AWS Certificate Manager Private Certificate Authority

Assigns permissions from a private CA to a designated AWS service. Services are specified by their service principals and can be given permission to create and retrieve certificates on a private CA. Services can also be given permission to list the active permissions that the private CA has granted. For ACM to automatically renew your private CA's certificates, you must assign all possible permissions from the CA to the ACM service principal.

At this time, you can only assign permissions to ACM ( acm.amazonaws.com ). Permissions can be revoked with the DeletePermission operation and listed with the ListPermissions operation.

See also: AWS API Documentation

Request Syntax

client.create_permission(
    CertificateAuthorityArn='string',
    Principal='string',
    SourceAccount='string',
    Actions=[
        'IssueCertificate'|'GetCertificate'|'ListPermissions',
    ]
)

type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Name (ARN) of the CA that grants the permissions. You can find the ARN by calling the ListCertificateAuthorities operation. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

type Principal

string

param Principal

[REQUIRED]

The AWS service or identity that receives the permission. At this time, the only valid principal is acm.amazonaws.com .

type SourceAccount

string

param SourceAccount

The ID of the calling account.

type Actions

list

param Actions

[REQUIRED]

The actions that the specified AWS service principal can use. These include IssueCertificate , GetCertificate , and ListPermissions .

• (string) --

returns

None

Lists all the permissions, if any, that have been assigned by a private CA. Permissions can be granted with the CreatePermission operation and revoked with the DeletePermission operation.

See also: AWS API Documentation

Request Syntax

client.list_permissions(
    CertificateAuthorityArn='string',
    NextToken='string',
    MaxResults=123
)

type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Number (ARN) of the private CA to inspect. You can find the ARN by calling the ListCertificateAuthorities operation. This must be of the form: arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 You can get a private CA's ARN by running the ListCertificateAuthorities operation.

type NextToken

string

param NextToken

When paginating results, use this parameter in a subsequent request after you receive a response with truncated results. Set it to the value of NextToken from the response you just received.

type MaxResults

integer

param MaxResults

When paginating results, use this parameter to specify the maximum number of items to return in the response. If additional items exist beyond the number you specify, the NextToken element is sent in the response. Use this NextToken value in a subsequent request to retrieve additional items.

rtype

dict

returns

Response Syntax

{
    'Permissions': [
        {
            'CertificateAuthorityArn': 'string',
            'CreatedAt': datetime(2015, 1, 1),
            'Principal': 'string',
            'SourceAccount': 'string',
            'Actions': [
                'IssueCertificate'|'GetCertificate'|'ListPermissions',
            ],
            'Policy': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

• (dict) --

  • Permissions (list) --

    Summary information about each permission assigned by the specified private CA, including the action enabled, the policy provided, and the time of creation.

    • (dict) --

      Permissions designate which private CA operations can be performed by an AWS service or entity. In order for ACM to automatically renew private certificates, you must give the ACM service principal all available permissions ( IssueCertificate , GetCertificate , and ListPermissions ). Permissions can be assigned with the CreatePermission operation, removed with the DeletePermission operation, and listed with the ListPermissions operation.

      • CertificateAuthorityArn (string) --

        The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

      • CreatedAt (datetime) --

        The time at which the permission was created.

      • Principal (string) --

        The AWS service or entity that holds the permission. At this time, the only valid principal is acm.amazonaws.com .

      • SourceAccount (string) --

        The ID of the account that assigned the permission.

      • Actions (list) --

        The private CA operations that can be performed by the designated AWS service.

        • (string) --

      • Policy (string) --

        The name of the policy that is associated with the permission.

  • NextToken (string) --

    When the list is truncated, this value is present and should be used for the NextToken parameter in a subsequent pagination request.

Revokes permissions that a private CA assigned to a designated AWS service. Permissions can be created with the CreatePermission operation and listed with the ListPermissions operation.

See also: AWS API Documentation

Request Syntax

client.delete_permission(
    CertificateAuthorityArn='string',
    Principal='string',
    SourceAccount='string'
)

type CertificateAuthorityArn

string

param CertificateAuthorityArn

[REQUIRED]

The Amazon Resource Number (ARN) of the private CA that issued the permissions. You can find the CA's ARN by calling the ListCertificateAuthorities operation. This must have the following form:

arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 .

type Principal

string

param Principal

[REQUIRED]

The AWS service or identity that will have its CA permissions revoked. At this time, the only valid service principal is acm.amazonaws.com

type SourceAccount

string

param SourceAccount

The AWS account that calls this operation.

returns

None