Details for the Certificates Service
Learn the details about permissions for the Certificates service so you can write policies to control access to its resources.
This topic covers Certificates service details about resource-types you can grant permissions to, special variables you can use when adding conditions to a policy, the hierarchy of permissions and API operations covered by each verb for each resource-type, and the permissions for each API operation.
Individual Resource-Types
Individual resource-types let you write policy statements scoped to a specific resource-type and no others.
leaf-certificates
leaf-certificate-versions
leaf-certificate-bundles
certificate-authorities
certificate-authority-versions
certificate-authority-bundles
certificate-authority-delegates
cabundles
certificate-associations
certificate-authority-associations
cabundle-associations
Aggregate Resource-Types
Aggregate resource-types let you write policy statements with a scope that extends beyond an individual resource-type to all resource-types covered by the aggregate resource-type.
leaf-certificate-family
certificate-authority-family
A policy that uses <verb> leaf-certificate-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the following individual certificate resource-types: leaf-certificates, leaf-certificate-versions, leaf-certificate-bundles, cabundles, certificate-associations, and cabundle-associations.
A policy that uses <verb> certificate-authority-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the following individual certificate authority (CA) and certificate resource-types: certificate-authorities, certificate-authority-versions, certificate-authority-bundles, certificate-authority-delegates, leaf-certificates, leaf-certificate-versions, leaf-certificate-bundles, cabundles, certificate-associations, certificate-authority-associations, and cabundle-associations.
See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in leaf-certificate-family and certificate-authority-family.
Supported Variables
Certificates supports all the general variables, plus the ones listed here. For more information about general variables supported by Oracle Cloud Infrastructure services, see General Variables for All Requests.
Operations for This Resource-Type... | Can Use These Variables... | Variable Type | Comments
---|---|---|---
certificate-authorities | target.certificate-authority.id | Entity (OCID) | Use this variable to control access to a certificate authority (CA) based on the OCID of the CA. (You cannot use this variable when creating a CA, as the CA does not exist to have an OCID yet.)
 | target.certificate-authority.name | String | Use this variable to limit access to a specific CA name.
 | target.certificate-authority.subject | String | Use this variable to control access to a CA based on the CA subject.
 | target.certificate-authority.type | String | Use this variable to limit access to CAs of a certain type. CA types include ROOT_CA and SUBORDINATE_CA.
 | target.issuer-certificate-authority.id | String | Use this variable to limit access to CAs based on the OCID of the issuer CA.
certificate-authority-versions | target.certificate-authority.id | Entity (OCID) | Use this variable to control access to a CA version based on the OCID of its CA.
 | target.certificate-authority.name | String | Use this variable to control access to a CA version based on the name of the CA.
certificate-authority-bundles | target.certificate-authority.id | Entity (OCID) | Use this variable to control access to the bundle of a CA based on the OCID of the bundle's CA.
 | target.certificate-authority.name | String | Use this variable to control access to the bundle of a CA by the name of the bundle's CA.
certificate-authority-associations | target.association.id | Entity (OCID) | Use this variable to control access to a CA association based on the OCID of the association. (You cannot use this variable when creating a CA association, as the association does not exist to have an OCID yet.)
 | target.association.name | String | Use this variable to control access to a CA association based on the name of the association.
 | target.association.resourceid | Entity (OCID) | Use this variable to control access to a CA association based on the OCID of the resource configured in the association.
 | target.leaf-certificate.id | Entity (OCID) | Use this variable to control access to a CA association based on the OCID of the certificate configured in the association.
 | target.leaf-certificate.name | String | Use this variable to control access to a CA association based on the name of the certificate configured in the association.
certificate-authority-delegates | target.certificate-authority.id | Entity (OCID) | Use this variable to control access to a CA delegate based on the OCID of the CA.
 | target.certificate-authority.name | String | Use this variable to control access to a CA delegate based on the name of the CA.
 | target.issuer-certificate-authority.id | String | Use this variable to control access to a CA delegate based on the OCID of the issuer CA.
 | target.resource.type | String | Use this variable to control access to CA delegates based on the type of resource the delegate is, whether the resource is a leaf-certificate, certificate-authority, or cabundle.
leaf-certificates | target.leaf-certificate.allow-wildcard | String | Use this variable to control access to a certificate based on whether the certificate common name or subject alternate name includes a wildcard.
 | target.leaf-certificate.alt-subject | List | Use this variable to control access to a certificate based on the certificate subject alternate name.
 | target.leaf-certificate.alt-subject-size | String | Use this variable to control access to a certificate based on the number of certificate subject alternate names.
 | target.leaf-certificate.id | Entity (OCID) | Use this variable to control access to a certificate based on the certificate OCID. (You cannot use this variable when creating a certificate, as the certificate does not exist to have an OCID yet.)
 | target.leaf-certificate.name | String | Use this variable to control access to a certificate based on the certificate name.
 | target.issuer-certificate-authority.id | String | Use this variable to control access to a certificate based on the OCID of the issuer CA.
 | target.leaf-certificate.profile-type | String | Use this variable to control access to certificates based on the certificate profile type. Certificate profile types include TLS_SERVER_OR_CLIENT, TLS_SERVER, TLS_CLIENT, and TLS_CODE_SIGN.
 | target.leaf-certificate.subject | String | Use this variable to control access to certificates based on the certificate subject.
 | target.leaf-certificate.type | String | Use this variable to control access to certificates based on the manner in which the certificate was created. Certificate configuration types include MANAGED_EXTERNALLY_ISSUED_BY_INTERNAL_CA, ISSUED_BY_INTERNAL_CA, or IMPORTED.
leaf-certificate-versions | target.leaf-certificate.id | Entity (OCID) | Use this variable to control access to certificate versions based on the OCID of the certificate.
 | target.leaf-certificate.name | String | Use this variable to control access to certificate versions based on the name of the certificate.
leaf-certificate-bundles | target.leaf-certificate.id | Entity (OCID) | Use this variable to control access to certificate bundles based on the OCID of the certificate.
 | target.leaf-certificate.name | String | Use this variable to control access to certificate bundles based on the name of the certificate.
 | target.leaf-certificate.bundle-type | String | Use this variable to control access to a certificate bundle based on the certificate bundle type. Certificate bundle types include CERTIFICATE_CONTENT_PUBLIC_ONLY and CERTIFICATE_CONTENT_WITH_PRIVATE_KEY.
certificate-associations | target.association.id | Entity (OCID) | Use this variable to control access to certificate associations based on the OCID of the association. (You cannot use this variable when creating a certificate association, as the association does not exist to have an OCID yet.)
 | target.association.name | String | Use this variable to control access to certificate bundles based on the name of the certificate bundle association.
 | target.association.resourceid | Entity (OCID) | Use this variable to control access to certificate bundles based on the OCID of the resource targeted in the certificate bundle association.
 | target.leaf-certificate.id | Entity (OCID) | Use this variable to control access to certificate associations based on the OCID of the certificate.
 | target.leaf-certificate.name | String | Use this variable to control access to certificate associations based on the name of the certificate.
cabundles | target.cabundle.id | Entity (OCID) | Use this variable to control access to CA bundles based on the OCID of the CA bundle. (You cannot use this variable when creating a CA bundle, as the CA bundle does not exist to have an OCID yet.)
 | target.cabundle.name | String | Use this variable to control access to CA bundles based on the name of the CA bundle.
cabundle-associations | target.association.id | Entity (OCID) | Use this variable to control access to a CA bundle association based on the OCID of the bundle association.
 | target.association.name | String | Use this variable to control access to a CA bundle association based on the name of the bundle association. (You cannot use this variable when creating a CA bundle association, as the association does not exist to have an OCID yet.)
 | target.association.resourceid | Entity (OCID) | Use this variable to control access to a CA bundle association based on the OCID of the resource configured in the association.
 | target.cabundle.id | Entity (OCID) | Use this variable to control access to a CA bundle association based on the OCID of the bundle.
 | target.cabundle.name | String | Use this variable to control access to a CA bundle association based on the name of the bundle.
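The variables above are only useful as policy conditions, so the following Python block is an added example (not Oracle's policy engine and not code from this page) that models the condition part of two statements as small predicate functions and evaluates them against constructed request attributes keyed by the page's variable names. The group names, OCIDs and request dictionaries are constructed; the variable names and enum values (TLS_SERVER, TLS_CODE_SIGN, and so on) are the page's. It also shows the caveat stated in the table: a condition on target.leaf-certificate.id cannot match at CreateCertificate time, because the variable has no value before the certificate exists.

```python
"""Simplified model of target.* variables acting as policy conditions.
Added example: not OCI's policy engine. Request attribute dicts, group names
and OCIDs below are constructed; only the variable names and enum values
come from the Certificates service documentation."""
from typing import Callable

Request = dict[str, str]
Condition = Callable[[Request], bool]


def eq(var: str, value: str) -> Condition:
    # `target.x = 'value'`. A variable absent from the request never matches;
    # this is exactly how a condition on target.leaf-certificate.id behaves
    # on CreateCertificate, where no OCID has been assigned yet.
    return lambda req: req.get(var) == value


def neq(var: str, value: str) -> Condition:
    # `target.x != 'value'`; also fails closed when the variable is absent.
    return lambda req: var in req and req[var] != value


def all_of(*conds: Condition) -> Condition:
    # `where all { c1, c2, ... }`
    return lambda req: all(c(req) for c in conds)


def any_of(*conds: Condition) -> Condition:
    # `where any { c1, c2, ... }`
    return lambda req: any(c(req) for c in conds)


# Modelled statement (constructed example, OCI policy syntax):
#   Allow group WebTeam to manage leaf-certificates in compartment Prod
#   where all {
#     target.leaf-certificate.allow-wildcard = 'false',
#     target.issuer-certificate-authority.id = 'ocid1.certificateauthority.oc1..EXAMPLE_ISSUER',
#     any { target.leaf-certificate.profile-type = 'TLS_SERVER',
#           target.leaf-certificate.profile-type = 'TLS_SERVER_OR_CLIENT' }
#   }
WEBTEAM_MANAGE_LEAF_CERTS: Condition = all_of(
    eq("target.leaf-certificate.allow-wildcard", "false"),
    eq("target.issuer-certificate-authority.id",
       "ocid1.certificateauthority.oc1..EXAMPLE_ISSUER"),
    any_of(
        eq("target.leaf-certificate.profile-type", "TLS_SERVER"),
        eq("target.leaf-certificate.profile-type", "TLS_SERVER_OR_CLIENT"),
    ),
)

# Modelled statement pinned to one certificate OCID (constructed example):
#   Allow group Rotators to manage leaf-certificates in compartment Prod
#   where target.leaf-certificate.id = 'ocid1.certificate.oc1..EXAMPLE_CERT'
ROTATORS_ONE_CERT: Condition = eq(
    "target.leaf-certificate.id", "ocid1.certificate.oc1..EXAMPLE_CERT")


def is_permitted(condition: Condition, request: Request) -> bool:
    """True when the statement's condition holds for the request's target attributes."""
    return condition(request)


# Constructed request attributes, keyed by the page's variable names.
UPDATE_SERVER_CERT: Request = {
    "target.leaf-certificate.id": "ocid1.certificate.oc1..EXAMPLE_CERT",
    "target.leaf-certificate.name": "web-prod",
    "target.leaf-certificate.allow-wildcard": "false",
    "target.leaf-certificate.profile-type": "TLS_SERVER",
    "target.issuer-certificate-authority.id":
        "ocid1.certificateauthority.oc1..EXAMPLE_ISSUER",
}
UPDATE_WILDCARD_CERT: Request = {
    **UPDATE_SERVER_CERT, "target.leaf-certificate.allow-wildcard": "true"}
CODE_SIGN_CERT: Request = {
    **UPDATE_SERVER_CERT, "target.leaf-certificate.profile-type": "TLS_CODE_SIGN"}
# On CreateCertificate the OCID does not exist yet, so the id variable is absent.
CREATE_SERVER_CERT: Request = {
    k: v for k, v in UPDATE_SERVER_CERT.items() if k != "target.leaf-certificate.id"}

if __name__ == "__main__":
    for label, req in [("update server cert", UPDATE_SERVER_CERT),
                       ("update wildcard cert", UPDATE_WILDCARD_CERT),
                       ("update code-sign cert", CODE_SIGN_CERT),
                       ("create server cert", CREATE_SERVER_CERT)]:
        print(f"{label:22} WebTeam={is_permitted(WEBTEAM_MANAGE_LEAF_CERTS, req)!s:5} "
              f"Rotators={is_permitted(ROTATORS_ONE_CERT, req)}")
```

The model evaluates only the condition clause; verb and resource-type matching are outside it. The last row of its output is the point of the table's parenthetical notes: Rotators are granted manage, which includes CERTIFICATE_CREATE, yet their id-pinned condition can never hold on a create request, so a statement meant to allow creation must not depend on target.leaf-certificate.id.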
Details for Verb + Resource-Type Combinations
Understand the incremental access granted by each verb for each resource-type so you can write policies that grant only the access required and nothing more.
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the use verb for the cabundles resource-type includes the same permissions and API operations as the read verb, plus the CABUNDLE_UPDATE permission and the UpdateCaBundle API operation. The manage verb allows even more permissions and API operations when compared to the use verb.
leaf-certificates
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CERTIFICATE_INSPECT | ListCertificates | none
read | INSPECT + CERTIFICATE_READ | INSPECT + | none
use | READ + CERTIFICATE_UPDATE | no extra |
manage | USE + CERTIFICATE_CREATE, CERTIFICATE_DELETE, CERTIFICATE_MOVE | USE + |
leaf-certificate-versions
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CERTIFICATE_VERSION_INSPECT | ListCertificateVersions | none
read | INSPECT + CERTIFICATE_VERSION_READ | INSPECT + | none
use | READ + no extra | none | none
manage | USE + CERTIFICATE_VERSION_REVOKE, CERTIFICATE_VERSION_DELETE | none |
leaf-certificate-bundles
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CERTIFICATE_BUNDLE_INSPECT | ListCertificateBundleVersions | none
read | INSPECT + CERTIFICATE_BUNDLE_READ | INSPECT + Note: The permission required for this operation depends on the query parameter. | none
use | READ + no extra | none | none
manage | USE + no extra | none |
cabundles
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CABUNDLE_INSPECT | ListCaBundles | none
read | INSPECT + CABUNDLE_READ | INSPECT + | none
use | READ + CABUNDLE_UPDATE | READ + | none
manage | USE + CABUNDLE_CREATE, CABUNDLE_DELETE, CABUNDLE_MOVE | USE + | none
certificate-associations
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CERTIFICATE_ASSOCIATION_INSPECT | ListAssociations | none
read | INSPECT + CERTIFICATE_ASSOCIATION_READ | INSPECT + | none
use | READ + no extra | none | none
manage | USE + CERTIFICATE_ASSOCIATION_CREATE, CERTIFICATE_ASSOCIATION_DELETE | USE + | none
cabundle-associations
Verbs | Permissions | APIs Fully Covered | APIs Partially Covered
---|---|---|---
inspect | CABUNDLE_ASSOCIATION_INSPECT | ListAssociations | none
read | INSPECT + CABUNDLE_ASSOCIATION_READ | INSPECT + | none
use | READ + no extra | none | none
manage | USE + CABUNDLE_ASSOCIATION_CREATE, CABUNDLE_ASSOCIATION_DELETE | USE + | none
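The cumulative verb hierarchy and the distinction between "fully covered" and "partially covered" operations are mechanical enough to compute. The Python block below is an added example, not code from Oracle or from this page: it encodes the incremental permissions for two resource-types (leaf-certificates and cabundles) exactly as the tables above list them, plus the per-operation requirements from the "Permissions Required for Each API Operation" table, and derives which operations a given verb fully or only partially covers. The function and variable names are this example's own. One thing the derivation makes visible that the tables leave blank: CreateCertificate and UpdateCertificate also require CERTIFICATE_AUTHORITY_APPLY, a permission no leaf-certificates verb grants, so a manage leaf-certificates policy on its own covers them only partially.

```python
"""Derive cumulative verb grants and API coverage from the Certificates
service permission tables. Added example, not OCI code: the permission
names, verb order and per-operation requirements are the documentation's;
the data structures and function names are this example's own."""

VERB_ORDER = ["inspect", "read", "use", "manage"]

# Incremental permissions per verb, as listed in the per-resource-type tables.
INCREMENTAL = {
    "leaf-certificates": {
        "inspect": {"CERTIFICATE_INSPECT"},
        "read": {"CERTIFICATE_READ"},
        "use": {"CERTIFICATE_UPDATE"},
        "manage": {"CERTIFICATE_CREATE", "CERTIFICATE_DELETE", "CERTIFICATE_MOVE"},
    },
    "cabundles": {
        "inspect": {"CABUNDLE_INSPECT"},
        "read": {"CABUNDLE_READ"},
        "use": {"CABUNDLE_UPDATE"},
        "manage": {"CABUNDLE_CREATE", "CABUNDLE_DELETE", "CABUNDLE_MOVE"},
    },
}

# Permissions each API operation requires, from the per-operation table.
REQUIRED = {
    "ListCertificates": {"CERTIFICATE_INSPECT"},
    "GetCertificate": {"CERTIFICATE_READ"},
    "CreateCertificate": {"CERTIFICATE_CREATE", "CERTIFICATE_AUTHORITY_APPLY"},
    "UpdateCertificate": {"CERTIFICATE_UPDATE", "CERTIFICATE_AUTHORITY_APPLY"},
    "ChangeCertificateCompartment": {"CERTIFICATE_MOVE"},
    "ScheduleCertificateDeletion": {"CERTIFICATE_DELETE"},
    "CancelCertificateDeletion": {"CERTIFICATE_DELETE"},
    "ListCaBundles": {"CABUNDLE_INSPECT"},
    "GetCaBundle": {"CABUNDLE_READ"},
    "CreateCaBundle": {"CABUNDLE_CREATE"},
    "UpdateCaBundle": {"CABUNDLE_UPDATE"},
    "ChangeCaBundleCompartment": {"CABUNDLE_MOVE"},
    "DeleteCaBundle": {"CABUNDLE_DELETE"},
}


def permissions_for(verb: str, resource_type: str) -> frozenset:
    """Cumulative grant: the increments of every verb up to and including `verb`."""
    granted: set = set()
    for lower_or_equal in VERB_ORDER[: VERB_ORDER.index(verb) + 1]:
        granted |= INCREMENTAL[resource_type][lower_or_equal]
    return frozenset(granted)


def coverage(verb: str, resource_type: str) -> tuple[list, list]:
    """Split operations into fully covered (every required permission granted)
    and partially covered (some, but not all, required permissions granted).
    Operations sharing no permission with the grant appear in neither list."""
    granted = permissions_for(verb, resource_type)
    full, partial = [], []
    for operation, needed in sorted(REQUIRED.items()):
        have = needed & granted
        if have == needed:
            full.append(operation)
        elif have:
            partial.append(operation)
    return full, partial


def least_verb(operation: str, resource_type: str):
    """Smallest verb on `resource_type` that fully covers `operation`,
    or None when no verb on that resource-type does."""
    for verb in VERB_ORDER:
        if REQUIRED[operation] <= permissions_for(verb, resource_type):
            return verb
    return None


if __name__ == "__main__":
    for resource_type in INCREMENTAL:
        for verb in VERB_ORDER:
            full, partial = coverage(verb, resource_type)
            print(f"{verb:8}{resource_type:18} full={full} partial={partial}")
    print("least verb for UpdateCaBundle on cabundles:",
          least_verb("UpdateCaBundle", "cabundles"))
    print("least verb for CreateCertificate on leaf-certificates:",
          least_verb("CreateCertificate", "leaf-certificates"))
```

Running it reproduces the cabundles example from the text (use = read + CABUNDLE_UPDATE, which fully covers UpdateCaBundle) and reports None for CreateCertificate on leaf-certificates, the signal that a second statement granting CERTIFICATE_AUTHORITY_APPLY on the issuing CA is needed for that operation.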
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type.
For information about permissions, see Permissions.
API Operation | Permissions Required to Use the Operation
---|---
ListCertificateAuthorities | CERTIFICATE_AUTHORITY_INSPECT
GetCertificateAuthority | CERTIFICATE_AUTHORITY_READ
CreateCertificateAuthority | CERTIFICATE_AUTHORITY_CREATE and CERTIFICATE_AUTHORITY_APPLY
UpdateCertificateAuthority | CERTIFICATE_AUTHORITY_UPDATE and CERTIFICATE_AUTHORITY_APPLY
ChangeCertificateAuthorityCompartment | CERTIFICATE_AUTHORITY_MOVE
ScheduleCertificateAuthorityDeletion | CERTIFICATE_AUTHORITY_DELETE
CancelCertificateAuthorityDeletion | CERTIFICATE_AUTHORITY_DELETE
ListCertificateAuthorityVersions | CERTIFICATE_AUTHORITY_VERSION_INSPECT
GetCertificateAuthorityVersion | CERTIFICATE_AUTHORITY_VERSION_READ
RevokeCertificateAuthorityVersion | CERTIFICATE_AUTHORITY_VERSION_REVOKE, CERTIFICATE_AUTHORITY_UPDATE, and CERTIFICATE_AUTHORITY_APPLY
ScheduleCertificateAuthorityVersionDeletion | CERTIFICATE_AUTHORITY_VERSION_DELETE and CERTIFICATE_AUTHORITY_UPDATE
CancelCertificateAuthorityVersionDeletion | CERTIFICATE_AUTHORITY_VERSION_DELETE and CERTIFICATE_AUTHORITY_UPDATE
ListCertificateAuthorityBundleVersions | CERTIFICATE_AUTHORITY_BUNDLE_INSPECT
GetCertificateAuthorityBundle | CERTIFICATE_AUTHORITY_BUNDLE_READ
ListCertificates | CERTIFICATE_INSPECT
GetCertificate | CERTIFICATE_READ
CreateCertificate | CERTIFICATE_CREATE and CERTIFICATE_AUTHORITY_APPLY
UpdateCertificate | CERTIFICATE_UPDATE and CERTIFICATE_AUTHORITY_APPLY
ChangeCertificateCompartment | CERTIFICATE_MOVE
ScheduleCertificateDeletion | CERTIFICATE_DELETE
CancelCertificateDeletion | CERTIFICATE_DELETE
ListCertificateVersions | CERTIFICATE_VERSION_INSPECT
GetCertificateVersion | CERTIFICATE_VERSION_READ
RevokeCertificateVersion | CERTIFICATE_VERSION_REVOKE, CERTIFICATE_UPDATE, and CERTIFICATE_AUTHORITY_APPLY
ScheduleCertificateVersionDeletion | CERTIFICATE_VERSION_DELETE and CERTIFICATE_UPDATE
CancelCertificateVersionDeletion | CERTIFICATE_VERSION_DELETE and CERTIFICATE_UPDATE
ListCertificateBundleVersions | CERTIFICATE_BUNDLE_INSPECT
GetCertificateBundle | CERTIFICATE_BUNDLE_READ. For details, see leaf-certificate-bundles.
ListCaBundles | CABUNDLE_INSPECT
GetCaBundle | CABUNDLE_READ
CreateCaBundle | CABUNDLE_CREATE
UpdateCaBundle | CABUNDLE_UPDATE
ChangeCaBundleCompartment | CABUNDLE_MOVE
DeleteCaBundle | CABUNDLE_DELETE
ListAssociations | CERTIFICATE_AUTHORITY_ASSOCIATION_INSPECT (for certificate-authorities), CERTIFICATE_ASSOCIATION_INSPECT (for leaf-certificates), or CABUNDLE_ASSOCIATION_INSPECT (for cabundles)
GetAssociation | CERTIFICATE_AUTHORITY_ASSOCIATION_READ (for certificate-authorities), CERTIFICATE_ASSOCIATION_READ (for leaf-certificates), or CABUNDLE_ASSOCIATION_READ (for cabundles)
DeleteAssociation | CERTIFICATE_AUTHORITY_ASSOCIATION_DELETE (for certificate-authorities), CERTIFICATE_ASSOCIATION_DELETE (for leaf-certificates), or CABUNDLE_ASSOCIATION_DELETE (for cabundles)