Enable Cross-account PCA Sharing - Amazon WorkSpaces

Private CA (PCA) cross-account sharing lets you grant other accounts permission to use a centralized CA, with the permissions managed through Amazon Resource Access Manager (RAM). The shared CA generates and issues certificates for those accounts, which removes the need to run a Private CA in every account. Private CA cross-account sharing can be used with AppStream 2.0 certificate-based authentication (CBA) within the same Amazon Web Services Region.

To use a shared Private CA resource with WorkSpaces Pools CBA, complete the following steps:

  1. Configure the Private CA for CBA in a centralized Amazon Web Services account. For more information, see Certificate-based authentication.

  2. Share the Private CA with the resource Amazon Web Services accounts in which WorkSpaces Pools resources use CBA. To do this, follow the steps in How to use Amazon RAM to share your ACM Private CA cross-account. You do not need to complete step 3 of that procedure, which creates a certificate. You can either share the Private CA with individual Amazon Web Services accounts, or share it through Amazon Organizations. If you share with individual accounts, you must accept the shared Private CA in each resource account by using the Amazon Resource Access Manager console or APIs.

    When configuring the share, confirm that the Amazon Resource Access Manager resource share for the Private CA in the resource account is using the AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority managed permission template. This template aligns with the PCA template used by the WorkSpaces Pools service role when issuing CBA certificates.

  3. After the share is successful, view the shared Private CA by using the Private CA console in the resource account.

  4. Use the API or CLI to associate the Private CA ARN with CBA in your WorkSpaces Pools directory. At this time, the WorkSpaces Pools console does not support selection of shared Private CA ARNs. For more information, see the Amazon WorkSpaces Service API Reference.
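Steps 2 through 4 as one AWS CLI script run from the resource account, added here as an example rather than taken from the WorkSpaces documentation. It assumes AWS CLI v2 with credentials for the resource account and the Region us-east-1; the CA ARN, account number and directory ID are placeholders. The helper functions check the CA ARN shape and Region and confirm that the resource share carries the managed permission named above before the CA is attached to the directory.

```shell
#!/bin/sh
# Added example, not from the WorkSpaces documentation. Run with the argument
# "apply" to execute the aws calls; without it only the helpers are defined.
set -eu

# Managed permission the resource share must use (from the docs above).
REQUIRED_PERM="AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"

# A Private CA ARN of the expected shape, in the expected Region: sharing only
# works within a single Region, so a wrong-Region ARN fails here, not later.
validate_ca_arn() {
  printf '%s' "$1" | grep -Eq \
    "^arn:aws(-[a-z]+)?:acm-pca:$2:[0-9]{12}:certificate-authority/[0-9a-f-]{36}$"
}

# Given JSON from `aws ram list-resource-share-permissions`, return 0 only if
# the share carries the required managed permission.
share_has_required_permission() {
  printf '%s' "$1" | grep -q "\"name\": *\"$REQUIRED_PERM\""
}

apply() {
  REGION="us-east-1"
  CA_ARN="arn:aws:acm-pca:$REGION:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555"  # placeholder
  DIRECTORY_ID="wsd-0123456789abcdef0"  # hypothetical WorkSpaces Pools directory ID

  validate_ca_arn "$CA_ARN" "$REGION" || { echo "CA ARN malformed or not in $REGION" >&2; exit 1; }

  # Step 2 (share with an individual account): accept the pending RAM invitation.
  INV=$(aws ram get-resource-share-invitations --region "$REGION" \
    --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn | [0]" --output text)
  if [ "$INV" != "None" ]; then
    aws ram accept-resource-share-invitation --region "$REGION" --resource-share-invitation-arn "$INV"
  fi

  # Confirm the share uses the permission template the service role expects.
  SHARE_ARN=$(aws ram list-resources --region "$REGION" --resource-owner OTHER-ACCOUNTS \
    --resource-arns "$CA_ARN" --query 'resources[0].resourceShareArn' --output text)
  PERMS=$(aws ram list-resource-share-permissions --region "$REGION" --resource-share-arn "$SHARE_ARN")
  share_has_required_permission "$PERMS" || { echo "share lacks $REQUIRED_PERM" >&2; exit 1; }

  # Step 3: the shared CA is now visible from the resource account.
  aws acm-pca list-certificate-authorities --region "$REGION" --resource-owner OTHER_ACCOUNTS \
    --query "CertificateAuthorities[?Arn=='$CA_ARN'].Status" --output text

  # Step 4: associate the shared CA with CBA on the WorkSpaces Pools directory.
  aws workspaces modify-certificate-based-auth-properties --region "$REGION" \
    --resource-id "$DIRECTORY_ID" \
    --certificate-based-auth-properties "Status=ENABLED,CertificateAuthorityArn=$CA_ARN"
}

if [ "${1:-}" = "apply" ]; then apply; fi
```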