Roles and permissions

This document describes the Identity and Access Management (IAM) roles and permissions that apply to Certificate Manager (2nd gen) resources, such as observed certificates, issuance configurations, and trust configurations, which can be granted at the project level or higher. For permissions related to load balancer resources, see IAM roles and permissions for load balancing.

Predefined roles

IAM provides predefined roles that let you grant granular access to specific Google Cloud resources and prevent unauthorized access to other resources.

The following table describes predefined roles that include permissions for Certificate Manager (2nd gen) resources.

Role Description
Certificate Manager Editor role (roles/certificatemanager.editor)
    Grants read and write access to Certificate Manager resources, including Certificate Manager (2nd gen) resources like issuance configurations, trust configurations, and observed certificates.
Certificate Manager Viewer role (roles/certificatemanager.viewer)
    Grants read-only access to Certificate Manager resources, including Certificate Manager (2nd gen) resources like issuance configurations, trust configurations, and observed certificates.

Permissions

The following table lists permissions for Certificate Manager (2nd gen) resources. These permissions are included in the Certificate Manager Editor role (roles/certificatemanager.editor) and the Certificate Manager Viewer role (roles/certificatemanager.viewer).

Permission Description
certificatemanager.observedcerts.get View details of an observed certificate in the inventory.
certificatemanager.observedcerts.list List observed certificates in the inventory.
certificatemanager.certs.create Create a certificate.
certificatemanager.certs.list List certificates.
certificatemanager.certs.get View details of a certificate.
certificatemanager.certs.update Update a certificate.
certificatemanager.certs.use Associate a certificate with a resource.
certificatemanager.certs.delete Delete a certificate.
certificatemanager.certmaps.create Create a certificate map.
certificatemanager.certmaps.list List certificate maps.
certificatemanager.certmaps.get View details of a certificate map.
certificatemanager.certmaps.update Update a certificate map.
certificatemanager.certmaps.use Attach a certificate map to a resource.
certificatemanager.certmaps.delete Delete a certificate map.
certificatemanager.certmapentries.create Create a certificate map entry.
certificatemanager.certmapentries.list List certificate map entries.
certificatemanager.certmapentries.get View details of a certificate map entry.
certificatemanager.certmapentries.update Update a certificate map entry.
certificatemanager.certmapentries.delete Delete a certificate map entry.
certificatemanager.dnsauthorizations.create Create a DNS authorization.
certificatemanager.dnsauthorizations.list List DNS authorizations.
certificatemanager.dnsauthorizations.get View details of a DNS authorization.
certificatemanager.dnsauthorizations.update Update a DNS authorization.
certificatemanager.dnsauthorizations.delete Delete a DNS authorization.
certificatemanager.certissuanceconfigs.create Create a certificate issuance config.
certificatemanager.certissuanceconfigs.list List certificate issuance configs.
certificatemanager.certissuanceconfigs.get View a certificate issuance config.
certificatemanager.certissuanceconfigs.delete Delete a certificate issuance config.
certificatemanager.trustconfigs.create Create a trust config.
certificatemanager.trustconfigs.list List trust configs.
certificatemanager.trustconfigs.update Update a trust config.
certificatemanager.trustconfigs.get View details of a trust config.
certificatemanager.trustconfigs.use Associate a trust config with a resource.
certificatemanager.trustconfigs.delete Delete a trust config.
