View a markdown version of this page

Actions, resources, and condition keys for AWS Private Certificate Authority - Service Authorization Reference

Actions, resources, and condition keys for AWS Private Certificate Authority

AWS Private Certificate Authority (service prefix: acm-pca) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Private Certificate Authority

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateCertificateAuthority

acm-pca:CreateCertificateAuthority

Write

acm-pca:TagCertificateAuthority

Tagging, Write

CreateCertificateAuthorityAuditReport

acm-pca:CreateCertificateAuthorityAuditReport

Write

CreatePermission

acm-pca:CreatePermission

Permissions management, Write

DeleteCertificateAuthority

acm-pca:DeleteCertificateAuthority

Write

DeletePermission

acm-pca:DeletePermission

Permissions management, Write

DeletePolicy

acm-pca:DeletePolicy

Permissions management, Write

DescribeCertificateAuthority

acm-pca:DescribeCertificateAuthority

Read

DescribeCertificateAuthorityAuditReport

acm-pca:DescribeCertificateAuthorityAuditReport

Read

GetCertificate

acm-pca:GetCertificate

Read

GetCertificateAuthorityCertificate

acm-pca:GetCertificateAuthorityCertificate

Read

GetCertificateAuthorityCsr

acm-pca:GetCertificateAuthorityCsr

Read

GetPolicy

acm-pca:GetPolicy

Read

ImportCertificateAuthorityCertificate

acm-pca:ImportCertificateAuthorityCertificate

Write

IssueCertificate

acm-pca:IssueCertificate

Write

ListCertificateAuthorities

acm-pca:ListCertificateAuthorities

List

ListPermissions

acm-pca:ListPermissions

Read

ListTags

acm-pca:ListTags

Read

PutPolicy

acm-pca:PutPolicy

Permissions management, Write

RestoreCertificateAuthority

acm-pca:RestoreCertificateAuthority

Write

RevokeCertificate

acm-pca:RevokeCertificate

Write

TagCertificateAuthority

acm-pca:TagCertificateAuthority

Tagging, Write

UntagCertificateAuthority

acm-pca:UntagCertificateAuthority

Tagging, Write

UpdateCertificateAuthority

acm-pca:UpdateCertificateAuthority

Write

Actions defined by AWS Private Certificate Authority

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateCertificateAuthority

Grants permission to create an AWS Private CA and its associated private key and configuration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateCertificateAuthorityAuditReport

Grants permission to create an audit report for an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

CreatePermission

Grants permission to create a permission for an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeleteCertificateAuthority

Grants permission to delete an AWS Private CA and its associated private key and configuration

certificate-authority*

aws:ResourceTag/${TagKey}

Write

DeletePermission

Grants permission to delete a permission for an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DeletePolicy

Grants permission to delete the policy for an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

DescribeCertificateAuthority

Grants permission to return a list of the configuration and status fields contained in the specified AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Read

DescribeCertificateAuthorityAuditReport

Grants permission to return the status and information about an AWS Private CA audit report

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificate

Grants permission to retrieve an AWS Private CA certificate and certificate chain for the certificate authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificateAuthorityCertificate

Grants permission to retrieve an AWS Private CA certificate and certificate chain for the certificate authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetCertificateAuthorityCsr

Grants permission to retrieve an AWS Private CA certificate signing request (CSR) for the certificate-authority specified by an ARN

certificate-authority*

aws:ResourceTag/${TagKey}

Read

GetPolicy

Grants permission to retrieve the policy on an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Read

ImportCertificateAuthorityCertificate

Grants permission to import an SSL/TLS certificate into AWS Private CA for use as the CA certificate of an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

IssueCertificate

Grants permission to issue an AWS Private CA certificate

certificate-authority*

acm-pca:TemplateArn

aws:ResourceTag/${TagKey}

Write

ListCertificateAuthorities

Grants permission to retrieve a list of the AWS Private CA certificate authority ARNs, and a summary of the status of each CA in the calling account

List

ListPermissions

Grants permission to list the permissions that have been applied to the AWS Private CA certificate authority

certificate-authority*

aws:ResourceTag/${TagKey}

Read

ListTags

Grants permission to list the tags that have been applied to the AWS Private CA certificate authority

certificate-authority*

aws:ResourceTag/${TagKey}

Read

PutPolicy

Grants permission to put a policy on an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Permissions management, Write

RestoreCertificateAuthority

Grants permission to restore an AWS Private CA from the deleted state to the state it was in when deleted

certificate-authority*

aws:ResourceTag/${TagKey}

Write

RevokeCertificate

Grants permission to revoke a certificate issued by an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

TagCertificateAuthority

Grants permission to add one or more tags to an AWS Private CA

certificate-authority*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagCertificateAuthority

Grants permission to remove one or more tags from an AWS Private CA

certificate-authority*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateCertificateAuthority

Grants permission to update the configuration of an AWS Private CA

certificate-authority*

aws:ResourceTag/${TagKey}

Write

Resource types defined by AWS Private Certificate Authority

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

certificate-authority

arn:${Partition}:acm-pca:${Region}:${Account}:certificate-authority/${CertificateAuthorityId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Private Certificate Authority

AWS Private Certificate Authority defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

acm-pca:TemplateArn

Filters access by the arn of the certificate template used in Issue Certificate request

ARN

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString