View a markdown version of this page

Actions, resources, and condition keys for Amazon Certificate Manager - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Certificate Manager

Amazon Certificate Manager (service prefix: acm) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Certificate Manager

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AddTagsToCertificate

acm:AddTagsToCertificate

Tagging, Write

DeleteCertificate

acm:DeleteCertificate

Write

DescribeCertificate

acm:DescribeCertificate

Read

ExportCertificate

acm:ExportCertificate

Read

GetAccountConfiguration

acm:GetAccountConfiguration

Read

GetCertificate

acm:GetCertificate

Read

ImportCertificate

acm:AddTagsToCertificate

Tagging, Write

acm:ImportCertificate

Write

ListCertificates

acm:ListCertificates

List

ListTagsForCertificate

acm:ListTagsForCertificate

Read

ListTagsForResource

acm:ListTagsForResource

Read

PutAccountConfiguration

acm:PutAccountConfiguration

Write

RemoveTagsFromCertificate

acm:RemoveTagsFromCertificate

Tagging, Write

RenewCertificate

acm:RenewCertificate

Write

RequestCertificate

acm:AddTagsToCertificate

Tagging, Write

acm:RequestCertificate

Write

ResendValidationEmail

acm:ResendValidationEmail

Write

RevokeCertificate

acm:RevokeCertificate

Write

SearchCertificates

acm:SearchCertificates

List

TagResource

acm:TagResource

Tagging, Write

UntagResource

acm:UntagResource

Tagging, Write

UpdateCertificateOptions

acm:UpdateCertificateOptions

Write

Actions defined by Amazon Certificate Manager

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AddTagsToCertificate

Grants permission to add one or more tags to a certificate

certificate*

acm:CertificateKeyPairOrigin

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

CreateAcmeDomainValidation

Grants permission to create an ACME domain validation

acme-endpoint*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateAcmeEndpoint

Grants permission to create an ACME endpoint

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateAcmeExternalAccountBinding

Grants permission to create an ACME external account binding

acme-endpoint*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteAcmeDomainValidation

Grants permission to delete an ACME domain validation

acme-domain-validation*

aws:ResourceTag/${TagKey}

Write

DeleteAcmeEndpoint

Grants permission to delete an ACME endpoint

acme-endpoint*

aws:ResourceTag/${TagKey}

Write

DeleteAcmeExternalAccountBinding

Grants permission to delete an ACME external account binding

acme-external-account-binding*

aws:ResourceTag/${TagKey}

Write

DeleteCertificate

Grants permission to delete a certificate and its associated private key

certificate*

acm:CertificateKeyPairOrigin

aws:ResourceTag/${TagKey}

Write

DescribeAcmeAccount

Grants permission to retrieve details of an ACME account

acme-endpoint*

aws:ResourceTag/${TagKey}

Read

DescribeAcmeDomainValidation

Grants permission to retrieve details of an ACME domain validation

acme-domain-validation*

aws:ResourceTag/${TagKey}

Read

DescribeAcmeEndpoint

Grants permission to retrieve details of an ACME endpoint

acme-endpoint*

aws:ResourceTag/${TagKey}

Read

DescribeAcmeExternalAccountBinding

Grants permission to retrieve details of an ACME external account binding

acme-external-account-binding*

aws:ResourceTag/${TagKey}

Read

DescribeCertificate

Grants permission to retreive a certificates and its metadata

certificate*

aws:ResourceTag/${TagKey}

Read

ExportCertificate

Grants permission to export an exportable certificate for use anywhere

certificate*

acm:DomainNames

aws:ResourceTag/${TagKey}

Read

GetAccountConfiguration

Grants permission to retrieve account level configuration from Amazon Certificate Manager

Read

GetAcmeExternalAccountBindingCredentials

Grants permission to retrieve credentials for an ACME external account binding

acme-external-account-binding*

aws:ResourceTag/${TagKey}

Read

GetCertificate

Grants permission to retrieve a certificate and certificate chain for a certificate ARN

certificate*

aws:ResourceTag/${TagKey}

Read

ImportCertificate

Grants permission to import a 3rd party certificate into Amazon Certificate Manager (ACM)

certificate*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

ListAcmeAccounts

Grants permission to list ACME accounts

acme-endpoint*

aws:ResourceTag/${TagKey}

List

ListAcmeDomainValidations

Grants permission to list ACME domain validations

acme-endpoint*

aws:ResourceTag/${TagKey}

List

ListAcmeEndpoints

Grants permission to list ACME endpoints

List

ListAcmeExternalAccountBindings

Grants permission to list ACME external account bindings

acme-endpoint*

aws:ResourceTag/${TagKey}

List

ListCertificates

Grants permission to retrieve a list of certificates for specific certificate parameters

