor (`roles/privateca.auditor`) CA Service Operation Manager (`roles/privateca.caManager`) CA Service Certificate Manager (`roles/privateca.certificateManager`)
`privateca.reusableConfigs.setIamPolicy`	Owner (`roles/owner`) Security Admin (`roles/iam.securityAdmin`) CA Service Admin (`roles/privateca.admin`)
`privateca.reusableConfigs.update`	Owner (`roles/owner`) Editor (`roles/editor`) CA Service Admin (`roles/privateca.admin`) CA Service Operation Manager (`roles/privateca.caManager`)

Certificate Authority Service roles and permissions Stay organized with collections Save and categorize content based on your preferences.