Venafi user permissions for GCP service account

When setting up a GCP service account for Venafi, grant it the permissions listed below for the authentication method you use. Each list is the minimum the integration needs, so prefer a custom role containing exactly these permissions over a broad predefined role.

Venafi Generated Key authentication permissions

| Action(s) | Required permission |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |

Workload Identity Federation - Built-in Identity authentication permissions

| Action(s) | Required permission |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow access tokens to be issued for the service account (required for Workload Identity Federation impersonation). | iam.serviceAccounts.getAccessToken |

Workload Identity Federation – Azure Identity Provider authentication permissions

| Action(s) | Required permission |
|---|---|
| Allow Certificate Manager - SaaS to create (provision) a new certificate in Certificate Manager. | certificatemanager.certs.create |
| Allow certificate metadata to be retrieved (after the certificate creation operation completes). | certificatemanager.certs.get |
| Verify access to Certificate Manager. | certificatemanager.certs.list |
| Allow Certificate Manager - SaaS to replace or reprovision a certificate. | certificatemanager.certs.update |
| Allow Certificate Manager - SaaS to list Certificate Manager locations. | certificatemanager.locations.list |
| Allow Certificate Manager - SaaS to check an operation status (for example, certificate creation or replacement). | certificatemanager.operations.get |
| Allow Certificate Manager - SaaS to obtain details of projects associated with the service account. | resourcemanager.projects.get |
| Allow issuance of access tokens for the service account (required for Azure WIF impersonation). | iam.serviceAccounts.getAccessToken |