2

When I try to create a managed certificate through a service account I get the error:

managedcertificates.networking.gke.io "..." is forbidden: User "..." cannot get resource "managedcertificates" in API group "networking.gke.io" ... Required "container.managedCertificates.get" permission.

I tried to add the container.managedCertificates.get permission to the service account with a custom role, but there are no "container.managedCertificates.*"-permissions available at all which I could select.

Roberto
  • 33
  • 3

2 Answers

1

I also tried to reproduce the scenario in my project, and yes, I do not have the "container.managedCertificates." permissions available when trying to add them to a custom role. As per the document 1, the permission container.managedCertificates is not listed among those we could add.

Please note that, as Managed Certificates is in beta 2, it seems Google Product Engineers are working on this.

However, adding the role Kubernetes Engine Admin to the service account does solve the issue 3. Permissions are container.*, resourcemanager.projects.get, resourcemanager.projects.list.

Shafiq I
  • 166
  • 5
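
Kubernetes Engine Admin carries container.*, which is much broader than the single resource named in the error. GKE allows a request when either IAM or Kubernetes RBAC permits it, so a namespaced RBAC Role is one narrower way to grant the same access. This is an added example, not part of the answers on this page; the object names, the namespace, the verb list and the SERVICE_ACCOUNT_EMAIL placeholder are assumptions to adapt.

```yaml
# Added example (not from the original thread): least-privilege RBAC grant
# for the resource and API group named in the "forbidden" error.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: managed-certificate-editor     # hypothetical name
  namespace: default                   # assumption: namespace holding the ManagedCertificate
rules:
  - apiGroups: ["networking.gke.io"]   # API group from the error message
    resources: ["managedcertificates"] # resource from the error message
    # Assumed verb set for creating and maintaining a certificate;
    # remove any verb the workload does not need.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: managed-certificate-editor-binding  # hypothetical name
  namespace: default                        # must match the Role's namespace
subjects:
  - kind: User
    # Placeholder: the value shown as User "..." in the error, i.e. the
    # Google service account's e-mail address.
    name: SERVICE_ACCOUNT_EMAIL
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: managed-certificate-editor
  apiGroup: rbac.authorization.k8s.io
```

The service account still needs an IAM role that lets it fetch cluster credentials (for example Kubernetes Engine Cluster Viewer), and `kubectl auth can-i create managedcertificates.networking.gke.io --as SERVICE_ACCOUNT_EMAIL -n default` checks the grant before the workload relies on it.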
0

You could follow up on the Public Issue Tracker 1. This kind of investigation takes time. You will be able to receive any updates or status of this issue here 1. As the engineering team is working on the issue, send any updates or questions to them by writing in the link 1.

You could use the link 2 about how to subscribe to or star any issue to get further updates in the issue tracker.

Shafiq I
  • 166
  • 5