Managing Certificates

Required IAM Policy

To use Oracle Cloud Infrastructure, you must be granted security access in a policy (IAM) by an administrator. This access is required whether you're using the Console or the REST API with an SDK, CLI, or other tool. If you get a message that you don't have permission or are unauthorized, verify with your administrator what type of access you have and which compartment you should work in.

The following policy gives permission to the example group CertificateAdmins to manage certificates and CA bundles. Specifically, the policy gives permission to list any resources included in the aggregate resource-type certificate-authority-family (without access to any confidential information). The policy also gives permission to the example group to work with the resource-type certificate-authority-delegate: the group can use any CA in the compartment to sign a certificate, but cannot create, update, or delete CAs. Lastly, the policy gives permission to the group to do anything with any resources included in the aggregate resource-type leaf-certificate-family. Access is limited to resources in the specified example compartments.

Allow group CertificateAdmins to inspect certificate-authority-family in compartment ABC
Allow group CertificateAdmins to use certificate-authority-delegate in compartment ABC
Allow group CertificateAdmins to manage leaf-certificate-family in compartment ABC

These statements provide the minimum access needed to complete administrative tasks with certificates, as described later in this topic.

You might want to provide access to a group to work with certificates while restricting their ability to create, update, or delete any certificate-related resources. The following policy gives permission to the example group CertificateUsers to read and update certificates and CA bundles. The policy also gives permission to the group to renew certificates. Access is limited to resources in the specified example compartments.

Allow group CertificateUsers to use leaf-certificate-family in compartment DEF
Allow group CertificateUsers to use certificate-authority-delegate in compartment DEF
Allow group CertificateUsers to manage certificate-associations in compartment DEF
Allow group CertificateUsers to inspect certificate-authority-associations in compartment DEF
Allow group CertificateUsers to manage cabundle-associations in compartment DEF
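A way to check mechanically that the two policies above really carry the least-privilege properties the text claims (admins can sign with a CA but not manage CAs; users cannot create or delete certificates), as an added example that is not part of the Oracle documentation and is not the OCI policy engine. It uses a hypothetical parser for the statement form shown on this page, relies on OCI's cumulative verb ordering (inspect < read < use < manage), and matches resource-type names literally, so it does not expand the aggregate -family types into their member types.

```python
import re

# OCI IAM verbs are cumulative (inspect < read < use < manage).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Hypothetical parser for the statement form on this page, not the OCI policy
# engine: resource types are matched literally, "-family" types are not expanded.
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in compartment (?P<compartment>\S+)$"
)

def parse_statements(text):
    """Parse one statement per line; reject anything outside the grammar."""
    parsed = []
    for line in text.strip().splitlines():
        m = STATEMENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable policy statement: {line!r}")
        parsed.append(m.groupdict())
    return parsed

def allowed(statements, group, verb, resource, compartment):
    """True if some statement grants `group` at least `verb` on `resource` there."""
    need = VERB_RANK[verb]
    return any(s["group"] == group and s["resource"] == resource
               and s["compartment"] == compartment
               and VERB_RANK[s["verb"]] >= need for s in statements)

# Both policies from this topic, copied verbatim.
POLICY = """
Allow group CertificateAdmins to inspect certificate-authority-family in compartment ABC
Allow group CertificateAdmins to use certificate-authority-delegate in compartment ABC
Allow group CertificateAdmins to manage leaf-certificate-family in compartment ABC
Allow group CertificateUsers to use leaf-certificate-family in compartment DEF
Allow group CertificateUsers to use certificate-authority-delegate in compartment DEF
Allow group CertificateUsers to manage certificate-associations in compartment DEF
Allow group CertificateUsers to inspect certificate-authority-associations in compartment DEF
Allow group CertificateUsers to manage cabundle-associations in compartment DEF
"""
def review():
    """Least-privilege properties the text above says these policies have."""
    s = parse_statements(POLICY)
    return {
        "admins_sign_with_ca": allowed(s, "CertificateAdmins", "use", "certificate-authority-delegate", "ABC"),
        "admins_manage_cas": allowed(s, "CertificateAdmins", "manage", "certificate-authority-family", "ABC"),
        "admins_delete_leaf": allowed(s, "CertificateAdmins", "manage", "leaf-certificate-family", "ABC"),
        "users_create_leaf": allowed(s, "CertificateUsers", "manage", "leaf-certificate-family", "DEF"),
    }
```

Running review() on a proposed edit to these statements (for example, changing the CA delegate verb to manage) flips the corresponding entry, which makes the check useful as a guard in a policy review pipeline.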

For more information about permissions or if you need to write more or less restrictive policies, see Details for the Certificates Service. If you're new to policies, see Getting Started with Policies and Common Policies.