TransferCertificate
Transfers the specified certificate to the specified Amazon Web Services account.
Requires permission to access the TransferCertificate action.
You can cancel the transfer until it is accepted by the recipient.
No notification is sent to the transfer destination's account. The caller is responsible for notifying the transfer target.
The certificate being transferred must not be in the ACTIVE state. You can use the
UpdateCertificate action to deactivate it.
The certificate must not have any policies attached to it. You can use the DetachPolicy action to detach them.
Customer managed key behavior: When you use a customer managed key to encrypt your data and then transfer
the certificate to a customer in a different account using the TransferCertificate operation, the certificates will no longer be encrypted by their
customer managed key configuration. During the transfer process, certificates are encrypted using Amazon IoT Core owned keys.
While a certificate is in the PENDING_TRANSFER state, it's always protected by Amazon IoT Core owned keys, regardless of the customer managed key configuration of either the source or destination account.
Once the transfer is completed through AcceptCertificateTransfer, RejectCertificateTransfer, or CancelCertificateTransfer, the certificate will be protected by the customer managed key configuration of the account that owns the certificate after the transfer operation:
-
If the transfer is accepted: The certificate is encrypted by the target account's customer managed key configuration.
-
If the transfer is rejected or cancelled: The certificate is protected by the source account's customer managed key configuration.
Request Syntax
PATCH /transfer-certificate/certificateId?targetAwsAccount=targetAwsAccount HTTP/1.1
Content-type: application/json
{
"transferMessage": "string"
}URI Request Parameters
The request uses the following URI parameters.
- certificateId
-
The ID of the certificate. (The last part of the certificate ARN contains the certificate ID.)
Length Constraints: Fixed length of 64.
Pattern:
(0x)?[a-fA-F0-9]+Required: Yes
- targetAwsAccount
-
The Amazon Web Services account.
Length Constraints: Fixed length of 12.
Pattern:
[0-9]+Required: Yes
Request Body
The request accepts the following data in JSON format.
- transferMessage
-
The transfer message.
Type: String
Length Constraints: Maximum length of 128.
Pattern:
[\s\S]*Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"transferredCertificateArn": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- transferredCertificateArn
-
The ARN of the certificate.
Type: String
Errors
- CertificateStateException
-
The certificate operation is not allowed.
HTTP Status Code: 406
- InternalFailureException
-
An unexpected error has occurred.
HTTP Status Code: 500
- InvalidRequestException
-
The request is not valid.
HTTP Status Code: 400
- ResourceNotFoundException
-
The specified resource does not exist.
HTTP Status Code: 404
- ServiceUnavailableException
-
The service is temporarily unavailable.
HTTP Status Code: 503
- ThrottlingException
-
The rate exceeds the limit.
HTTP Status Code: 400
- TransferConflictException
-
You can't transfer the certificate because authorization policies are still attached.
HTTP Status Code: 409
- UnauthorizedException
-
You are not authorized to perform this operation.
HTTP Status Code: 401
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following: