AWS::ACMPCA::Permission - AWS CloudFormation
SyntaxProperties
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

This is the new CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the AWS CloudFormation User Guide.

AWS::ACMPCA::Permission

Grants permissions to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com) to perform IssueCertificate, GetCertificate, and ListPermissions actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA.

About permissions

  • If the private CA and the certificates it issues reside in the same account, you can use AWS::ACMPCA::Permission to grant permissions for ACM to carry out automatic certificate renewals.

  • For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions.

  • If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with AWS Private CA.

Note

To update an AWS::ACMPCA::Permission resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties.

Syntax

To declare this entity in your CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::ACMPCA::Permission",
  "Properties" : {
      "Actions" : [ String, ... ],
      "CertificateAuthorityArn" : String,
      "Principal" : String,
      "SourceAccount" : String
    }
}

YAML

Type: AWS::ACMPCA::Permission
Properties:
  Actions: 
    - String
  CertificateAuthorityArn: String
  Principal: String
  SourceAccount: String

Properties

Actions

The private CA actions that can be performed by the designated AWS service. Supported actions are IssueCertificate, GetCertificate, and ListPermissions.

Required: Yes

Type: Array of String

Minimum: 1

Maximum: 3

Update requires: Replacement

CertificateAuthorityArn

The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

Required: Yes

Type: String

Pattern: arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*

Minimum: 5

Maximum: 200

Update requires: Replacement

Principal

The AWS service or entity that holds the permission. At this time, the only valid principal is acm.amazonaws.com.

Required: Yes

Type: String

Pattern: [^*]+

Minimum: 0

Maximum: 128

Update requires: Replacement

SourceAccount

The ID of the account that assigned the permission.

Required: No

Type: String

Pattern: [0-9]+

Minimum: 12

Maximum: 12

Update requires: Replacement