Use a service-linked role (SLR) with ACM
Amazon Certificate Manager uses an Amazon Identity and Access Management (IAM) service-linked role to enable automatic renewal of private certificates issued by a private CA that belongs to another account and is shared with you through Amazon Resource Access Manager (RAM). A service-linked role (SLR) is an IAM role that is linked directly to the ACM service. SLRs are predefined by ACM and include all the permissions that the service requires to call other Amazon services on your behalf.
The SLR makes setting up ACM easier because you don’t have to manually add the necessary permissions for unattended certificate signing. ACM defines the permissions of its SLR, and unless defined otherwise, only ACM can assume the role. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.
For information about other services that support SLRs, see Amazon Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the SLR documentation for that service.
SLR permissions for ACM
ACM uses an SLR named AWSServiceRoleForCertificateManager; its permissions policy is CertificateManagerServiceRolePolicy.
The AWSServiceRoleForCertificateManager SLR trusts the following service to assume the role:
- acm.amazonaws.com
The role permissions policy allows ACM to complete the following actions on the specified resources:
- Actions: acm-pca:IssueCertificate, acm-pca:GetCertificate on resource "*"
You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete an SLR. For more information, see Service-Linked Role Permissions in the IAM User Guide.
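As an added check (not part of the ACM documentation and not AWS code), the following Python reads an IAM trust policy and a permissions policy and reports anything beyond what this page documents for the SLR: a trusted principal other than acm.amazonaws.com, or an Allow action other than acm-pca:IssueCertificate and acm-pca:GetCertificate. The policy documents embedded below are constructed samples (the account ID is a placeholder); in a real account you would fetch them with `aws iam get-role --role-name AWSServiceRoleForCertificateManager` (trust policy) and `aws iam list-attached-role-policies` followed by `aws iam get-policy-version` (permissions policy), which needs iam:GetRole and the related IAM read permissions on the caller.

```python
import json

# Values this page documents for the ACM service-linked role.
ROLE_NAME = "AWSServiceRoleForCertificateManager"
EXPECTED_TRUSTED_SERVICE = "acm.amazonaws.com"
EXPECTED_ACTIONS = {"acm-pca:IssueCertificate", "acm-pca:GetCertificate"}


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_findings(trust_doc):
    """Deviations from 'only acm.amazonaws.com may assume the role'."""
    findings = []
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("trust policy allows any principal (*)")
            continue
        if not isinstance(principal, dict):
            findings.append(f"unexpected principal form: {principal!r}")
            continue
        for kind, members in principal.items():
            for member in _as_list(members):
                if kind == "Service" and member == EXPECTED_TRUSTED_SERVICE:
                    continue
                findings.append(f"unexpected trusted principal {kind}={member}")
    return findings


def permission_findings(perm_doc):
    """Allow actions outside the documented acm-pca pair; wildcards count as deviations."""
    findings = []
    for stmt in _as_list(perm_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("Allow statement uses NotAction; scope is not the documented pair")
        for action in _as_list(stmt.get("Action")):
            if action not in EXPECTED_ACTIONS:
                findings.append(f"action outside documented set: {action}")
    return findings


def check_slr(trust_doc, perm_doc):
    """Run both checks; an empty list means the role matches the documentation."""
    return trust_findings(trust_doc) + permission_findings(perm_doc)


# Constructed sample documents (not retrieved from a real account).
DOCUMENTED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "acm.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")

DOCUMENTED_PERMISSIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate"],
                 "Resource": "*"}]
}""")

# Constructed drift: an extra trusted account principal (placeholder account ID)
# and an action wildcard broader than the two documented actions.
DRIFTED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "acm.amazonaws.com",
                               "AWS": "arn:aws:iam::111122223333:root"},
                 "Action": "sts:AssumeRole"}]
}""")

DRIFTED_PERMISSIONS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"}]
}""")

if __name__ == "__main__":
    for label, trust, perms in [("documented", DOCUMENTED_TRUST, DOCUMENTED_PERMISSIONS),
                                ("drifted", DRIFTED_TRUST, DRIFTED_PERMISSIONS)]:
        result = check_slr(trust, perms)
        print(f"{ROLE_NAME} ({label}): {'OK' if not result else result}")
```

The check is deliberately exact-match: because the page says only ACM can assume the role and the policy grants only two actions on "*", any additional principal, any NotAction, and any wildcard such as acm-pca:* is reported rather than silently accepted.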
Important
ACM might alert you that it cannot determine whether an SLR exists on your account. If the required iam:GetRole permission has already been granted to the ACM SLR for your account, then the alert will not recur after the SLR is created. If it does recur, then you or your account administrator might need to grant the iam:GetRole permission to ACM, or associate your account with the ACM-managed policy AWSCertificateManagerFullAccess.
Creating the SLR for ACM
You don't need to manually create the SLR that ACM uses. When you issue an ACM certificate using the Amazon Web Services Management Console, the Amazon CLI, or the Amazon API, ACM creates the SLR for you the first time that you use a private CA from another account, shared through Amazon RAM, to sign your certificate.
If you encounter messages stating that ACM cannot determine whether an SLR exists on your account, it may mean that your account has not granted a read permission that Amazon Private CA requires. This will not prevent the SLR from being installed, and you can still issue certificates, but ACM will be unable to renew the certificates automatically until you resolve the problem. For more information, see Problems with the ACM service-linked role (SLR).
Important
This SLR can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the ACM service before January 1, 2017, when it began supporting SLRs, then ACM created the AWSServiceRoleForCertificateManager role in your account. To learn more, see A New Role Appeared in My IAM Account.
If you delete this SLR, and then need to create it again, you can use either of these methods:
- In the IAM console, choose Role, Create role, Certificate Manager to create a new role with the CertificateManagerServiceRolePolicy use case.
- Using the IAM API CreateServiceLinkedRole or the corresponding Amazon CLI command create-service-linked-role, create an SLR with the acm.amazonaws.com service name.
For more information, see Creating a Service-Linked Role in the IAM User Guide.
Editing the SLR for ACM
ACM does not allow you to edit the AWSServiceRoleForCertificateManager service-linked role. After you create an SLR, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.
Deleting the SLR for ACM
You typically don't need to delete the AWSServiceRoleForCertificateManager SLR. However, you can delete the role manually using the IAM console, the Amazon CLI or the Amazon API. For more information, see Deleting a Service-Linked Role in the IAM User Guide.
Supported Regions for ACM SLRs
ACM supports using SLRs in all of the regions where both ACM and Amazon Private CA are available. For more information, see Amazon Regions and Endpoints.
Region name | Region identity | Support in ACM
---|---|---
US East (N. Virginia) | us-east-1 | Yes
US West (N. California) | us-west-1 | Yes
US West (Oregon) | us-west-2 | Yes
Asia Pacific (Mumbai) | ap-south-1 | Yes
Asia Pacific (Osaka) | ap-northeast-3 | Yes
Asia Pacific (Seoul) | ap-northeast-2 | Yes
Asia Pacific (Singapore) | ap-southeast-1 | Yes
Asia Pacific (Sydney) | ap-southeast-2 | Yes
Asia Pacific (Tokyo) | ap-northeast-1 | Yes
Canada (Central) | ca-central-1 | Yes
Europe (Frankfurt) | eu-central-1 | Yes
Europe (Zurich) | eu-central-2 | Yes
Europe (Ireland) | eu-west-1 | Yes
Europe (London) | eu-west-2 | Yes
Europe (Paris) | eu-west-3 | Yes
South America (São Paulo) | sa-east-1 | Yes
China (Beijing) | cn-north-1 | No
China (Ningxia) | cn-northwest-1 | No
Amazon GovCloud (US-West) | us-gov-west-1 | Yes
Amazon GovCloud (US-East) | us-gov-east-1 | Yes