Managing public key certificates on Snowball Edge
You can securely interact with Amazon services running on a Snowball Edge device or a cluster of Snowball Edge devices through the HTTPS protocol by providing a public key certificate. You can use the HTTPS protocol to interact with Amazon services such as IAM, Amazon EC2, S3 adapter, Amazon S3 compatible storage on Snowball Edge, Amazon EC2 Systems Manager, and Amazon STS on Snowball Edge devices. In the case of a cluster of devices, a single certificate is required and can be generated by any device in the cluster. Once a Snowball Edge device generates the certificate and you unlock the device, you can use Snowball Edge client commands to list, get, and delete the certificate.
A Snowball Edge device generates a certificate when the following events occur:
The Snowball Edge device or cluster is unlocked for the first time.
The Snowball Edge device or cluster is unlocked after deleting the certificate (using the delete-certificate command or Renew certificate in Amazon OpsHub).
The Snowball Edge device or cluster is rebooted and unlocked after the certificate expires.
Whenever a new certificate is generated, the old certificate is no longer valid. A certificate is valid for a period of one year from the day it was generated.
You can also use Amazon OpsHub to manage public key certificates. For more information, see Managing public key certificates using OpsHub in this guide.
Listing the certificate on a Snowball Edge
Use the list-certificates command to see the Amazon Resource Names (ARNs) for the current certificate.
snowballEdge list-certificates
Example of list-certificates output
{
  "Certificates" : [ {
    "CertificateArn" : "arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7",
    "SubjectAlternativeNames" : [ "192.0.2.0" ]
  } ]
}
Getting certificates from a Snowball Edge
Use the get-certificate command to see the content of the certificate based on the ARN provided. Use the list-certificates command to obtain the ARN of the certificate to use as the certificate-arn parameter.
snowballEdge get-certificate --certificate-arn arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7
Example of get-certificate output
-----BEGIN CERTIFICATE-----
Certificate
-----END CERTIFICATE-----
For information about configuring your certificate, see Configuring the Amazon CLI to use the S3 adapter on a Snowball Edge as the endpoint.
Deleting certificates on a Snowball Edge
Use the delete-certificate command to delete the current certificate. Use the list-certificates command to obtain the ARN of the certificate to use as the certificate-arn parameter. To generate a new certificate, reboot the Snowball Edge or each Snowball Edge in a cluster. See Rebooting the Snowball Edge device or use the snowballEdge reboot-device command.
snowballEdge delete-certificate --certificate-arn arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7
Example of delete-certificate output
The certificate has been deleted from your Snow device. Please reboot your Snowball Edge or Snowball Edge cluster to generate a new certificate.
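The following is an added example, not code from the AWS guide or the snowballEdge client, showing how a client-side script can consume the output of the list-certificates and get-certificate commands described above. It parses the list-certificates JSON and validates the ARN format, checks that the address you intend to use as the HTTPS endpoint appears in the certificate's SubjectAlternativeNames, extracts the PEM block from get-certificate output so it can be saved as a CA bundle, and computes time to expiry from the one-year validity the guide states. The sample command outputs, the output file name, and the generation timestamp are constructed placeholders, and the example assumes the JSON shape shown in the guide's list-certificates example.

```python
"""Client-side helper for Snowball Edge device certificates (added example; not AWS code).
Assumes list-certificates prints JSON shaped like the guide's example and that
get-certificate prints one PEM certificate block."""
import ipaddress
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `snowballEdge list-certificates` output, shaped like the
# guide's example; the ARN and address are placeholders, not a real device.
SAMPLE_LIST_OUTPUT = """{
  "Certificates" : [ {
    "CertificateArn" : "arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7",
    "SubjectAlternativeNames" : [ "192.0.2.0" ]
  } ]
}"""

# Constructed stand-in for `snowballEdge get-certificate` output. The body is NOT a
# real certificate; a real device prints base64-encoded DER between the markers.
SAMPLE_GET_OUTPUT = """-----BEGIN CERTIFICATE-----
MIIBexampleNOTAREALCERT
-----END CERTIFICATE-----
"""

ARN_RE = re.compile(r"^arn:aws:snowball-device:::certificate/[0-9A-Za-z]+$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----", re.S)
VALIDITY = timedelta(days=365)  # the guide states a certificate is valid for one year


def parse_list_output(text):
    """Return [(arn, [sans])] from list-certificates JSON; reject unexpected ARNs."""
    data = json.loads(text)
    result = []
    for cert in data.get("Certificates", []):
        arn = cert["CertificateArn"]
        if not ARN_RE.match(arn):
            raise ValueError(f"unexpected certificate ARN format: {arn!r}")
        result.append((arn, list(cert.get("SubjectAlternativeNames", []))))
    return result


def endpoint_matches_san(endpoint_host, sans):
    """True when the host used in the HTTPS endpoint appears in the SAN list.
    The device certificate carries the device's IP address; connecting by any other
    name or address fails TLS verification, which is the correct outcome rather than
    a reason to turn verification off."""
    try:
        host = ipaddress.ip_address(endpoint_host)
    except ValueError:  # not an IP literal: compare as a hostname
        return endpoint_host.lower() in (s.lower() for s in sans)
    for san in sans:
        try:
            if ipaddress.ip_address(san) == host:
                return True
        except ValueError:
            continue  # SAN is a DNS name, cannot equal an IP literal
    return False


def extract_pem(get_output):
    """Pull the single PEM block out of get-certificate output, ignoring any other
    text the client prints around it, so it can be written to a CA bundle file."""
    blocks = PEM_RE.findall(get_output)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    return blocks[0] + "\n"


def days_until_expiry(generated_at, now=None):
    """Days left on a certificate generated at `generated_at`, using the one-year
    validity the guide documents. A negative value means the device will issue a
    new certificate on the next reboot/unlock and the saved bundle must be refetched."""
    now = now or datetime.now(timezone.utc)
    return (generated_at + VALIDITY - now).days


if __name__ == "__main__":
    arn, sans = parse_list_output(SAMPLE_LIST_OUTPUT)[0]
    print("snowballEdge get-certificate --certificate-arn", arn)
    print("endpoint 192.0.2.0 matches SAN:", endpoint_matches_san("192.0.2.0", sans))
    with open("snowball-ca-bundle.pem", "w") as f:  # hypothetical output path
        f.write(extract_pem(SAMPLE_GET_OUTPUT))
    # Constructed generation date for illustration only.
    print("days left:", days_until_expiry(datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

Point the AWS CLI at the saved bundle with its --ca-bundle option (or the AWS_CA_BUNDLE environment variable) instead of disabling TLS verification. Because delete-certificate, a Renew certificate action in OpsHub, or expiry followed by a reboot all cause the device to issue a fresh certificate, any bundle built this way has to be fetched again after those events or connections will start failing verification.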