Workload Certificate roles and permissions

This page lists the IAM roles and permissions for Workload Certificate. To search through all roles and permissions, see the role and permission index.

Workload Certificate roles

Role Permissions

Role	Permissions
Workload Certificate Admin ^Beta (`roles/workloadcertificate.admin`) Full access to all Workload Certificate API resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workloadcertificate.*` `workloadcertificate.locations.get` `workloadcertificate.locations.list` `workloadcertificate.operations.cancel` `workloadcertificate.operations.delete` `workloadcertificate.operations.get` `workloadcertificate.operations.list` `workloadcertificate.workloadCertificateFeature.get` `workloadcertificate.workloadCertificateFeature.update` `workloadcertificate.workloadRegistrations.create` `workloadcertificate.workloadRegistrations.delete` `workloadcertificate.workloadRegistrations.get` `workloadcertificate.workloadRegistrations.list` `workloadcertificate.workloadRegistrations.update`
Workload Certificate Viewer ^Beta (`roles/workloadcertificate.viewer`) Read-only access to Workload Certificate all resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workloadcertificate.locations.*` `workloadcertificate.locations.get` `workloadcertificate.locations.list` `workloadcertificate.operations.get` `workloadcertificate.operations.list` `workloadcertificate.workloadCertificateFeature.get` `workloadcertificate.workloadRegistrations.get` `workloadcertificate.workloadRegistrations.list`
Workload Certificate Registration Admin ^Beta (`roles/workloadcertificate.registrationAdmin`) Full access to WorkloadRegistration resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workloadcertificate.locations.` `workloadcertificate.locations.get` `workloadcertificate.locations.list` `workloadcertificate.operations.` `workloadcertificate.operations.cancel` `workloadcertificate.operations.delete` `workloadcertificate.operations.get` `workloadcertificate.operations.list` `workloadcertificate.workloadRegistrations.*` `workloadcertificate.workloadRegistrations.create` `workloadcertificate.workloadRegistrations.delete` `workloadcertificate.workloadRegistrations.get` `workloadcertificate.workloadRegistrations.list` `workloadcertificate.workloadRegistrations.update`
Workload Certificate Registration Viewer ^Beta (`roles/workloadcertificate.registrationViewer`) Read-only access to WorkloadRegistration resources.	`resourcemanager.projects.get` `resourcemanager.projects.list` `workloadcertificate.locations.*` `workloadcertificate.locations.get` `workloadcertificate.locations.list` `workloadcertificate.operations.get` `workloadcertificate.operations.list` `workloadcertificate.workloadRegistrations.get` `workloadcertificate.workloadRegistrations.list`

Workload Certificate Admin ^Beta

(roles/workloadcertificate.admin)

Full access to all Workload Certificate API resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.*

workloadcertificate.locations.get
workloadcertificate.locations.list
workloadcertificate.operations.cancel
workloadcertificate.operations.delete
workloadcertificate.operations.get
workloadcertificate.operations.list
workloadcertificate.workloadCertificateFeature.get
workloadcertificate.workloadCertificateFeature.update
workloadcertificate.workloadRegistrations.create
workloadcertificate.workloadRegistrations.delete
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
workloadcertificate.workloadRegistrations.update

Workload Certificate Viewer ^Beta

(roles/workloadcertificate.viewer)

Read-only access to Workload Certificate all resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.locations.get
workloadcertificate.locations.list

workloadcertificate.operations.get

workloadcertificate.operations.list

workloadcertificate.workloadCertificateFeature.get

workloadcertificate.workloadRegistrations.get

workloadcertificate.workloadRegistrations.list

Workload Certificate Registration Admin ^Beta

(roles/workloadcertificate.registrationAdmin)

Full access to WorkloadRegistration resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.locations.get
workloadcertificate.locations.list

workloadcertificate.operations.*

workloadcertificate.operations.cancel
workloadcertificate.operations.delete
workloadcertificate.operations.get
workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.*

workloadcertificate.workloadRegistrations.create
workloadcertificate.workloadRegistrations.delete
workloadcertificate.workloadRegistrations.get
workloadcertificate.workloadRegistrations.list
workloadcertificate.workloadRegistrations.update

Workload Certificate Registration Viewer ^Beta

(roles/workloadcertificate.registrationViewer)

Read-only access to WorkloadRegistration resources.

resourcemanager.projects.get

resourcemanager.projects.list

workloadcertificate.locations.*

workloadcertificate.locations.get
workloadcertificate.locations.list

workloadcertificate.operations.get

workloadcertificate.operations.list

workloadcertificate.workloadRegistrations.get

workloadcertificate.workloadRegistrations.list

Service agent roles

Service agent roles should only be granted to service agents.

