Venafi user permissions for GCP service account
When setting up a GCP service account, specify the Venafi user permissions based on your authentication method.
Venafi Generated Key authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate for the certificate manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to the certificate manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace/reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list certificate manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation/replace). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |
Workload Identity Federation - Built-in Identity authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate for the certificate manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to the certificate manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace/reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list certificate manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation/replace). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow access tokens to be issued for the service account. | iam.serviceAccounts.getAccessToken |
Workload Identity Federation – Azure Identity Provider authentication permissions
| Action(s) | Required permissions |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate for Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow issuance of access tokens for the service account (required for Azure WIF impersonation). | iam.serviceAccounts.getAccessToken |
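The three tables differ only in whether `iam.serviceAccounts.getAccessToken` is needed, so the permission set can be packaged as a least-privilege custom role instead of a broad predefined one. The script below is an added example, not Venafi's own tooling: it builds the permission list for a chosen authentication method, creates or updates a custom role with exactly those permissions, and binds it to the service account. The method names, the role ID, and the project and service-account arguments are assumptions.

```shell
#!/bin/sh
# Added example: least-privilege custom role for the Venafi GCP service account.
# Role ID and method names are hypothetical; the permissions are the ones listed above.
set -eu

# Permissions shared by all three authentication methods.
COMMON_PERMS="certificatemanager.certs.create,certificatemanager.certs.get,certificatemanager.certs.list,certificatemanager.certs.update,certificatemanager.locations.list,certificatemanager.operations.get,resourcemanager.projects.get"

# Print the comma-separated permission list for a method:
#   generated-key | wif-builtin | wif-azure
# Only the two Workload Identity Federation methods need getAccessToken.
venafi_permissions() {
  case "$1" in
    generated-key) printf '%s\n' "$COMMON_PERMS" ;;
    wif-builtin|wif-azure) printf '%s,iam.serviceAccounts.getAccessToken\n' "$COMMON_PERMS" ;;
    *) echo "unknown authentication method: $1" >&2; return 1 ;;
  esac
}

# Create the custom role if absent (otherwise reset its permission list to
# exactly what the method needs), then bind it to the service account.
# Usage: apply_role PROJECT_ID SERVICE_ACCOUNT_EMAIL METHOD
apply_role() {
  project="$1"; sa="$2"; method="$3"
  perms="$(venafi_permissions "$method")"
  role_id="venafiCertManager_$(printf '%s' "$method" | tr '-' '_')"   # hypothetical role ID
  if gcloud iam roles describe "$role_id" --project "$project" >/dev/null 2>&1; then
    gcloud iam roles update "$role_id" --project "$project" --permissions "$perms"
  else
    gcloud iam roles create "$role_id" --project "$project" \
      --title "Venafi Certificate Manager ($method)" --stage GA --permissions "$perms"
  fi
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$sa" --role "projects/$project/roles/$role_id"
}

# Only call gcloud when invoked with the three arguments, for example:
#   ./venafi_gcp_role.sh my-project venafi-sa@my-project.iam.gserviceaccount.com wif-builtin
if [ "$#" -eq 3 ]; then
  apply_role "$@"
fi
```

Binding `iam.serviceAccounts.getAccessToken` at project scope lets the member mint tokens for every service account in the project; to restrict it to this one account, grant it on the service account resource itself (for example `roles/iam.serviceAccountTokenCreator` via `gcloud iam service-accounts add-iam-policy-binding`) and keep only the certificatemanager and resourcemanager permissions in the project-level custom role.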