Amazon 私有 CA API 操作和权限

在设置您计划附加到 IAM 身份的访问控制和权限策略（基于身份的策略）时，可将下表作为参考。表中的第一列列出了每个 Amazon 私有 CA API 操作。您可以在策略的 Action 元素中指定操作。剩余的列将提供额外的信息。

Amazon 私有 CA API 操作	所需的权限	资源
CreateCertificateAuthority	`acm-pca:CreateCertificateAuthority` `acm-pca:TagCertificateAuthority`（仅在创建带有标签的 CA 时才需要。）	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
CreateCertificateAuthorityAuditReport	`acm-pca:CreateCertificateAuthorityAuditReport`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
CreatePermission	`acm-pca:CreatePermission`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
DeleteCertificateAuthority	`acm-pca:DeleteCertificateAuthority`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
DeletePermission	`acm-pca:DeletePermission`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
DeletePolicy	`acm-pca:DeletePolicy`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
DescribeCertificateAuthority	`acm-pca:DescribeCertificateAuthority`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
DescribeCertificateAuthorityAuditReport	`acm-pca:DescribeCertificateAuthorityAuditReport`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
GetCertificate	`acm-pca:GetCertificate`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
GetCertificateAuthorityCertificate	`acm-pca:GetCertificateAuthorityCertificate`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
GetCertificateAuthorityCsr	`acm-pca:GetCertificateAuthorityCsr`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
GetPolicy	`acm-pca:GetPolicy`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
ImportCertificateAuthorityCertificate	`acm-pca:ImportCertificateAuthorityCertificate`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
IssueCertificate	`acm-pca:IssueCertificate`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
ListCertificateAuthorities	`acm-pca:ListCertificateAuthorities`	不适用
ListPermissions	`acm-pca:ListPermissions`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
ListTags	`acm-pca:ListTags`	不适用
PutPolicy	`acm-pca:PutPolicy`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
RevokeCertificate	`acm-pca:RevokeCertificate`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
TagCertificateAuthority	`acm-pca:TagCertificateAuthority`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
UntagCertificateAuthority	`acm-pca:UntagCertificateAuthority`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`
UpdateCertificateAuthority	`acm-pca:UpdateCertificateAuthority`	`arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`

要提供访问权限，请为您的用户、组或角色添加权限：

通过身份提供商在 IAM 中托管的用户：

创建适用于身份联合验证的角色。按照《IAM 用户指南》中针对第三方身份提供商创建角色（联合身份验证）的说明进行操作。
IAM 用户：
- 创建您的用户可以担任的角色。按照《IAM 用户指南》中为 IAM 用户创建角色的说明进行操作。
- （不推荐使用）将策略直接附加到用户或将用户添加到用户组。按照《IAM 用户指南》中向用户添加权限（控制台）中的说明进行操作。

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

IAM

Amazon 托管策略