AWS::ACMPCA::Permission - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Grants permissions to the Amazon Certificate Manager (ACM) service principal ( to perform IssueCertificate, GetCertificate, and ListPermissions actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same Amazon account as the CA.

About permissions
  • If the private CA and the certificates it issues reside in the same account, you can use AWS::ACMPCA::Permission to grant permissions for ACM to carry out automatic certificate renewals.

  • For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions.

  • If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with Amazon Private CA.


To update an AWS::ACMPCA::Permission resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties.


To declare this entity in your Amazon CloudFormation template, use the following syntax:


{ "Type" : "AWS::ACMPCA::Permission", "Properties" : { "Actions" : [ String, ... ], "CertificateAuthorityArn" : String, "Principal" : String, "SourceAccount" : String } }


Type: AWS::ACMPCA::Permission Properties: Actions: - String CertificateAuthorityArn: String Principal: String SourceAccount: String



The private CA actions that can be performed by the designated Amazon service. Supported actions are IssueCertificate, GetCertificate, and ListPermissions.

Required: Yes

Type: Array of String

Minimum: 1

Maximum: 3

Update requires: Replacement


The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

Required: Yes

Type: String

Pattern: arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*

Minimum: 5

Maximum: 200

Update requires: Replacement


The Amazon service or entity that holds the permission. At this time, the only valid principal is

Required: Yes

Type: String

Pattern: [^*]+

Minimum: 0

Maximum: 128

Update requires: Replacement


The ID of the account that assigned the permission.

Required: No

Type: String

Pattern: [0-9]+

Minimum: 12

Maximum: 12

Update requires: Replacement