This document describes the Identity and Access Management (IAM) roles and permissions that apply to Certificate Manager (2nd gen) resources, such as observed certificates, issuance configurations, and trust configurations, which can be granted at the project level or higher. For permissions related to load balancer resources, see IAM roles and permissions for load balancing.
Predefined roles
IAM provides predefined roles that let you grant granular access to specific Google Cloud resources and prevent unauthorized access to other resources.
The following table describes predefined roles that include permissions for Certificate Manager (2nd gen) resources.
| Role | Description |
|---|---|
| Certificate Manager Editor role (roles/certificatemanager.editor) | Grants read and write access to Certificate Manager resources, including Certificate Manager (2nd gen) resources like issuance configurations, trust configurations, and observed certificates. |
| Certificate Manager Viewer role (roles/certificatemanager.viewer) | Grants read-only access to Certificate Manager resources, including Certificate Manager (2nd gen) resources like issuance configurations, trust configurations, and observed certificates. |
Permissions
The following table lists permissions for Certificate Manager (2nd gen) resources.
These permissions are included in the Certificate Manager Editor role
(roles/certificatemanager.editor) and the Certificate Manager Viewer role
(roles/certificatemanager.viewer).
| Permission | Description |
|---|---|
| certificatemanager.observedcerts.get | Lets you view details of an observed certificate in the inventory. |
| certificatemanager.observedcerts.list | Lets you list observed certificates in the inventory. |
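The following added example (not part of this page or of Google Cloud's own tooling) audits a project IAM policy export for the roles in the tables above: it reports which principals can read or write Certificate Manager (2nd gen) resources such as observed certificates, distinguishes conditional from unconditional bindings, and lists service accounts holding Editor so you can check whether the read-only Viewer role would suffice. The JSON shape matches `gcloud projects get-iam-policy PROJECT --format=json`; the sample policy is constructed, and treating the basic roles/viewer, roles/editor and roles/owner roles as implying the same access levels is an assumption.

```python
import json

# Roles granting Certificate Manager (2nd gen) access, from the roles table
# above; basic roles are assumed to imply the same level (assumption).
READ_ROLES = {"roles/certificatemanager.viewer", "roles/viewer"}
WRITE_ROLES = {"roles/certificatemanager.editor", "roles/editor", "roles/owner"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/certificatemanager.viewer",
     "members": ["serviceAccount:inventory-report@example.iam.gserviceaccount.com"]},
    {"role": "roles/certificatemanager.editor",
     "members": ["user:alice@example.com",
                 "serviceAccount:dashboard@example.iam.gserviceaccount.com"]},
    {"role": "roles/certificatemanager.editor", "members": ["group:oncall@example.com"],
     "condition": {"title": "break-glass",
                   "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["deleted:user:bob@example.com?uid=123"]},
]})

RANK = {None: 0, "conditional": 1, "unconditional": 2}

def audit_certmgr_access(policy_json):
    """Map each live principal to {"read": S, "write": S}, S in
    (None, "conditional", "unconditional"). Write implies read; an
    unconditional grant outranks a conditional one; deleted principals
    hold no access and are skipped."""
    access = {}
    for b in json.loads(policy_json).get("bindings", []):
        role = b["role"]
        levels = ["read", "write"] if role in WRITE_ROLES else \
                 ["read"] if role in READ_ROLES else []
        status = "conditional" if "condition" in b else "unconditional"
        for m in b["members"]:
            if m.startswith("deleted:"):
                continue
            entry = access.setdefault(m, {"read": None, "write": None})
            for lvl in levels:
                if RANK[status] > RANK[entry[lvl]]:
                    entry[lvl] = status
    return access

def write_capable_service_accounts(access):
    """Service accounts holding unconditional write: review whether the
    Viewer role (get/list of observed certificates) would suffice."""
    return sorted(m for m, a in access.items()
                  if m.startswith("serviceAccount:") and a["write"] == "unconditional")
```

Running `audit_certmgr_access(SAMPLE_POLICY)` on the constructed policy shows the reporting service account with read only, the dashboard service account with unconditional write (a candidate for downgrading to Viewer), and the on-call group with conditional write.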
What's next
- Issue a certificate using CA Service and verify in Certificate Manager (2nd gen)
- Automate certificate lifecycle for load balancers
- Configure lifecycle management for managed workloads
- Configure lifecycle management for load balancers
- View certificate inventory