View a markdown version of this page

Actions, resources, and condition keys for Amazon Private Certificate Authority - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Private Certificate Authority

Amazon Private Certificate Authority (service prefix: acm-pca) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Private Certificate Authority

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateCertificateAuthority

acm-pca:CreateCertificateAuthority

Write

acm-pca:TagCertificateAuthority

Tagging, Write

CreateCertificateAuthorityAuditReport

acm-pca:CreateCertificateAuthorityAuditReport

Write

CreatePermission

acm-pca:CreatePermission

Permissions management, Write

DeleteCertificateAuthority

acm-pca:DeleteCertificateAuthority

Write

DeletePermission

acm-pca:DeletePermission

Permissions management, Write

DeletePolicy

acm-pca:DeletePolicy

Permissions management, Write

DescribeCertificateAuthority

acm-pca:DescribeCertificateAuthority

Read

DescribeCertificateAuthorityAuditReport

acm-pca:DescribeCertificateAuthorityAuditReport

Read

GetCertificate

acm-pca:GetCertificate

Read

GetCertificateAuthorityCertificate

acm-pca:GetCertificateAuthorityCertificate

Read

GetCertificateAuthorityCsr

acm-pca:GetCertificateAuthorityCsr

Read

GetPolicy

acm-pca:GetPolicy

Read

ImportCertificateAuthorityCertificate

acm-pca:ImportCertificateAuthorityCertificate

Write

IssueCertificate

acm-pca:IssueCertificate

Write

ListCertificateAuthorities

acm-pca:ListCertificateAuthorities

List

ListPermissions

acm-pca:ListPermissions

Read

ListTags

acm-pca:ListTags

Read

PutPolicy

acm-pca:PutPolicy

Permissions management, Write

RestoreCertificateAuthority

acm-pca:RestoreCertificateAuthority

Write

RevokeCertificate

acm-pca:RevokeCertificate

Write

TagCertificateAuthority

acm-pca:TagCertificateAuthority

Tagging, Write

UntagCertificateAuthority

acm-pca:UntagCertificateAuthority

Tagging, Write

UpdateCertificateAuthority

acm-pca:UpdateCertificateAuthority

Write

Actions defined by Amazon Private Certificate Authority

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateCertificateAuthority

Grants permission to create an Amazon Private CA and its associated private key and configuration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateCertificateAuthorityAuditReport

Grants permission to create an audit report for an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

CreatePermission

Grants permission to create a permission for an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeleteCertificateAuthority

Grants permission to delete an Amazon Private CA and its associated private key and configuration

certificate-authority*

aws:ResourceTag/${TagKey}

Write

DeletePermission

Grants permission to delete a permission for an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeletePolicy

Grants permission to delete the policy for an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DescribeCertificateAuthority

Grants permission to return a list of the configuration and status fields contained in the specified Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Read

DescribeCertificateAuthorityAuditReport

Grants permission to return the status and information about an Amazon Private CA audit report

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificate

Grants permission to retrieve an Amazon Private CA certificate and certificate chain for the certificate authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificateAuthorityCertificate

Grants permission to retrieve an Amazon Private CA certificate and certificate chain for the certificate authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificateAuthorityCsr

Grants permission to retrieve an Amazon Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetPolicy

Grants permission to retrieve the policy on an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Read

ImportCertificateAuthorityCertificate

Grants permission to import an SSL/TLS certificate into Amazon Private CA for use as the CA certificate of an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

IssueCertificate

Grants permission to issue an Amazon Private CA certificate

certificate-authority*

acm-pca:TemplateArn

aws:ResourceTag/${TagKey}

Write

ListCertificateAuthorities

Grants permission to retrieve a list of the Amazon Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account

List

ListPermissions

Grants permission to list the permissions that have been applied to the Amazon Private CA certificate authority

certificate-authority*

aws:ResourceTag/${TagKey}

Read

ListTags

Grants permission to list the tags that have been applied to the Amazon Private CA certificate authority

certificate-authority*

aws:ResourceTag/${TagKey}

Read

PutPolicy

Grants permission to put a policy on an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

RestoreCertificateAuthority

Grants permission to restore an Amazon Private CA from the deleted state to the state it was in when deleted

certificate-authority*

aws:ResourceTag/${TagKey}

Write

RevokeCertificate

Grants permission to revoke a certificate issued by an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

TagCertificateAuthority

Grants permission to add one or more tags to an Amazon Private CA

certificate-authority*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagCertificateAuthority

Grants permission to remove one or more tags from an Amazon Private CA

certificate-authority*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateCertificateAuthority

Grants permission to update the configuration of an Amazon Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon Private Certificate Authority

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

certificate-authority

arn:${Partition}:acm-pca:${Region}:${Account}:certificate-authority/${CertificateAuthorityId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Private Certificate Authority

Amazon Private Certificate Authority defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

acm-pca:TemplateArn

Filters access by the arn of the certificate template used in Issue Certificate request

ARN

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString