aws-sdk-acmpca 1.24.0 → 1.29.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-acmpca.rb +5 -2
- data/lib/aws-sdk-acmpca/client.rb +728 -142
- data/lib/aws-sdk-acmpca/client_api.rb +80 -10
- data/lib/aws-sdk-acmpca/errors.rb +18 -0
- data/lib/aws-sdk-acmpca/resource.rb +2 -0
- data/lib/aws-sdk-acmpca/types.rb +475 -87
- data/lib/aws-sdk-acmpca/waiters.rb +2 -0
- metadata +4 -4
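--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 24ef41728a5b9602fb5acee2190b274b243fb63f72c7fbb778996857920c3b40
+data.tar.gz: dd5566472ef96b36e4a56284573c516f9e5ab697c7012a6ff227a8c28222fc67
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 16606d3e3cf1065e7fd1e10c85965c598d64b087da311304969edac638f880206f7b1647c34aa2f627338ccfe1f48c5652e104afeb50cb4edcf4da75f960e709
+data.tar.gz: 34c09ccf33cf377dbfca40b16b80378d62d2ee27acd154d4f238b08aaea273822e0560c31b212810042201536d6101182021136d603f9c46758f03d87478830c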
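--- a/data/lib/aws-sdk-acmpca.rb
+++ b/data/lib/aws-sdk-acmpca.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -5,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -43,9 +46,9 @@ require_relative 'aws-sdk-acmpca/customizations'
 #
 # See {Errors} for more information.
 #
-#
+# @!group service
 module Aws::ACMPCA
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.29.0'
 
 end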
@@ -1,3 +1,5 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
1
3
|
# WARNING ABOUT GENERATED CODE
|
2
4
|
#
|
3
5
|
# This file is generated. See the contributing guide for more information:
|
@@ -24,6 +26,7 @@ require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
|
|
24
26
|
require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
25
27
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
26
28
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
29
|
+
require 'aws-sdk-core/plugins/http_checksum.rb'
|
27
30
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
28
31
|
require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
|
29
32
|
|
@@ -69,6 +72,7 @@ module Aws::ACMPCA
|
|
69
72
|
add_plugin(Aws::Plugins::ClientMetricsPlugin)
|
70
73
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
71
74
|
add_plugin(Aws::Plugins::TransferEncoding)
|
75
|
+
add_plugin(Aws::Plugins::HttpChecksum)
|
72
76
|
add_plugin(Aws::Plugins::SignatureV4)
|
73
77
|
add_plugin(Aws::Plugins::Protocols::JsonRpc)
|
74
78
|
|
@@ -81,13 +85,28 @@ module Aws::ACMPCA
|
|
81
85
|
# * `Aws::Credentials` - Used for configuring static, non-refreshing
|
82
86
|
# credentials.
|
83
87
|
#
|
88
|
+
# * `Aws::SharedCredentials` - Used for loading static credentials from a
|
89
|
+
# shared file, such as `~/.aws/config`.
|
90
|
+
#
|
91
|
+
# * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
92
|
+
#
|
93
|
+
# * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
94
|
+
# assume a role after providing credentials via the web.
|
95
|
+
#
|
96
|
+
# * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
97
|
+
# access token generated from `aws login`.
|
98
|
+
#
|
99
|
+
# * `Aws::ProcessCredentials` - Used for loading credentials from a
|
100
|
+
# process that outputs to stdout.
|
101
|
+
#
|
84
102
|
# * `Aws::InstanceProfileCredentials` - Used for loading credentials
|
85
103
|
# from an EC2 IMDS on an EC2 instance.
|
86
104
|
#
|
87
|
-
# * `Aws::
|
88
|
-
#
|
105
|
+
# * `Aws::ECSCredentials` - Used for loading credentials from
|
106
|
+
# instances running in ECS.
|
89
107
|
#
|
90
|
-
# * `Aws::
|
108
|
+
# * `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
109
|
+
# from the Cognito Identity service.
|
91
110
|
#
|
92
111
|
# When `:credentials` are not configured directly, the following
|
93
112
|
# locations will be searched for credentials:
|
@@ -97,10 +116,10 @@ module Aws::ACMPCA
|
|
97
116
|
# * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
98
117
|
# * `~/.aws/credentials`
|
99
118
|
# * `~/.aws/config`
|
100
|
-
# * EC2 IMDS instance profile - When used by default, the timeouts
|
101
|
-
# very aggressive. Construct and pass an instance of
|
102
|
-
# `Aws::InstanceProfileCredentails`
|
103
|
-
# timeouts.
|
119
|
+
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
|
+
# are very aggressive. Construct and pass an instance of
|
121
|
+
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
+
# enable retries and extended timeouts.
|
104
123
|
#
|
105
124
|
# @option options [required, String] :region
|
106
125
|
# The AWS region to connect to. The configured `:region` is
|
@@ -161,7 +180,7 @@ module Aws::ACMPCA
|
|
161
180
|
# @option options [String] :endpoint
|
162
181
|
# The client endpoint is normally constructed from the `:region`
|
163
182
|
# option. You should only configure an `:endpoint` when connecting
|
164
|
-
# to test endpoints. This should be a valid HTTP(S) URI.
|
183
|
+
# to test or custom endpoints. This should be a valid HTTP(S) URI.
|
165
184
|
#
|
166
185
|
# @option options [Integer] :endpoint_cache_max_entries (1000)
|
167
186
|
# Used for the maximum size limit of the LRU cache storing endpoints data
|
@@ -331,6 +350,21 @@ module Aws::ACMPCA
|
|
331
350
|
# successful, this action returns the Amazon Resource Name (ARN) of the
|
332
351
|
# CA.
|
333
352
|
#
|
353
|
+
# ACM Private CAA assets that are stored in Amazon S3 can be protected
|
354
|
+
# with encryption. For more information, see [Encrypting Your CRLs][1].
|
355
|
+
#
|
356
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
357
|
+
# bucket that you specify. If the IAM principal making the call does not
|
358
|
+
# have permission to write to the bucket, then an exception is thrown.
|
359
|
+
# For more information, see [Configure Access to ACM Private CA][2].
|
360
|
+
#
|
361
|
+
# </note>
|
362
|
+
#
|
363
|
+
#
|
364
|
+
#
|
365
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
|
366
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
367
|
+
#
|
334
368
|
# @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
|
335
369
|
# Name and bit size of the private key algorithm, the name of the
|
336
370
|
# signing algorithm, and X.500 certificate subject information.
|
@@ -341,27 +375,28 @@ module Aws::ACMPCA
|
|
341
375
|
# ACM Private CA will write the CRL, and an optional CNAME alias that
|
342
376
|
# you can use to hide the name of your bucket in the **CRL Distribution
|
343
377
|
# Points** extension of your CA certificate. For more information, see
|
344
|
-
# the CrlConfiguration structure.
|
378
|
+
# the [CrlConfiguration][1] structure.
|
379
|
+
#
|
380
|
+
#
|
381
|
+
#
|
382
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
|
345
383
|
#
|
346
384
|
# @option params [required, String] :certificate_authority_type
|
347
385
|
# The type of the certificate authority.
|
348
386
|
#
|
349
387
|
# @option params [String] :idempotency_token
|
350
388
|
# Alphanumeric string that can be used to distinguish between calls to
|
351
|
-
# **CreateCertificateAuthority**.
|
352
|
-
#
|
353
|
-
#
|
354
|
-
#
|
355
|
-
#
|
356
|
-
# change the idempotency token for each call, however, ACM Private CA
|
357
|
-
# recognizes that you are requesting multiple certificates.
|
389
|
+
# **CreateCertificateAuthority**. For a given token, ACM Private CA
|
390
|
+
# creates exactly one CA. If you issue a subsequent call using the same
|
391
|
+
# token, ACM Private CA returns the ARN of the existing CA and takes no
|
392
|
+
# further action. If you change the idempotency token across multiple
|
393
|
+
# calls, ACM Private CA creates a unique CA for each unique token.
|
358
394
|
#
|
359
395
|
# @option params [Array<Types::Tag>] :tags
|
360
396
|
# Key-value pairs that will be attached to the new private CA. You can
|
361
397
|
# associate up to 50 tags with a private CA. For information using tags
|
362
|
-
# with
|
363
|
-
#
|
364
|
-
# IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
|
398
|
+
# with IAM to manage permissions, see [Controlling Access Using IAM
|
399
|
+
# Tags][1].
|
365
400
|
#
|
366
401
|
#
|
367
402
|
#
|
@@ -381,10 +416,10 @@ module Aws::ACMPCA
|
|
381
416
|
# country: "CountryCodeString",
|
382
417
|
# organization: "String64",
|
383
418
|
# organizational_unit: "String64",
|
384
|
-
# distinguished_name_qualifier: "
|
419
|
+
# distinguished_name_qualifier: "ASN1PrintableString64",
|
385
420
|
# state: "String128",
|
386
421
|
# common_name: "String64",
|
387
|
-
# serial_number: "
|
422
|
+
# serial_number: "ASN1PrintableString64",
|
388
423
|
# locality: "String128",
|
389
424
|
# title: "String64",
|
390
425
|
# surname: "String40",
|
@@ -427,8 +462,26 @@ module Aws::ACMPCA
|
|
427
462
|
|
428
463
|
# Creates an audit report that lists every time that your CA private key
|
429
464
|
# is used. The report is saved in the Amazon S3 bucket that you specify
|
430
|
-
# on input. The IssueCertificate and RevokeCertificate actions
|
431
|
-
# private key.
|
465
|
+
# on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions
|
466
|
+
# use the private key.
|
467
|
+
#
|
468
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
469
|
+
# bucket that you specify. If the IAM principal making the call does not
|
470
|
+
# have permission to write to the bucket, then an exception is thrown.
|
471
|
+
# For more information, see [Configure Access to ACM Private CA][3].
|
472
|
+
#
|
473
|
+
# </note>
|
474
|
+
#
|
475
|
+
# ACM Private CAA assets that are stored in Amazon S3 can be protected
|
476
|
+
# with encryption. For more information, see [Encrypting Your Audit
|
477
|
+
# Reports][4].
|
478
|
+
#
|
479
|
+
#
|
480
|
+
#
|
481
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
482
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
|
483
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
484
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
|
432
485
|
#
|
433
486
|
# @option params [required, String] :certificate_authority_arn
|
434
487
|
# The Amazon Resource Name (ARN) of the CA to be audited. This is of the
|
@@ -453,7 +506,7 @@ module Aws::ACMPCA
|
|
453
506
|
#
|
454
507
|
# resp = client.create_certificate_authority_audit_report({
|
455
508
|
# certificate_authority_arn: "Arn", # required
|
456
|
-
# s3_bucket_name: "
|
509
|
+
# s3_bucket_name: "S3BucketName", # required
|
457
510
|
# audit_report_response_format: "JSON", # required, accepts JSON, CSV
|
458
511
|
# })
|
459
512
|
#
|
@@ -471,26 +524,48 @@ module Aws::ACMPCA
|
|
471
524
|
req.send_request(options)
|
472
525
|
end
|
473
526
|
|
474
|
-
#
|
475
|
-
#
|
476
|
-
#
|
477
|
-
#
|
478
|
-
#
|
479
|
-
#
|
480
|
-
#
|
481
|
-
#
|
482
|
-
#
|
483
|
-
#
|
484
|
-
#
|
527
|
+
# Grants one or more permissions on a private CA to the AWS Certificate
|
528
|
+
# Manager (ACM) service principal (`acm.amazonaws.com`). These
|
529
|
+
# permissions allow ACM to issue and renew ACM certificates that reside
|
530
|
+
# in the same AWS account as the CA.
|
531
|
+
#
|
532
|
+
# You can list current permissions with the [ListPermissions][1] action
|
533
|
+
# and revoke them with the [DeletePermission][2] action.
|
534
|
+
#
|
535
|
+
# **About Permissions**
|
536
|
+
#
|
537
|
+
# * If the private CA and the certificates it issues reside in the same
|
538
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
539
|
+
# to carry out automatic certificate renewals.
|
540
|
+
#
|
541
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
542
|
+
# principal needs permissions to create, retrieve, and list
|
543
|
+
# certificates.
|
544
|
+
#
|
545
|
+
# * If the private CA and the ACM certificates reside in different
|
546
|
+
# accounts, then permissions cannot be used to enable automatic
|
547
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
548
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
549
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
550
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
551
|
+
#
|
552
|
+
#
|
553
|
+
#
|
554
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
555
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
485
556
|
#
|
486
557
|
# @option params [required, String] :certificate_authority_arn
|
487
558
|
# The Amazon Resource Name (ARN) of the CA that grants the permissions.
|
488
|
-
# You can find the ARN by calling the ListCertificateAuthorities
|
489
|
-
# This must have the following form:
|
559
|
+
# You can find the ARN by calling the [ListCertificateAuthorities][1]
|
560
|
+
# action. This must have the following form:
|
490
561
|
#
|
491
562
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
492
563
|
# `.
|
493
564
|
#
|
565
|
+
#
|
566
|
+
#
|
567
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
568
|
+
#
|
494
569
|
# @option params [required, String] :principal
|
495
570
|
# The AWS service or identity that receives the permission. At this
|
496
571
|
# time, the only valid principal is `acm.amazonaws.com`.
|
@@ -524,7 +599,8 @@ module Aws::ACMPCA
|
|
524
599
|
|
525
600
|
# Deletes a private certificate authority (CA). You must provide the
|
526
601
|
# Amazon Resource Name (ARN) of the private CA that you want to delete.
|
527
|
-
# You can find the ARN by calling the ListCertificateAuthorities
|
602
|
+
# You can find the ARN by calling the [ListCertificateAuthorities][1]
|
603
|
+
# action.
|
528
604
|
#
|
529
605
|
# <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
|
530
606
|
# your CA hierarchy.
|
@@ -532,7 +608,7 @@ module Aws::ACMPCA
|
|
532
608
|
# </note>
|
533
609
|
#
|
534
610
|
# Before you can delete a CA that you have created and activated, you
|
535
|
-
# must disable it. To do this, call the UpdateCertificateAuthority
|
611
|
+
# must disable it. To do this, call the [UpdateCertificateAuthority][2]
|
536
612
|
# action and set the **CertificateAuthorityStatus** parameter to
|
537
613
|
# `DISABLED`.
|
538
614
|
#
|
@@ -542,22 +618,35 @@ module Aws::ACMPCA
|
|
542
618
|
# signed certificate into ACM Private CA (that is, the status of the CA
|
543
619
|
# is `PENDING_CERTIFICATE`).
|
544
620
|
#
|
545
|
-
# When you successfully call DeleteCertificateAuthority, the CA's
|
621
|
+
# When you successfully call [DeleteCertificateAuthority][3], the CA's
|
546
622
|
# status changes to `DELETED`. However, the CA won't be permanently
|
547
623
|
# deleted until the restoration period has passed. By default, if you do
|
548
624
|
# not set the `PermanentDeletionTimeInDays` parameter, the CA remains
|
549
625
|
# restorable for 30 days. You can set the parameter from 7 to 30 days.
|
550
|
-
# The DescribeCertificateAuthority action returns the time
|
551
|
-
# the restoration window of a private CA in the `DELETED`
|
552
|
-
# restore an eligible CA, call the
|
626
|
+
# The [DescribeCertificateAuthority][4] action returns the time
|
627
|
+
# remaining in the restoration window of a private CA in the `DELETED`
|
628
|
+
# state. To restore an eligible CA, call the
|
629
|
+
# [RestoreCertificateAuthority][5] action.
|
630
|
+
#
|
631
|
+
#
|
632
|
+
#
|
633
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
634
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
|
635
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
|
636
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
|
637
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RestoreCertificateAuthority.html
|
553
638
|
#
|
554
639
|
# @option params [required, String] :certificate_authority_arn
|
555
640
|
# The Amazon Resource Name (ARN) that was returned when you called
|
556
|
-
# CreateCertificateAuthority. This must have the following form:
|
641
|
+
# [CreateCertificateAuthority][1]. This must have the following form:
|
557
642
|
#
|
558
643
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
559
644
|
# `.
|
560
645
|
#
|
646
|
+
#
|
647
|
+
#
|
648
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
649
|
+
#
|
561
650
|
# @option params [Integer] :permanent_deletion_time_in_days
|
562
651
|
# The number of days to make a CA restorable after it has been deleted.
|
563
652
|
# This can be anywhere from 7 to 30 days, with 30 being the default.
|
@@ -580,18 +669,52 @@ module Aws::ACMPCA
|
|
580
669
|
req.send_request(options)
|
581
670
|
end
|
582
671
|
|
583
|
-
# Revokes permissions
|
584
|
-
#
|
585
|
-
#
|
672
|
+
# Revokes permissions on a private CA granted to the AWS Certificate
|
673
|
+
# Manager (ACM) service principal (acm.amazonaws.com).
|
674
|
+
#
|
675
|
+
# These permissions allow ACM to issue and renew ACM certificates that
|
676
|
+
# reside in the same AWS account as the CA. If you revoke these
|
677
|
+
# permissions, ACM will no longer renew the affected certificates
|
678
|
+
# automatically.
|
679
|
+
#
|
680
|
+
# Permissions can be granted with the [CreatePermission][1] action and
|
681
|
+
# listed with the [ListPermissions][2] action.
|
682
|
+
#
|
683
|
+
# **About Permissions**
|
684
|
+
#
|
685
|
+
# * If the private CA and the certificates it issues reside in the same
|
686
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
687
|
+
# to carry out automatic certificate renewals.
|
688
|
+
#
|
689
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
690
|
+
# principal needs permissions to create, retrieve, and list
|
691
|
+
# certificates.
|
692
|
+
#
|
693
|
+
# * If the private CA and the ACM certificates reside in different
|
694
|
+
# accounts, then permissions cannot be used to enable automatic
|
695
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
696
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
697
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
698
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
699
|
+
#
|
700
|
+
#
|
701
|
+
#
|
702
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
703
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
586
704
|
#
|
587
705
|
# @option params [required, String] :certificate_authority_arn
|
588
706
|
# The Amazon Resource Number (ARN) of the private CA that issued the
|
589
707
|
# permissions. You can find the CA's ARN by calling the
|
590
|
-
# ListCertificateAuthorities action. This must have the following
|
708
|
+
# [ListCertificateAuthorities][1] action. This must have the following
|
709
|
+
# form:
|
591
710
|
#
|
592
711
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
593
712
|
# `.
|
594
713
|
#
|
714
|
+
#
|
715
|
+
#
|
716
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
717
|
+
#
|
595
718
|
# @option params [required, String] :principal
|
596
719
|
# The AWS service or identity that will have its CA permissions revoked.
|
597
720
|
# At this time, the only valid service principal is `acm.amazonaws.com`
|
@@ -618,10 +741,80 @@ module Aws::ACMPCA
|
|
618
741
|
req.send_request(options)
|
619
742
|
end
|
620
743
|
|
621
|
-
#
|
622
|
-
#
|
623
|
-
#
|
624
|
-
#
|
744
|
+
# Deletes the resource-based policy attached to a private CA. Deletion
|
745
|
+
# will remove any access that the policy has granted. If there is no
|
746
|
+
# policy attached to the private CA, this action will return successful.
|
747
|
+
#
|
748
|
+
# If you delete a policy that was applied through AWS Resource Access
|
749
|
+
# Manager (RAM), the CA will be removed from all shares in which it was
|
750
|
+
# included.
|
751
|
+
#
|
752
|
+
# The AWS Certificate Manager Service Linked Role that the policy
|
753
|
+
# supports is not affected when you delete the policy.
|
754
|
+
#
|
755
|
+
# The current policy can be shown with [GetPolicy][1] and updated with
|
756
|
+
# [PutPolicy][2].
|
757
|
+
#
|
758
|
+
# **About Policies**
|
759
|
+
#
|
760
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
761
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
762
|
+
# under the control of a CA administrator. For more information, see
|
763
|
+
# [Using a Resource Based Policy with ACM Private
|
764
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
765
|
+
#
|
766
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
767
|
+
# ACM certificates signed by a CA in another account.
|
768
|
+
#
|
769
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
770
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
771
|
+
# ACM service to assume the identity of the user, subject to
|
772
|
+
# confirmation against the ACM Private CA policy. For more
|
773
|
+
# information, see [Using a Service Linked Role with ACM][3].
|
774
|
+
#
|
775
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
776
|
+
# policies. For more information, see [Using AWS Resource Access
|
777
|
+
# Manager (RAM) with ACM Private
|
778
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
779
|
+
#
|
780
|
+
#
|
781
|
+
#
|
782
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
783
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
784
|
+
# [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
785
|
+
#
|
786
|
+
# @option params [required, String] :resource_arn
|
787
|
+
# The Amazon Resource Number (ARN) of the private CA that will have its
|
788
|
+
# policy deleted. You can find the CA's ARN by calling the
|
789
|
+
# [ListCertificateAuthorities][1] action. The ARN value must have the
|
790
|
+
# form
|
791
|
+
# `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
|
792
|
+
#
|
793
|
+
#
|
794
|
+
#
|
795
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
796
|
+
#
|
797
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
798
|
+
#
|
799
|
+
# @example Request syntax with placeholder values
|
800
|
+
#
|
801
|
+
# resp = client.delete_policy({
|
802
|
+
# resource_arn: "Arn", # required
|
803
|
+
# })
|
804
|
+
#
|
805
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicy AWS API Documentation
|
806
|
+
#
|
807
|
+
# @overload delete_policy(params = {})
|
808
|
+
# @param [Hash] params ({})
|
809
|
+
def delete_policy(params = {}, options = {})
|
810
|
+
req = build_request(:delete_policy, params)
|
811
|
+
req.send_request(options)
|
812
|
+
end
|
813
|
+
|
814
|
+
# Lists information about your private certificate authority (CA) or one
|
815
|
+
# that has been shared with you. You specify the private CA on input by
|
816
|
+
# its ARN (Amazon Resource Name). The output contains the status of your
|
817
|
+
# CA. This can be any of the following:
|
625
818
|
#
|
626
819
|
# * `CREATING` - ACM Private CA is creating your private certificate
|
627
820
|
# authority.
|
@@ -647,11 +840,15 @@ module Aws::ACMPCA
|
|
647
840
|
#
|
648
841
|
# @option params [required, String] :certificate_authority_arn
|
649
842
|
# The Amazon Resource Name (ARN) that was returned when you called
|
650
|
-
# CreateCertificateAuthority. This must be of the form:
|
843
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
651
844
|
#
|
652
845
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
653
846
|
# `.
|
654
847
|
#
|
848
|
+
#
|
849
|
+
#
|
850
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
851
|
+
#
|
655
852
|
# @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
656
853
|
#
|
657
854
|
# * {Types::DescribeCertificateAuthorityResponse#certificate_authority #certificate_authority} => Types::CertificateAuthority
|
@@ -665,6 +862,7 @@ module Aws::ACMPCA
|
|
665
862
|
# @example Response structure
|
666
863
|
#
|
667
864
|
# resp.certificate_authority.arn #=> String
|
865
|
+
# resp.certificate_authority.owner_account #=> String
|
668
866
|
# resp.certificate_authority.created_at #=> Time
|
669
867
|
# resp.certificate_authority.last_state_change_at #=> Time
|
670
868
|
# resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
|
@@ -705,10 +903,16 @@ module Aws::ACMPCA
|
|
705
903
|
end
|
706
904
|
|
707
905
|
# Lists information about a specific audit report created by calling the
|
708
|
-
# CreateCertificateAuthorityAuditReport action. Audit information
|
709
|
-
# created every time the certificate authority (CA) private key is
|
710
|
-
# The private key is used when you call the IssueCertificate
|
711
|
-
# the RevokeCertificate action.
|
906
|
+
# [CreateCertificateAuthorityAuditReport][1] action. Audit information
|
907
|
+
# is created every time the certificate authority (CA) private key is
|
908
|
+
# used. The private key is used when you call the [IssueCertificate][2]
|
909
|
+
# action or the [RevokeCertificate][3] action.
|
910
|
+
#
|
911
|
+
#
|
912
|
+
#
|
913
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
914
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
915
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
|
712
916
|
#
|
713
917
|
# @option params [required, String] :certificate_authority_arn
|
714
918
|
# The Amazon Resource Name (ARN) of the private CA. This must be of the
|
@@ -719,7 +923,11 @@ module Aws::ACMPCA
|
|
719
923
|
#
|
720
924
|
# @option params [required, String] :audit_report_id
|
721
925
|
# The report ID returned by calling the
|
722
|
-
# CreateCertificateAuthorityAuditReport action.
|
926
|
+
# [CreateCertificateAuthorityAuditReport][1] action.
|
927
|
+
#
|
928
|
+
#
|
929
|
+
#
|
930
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
723
931
|
#
|
724
932
|
# @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
725
933
|
#
|
@@ -756,22 +964,32 @@ module Aws::ACMPCA
|
|
756
964
|
req.send_request(options)
|
757
965
|
end
|
758
966
|
|
759
|
-
# Retrieves a certificate from your private CA
|
760
|
-
# certificate is returned when you call
|
761
|
-
#
|
762
|
-
#
|
763
|
-
# retrieve the certificate if it is
|
764
|
-
#
|
765
|
-
#
|
766
|
-
#
|
967
|
+
# Retrieves a certificate from your private CA or one that has been
|
968
|
+
# shared with you. The ARN of the certificate is returned when you call
|
969
|
+
# the [IssueCertificate][1] action. You must specify both the ARN of
|
970
|
+
# your private CA and the ARN of the issued certificate when calling the
|
971
|
+
# **GetCertificate** action. You can retrieve the certificate if it is
|
972
|
+
# in the **ISSUED** state. You can call the
|
973
|
+
# [CreateCertificateAuthorityAuditReport][2] action to create a report
|
974
|
+
# that contains information about all of the certificates issued and
|
975
|
+
# revoked by your private CA.
|
976
|
+
#
|
977
|
+
#
|
978
|
+
#
|
979
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
980
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
767
981
|
#
|
768
982
|
# @option params [required, String] :certificate_authority_arn
|
769
983
|
# The Amazon Resource Name (ARN) that was returned when you called
|
770
|
-
# CreateCertificateAuthority. This must be of the form:
|
984
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
771
985
|
#
|
772
986
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
773
987
|
# `.
|
774
988
|
#
|
989
|
+
#
|
990
|
+
#
|
991
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
992
|
+
#
|
775
993
|
# @option params [required, String] :certificate_arn
|
776
994
|
# The ARN of the issued certificate. The ARN contains the certificate
|
777
995
|
# serial number and must be in the following form:
|
@@ -811,9 +1029,10 @@ module Aws::ACMPCA
|
|
811
1029
|
end
|
812
1030
|
|
813
1031
|
# Retrieves the certificate and certificate chain for your private
|
814
|
-
# certificate authority (CA)
|
815
|
-
# base64 PEM-encoded. The chain does
|
816
|
-
# Each certificate in the chain signs
|
1032
|
+
# certificate authority (CA) or one that has been shared with you. Both
|
1033
|
+
# the certificate and the chain are base64 PEM-encoded. The chain does
|
1034
|
+
# not include the CA certificate. Each certificate in the chain signs
|
1035
|
+
# the one before it.
|
817
1036
|
#
|
818
1037
|
# @option params [required, String] :certificate_authority_arn
|
819
1038
|
# The Amazon Resource Name (ARN) of your private CA. This is of the
|
@@ -849,19 +1068,28 @@ module Aws::ACMPCA
|
|
849
1068
|
|
850
1069
|
# Retrieves the certificate signing request (CSR) for your private
|
851
1070
|
# certificate authority (CA). The CSR is created when you call the
|
852
|
-
# CreateCertificateAuthority action. Sign the CSR with your ACM
|
853
|
-
# CA-hosted or on-premises root or subordinate CA. Then import
|
854
|
-
# signed certificate back into ACM Private CA by calling the
|
855
|
-
# ImportCertificateAuthorityCertificate action. The CSR is returned
|
856
|
-
# base64 PEM-encoded string.
|
1071
|
+
# [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
|
1072
|
+
# Private CA-hosted or on-premises root or subordinate CA. Then import
|
1073
|
+
# the signed certificate back into ACM Private CA by calling the
|
1074
|
+
# [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
|
1075
|
+
# as a base64 PEM-encoded string.
|
1076
|
+
#
|
1077
|
+
#
|
1078
|
+
#
|
1079
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1080
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
857
1081
|
#
|
858
1082
|
# @option params [required, String] :certificate_authority_arn
|
859
1083
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
860
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1084
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
861
1085
|
#
|
862
1086
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
863
1087
|
# `
|
864
1088
|
#
|
1089
|
+
#
|
1090
|
+
#
|
1091
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1092
|
+
#
|
865
1093
|
# @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
866
1094
|
#
|
867
1095
|
# * {Types::GetCertificateAuthorityCsrResponse#csr #csr} => String
|
@@ -890,20 +1118,83 @@ module Aws::ACMPCA
|
|
890
1118
|
req.send_request(options)
|
891
1119
|
end
|
892
1120
|
|
1121
|
+
# Retrieves the resource-based policy attached to a private CA. If
|
1122
|
+
# either the private CA resource or the policy cannot be found, this
|
1123
|
+
# action returns a `ResourceNotFoundException`.
|
1124
|
+
#
|
1125
|
+
# The policy can be attached or updated with [PutPolicy][1] and removed
|
1126
|
+
# with
|
1127
|
+
# [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
|
1128
|
+
#
|
1129
|
+
# **About Policies**
|
1130
|
+
#
|
1131
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
1132
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1133
|
+
# under the control of a CA administrator. For more information, see
|
1134
|
+
# [Using a Resource Based Policy with ACM Private
|
1135
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1136
|
+
#
|
1137
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1138
|
+
# ACM certificates signed by a CA in another account.
|
1139
|
+
#
|
1140
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1141
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1142
|
+
# ACM service to assume the identity of the user, subject to
|
1143
|
+
# confirmation against the ACM Private CA policy. For more
|
1144
|
+
# information, see [Using a Service Linked Role with ACM][2].
|
1145
|
+
#
|
1146
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1147
|
+
# policies. For more information, see [Using AWS Resource Access
|
1148
|
+
# Manager (RAM) with ACM Private
|
1149
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1150
|
+
#
|
1151
|
+
#
|
1152
|
+
#
|
1153
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
1154
|
+
# [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1155
|
+
#
|
1156
|
+
# @option params [required, String] :resource_arn
|
1157
|
+
# The Amazon Resource Number (ARN) of the private CA that will have its
|
1158
|
+
# policy retrieved. You can find the CA's ARN by calling the
|
1159
|
+
# ListCertificateAuthorities action.
|
1160
|
+
#
|
1161
|
+
# @return [Types::GetPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1162
|
+
#
|
1163
|
+
# * {Types::GetPolicyResponse#policy #policy} => String
|
1164
|
+
#
|
1165
|
+
# @example Request syntax with placeholder values
|
1166
|
+
#
|
1167
|
+
# resp = client.get_policy({
|
1168
|
+
# resource_arn: "Arn", # required
|
1169
|
+
# })
|
1170
|
+
#
|
1171
|
+
# @example Response structure
|
1172
|
+
#
|
1173
|
+
# resp.policy #=> String
|
1174
|
+
#
|
1175
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicy AWS API Documentation
|
1176
|
+
#
|
1177
|
+
# @overload get_policy(params = {})
|
1178
|
+
# @param [Hash] params ({})
|
1179
|
+
def get_policy(params = {}, options = {})
|
1180
|
+
req = build_request(:get_policy, params)
|
1181
|
+
req.send_request(options)
|
1182
|
+
end
|
1183
|
+
|
893
1184
|
# Imports a signed private CA certificate into ACM Private CA. This
|
894
1185
|
# action is used when you are using a chain of trust whose root is
|
895
1186
|
# located outside ACM Private CA. Before you can call this action, the
|
896
1187
|
# following preparations must in place:
|
897
1188
|
#
|
898
|
-
# 1. In ACM Private CA, call the CreateCertificateAuthority action
|
899
|
-
# create the private CA that that you plan to back with the
|
900
|
-
# certificate.
|
1189
|
+
# 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
|
1190
|
+
# to create the private CA that that you plan to back with the
|
1191
|
+
# imported certificate.
|
901
1192
|
#
|
902
|
-
# 2. Call the GetCertificateAuthorityCsr action to generate a
|
1193
|
+
# 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
|
903
1194
|
# certificate signing request (CSR).
|
904
1195
|
#
|
905
|
-
# 3. Sign the CSR using a root or intermediate CA hosted either
|
906
|
-
# on-premises PKI hierarchy or a commercial CA
|
1196
|
+
# 3. Sign the CSR using a root or intermediate CA hosted by either an
|
1197
|
+
# on-premises PKI hierarchy or by a commercial CA.
|
907
1198
|
#
|
908
1199
|
# 4. Create a certificate chain and copy the signed certificate and the
|
909
1200
|
# certificate chain to your working directory.
|
@@ -927,19 +1218,76 @@ module Aws::ACMPCA
|
|
927
1218
|
#
|
928
1219
|
# * The chain must be PEM-encoded.
|
929
1220
|
#
|
1221
|
+
# * The maximum allowed size of a certificate is 32 KB.
|
1222
|
+
#
|
1223
|
+
# * The maximum allowed size of a certificate chain is 2 MB.
|
1224
|
+
#
|
1225
|
+
# *Enforcement of Critical Constraints*
|
1226
|
+
#
|
1227
|
+
# ACM Private CA allows the following extensions to be marked critical
|
1228
|
+
# in the imported CA certificate or chain.
|
1229
|
+
#
|
1230
|
+
# * Basic constraints (*must* be marked critical)
|
1231
|
+
#
|
1232
|
+
# * Subject alternative names
|
1233
|
+
#
|
1234
|
+
# * Key usage
|
1235
|
+
#
|
1236
|
+
# * Extended key usage
|
1237
|
+
#
|
1238
|
+
# * Authority key identifier
|
1239
|
+
#
|
1240
|
+
# * Subject key identifier
|
1241
|
+
#
|
1242
|
+
# * Issuer alternative name
|
1243
|
+
#
|
1244
|
+
# * Subject directory attributes
|
1245
|
+
#
|
1246
|
+
# * Subject information access
|
1247
|
+
#
|
1248
|
+
# * Certificate policies
|
1249
|
+
#
|
1250
|
+
# * Policy mappings
|
1251
|
+
#
|
1252
|
+
# * Inhibit anyPolicy
|
1253
|
+
#
|
1254
|
+
# ACM Private CA rejects the following extensions when they are marked
|
1255
|
+
# critical in an imported CA certificate or chain.
|
1256
|
+
#
|
1257
|
+
# * Name constraints
|
1258
|
+
#
|
1259
|
+
# * Policy constraints
|
1260
|
+
#
|
1261
|
+
# * CRL distribution points
|
1262
|
+
#
|
1263
|
+
# * Authority information access
|
1264
|
+
#
|
1265
|
+
# * Freshest CRL
|
1266
|
+
#
|
1267
|
+
# * Any other extension
|
1268
|
+
#
|
1269
|
+
#
|
1270
|
+
#
|
1271
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1272
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCsr.html
|
1273
|
+
#
|
930
1274
|
# @option params [required, String] :certificate_authority_arn
|
931
1275
|
# The Amazon Resource Name (ARN) that was returned when you called
|
932
|
-
# CreateCertificateAuthority. This must be of the form:
|
1276
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
933
1277
|
#
|
934
1278
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
935
1279
|
# `
|
936
1280
|
#
|
937
|
-
#
|
1281
|
+
#
|
1282
|
+
#
|
1283
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1284
|
+
#
|
1285
|
+
# @option params [required, String, StringIO, File] :certificate
|
938
1286
|
# The PEM-encoded certificate for a private CA. This may be a
|
939
1287
|
# self-signed certificate in the case of a root CA, or it may be signed
|
940
1288
|
# by another CA that you control.
|
941
1289
|
#
|
942
|
-
# @option params [String,
|
1290
|
+
# @option params [String, StringIO, File] :certificate_chain
|
943
1291
|
# A PEM-encoded file that contains all of your certificates, other than
|
944
1292
|
# the certificate you're importing, chaining up to your root CA. Your
|
945
1293
|
# ACM Private CA-hosted or on-premises root certificate is the last in
|
@@ -967,10 +1315,11 @@ module Aws::ACMPCA
|
|
967
1315
|
req.send_request(options)
|
968
1316
|
end
|
969
1317
|
|
970
|
-
# Uses your private certificate authority (CA)
|
971
|
-
#
|
972
|
-
#
|
973
|
-
#
|
1318
|
+
# Uses your private certificate authority (CA), or one that has been
|
1319
|
+
# shared with you, to issue a client certificate. This action returns
|
1320
|
+
# the Amazon Resource Name (ARN) of the certificate. You can retrieve
|
1321
|
+
# the certificate by calling the [GetCertificate][1] action and
|
1322
|
+
# specifying the ARN.
|
974
1323
|
#
|
975
1324
|
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
|
976
1325
|
# retrieve the ARNs of the certificates that you issue by using ACM
|
@@ -978,14 +1327,22 @@ module Aws::ACMPCA
|
|
978
1327
|
#
|
979
1328
|
# </note>
|
980
1329
|
#
|
1330
|
+
#
|
1331
|
+
#
|
1332
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
|
1333
|
+
#
|
981
1334
|
# @option params [required, String] :certificate_authority_arn
|
982
1335
|
# The Amazon Resource Name (ARN) that was returned when you called
|
983
|
-
# CreateCertificateAuthority. This must be of the form:
|
1336
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
984
1337
|
#
|
985
1338
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
986
1339
|
# `
|
987
1340
|
#
|
988
|
-
#
|
1341
|
+
#
|
1342
|
+
#
|
1343
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1344
|
+
#
|
1345
|
+
# @option params [required, String, StringIO, File] :csr
|
989
1346
|
# The certificate signing request (CSR) for the certificate you want to
|
990
1347
|
# issue. You can use the following OpenSSL command to create the CSR and
|
991
1348
|
# a 2048 bit RSA private key.
|
@@ -1001,20 +1358,52 @@ module Aws::ACMPCA
|
|
1001
1358
|
# rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
|
1002
1359
|
# csr/test_cert_.csr`
|
1003
1360
|
#
|
1361
|
+
# Note: A CSR must provide either a *subject name* or a *subject
|
1362
|
+
# alternative name* or the request will be rejected.
|
1363
|
+
#
|
1004
1364
|
# @option params [required, String] :signing_algorithm
|
1005
1365
|
# The name of the algorithm that will be used to sign the certificate to
|
1006
1366
|
# be issued.
|
1007
1367
|
#
|
1368
|
+
# This parameter should not be confused with the `SigningAlgorithm`
|
1369
|
+
# parameter used to sign a CSR.
|
1370
|
+
#
|
1008
1371
|
# @option params [String] :template_arn
|
1009
1372
|
# Specifies a custom configuration template to use when issuing a
|
1010
1373
|
# certificate. If this parameter is not provided, ACM Private CA
|
1011
|
-
# defaults to the `EndEntityCertificate/V1` template.
|
1374
|
+
# defaults to the `EndEntityCertificate/V1` template. For CA
|
1375
|
+
# certificates, you should choose the shortest path length that meets
|
1376
|
+
# your needs. The path length is indicated by the PathLen*N* portion of
|
1377
|
+
# the ARN, where *N* is the [CA depth][1].
|
1378
|
+
#
|
1379
|
+
# Note: The CA depth configured on a subordinate CA certificate must not
|
1380
|
+
# exceed the limit set by its parents in the CA hierarchy.
|
1012
1381
|
#
|
1013
1382
|
# The following service-owned `TemplateArn` values are supported by ACM
|
1014
1383
|
# Private CA:
|
1015
1384
|
#
|
1385
|
+
# * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
|
1386
|
+
#
|
1387
|
+
# * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
|
1388
|
+
#
|
1016
1389
|
# * arn:aws:acm-pca:::template/EndEntityCertificate/V1
|
1017
1390
|
#
|
1391
|
+
# * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
|
1392
|
+
#
|
1393
|
+
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
|
1394
|
+
#
|
1395
|
+
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
|
1396
|
+
#
|
1397
|
+
# * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
|
1398
|
+
#
|
1399
|
+
# * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
|
1400
|
+
#
|
1401
|
+
# * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
|
1402
|
+
#
|
1403
|
+
# * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
|
1404
|
+
#
|
1405
|
+
# * arn:aws:acm-pca:::template/RootCACertificate/V1
|
1406
|
+
#
|
1018
1407
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
|
1019
1408
|
#
|
1020
1409
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
|
@@ -1023,16 +1412,23 @@ module Aws::ACMPCA
|
|
1023
1412
|
#
|
1024
1413
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
|
1025
1414
|
#
|
1026
|
-
#
|
1027
|
-
#
|
1028
|
-
# For more information, see [Using Templates][1].
|
1415
|
+
# For more information, see [Using Templates][2].
|
1029
1416
|
#
|
1030
1417
|
#
|
1031
1418
|
#
|
1032
|
-
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/
|
1419
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
|
1420
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
|
1033
1421
|
#
|
1034
1422
|
# @option params [required, Types::Validity] :validity
|
1035
|
-
#
|
1423
|
+
# Information describing the validity period of the certificate.
|
1424
|
+
#
|
1425
|
+
# When issuing a certificate, ACM Private CA sets the "Not Before"
|
1426
|
+
# date in the validity field to date and time minus 60 minutes. This is
|
1427
|
+
# intended to compensate for time inconsistencies across systems of 60
|
1428
|
+
# minutes or less.
|
1429
|
+
#
|
1430
|
+
# The validity period configured on a certificate must not exceed the
|
1431
|
+
# limit set by its parents in the CA hierarchy.
|
1036
1432
|
#
|
1037
1433
|
# @option params [String] :idempotency_token
|
1038
1434
|
# Custom string that can be used to distinguish between calls to the
|
@@ -1075,7 +1471,11 @@ module Aws::ACMPCA
|
|
1075
1471
|
end
|
1076
1472
|
|
1077
1473
|
# Lists the private certificate authorities that you created by using
|
1078
|
-
# the CreateCertificateAuthority action.
|
1474
|
+
# the [CreateCertificateAuthority][1] action.
|
1475
|
+
#
|
1476
|
+
#
|
1477
|
+
#
|
1478
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1079
1479
|
#
|
1080
1480
|
# @option params [String] :next_token
|
1081
1481
|
# Use this parameter when paginating results in a subsequent request
|
@@ -1090,6 +1490,10 @@ module Aws::ACMPCA
|
|
1090
1490
|
# sent in the response. Use this `NextToken` value in a subsequent
|
1091
1491
|
# request to retrieve additional items.
|
1092
1492
|
#
|
1493
|
+
# @option params [String] :resource_owner
|
1494
|
+
# Use this parameter to filter the returned set of certificate
|
1495
|
+
# authorities based on their owner. The default is SELF.
|
1496
|
+
#
|
1093
1497
|
# @return [Types::ListCertificateAuthoritiesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1094
1498
|
#
|
1095
1499
|
# * {Types::ListCertificateAuthoritiesResponse#certificate_authorities #certificate_authorities} => Array<Types::CertificateAuthority>
|
@@ -1102,12 +1506,14 @@ module Aws::ACMPCA
|
|
1102
1506
|
# resp = client.list_certificate_authorities({
|
1103
1507
|
# next_token: "NextToken",
|
1104
1508
|
# max_results: 1,
|
1509
|
+
# resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS
|
1105
1510
|
# })
|
1106
1511
|
#
|
1107
1512
|
# @example Response structure
|
1108
1513
|
#
|
1109
1514
|
# resp.certificate_authorities #=> Array
|
1110
1515
|
# resp.certificate_authorities[0].arn #=> String
|
1516
|
+
# resp.certificate_authorities[0].owner_account #=> String
|
1111
1517
|
# resp.certificate_authorities[0].created_at #=> Time
|
1112
1518
|
# resp.certificate_authorities[0].last_state_change_at #=> Time
|
1113
1519
|
# resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
|
@@ -1148,17 +1554,48 @@ module Aws::ACMPCA
|
|
1148
1554
|
req.send_request(options)
|
1149
1555
|
end
|
1150
1556
|
|
1151
|
-
#
|
1152
|
-
#
|
1153
|
-
#
|
1557
|
+
# List all permissions on a private CA, if any, granted to the AWS
|
1558
|
+
# Certificate Manager (ACM) service principal (acm.amazonaws.com).
|
1559
|
+
#
|
1560
|
+
# These permissions allow ACM to issue and renew ACM certificates that
|
1561
|
+
# reside in the same AWS account as the CA.
|
1562
|
+
#
|
1563
|
+
# Permissions can be granted with the [CreatePermission][1] action and
|
1564
|
+
# revoked with the [DeletePermission][2] action.
|
1565
|
+
#
|
1566
|
+
# **About Permissions**
|
1567
|
+
#
|
1568
|
+
# * If the private CA and the certificates it issues reside in the same
|
1569
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
1570
|
+
# to carry out automatic certificate renewals.
|
1571
|
+
#
|
1572
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
1573
|
+
# principal needs permissions to create, retrieve, and list
|
1574
|
+
# certificates.
|
1575
|
+
#
|
1576
|
+
# * If the private CA and the ACM certificates reside in different
|
1577
|
+
# accounts, then permissions cannot be used to enable automatic
|
1578
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
1579
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
1580
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
1581
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
1582
|
+
#
|
1583
|
+
#
|
1584
|
+
#
|
1585
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
1586
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
1154
1587
|
#
|
1155
1588
|
# @option params [required, String] :certificate_authority_arn
|
1156
1589
|
# The Amazon Resource Number (ARN) of the private CA to inspect. You can
|
1157
|
-
# find the ARN by calling the ListCertificateAuthorities action.
|
1158
|
-
# must be of the form:
|
1590
|
+
# find the ARN by calling the [ListCertificateAuthorities][1] action.
|
1591
|
+
# This must be of the form:
|
1159
1592
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
|
1160
1593
|
# You can get a private CA's ARN by running the
|
1161
|
-
# ListCertificateAuthorities action.
|
1594
|
+
# [ListCertificateAuthorities][1] action.
|
1595
|
+
#
|
1596
|
+
#
|
1597
|
+
#
|
1598
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1162
1599
|
#
|
1163
1600
|
# @option params [String] :next_token
|
1164
1601
|
# When paginating results, use this parameter in a subsequent request
|
@@ -1208,19 +1645,29 @@ module Aws::ACMPCA
|
|
1208
1645
|
req.send_request(options)
|
1209
1646
|
end
|
1210
1647
|
|
1211
|
-
# Lists the tags, if any, that are associated with your private CA
|
1212
|
-
# are labels that you can use to
|
1213
|
-
# tag consists of a key and an
|
1214
|
-
#
|
1215
|
-
#
|
1648
|
+
# Lists the tags, if any, that are associated with your private CA or
|
1649
|
+
# one that has been shared with you. Tags are labels that you can use to
|
1650
|
+
# identify and organize your CAs. Each tag consists of a key and an
|
1651
|
+
# optional value. Call the [TagCertificateAuthority][1] action to add
|
1652
|
+
# one or more tags to your CA. Call the [UntagCertificateAuthority][2]
|
1653
|
+
# action to remove tags.
|
1654
|
+
#
|
1655
|
+
#
|
1656
|
+
#
|
1657
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
|
1658
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
|
1216
1659
|
#
|
1217
1660
|
# @option params [required, String] :certificate_authority_arn
|
1218
1661
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1219
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1662
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
1220
1663
|
#
|
1221
1664
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1222
1665
|
# `
|
1223
1666
|
#
|
1667
|
+
#
|
1668
|
+
#
|
1669
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1670
|
+
#
|
1224
1671
|
# @option params [String] :next_token
|
1225
1672
|
# Use this parameter when paginating results in a subsequent request
|
1226
1673
|
# after you receive a response with truncated results. Set it to the
|
@@ -1264,30 +1711,121 @@ module Aws::ACMPCA
|
|
1264
1711
|
req.send_request(options)
|
1265
1712
|
end
|
1266
1713
|
|
1714
|
+
# Attaches a resource-based policy to a private CA.
|
1715
|
+
#
|
1716
|
+
# A policy can also be applied by [sharing][1] a private CA through AWS
|
1717
|
+
# Resource Access Manager (RAM).
|
1718
|
+
#
|
1719
|
+
# The policy can be displayed with [GetPolicy][2] and removed with
|
1720
|
+
# [DeletePolicy][3].
|
1721
|
+
#
|
1722
|
+
# **About Policies**
|
1723
|
+
#
|
1724
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
1725
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1726
|
+
# under the control of a CA administrator. For more information, see
|
1727
|
+
# [Using a Resource Based Policy with ACM Private
|
1728
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1729
|
+
#
|
1730
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1731
|
+
# ACM certificates signed by a CA in another account.
|
1732
|
+
#
|
1733
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1734
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1735
|
+
# ACM service to assume the identity of the user, subject to
|
1736
|
+
# confirmation against the ACM Private CA policy. For more
|
1737
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
1738
|
+
#
|
1739
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1740
|
+
# policies. For more information, see [Using AWS Resource Access
|
1741
|
+
# Manager (RAM) with ACM Private
|
1742
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1743
|
+
#
|
1744
|
+
#
|
1745
|
+
#
|
1746
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
|
1747
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
1748
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
|
1749
|
+
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1750
|
+
#
|
1751
|
+
# @option params [required, String] :resource_arn
|
1752
|
+
# The Amazon Resource Number (ARN) of the private CA to associate with
|
1753
|
+
# the policy. The ARN of the CA can be found by calling the
|
1754
|
+
# [ListCertificateAuthorities][1] action.
|
1755
|
+
#
|
1756
|
+
#
|
1757
|
+
#
|
1758
|
+
#
|
1759
|
+
#
|
1760
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1761
|
+
#
|
1762
|
+
# @option params [required, String] :policy
|
1763
|
+
# The path and filename of a JSON-formatted IAM policy to attach to the
|
1764
|
+
# specified private CA resource. If this policy does not contain all
|
1765
|
+
# required statements or if it includes any statement that is not
|
1766
|
+
# allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
|
1767
|
+
# For information about IAM policy and statement structure, see
|
1768
|
+
# [Overview of JSON Policies][1].
|
1769
|
+
#
|
1770
|
+
#
|
1771
|
+
#
|
1772
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
|
1773
|
+
#
|
1774
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1775
|
+
#
|
1776
|
+
# @example Request syntax with placeholder values
|
1777
|
+
#
|
1778
|
+
# resp = client.put_policy({
|
1779
|
+
# resource_arn: "Arn", # required
|
1780
|
+
# policy: "AWSPolicy", # required
|
1781
|
+
# })
|
1782
|
+
#
|
1783
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicy AWS API Documentation
|
1784
|
+
#
|
1785
|
+
# @overload put_policy(params = {})
|
1786
|
+
# @param [Hash] params ({})
|
1787
|
+
def put_policy(params = {}, options = {})
|
1788
|
+
req = build_request(:put_policy, params)
|
1789
|
+
req.send_request(options)
|
1790
|
+
end
|
1791
|
+
|
1267
1792
|
# Restores a certificate authority (CA) that is in the `DELETED` state.
|
1268
1793
|
# You can restore a CA during the period that you defined in the
|
1269
1794
|
# **PermanentDeletionTimeInDays** parameter of the
|
1270
|
-
# DeleteCertificateAuthority action. Currently, you can specify 7
|
1271
|
-
# days. If you did not specify a **PermanentDeletionTimeInDays**
|
1272
|
-
# by default you can restore the CA at any time in a 30 day
|
1273
|
-
# can check the time remaining in the restoration period of
|
1274
|
-
# in the `DELETED` state by calling the
|
1275
|
-
#
|
1276
|
-
# to its pre-deletion status
|
1277
|
-
# action returns. To change its
|
1278
|
-
#
|
1279
|
-
# `PENDING_CERTIFICATE` state at deletion,
|
1280
|
-
# ImportCertificateAuthorityCertificate action to
|
1281
|
-
# authority into the private CA before it can be
|
1282
|
-
# restore a CA after the restoration period has
|
1795
|
+
# [DeleteCertificateAuthority][1] action. Currently, you can specify 7
|
1796
|
+
# to 30 days. If you did not specify a **PermanentDeletionTimeInDays**
|
1797
|
+
# value, by default you can restore the CA at any time in a 30 day
|
1798
|
+
# period. You can check the time remaining in the restoration period of
|
1799
|
+
# a private CA in the `DELETED` state by calling the
|
1800
|
+
# [DescribeCertificateAuthority][2] or [ListCertificateAuthorities][3]
|
1801
|
+
# actions. The status of a restored CA is set to its pre-deletion status
|
1802
|
+
# when the **RestoreCertificateAuthority** action returns. To change its
|
1803
|
+
# status to `ACTIVE`, call the [UpdateCertificateAuthority][4] action.
|
1804
|
+
# If the private CA was in the `PENDING_CERTIFICATE` state at deletion,
|
1805
|
+
# you must use the [ImportCertificateAuthorityCertificate][5] action to
|
1806
|
+
# import a certificate authority into the private CA before it can be
|
1807
|
+
# activated. You cannot restore a CA after the restoration period has
|
1808
|
+
# ended.
|
1809
|
+
#
|
1810
|
+
#
|
1811
|
+
#
|
1812
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
|
1813
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
|
1814
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1815
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
|
1816
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
1283
1817
|
#
|
1284
1818
|
# @option params [required, String] :certificate_authority_arn
|
1285
1819
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1286
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1820
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
1287
1821
|
#
|
1288
1822
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1289
1823
|
# `
|
1290
1824
|
#
|
1825
|
+
#
|
1826
|
+
#
|
1827
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1828
|
+
#
|
1291
1829
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1292
1830
|
#
|
1293
1831
|
# @example Request syntax with placeholder values
|
@@ -1309,15 +1847,33 @@ module Aws::ACMPCA
|
|
1309
1847
|
# enable a certificate revocation list (CRL) when you create or update
|
1310
1848
|
# your private CA, information about the revoked certificates will be
|
1311
1849
|
# included in the CRL. ACM Private CA writes the CRL to an S3 bucket
|
1312
|
-
# that you specify.
|
1313
|
-
#
|
1314
|
-
#
|
1315
|
-
#
|
1850
|
+
# that you specify. A CRL is typically updated approximately 30 minutes
|
1851
|
+
# after a certificate is revoked. If for any reason the CRL update
|
1852
|
+
# fails, ACM Private CA attempts makes further attempts every 15
|
1853
|
+
# minutes. With Amazon CloudWatch, you can create alarms for the metrics
|
1854
|
+
# `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
|
1855
|
+
# [Supported CloudWatch Metrics][1].
|
1856
|
+
#
|
1857
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
1858
|
+
# bucket that you specify. If the IAM principal making the call does not
|
1859
|
+
# have permission to write to the bucket, then an exception is thrown.
|
1860
|
+
# For more information, see [Configure Access to ACM Private CA][2].
|
1861
|
+
#
|
1862
|
+
# </note>
|
1863
|
+
#
|
1864
|
+
# ACM Private CA also writes revocation information to the audit report.
|
1865
|
+
# For more information, see [CreateCertificateAuthorityAuditReport][3].
|
1316
1866
|
#
|
1317
1867
|
# <note markdown="1"> You cannot revoke a root CA self-signed certificate.
|
1318
1868
|
#
|
1319
1869
|
# </note>
|
1320
1870
|
#
|
1871
|
+
#
|
1872
|
+
#
|
1873
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
|
1874
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
1875
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
1876
|
+
#
|
1321
1877
|
# @option params [required, String] :certificate_authority_arn
|
1322
1878
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
1323
1879
|
# certificate to be revoked. This must be of the form:
|
@@ -1328,21 +1884,22 @@ module Aws::ACMPCA
|
|
1328
1884
|
# @option params [required, String] :certificate_serial
|
1329
1885
|
# Serial number of the certificate to be revoked. This must be in
|
1330
1886
|
# hexadecimal format. You can retrieve the serial number by calling
|
1331
|
-
# GetCertificate with the Amazon Resource Name (ARN) of the
|
1332
|
-
# you want and the ARN of your private CA. The
|
1333
|
-
# retrieves the certificate in the PEM format.
|
1334
|
-
# OpenSSL command to list the certificate in
|
1335
|
-
# hexadecimal serial number.
|
1887
|
+
# [GetCertificate][1] with the Amazon Resource Name (ARN) of the
|
1888
|
+
# certificate you want and the ARN of your private CA. The
|
1889
|
+
# **GetCertificate** action retrieves the certificate in the PEM format.
|
1890
|
+
# You can use the following OpenSSL command to list the certificate in
|
1891
|
+
# text format and copy the hexadecimal serial number.
|
1336
1892
|
#
|
1337
1893
|
# `openssl x509 -in file_path -text -noout`
|
1338
1894
|
#
|
1339
1895
|
# You can also copy the serial number from the console or use the
|
1340
|
-
# [DescribeCertificate][
|
1896
|
+
# [DescribeCertificate][2] action in the *AWS Certificate Manager API
|
1341
1897
|
# Reference*.
|
1342
1898
|
#
|
1343
1899
|
#
|
1344
1900
|
#
|
1345
|
-
# [1]: https://docs.aws.amazon.com/acm/latest/APIReference/
|
1901
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
|
1902
|
+
# [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
|
1346
1903
|
#
|
1347
1904
|
# @option params [required, String] :revocation_reason
|
1348
1905
|
# Specifies why you revoked the certificate.
|
@@ -1374,16 +1931,25 @@ module Aws::ACMPCA
|
|
1374
1931
|
# to identify a specific characteristic of that CA, or you can apply the
|
1375
1932
|
# same tag to multiple private CAs if you want to filter for a common
|
1376
1933
|
# relationship among those CAs. To remove one or more tags, use the
|
1377
|
-
# UntagCertificateAuthority action. Call the ListTags action
|
1378
|
-
# tags are associated with your CA.
|
1934
|
+
# [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
|
1935
|
+
# to see what tags are associated with your CA.
|
1936
|
+
#
|
1937
|
+
#
|
1938
|
+
#
|
1939
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
|
1940
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
|
1379
1941
|
#
|
1380
1942
|
# @option params [required, String] :certificate_authority_arn
|
1381
1943
|
# The Amazon Resource Name (ARN) that was returned when you called
|
1382
|
-
# CreateCertificateAuthority. This must be of the form:
|
1944
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
1383
1945
|
#
|
1384
1946
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1385
1947
|
# `
|
1386
1948
|
#
|
1949
|
+
#
|
1950
|
+
#
|
1951
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1952
|
+
#
|
1387
1953
|
# @option params [required, Array<Types::Tag>] :tags
|
1388
1954
|
# List of tags to be associated with the CA.
|
1389
1955
|
#
|
@@ -1415,16 +1981,25 @@ module Aws::ACMPCA
|
|
1415
1981
|
# when calling this action, the tag will be removed regardless of value.
|
1416
1982
|
# If you specify a value, the tag is removed only if it is associated
|
1417
1983
|
# with the specified value. To add tags to a private CA, use the
|
1418
|
-
# TagCertificateAuthority. Call the ListTags action to see
|
1419
|
-
# associated with your CA.
|
1984
|
+
# [TagCertificateAuthority][1]. Call the [ListTags][2] action to see
|
1985
|
+
# what tags are associated with your CA.
|
1986
|
+
#
|
1987
|
+
#
|
1988
|
+
#
|
1989
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
|
1990
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
|
1420
1991
|
#
|
1421
1992
|
# @option params [required, String] :certificate_authority_arn
|
1422
1993
|
# The Amazon Resource Name (ARN) that was returned when you called
|
1423
|
-
# CreateCertificateAuthority. This must be of the form:
|
1994
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
1424
1995
|
#
|
1425
1996
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1426
1997
|
# `
|
1427
1998
|
#
|
1999
|
+
#
|
2000
|
+
#
|
2001
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
2002
|
+
#
|
1428
2003
|
# @option params [required, Array<Types::Tag>] :tags
|
1429
2004
|
# List of tags to be removed from the CA.
|
1430
2005
|
#
|
@@ -1457,6 +2032,17 @@ module Aws::ACMPCA
|
|
1457
2032
|
# `ACTIVE` state or make a CA that is in the `DISABLED` state active
|
1458
2033
|
# again.
|
1459
2034
|
#
|
2035
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
2036
|
+
# bucket that you specify. If the IAM principal making the call does not
|
2037
|
+
# have permission to write to the bucket, then an exception is thrown.
|
2038
|
+
# For more information, see [Configure Access to ACM Private CA][1].
|
2039
|
+
#
|
2040
|
+
# </note>
|
2041
|
+
#
|
2042
|
+
#
|
2043
|
+
#
|
2044
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
2045
|
+
#
|
1460
2046
|
# @option params [required, String] :certificate_authority_arn
|
1461
2047
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
1462
2048
|
# certificate to be revoked. This must be of the form:
|
@@ -1509,7 +2095,7 @@ module Aws::ACMPCA
|
|
1509
2095
|
params: params,
|
1510
2096
|
config: config)
|
1511
2097
|
context[:gem_name] = 'aws-sdk-acmpca'
|
1512
|
-
context[:gem_version] = '1.
|
2098
|
+
context[:gem_version] = '1.29.0'
|
1513
2099
|
Seahorse::Client::Request.new(handlers, context)
|
1514
2100
|
end
|
1515
2101
|
|