Role Permissions

Role	Permissions
Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`) Gives the Workload Certificate service agent access to Cloud Platform resources. Warning: Do not grant service agent roles to any principals except service agents.	`container.clusterRoleBindings.get` `container.clusterRoleBindings.list` `container.clusters.get` `container.clusters.update` `container.customResourceDefinitions.create` `container.customResourceDefinitions.get` `container.customResourceDefinitions.list` `container.operations.get` `container.thirdPartyObjects.update` `gkehub.features.get` `gkehub.fleet.create` `gkehub.fleet.get` `gkehub.locations.*` `gkehub.locations.get` `gkehub.locations.list` `gkehub.memberships.get` `gkehub.memberships.list` `gkehub.operations.get` `serviceconsumermanagement.tenancyu.addResource` `serviceconsumermanagement.tenancyu.create` `serviceconsumermanagement.tenancyu.delete` `serviceconsumermanagement.tenancyu.removeResource` `serviceusage.services.use` `workloadcertificate.workloadCertificateFeature.get` `workloadcertificate.workloadRegistrations.list`

Workload Certificate Service Agent

(roles/workloadcertificate.serviceAgent)

Gives the Workload Certificate service agent access to Cloud Platform resources.

container.clusterRoleBindings.get

container.clusterRoleBindings.list

container.clusters.get

container.clusters.update

container.customResourceDefinitions.create

container.customResourceDefinitions.get

container.customResourceDefinitions.list

container.operations.get

container.thirdPartyObjects.update

gkehub.features.get

gkehub.fleet.create

gkehub.fleet.get

gkehub.locations.*

gkehub.locations.get
gkehub.locations.list

gkehub.memberships.get

gkehub.memberships.list

gkehub.operations.get

serviceconsumermanagement.tenancyu.addResource

serviceconsumermanagement.tenancyu.create

serviceconsumermanagement.tenancyu.delete

serviceconsumermanagement.tenancyu.removeResource

serviceusage.services.use

workloadcertificate.workloadCertificateFeature.get

workloadcertificate.workloadRegistrations.list

Workload Certificate permissions

Permission	Included in roles
`workloadcertificate.locations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`)
`workloadcertificate.locations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`)
`workloadcertificate.operations.cancel`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`)
`workloadcertificate.operations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`)
`workloadcertificate.operations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`)
`workloadcertificate.operations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`)
`workloadcertificate.workloadCertificateFeature.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Support User (`roles/iam.supportUser`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`)
`workloadcertificate.workloadCertificateFeature.update`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`)
`workloadcertificate.workloadRegistrations.create`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`)
`workloadcertificate.workloadRegistrations.delete`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`)
`workloadcertificate.workloadRegistrations.get`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`)
`workloadcertificate.workloadRegistrations.list`	Owner (`roles/owner`) Editor (`roles/editor`) Viewer (`roles/viewer`) Security Admin (`roles/iam.securityAdmin`) Security Reviewer (`roles/iam.securityReviewer`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Viewer (`roles/workloadcertificate.viewer`) Security Auditor (`roles/iam.securityAuditor`) Support User (`roles/iam.supportUser`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`) Workload Certificate Registration Viewer (`roles/workloadcertificate.registrationViewer`) Service agent roles Warning: Don't grant service agent roles to any principals except service agents. Anthos Service Mesh Service Agent (`roles/anthosservicemesh.serviceAgent`) Workload Certificate Service Agent (`roles/workloadcertificate.serviceAgent`)
`workloadcertificate.workloadRegistrations.update`	Owner (`roles/owner`) Editor (`roles/editor`) Workload Certificate Admin (`roles/workloadcertificate.admin`) Workload Certificate Registration Admin (`roles/workloadcertificate.registrationAdmin`)

Workload Certificate roles and permissions