Minimum set of roles to revoke access to cert.pem

Hi,
What is the minimum set of roles required to revoke access to cert.pem from a secondary account? [Here's](https://github.com/cloudflare/cloudflared/issues/93) the bug for more details.
Here are the available roles:

Super Administrator - All Privileges
Can edit any Cloudflare setting, make purchases, update billing, and manage memberships. Super Administrators can revoke the access of other Super Administrators.
Vectorize Readonly
Can read Vectorize configurations.
Vectorize Admin
Can edit Vectorize configurations.
Bot Management (Account-Wide)
Can edit Bot Management (including Super Bot Fight Mode) configurations for all domains in account
Hyperdrive Readonly
Can read Hyperdrive database configurations.
Hyperdrive Admin
Can edit Hyperdrive database configurations.
Turnstile Read
Grants read access to Turnstile
Turnstile
Grants full access to Turnstile
API Gateway Read
Grants read access to API Gateway (including API Shield) for all domains in an account
API Gateway
Grants full access to API Gateway (including API Shield) for all domains in an account
Cloudflare R2 Read
Can read R2 buckets, objects, and associated configurations.
Cloudflare R2 Admin
Can edit R2 buckets, objects, and associated configurations.
Page Shield Read
Grants read access to Page Shield across the whole account
Page Shield
Grants write access to Page Shield across the whole account
Cloudflare DEX
Can edit Cloudflare DEX.
Zone Versioning Read (Account-Wide)
Can view Zone Versioning for all domains in account
Zone Versioning (Account-Wide)
Can view and edit Zone Versioning for all domains in account’
Minimal Account Access
Can view account, and nothing else
Zaraz Edit
Can edit Zaraz configuration.
Waiting Room Admin
Can edit Waiting Room configuration.
Waiting Room Read
Can read waiting rooms configuration.
Magic Network Monitoring Admin
Can view, edit, create, and delete MNM configuration
Magic Network Monitoring
Can view and edit MNM configuration
Magic Network Monitoring Read-Only
Can view MNM configuration
Network Services Write (Magic)
Grants write access to network configurations for Magic services.
Network Services Read (Magic)
Grants read access to network configurations for Magic services.
HTTP Applications
Can view and edit HTTP Applications
HTTP Applications Read
Can view HTTP Applications
Trust and Safety
Can view and request reviews for blocks
Zaraz Admin
Can edit and publish Zaraz configuration.
Zaraz Readonly
Can read Zaraz configuration.
Cloudflare Images
Can edit Cloudflare Images assets
Cloudflare Gateway
Can edit Cloudflare Gateway and read Access.
Cloudflare Zero Trust Reporting
Can access Cloudflare for Zero Trust reporting data.
Cloudflare Zero Trust Read Only
Can access Cloudflare for Zero Trust read only mode.
Cloudflare Zero Trust
Can edit Cloudflare Zero Trust.
Cloudflare Zero Trust PII
Can access Cloudflare Zero Trust PII.
SSL/TLS, Caching, Performance, Page Rules, and Customization
Can edit most Cloudflare settings except for DNS and Firewall.
Log Share Reader
Can read Enterprise Log Share.
Log Share
Can edit Log Share configuration.
Load Balancer
Can edit Load Balancers, Pools, Origins, and Health Checks.
Firewall
Can edit WAF, IP Firewall, and Zone Lockdown settings.
DNS
Can edit DNS records.
Cloudflare Workers Admin
Can edit Cloudflare Workers.
Cloudflare Stream
Can edit Cloudflare Stream media.
Cloudflare Access
Can edit Cloudflare Access.
Cache Purge
Can purge the edge cache.
Billing
Can edit the account’s billing profile and subscriptions.
Audit Logs Viewer
Can view Audit Logs.
Analytics
Can read Analytics.
Administrator Read Only
Can access the full account in read-only mode.
Administrator
Can access the full account, except for membership management and billing.