AWS::ACMPCA::Permission - Amazon CloudFormation
SyntaxProperties
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::ACMPCA::Permission

Grants permissions to the Amazon Certificate Manager (ACM) service principal (acm.amazonaws.com) to perform IssueCertificate, GetCertificate, and ListPermissions actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same Amazon account as the CA.

About permissions

  • If the private CA and the certificates it issues reside in the same account, you can use AWS::ACMPCA::Permission to grant permissions for ACM to carry out automatic certificate renewals.

  • For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions.

  • If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with Amazon Private CA.

Note

To update an AWS::ACMPCA::Permission resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ACMPCA::Permission",
  "Properties" : {
      "Actions" : [ String, ... ],
      "CertificateAuthorityArn" : String,
      "Principal" : String,
      "SourceAccount" : String
    }
}

YAML

Type: AWS::ACMPCA::Permission
Properties:
  Actions: 
    - String
  CertificateAuthorityArn: String
  Principal: String
  SourceAccount: String

Properties

Actions

The private CA actions that can be performed by the designated Amazon service. Supported actions are IssueCertificate, GetCertificate, and ListPermissions.

Required: Yes

Type: Array of String

Minimum: 1

Maximum: 3

Update requires: Replacement

CertificateAuthorityArn

The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

Required: Yes

Type: String

Pattern: arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*

Minimum: 5

Maximum: 200

Update requires: Replacement

Principal

The Amazon service or entity that holds the permission. At this time, the only valid principal is acm.amazonaws.com.

Required: Yes

Type: String

Pattern: ^[^*]+$

Minimum: 0

Maximum: 128

Update requires: Replacement

SourceAccount

The ID of the account that assigned the permission.

Required: No

Type: String

Pattern: [0-9]+

Minimum: 12

Maximum: 12

Update requires: Replacement