List

ListTagsForCertificate

Grants permission to lists the tags that have been associated with a certificate

certificate*

aws:ResourceTag/${TagKey}

Read

ListTagsForResource

Grants permission to list tags for a resource

acme-domain-validation

aws:ResourceTag/${TagKey}

Read

acme-endpoint

aws:ResourceTag/${TagKey}

acme-external-account-binding

aws:ResourceTag/${TagKey}

PutAccountConfiguration

Grants permission to update account level configuration in Amazon Certificate Manager

Write

RemoveTagsFromCertificate

Grants permission to remove one or more tags from a certificate

certificate*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

RenewCertificate

Grants permission to renew an eligible private certificate

certificate*

aws:ResourceTag/${TagKey}

Write

RequestCertificate

Grants permission to requests a public or private certificate

acm:CertificateAuthority

acm:CertificateKeyPairOrigin

acm:CertificateTransparencyLogging

acm:DomainNames

acm:Export

acm:KeyAlgorithm

acm:ValidationMethod

aws:RequestTag/${TagKey}

aws:TagKeys

Write

ResendValidationEmail

Grants permission to resend an email to request domain ownership validation

certificate*

aws:ResourceTag/${TagKey}

Write

RevokeAcmeAccount

Grants permission to revoke an ACME account

acme-endpoint*

aws:ResourceTag/${TagKey}

Write

RevokeAcmeExternalAccountBinding

Grants permission to revoke an ACME external account binding

acme-external-account-binding*

aws:ResourceTag/${TagKey}

Write

RevokeCertificate

Grants permission to revoke an exportable certificate

certificate*

acm:CertificateKeyPairOrigin

acm:DomainNames

aws:ResourceTag/${TagKey}

Write

SearchCertificates

Grants permission to retrieve a list of certificates matching search criteria

List

TagResource

Grants permission to add tags to a resource

acme-domain-validation

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

acme-endpoint

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

acme-external-account-binding

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from a resource

acme-domain-validation

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

acme-endpoint

aws:ResourceTag/${TagKey}

aws:TagKeys

acme-external-account-binding

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateAcmeDomainValidation

Grants permission to update an ACME domain validation

acme-domain-validation*

aws:ResourceTag/${TagKey}

Write

UpdateAcmeEndpoint

Grants permission to update an ACME endpoint

acme-endpoint*

aws:ResourceTag/${TagKey}

Write

UpdateCertificate

Grants permission to update a certificate

certificate*

acm:CertificateKeyPairOrigin

aws:ResourceTag/${TagKey}

Write

UpdateCertificateOptions

Grants permission to update a certificate configuration. Use this to specify whether to opt in to or out of certificate transparency logging

certificate*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon Certificate Manager

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

acme-domain-validation

arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-domain-validation/${AcmeDomainValidationId}

aws:ResourceTag/${TagKey}

acme-endpoint

arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}

aws:ResourceTag/${TagKey}

acme-external-account-binding

arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-external-account-binding/${ExternalAccountBindingId}

aws:ResourceTag/${TagKey}

certificate

arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Certificate Manager

Amazon Certificate Manager defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

acm:CertificateAuthority

Filters access by certificateAuthority in the request. Can be used to restrict which Certificate Authorites certificates can be issued from

String

acm:CertificateKeyPairOrigin

Filters access by certificateKeyPairOrigin in the request. Can be used to restrict which certificate provisioning paths are permitted

String

acm:CertificateTransparencyLogging

Filters access by certificateTransparencyLogging option in the request. Default 'ENABLED' if no key is present in the request

String

acm:DomainNames

Filters access by domainNames in the request. This key can be used to restrict which domains can be in certificate requests

ArrayOfString

acm:Export

Filters access by the export option in the request. Can be used to restrict creation of certificates that can be exported

String

acm:KeyAlgorithm

Filters access by keyAlgorithm in the request

String

acm:ValidationMethod

Filters access by validationMethod in the request. Default 'EMAIL' if no key is present in the request

String

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString