IAM for ACME certificate automation - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM for ACME certificate automation

ACME certificate automation uses IAM roles to authorize certificate issuance and revocation. This section describes the permissions model for ACME.

PKI administrator permissions

PKI administrators who create and manage ACME resources need the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:CreateAcmeEndpoint",
                "acm:DescribeAcmeEndpoint",
                "acm:ListAcmeEndpoints",
                "acm:UpdateAcmeEndpoint",
                "acm:DeleteAcmeEndpoint",
                "acm:CreateAcmeExternalAccountBinding",
                "acm:DescribeAcmeExternalAccountBinding",
                "acm:ListAcmeExternalAccountBindings",
                "acm:GetAcmeExternalAccountBindingCredentials",
                "acm:RevokeAcmeExternalAccountBinding",
                "acm:DeleteAcmeExternalAccountBinding",
                "acm:CreateAcmeDomainValidation",
                "acm:DescribeAcmeDomainValidation",
                "acm:ListAcmeDomainValidations",
                "acm:UpdateAcmeDomainValidation",
                "acm:DeleteAcmeDomainValidation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account-id:role/AcmeIssuanceRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "acm-acme.amazonaws.com"
                }
            }
        }
    ]
}

EAB role requirements

Each external account binding is associated with an IAM role. ACM uses this role to authorize certificate issuance and revocation for ACME clients that authenticate with the binding's credentials.

Trust policy

The role must trust the ACME service principal, granting sts:AssumeRole, sts:TagSession, and sts:SetSourceIdentity. The following trust policy also uses a condition on sts:SourceIdentity to allow only sessions that ACM establishes for ACME (source identities that begin with acm-acme-):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "acm-acme.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ],
            "Condition": {
                "StringLike": {
                    "sts:SourceIdentity": "acm-acme-*"
                }
            }
        }
    ]
}

Permissions policy

The role needs permissions for the certificate operations you want to allow. The same ACM actions and condition keys that apply to direct API calls apply here:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:RequestCertificate",
                "acm:RevokeCertificate"
            ],
            "Resource": "*"
        }
    ]
}

You can restrict issuance using the same condition keys supported by acm:RequestCertificate, such as acm:DomainNames or acm:KeyAlgorithm. For more information, see Use condition keys with ACM.

Role session name and source identity

When ACM assumes the role, it sets a role session name and a source identity that appear in CloudTrail logs and that you can reference with the sts:RoleSessionName and sts:SourceIdentity condition keys:

  • At certificate issuance and revocation – the role session name is acme-request-request-id and the source identity is acm-acme-acme-account-id.

  • When validating the role at external account binding creation – the role session name is acme-verification and the source identity is acm-acme-verification.

Both source identities begin with acm-acme-, so the sts:SourceIdentity condition in the trust policy allows both. ACM also attaches session tags on the assumed-role session, including acme-endpoint-arn, acme-account-url, and acme-operation.
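The following is an added example, not code from the ACM documentation: a small local check of the trust policy above against the two source identities ACM sets, and of the EAB role's permissions policy narrowed with the acm:DomainNames condition key described under "Permissions policy". It approximates IAM's StringLike matching with fnmatch (assumption: no [ ] characters in the compared values) and assumes acm:DomainNames is evaluated as a multi-valued key with ForAllValues:StringLike; the *.example.com restriction is a constructed sample, not something the page prescribes.

```python
import fnmatch

# Trust policy from the page: only the ACME service principal, and only sessions whose
# source identity begins with acm-acme- (covers acm-acme-verification and acm-acme-<account-id>).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "acm-acme.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {"StringLike": {"sts:SourceIdentity": "acm-acme-*"}},
    }],
}

# Constructed hardened permissions policy: the page's RequestCertificate/RevokeCertificate grant,
# narrowed so this EAB role can only issue for names under one zone (assumption: ForAllValues).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["acm:RequestCertificate", "acm:RevokeCertificate"],
        "Resource": "*",
        "Condition": {"ForAllValues:StringLike": {"acm:DomainNames": ["*.example.com"]}},
    }],
}


def _like(value, pattern):
    # IAM StringLike wildcards are * and ?; fnmatch is a close local stand-in.
    return fnmatch.fnmatchcase(value, pattern)


def trust_allows(service, action, source_identity, policy=TRUST_POLICY):
    """Local approximation: may this service principal assume the role with this source identity?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Service") != service:
            continue
        if action not in stmt["Action"]:
            continue
        pattern = stmt.get("Condition", {}).get("StringLike", {}).get("sts:SourceIdentity", "*")
        if _like(source_identity, pattern):
            return True
    return False


def issuance_allowed(domain_names, policy=PERMISSIONS_POLICY):
    """ForAllValues:StringLike: every requested name must match at least one allowed pattern."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "acm:RequestCertificate" not in stmt["Action"]:
            continue
        cond = stmt.get("Condition", {}).get("ForAllValues:StringLike", {})
        patterns = cond.get("acm:DomainNames", ["*"])
        if all(any(_like(d, p) for p in patterns) for d in domain_names):
            return True
    return False
```

This is a reasoning aid for reviewing the policies you write, not a substitute for the IAM policy simulator or CloudTrail, which record what ACM actually did at issuance time.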

SCP compatibility

Because the ACME service makes standard ACM API calls using the assumed role, Amazon Organizations Service Control Policies (SCPs) are enforced at certificate issuance time. If an SCP denies acm:RequestCertificate for the account, ACME certificate issuance also fails. This provides the same governance controls for ACME-issued certificates as for certificates issued directly through the ACM API.