Certificate Authority Service roles and permissions

This page lists the IAM roles and permissions for Certificate Authority Service. To search through all roles and permissions, see the role and permission index.

Certificate Authority Service roles

Role Permissions

CA Service Admin (roles/privateca.admin)

Full access to all CA Service resources.

privateca.*

  • privateca.caPools.create
  • privateca.caPools.createTagBinding
  • privateca.caPools.delete
  • privateca.caPools.deleteTagBinding
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.listEffectiveTags
  • privateca.caPools.listTagBindings
  • privateca.caPools.setIamPolicy
  • privateca.caPools.update
  • privateca.caPools.use
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.setIamPolicy
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.create
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.setIamPolicy
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.createTagBinding
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.deleteTagBinding
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.listEffectiveTags
  • privateca.certificateTemplates.listTagBindings
  • privateca.certificateTemplates.setIamPolicy
  • privateca.certificateTemplates.update
  • privateca.certificateTemplates.use
  • privateca.certificates.create
  • privateca.certificates.createForSelf
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.setIamPolicy
  • privateca.certificates.update
  • privateca.locations.get
  • privateca.locations.list
  • privateca.operations.cancel
  • privateca.operations.delete
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.setIamPolicy
  • privateca.reusableConfigs.update

resourcemanager.projects.get

resourcemanager.projects.list

storage.buckets.create

CA Service Auditor (roles/privateca.auditor)

Read-only access to all CA Service resources.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.* (privateca.locations.get, privateca.locations.list)
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Operation Manager (roles/privateca.caManager)

Create and manage CAs, revoke certificates, create certificate templates, and read-only access to all other CA Service resources. Note that this role carries no setIamPolicy permission, so it cannot widen its own grant, and no privateca.certificates.create, so it cannot issue certificates.

  • privateca.caPools.create
  • privateca.caPools.createTagBinding
  • privateca.caPools.delete
  • privateca.caPools.deleteTagBinding
  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.listEffectiveTags
  • privateca.caPools.listTagBindings
  • privateca.caPools.update
  • privateca.certificateAuthorities.create
  • privateca.certificateAuthorities.delete
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateAuthorities.update
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateRevocationLists.update
  • privateca.certificateTemplates.create
  • privateca.certificateTemplates.createTagBinding
  • privateca.certificateTemplates.delete
  • privateca.certificateTemplates.deleteTagBinding
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.listEffectiveTags
  • privateca.certificateTemplates.listTagBindings
  • privateca.certificateTemplates.update
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.certificates.update
  • privateca.locations.* (privateca.locations.get, privateca.locations.list)
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.create
  • privateca.reusableConfigs.delete
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • privateca.reusableConfigs.update
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.create

CA Service Certificate Manager (roles/privateca.certificateManager)

Create certificates, plus read-only access to all CA Service resources. If a principal only needs to request certificates, the narrower Certificate Requester role below grants privateca.certificates.create without the read access.

  • privateca.caPools.get
  • privateca.caPools.getIamPolicy
  • privateca.caPools.list
  • privateca.caPools.listEffectiveTags
  • privateca.caPools.listTagBindings
  • privateca.certificateAuthorities.get
  • privateca.certificateAuthorities.getIamPolicy
  • privateca.certificateAuthorities.list
  • privateca.certificateRevocationLists.get
  • privateca.certificateRevocationLists.getIamPolicy
  • privateca.certificateRevocationLists.list
  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.getIamPolicy
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.listEffectiveTags
  • privateca.certificateTemplates.listTagBindings
  • privateca.certificates.create
  • privateca.certificates.get
  • privateca.certificates.getIamPolicy
  • privateca.certificates.list
  • privateca.locations.* (privateca.locations.get, privateca.locations.list)
  • privateca.operations.get
  • privateca.operations.list
  • privateca.reusableConfigs.get
  • privateca.reusableConfigs.getIamPolicy
  • privateca.reusableConfigs.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list

CA Service Certificate Requester (roles/privateca.certificateRequester)

Request certificates from CA Service.

  • privateca.certificates.create

CA Service Pool Reader (roles/privateca.poolReader)

Read CA pools in CA Service.

  • privateca.caPools.get

CA Service Certificate Template User (roles/privateca.templateUser)

Read, list and use certificate templates.

  • privateca.certificateTemplates.get
  • privateca.certificateTemplates.list
  • privateca.certificateTemplates.use

CA Service Workload Certificate Requester (roles/privateca.workloadCertificateRequester)

Request certificates from CA Service bound to the caller's own identity. Unlike the Certificate Requester role, it grants privateca.certificates.createForSelf rather than privateca.certificates.create.

  • privateca.certificates.createForSelf
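The role table above is what an IAM policy review actually has to be checked against: a CI signer bound as Certificate Manager when it only calls CreateCertificate, or an operations group bound as Operation Manager, holds far more than it uses. The script below is an added example, not code from this page or from Google. It transcribes the permission sets of the roles/privateca.* roles from the table above, and from a policy shaped like the JSON that `gcloud privateca pools get-iam-policy POOL --location=LOC --format=json` returns, reports for each member what it holds beyond what it needs, which of those permissions change trust (setIamPolicy, CA and CRL mutation, pool deletion or update), and the smallest predefined role that would still cover its needs. Basic roles (Owner, Editor, Viewer) and the non-privateca permissions some roles carry (resourcemanager.projects.*, storage.buckets.create) are left out, the members, policy and "needs" sets are constructed sample data, and what each principal needs is assumed to have been determined by the operator.

```python
"""Least-privilege audit of CA Service IAM bindings (added example, not Google's code).

Role -> permission sets are transcribed from this page for roles/privateca.* only;
basic roles and non-privateca permissions are omitted (an assumption of this example).
"""

RESOURCES = ("caPools", "certificateAuthorities", "certificateRevocationLists",
             "certificateTemplates", "certificates", "reusableConfigs")


def _perms(resource, *verbs):
    return {f"privateca.{resource}.{v}" for v in verbs}


# Every privateca role that can read anything gets get/getIamPolicy/list on all six
# resource types plus read access to locations and long-running operations.
READ_ONLY = set().union(*(_perms(r, "get", "getIamPolicy", "list") for r in RESOURCES))
READ_ONLY |= _perms("locations", "get", "list") | _perms("operations", "get", "list")

TAG_READ = (_perms("caPools", "listEffectiveTags", "listTagBindings")
            | _perms("certificateTemplates", "listEffectiveTags", "listTagBindings"))
TAG_WRITE = (_perms("caPools", "createTagBinding", "deleteTagBinding")
             | _perms("certificateTemplates", "createTagBinding", "deleteTagBinding"))

CA_MANAGER = (READ_ONLY | TAG_READ | TAG_WRITE
              | _perms("caPools", "create", "delete", "update")
              | _perms("certificateAuthorities", "create", "delete", "update")
              | _perms("certificateRevocationLists", "update")
              | _perms("certificateTemplates", "create", "delete", "update")
              | _perms("certificates", "update")
              | _perms("reusableConfigs", "create", "delete", "update"))

CERTIFICATE_MANAGER = READ_ONLY | TAG_READ | _perms("certificates", "create")

# Admin is privateca.*: everything above plus what no other privateca role has
# (setIamPolicy on every resource, use, createForSelf, CRL create, operation cancel/delete).
ADMIN = (CA_MANAGER | CERTIFICATE_MANAGER
         | set().union(*(_perms(r, "setIamPolicy") for r in RESOURCES))
         | _perms("caPools", "use") | _perms("certificateTemplates", "use")
         | _perms("certificates", "createForSelf")
         | _perms("certificateRevocationLists", "create")
         | _perms("operations", "cancel", "delete"))

ROLE_PERMISSIONS = {
    "roles/privateca.admin": ADMIN,
    "roles/privateca.auditor": READ_ONLY,
    "roles/privateca.caManager": CA_MANAGER,
    "roles/privateca.certificateManager": CERTIFICATE_MANAGER,
    "roles/privateca.certificateRequester": _perms("certificates", "create"),
    "roles/privateca.poolReader": _perms("caPools", "get"),
    "roles/privateca.templateUser": _perms("certificateTemplates", "get", "list", "use"),
    "roles/privateca.workloadCertificateRequester": _perms("certificates", "createForSelf"),
}

# Permissions that change who may issue or what the trust anchors are.
HIGH_IMPACT = ({p for p in ADMIN if p.endswith(".setIamPolicy")}
               | _perms("certificateAuthorities", "create", "delete", "update")
               | _perms("certificateRevocationLists", "create", "update")
               | _perms("caPools", "delete", "update"))


def minimal_role(needed):
    """Smallest predefined privateca role covering all of `needed`, or None if none does."""
    fits = [(len(perms), role) for role, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits)[1] if fits else None


def effective_permissions(policy):
    """member -> union of privateca permissions over all of that member's bindings."""
    granted = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            granted.setdefault(member, set()).update(ROLE_PERMISSIONS.get(binding["role"], set()))
    return granted


def audit(policy, needs):
    """Per bound member: permissions missing from and held beyond `needs`, the
    high-impact ones held, and the smallest predefined role that would still do."""
    report = {}
    for member, granted in effective_permissions(policy).items():
        needed = needs.get(member, set())
        report[member] = {
            "missing": sorted(needed - granted),
            "excess": sorted(granted - needed),
            "high_impact": sorted(granted & HIGH_IMPACT),
            "recommend": minimal_role(needed) if needed else None,
        }
    return report


# Constructed sample data with hypothetical members, shaped like the JSON from
# `gcloud privateca pools get-iam-policy POOL --location=LOC --format=json`.
CI_SIGNER = "serviceAccount:ci-signer@example-project.iam.gserviceaccount.com"
PKI_OPS = "group:pki-ops@example.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/privateca.certificateManager", "members": [CI_SIGNER]},
    {"role": "roles/privateca.caManager", "members": [PKI_OPS]},
]}
# What each principal actually calls, as determined by the operator (assumption).
SAMPLE_NEEDS = {
    CI_SIGNER: _perms("certificates", "create"),
    PKI_OPS: (_perms("certificateAuthorities", "update")
              | _perms("certificateRevocationLists", "update")
              | _perms("certificates", "update")),
}
```

Running `audit(SAMPLE_POLICY, SAMPLE_NEEDS)` recommends roles/privateca.certificateRequester for the CI signer, which is holding 26 read permissions it never uses, and confirms roles/privateca.caManager for the operations group while listing the six trust-changing permissions that come with it. Two properties of the table worth keeping in mind when reading such a report: only Admin (with Owner and Security Admin) holds any setIamPolicy permission, so Operation Manager cannot widen its own grant, and a role bound on a CA pool applies to that pool's CAs, templates and certificates, so the narrowest role should also be bound at the narrowest resource.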

Certificate Authority Service permissions

Each permission is followed by the roles that include it, in the same order as the permissions appear in the role definitions above. "Service agent roles" means the permission is also included in one or more service agent roles.

privateca.caPools.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.caPools.createTagBinding
  Owner (roles/owner), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), Tag User (roles/resourcemanager.tagUser)

privateca.caPools.delete
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.caPools.deleteTagBinding
  Owner (roles/owner), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), Tag User (roles/resourcemanager.tagUser)

privateca.caPools.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), CA Service Pool Reader (roles/privateca.poolReader)

privateca.caPools.getIamPolicy
  Service agent roles, Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.caPools.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.caPools.listEffectiveTags
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), Tag User (roles/resourcemanager.tagUser), Tag Viewer (roles/resourcemanager.tagViewer)

privateca.caPools.listTagBindings
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), Tag User (roles/resourcemanager.tagUser), Tag Viewer (roles/resourcemanager.tagViewer)

privateca.caPools.setIamPolicy
  Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.caPools.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.caPools.use
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin)

privateca.certificateAuthorities.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateAuthorities.delete
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateAuthorities.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateAuthorities.getIamPolicy
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateAuthorities.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateAuthorities.setIamPolicy
  Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.certificateAuthorities.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateRevocationLists.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin)

privateca.certificateRevocationLists.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateRevocationLists.getIamPolicy
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateRevocationLists.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateRevocationLists.setIamPolicy
  Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.certificateRevocationLists.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateTemplates.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateTemplates.createTagBinding
  Owner (roles/owner), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), Tag User (roles/resourcemanager.tagUser)

privateca.certificateTemplates.delete
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateTemplates.deleteTagBinding
  Owner (roles/owner), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), Tag User (roles/resourcemanager.tagUser)

privateca.certificateTemplates.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), CA Service Certificate Template User (roles/privateca.templateUser)

privateca.certificateTemplates.getIamPolicy
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificateTemplates.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), CA Service Certificate Template User (roles/privateca.templateUser)

privateca.certificateTemplates.listEffectiveTags
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), Tag User (roles/resourcemanager.tagUser), Tag Viewer (roles/resourcemanager.tagViewer)

privateca.certificateTemplates.listTagBindings
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), DLP Organization Data Profiles Driver (roles/dlp.orgdriver), DLP Project Data Profiles Driver (roles/dlp.projectdriver), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager), Tag User (roles/resourcemanager.tagUser), Tag Viewer (roles/resourcemanager.tagViewer)

privateca.certificateTemplates.setIamPolicy
  Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.certificateTemplates.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.certificateTemplates.use
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Certificate Template User (roles/privateca.templateUser)

privateca.certificates.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Certificate Manager (roles/privateca.certificateManager), CA Service Certificate Requester (roles/privateca.certificateRequester)

privateca.certificates.createForSelf
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Workload Certificate Requester (roles/privateca.workloadCertificateRequester)

privateca.certificates.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificates.getIamPolicy
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificates.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.certificates.setIamPolicy
  Service agent roles, Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.certificates.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.locations.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.locations.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.operations.cancel
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin)

privateca.operations.delete
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin)

privateca.operations.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.operations.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.reusableConfigs.create
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.reusableConfigs.delete
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)

privateca.reusableConfigs.get
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.reusableConfigs.getIamPolicy
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.reusableConfigs.list
  Owner (roles/owner), Editor (roles/editor), Viewer (roles/viewer), Security Admin (roles/iam.securityAdmin), Security Reviewer (roles/iam.securityReviewer), CA Service Admin (roles/privateca.admin), CA Service Auditor (roles/privateca.auditor), CA Service Operation Manager (roles/privateca.caManager), CA Service Certificate Manager (roles/privateca.certificateManager)

privateca.reusableConfigs.setIamPolicy
  Owner (roles/owner), Security Admin (roles/iam.securityAdmin), CA Service Admin (roles/privateca.admin)

privateca.reusableConfigs.update
  Owner (roles/owner), Editor (roles/editor), CA Service Admin (roles/privateca.admin), CA Service Operation Manager (roles/privateca.caManager)