Venafi user permissions for GCP service account
When you set up the GCP service account that Venafi will use, grant it only the permissions listed below for your authentication method. The sets differ: both Workload Identity Federation methods additionally need iam.serviceAccounts.getAccessToken, because Venafi obtains access tokens by impersonating the service account rather than holding its key.
Venafi Generated Key authentication permissions
| Action(s) | Required permission |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of the projects associated with the service account. | resourcemanager.projects.get |
Workload Identity Federation - Built-in Identity authentication permissions
| Action(s) | Required permission |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of the projects associated with the service account. | resourcemanager.projects.get |
| Allow access tokens to be issued for the service account (required for built-in identity WIF impersonation). | iam.serviceAccounts.getAccessToken |
Workload Identity Federation – Azure Identity Provider authentication permissions
| Action(s) | Required permission |
|---|---|
| Allow {{ vs }} to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow {{ vs }} to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow {{ vs }} to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow {{ vs }} to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow {{ vs }} to obtain details of the projects associated with the service account. | resourcemanager.projects.get |
| Allow issuance of access tokens for the service account (required for Azure WIF impersonation). | iam.serviceAccounts.getAccessToken |
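The three tables above are the same Certificate Manager set plus, for the two Workload Identity Federation methods, one IAM permission. The following is an added example (not Venafi tooling) that turns those tables into a least-privilege custom role definition and audits an existing grant against them. It assumes the method names generated_key, wif_builtin and wif_azure, a hypothetical over-provisioned grant constructed inline, and the YAML layout accepted by `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`. The token permission is deliberately left out of the project-level role: iam.serviceAccounts.getAccessToken is a permission on the service account resource itself, normally granted via roles/iam.serviceAccountTokenCreator on that one service account, and granting it project-wide would let the caller mint tokens for every service account in the project.

```python
"""Least-privilege helper for the Venafi GCP service account.

Added example, not Venafi's own code. Method names, the sample grant and the
default role title are assumptions made for illustration.
"""

# Permissions common to all three authentication methods (from the tables above).
CERT_MANAGER_PERMS = (
    "certificatemanager.certs.create",
    "certificatemanager.certs.get",
    "certificatemanager.certs.list",
    "certificatemanager.certs.update",
    "certificatemanager.locations.list",
    "certificatemanager.operations.get",
    "resourcemanager.projects.get",
)

# Needed only when Venafi impersonates the service account (both WIF methods).
TOKEN_PERM = "iam.serviceAccounts.getAccessToken"

REQUIRED = {
    "generated_key": frozenset(CERT_MANAGER_PERMS),
    "wif_builtin": frozenset(CERT_MANAGER_PERMS) | {TOKEN_PERM},
    "wif_azure": frozenset(CERT_MANAGER_PERMS) | {TOKEN_PERM},
}


def required_permissions(method):
    """Return the full permission set for an authentication method."""
    try:
        return set(REQUIRED[method])
    except KeyError:
        raise ValueError(f"unknown authentication method: {method!r}") from None


def role_definition(method, title="Venafi Certificate Manager provisioning"):
    """Render a custom-role YAML body for `gcloud iam roles create --file`.

    The token permission is excluded on purpose: it must be granted on the
    service account resource (roles/iam.serviceAccountTokenCreator), not in a
    project-level role.
    """
    perms = sorted(required_permissions(method) - {TOKEN_PERM})
    lines = [
        f"title: {title}",
        f"description: Least-privilege role for Venafi ({method})",
        "stage: GA",
        "includedPermissions:",
    ] + [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"


def audit(granted, method):
    """Compare the permissions a principal actually holds with the required set.

    `granted` can be the list returned by the Resource Manager
    projects.testIamPermissions method (the subset of checked permissions the
    caller has) or any other flattened permission list.
    """
    need = required_permissions(method)
    have = set(granted)
    return {
        "missing": sorted(need - have),   # Venafi will fail at runtime
        "excess": sorted(have - need),    # beyond least privilege; remove
    }


# Constructed sample: a service account someone set up by hand, with a delete
# permission and actAs it never needed, and certs.update forgotten.
SAMPLE_GRANT = [
    "certificatemanager.certs.create",
    "certificatemanager.certs.get",
    "certificatemanager.certs.list",
    "certificatemanager.certs.delete",
    "certificatemanager.locations.list",
    "certificatemanager.operations.get",
    "resourcemanager.projects.get",
    "iam.serviceAccounts.getAccessToken",
    "iam.serviceAccounts.actAs",
]

if __name__ == "__main__":
    print(role_definition("wif_builtin"))
    print(audit(SAMPLE_GRANT, "wif_builtin"))
```

Write the YAML to a file and create the role once per project; then bind the service account to projects/PROJECT/roles/ROLE_ID with `gcloud projects add-iam-policy-binding`, and grant roles/iam.serviceAccountTokenCreator only on the single service account that Venafi impersonates. Run `audit` after the binding is in place to catch both the missing certs.update (which would surface only at the first renewal) and the extra delete and actAs permissions.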