aws-sdk-acmpca 1.24.0 → 1.29.0

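--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ea7e07c318f6eaa0d1d2b081bf025d02a5500b921f4c7a6ba17a341a3b7d5a88
- data.tar.gz: 772eefc34df26f5bee50a23427e203efa6010935a375afde74ef74d4db3f0d06
+ metadata.gz: 24ef41728a5b9602fb5acee2190b274b243fb63f72c7fbb778996857920c3b40
+ data.tar.gz: dd5566472ef96b36e4a56284573c516f9e5ab697c7012a6ff227a8c28222fc67
  SHA512:
- metadata.gz: a5e299a21a0bf60d934f11b8c0456bc0c97a3302363b9efdfac0796596663684aabeedc0b2a9f076f1eda302fbc134bb0932a4e2b2f5f8f52e144a880233f6f4
- data.tar.gz: bbc403fe4aa1fbe2c9f358289c2e7423b813d5e14b1ecbc61216243a7ce016afb562202363c3f8e28b65ecf53c9561a43b44e155f58e8c41235fe9800f4aa825
+ metadata.gz: 16606d3e3cf1065e7fd1e10c85965c598d64b087da311304969edac638f880206f7b1647c34aa2f627338ccfe1f48c5652e104afeb50cb4edcf4da75f960e709
+ data.tar.gz: 34c09ccf33cf377dbfca40b16b80378d62d2ee27acd154d4f238b08aaea273822e0560c31b212810042201536d6101182021136d603f9c46758f03d87478830c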
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -5,6 +7,7 @@
5
7
  #
6
8
  # WARNING ABOUT GENERATED CODE
7
9
 
10
+
8
11
  require 'aws-sdk-core'
9
12
  require 'aws-sigv4'
10
13
 
@@ -43,9 +46,9 @@ require_relative 'aws-sdk-acmpca/customizations'
43
46
  #
44
47
  # See {Errors} for more information.
45
48
  #
46
- # @service
49
+ # @!group service
47
50
  module Aws::ACMPCA
48
51
 
49
- GEM_VERSION = '1.24.0'
52
+ GEM_VERSION = '1.29.0'
50
53
 
51
54
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -24,6 +26,7 @@ require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
24
26
  require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
25
27
  require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
26
28
  require 'aws-sdk-core/plugins/transfer_encoding.rb'
29
+ require 'aws-sdk-core/plugins/http_checksum.rb'
27
30
  require 'aws-sdk-core/plugins/signature_v4.rb'
28
31
  require 'aws-sdk-core/plugins/protocols/json_rpc.rb'
29
32
 
@@ -69,6 +72,7 @@ module Aws::ACMPCA
69
72
  add_plugin(Aws::Plugins::ClientMetricsPlugin)
70
73
  add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
71
74
  add_plugin(Aws::Plugins::TransferEncoding)
75
+ add_plugin(Aws::Plugins::HttpChecksum)
72
76
  add_plugin(Aws::Plugins::SignatureV4)
73
77
  add_plugin(Aws::Plugins::Protocols::JsonRpc)
74
78
 
@@ -81,13 +85,28 @@ module Aws::ACMPCA
81
85
  # * `Aws::Credentials` - Used for configuring static, non-refreshing
82
86
  # credentials.
83
87
  #
88
+ # * `Aws::SharedCredentials` - Used for loading static credentials from a
89
+ # shared file, such as `~/.aws/config`.
90
+ #
91
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
92
+ #
93
+ # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
94
+ # assume a role after providing credentials via the web.
95
+ #
96
+ # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
97
+ # access token generated from `aws login`.
98
+ #
99
+ # * `Aws::ProcessCredentials` - Used for loading credentials from a
100
+ # process that outputs to stdout.
101
+ #
84
102
  # * `Aws::InstanceProfileCredentials` - Used for loading credentials
85
103
  # from an EC2 IMDS on an EC2 instance.
86
104
  #
87
- # * `Aws::SharedCredentials` - Used for loading credentials from a
88
- # shared file, such as `~/.aws/config`.
105
+ # * `Aws::ECSCredentials` - Used for loading credentials from
106
+ # instances running in ECS.
89
107
  #
90
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
108
+ # * `Aws::CognitoIdentityCredentials` - Used for loading credentials
109
+ # from the Cognito Identity service.
91
110
  #
92
111
  # When `:credentials` are not configured directly, the following
93
112
  # locations will be searched for credentials:
@@ -97,10 +116,10 @@ module Aws::ACMPCA
97
116
  # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
98
117
  # * `~/.aws/credentials`
99
118
  # * `~/.aws/config`
100
- # * EC2 IMDS instance profile - When used by default, the timeouts are
101
- # very aggressive. Construct and pass an instance of
102
- # `Aws::InstanceProfileCredentails` to enable retries and extended
103
- # timeouts.
119
+ # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
+ # are very aggressive. Construct and pass an instance of
121
+ # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
+ # enable retries and extended timeouts.
104
123
  #
105
124
  # @option options [required, String] :region
106
125
  # The AWS region to connect to. The configured `:region` is
@@ -161,7 +180,7 @@ module Aws::ACMPCA
161
180
  # @option options [String] :endpoint
162
181
  # The client endpoint is normally constructed from the `:region`
163
182
  # option. You should only configure an `:endpoint` when connecting
164
- # to test endpoints. This should be a valid HTTP(S) URI.
183
+ # to test or custom endpoints. This should be a valid HTTP(S) URI.
165
184
  #
166
185
  # @option options [Integer] :endpoint_cache_max_entries (1000)
167
186
  # Used for the maximum size limit of the LRU cache storing endpoints data
@@ -331,6 +350,21 @@ module Aws::ACMPCA
331
350
  # successful, this action returns the Amazon Resource Name (ARN) of the
332
351
  # CA.
333
352
  #
353
+ # ACM Private CAA assets that are stored in Amazon S3 can be protected
354
+ # with encryption. For more information, see [Encrypting Your CRLs][1].
355
+ #
356
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
357
+ # bucket that you specify. If the IAM principal making the call does not
358
+ # have permission to write to the bucket, then an exception is thrown.
359
+ # For more information, see [Configure Access to ACM Private CA][2].
360
+ #
361
+ # </note>
362
+ #
363
+ #
364
+ #
365
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
366
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
367
+ #
334
368
  # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
335
369
  # Name and bit size of the private key algorithm, the name of the
336
370
  # signing algorithm, and X.500 certificate subject information.
@@ -341,27 +375,28 @@ module Aws::ACMPCA
341
375
  # ACM Private CA will write the CRL, and an optional CNAME alias that
342
376
  # you can use to hide the name of your bucket in the **CRL Distribution
343
377
  # Points** extension of your CA certificate. For more information, see
344
- # the CrlConfiguration structure.
378
+ # the [CrlConfiguration][1] structure.
379
+ #
380
+ #
381
+ #
382
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
345
383
  #
346
384
  # @option params [required, String] :certificate_authority_type
347
385
  # The type of the certificate authority.
348
386
  #
349
387
  # @option params [String] :idempotency_token
350
388
  # Alphanumeric string that can be used to distinguish between calls to
351
- # **CreateCertificateAuthority**. Idempotency tokens time out after five
352
- # minutes. Therefore, if you call **CreateCertificateAuthority**
353
- # multiple times with the same idempotency token within a five minute
354
- # period, ACM Private CA recognizes that you are requesting only one
355
- # certificate. As a result, ACM Private CA issues only one. If you
356
- # change the idempotency token for each call, however, ACM Private CA
357
- # recognizes that you are requesting multiple certificates.
389
+ # **CreateCertificateAuthority**. For a given token, ACM Private CA
390
+ # creates exactly one CA. If you issue a subsequent call using the same
391
+ # token, ACM Private CA returns the ARN of the existing CA and takes no
392
+ # further action. If you change the idempotency token across multiple
393
+ # calls, ACM Private CA creates a unique CA for each unique token.
358
394
  #
359
395
  # @option params [Array<Types::Tag>] :tags
360
396
  # Key-value pairs that will be attached to the new private CA. You can
361
397
  # associate up to 50 tags with a private CA. For information using tags
362
- # with
363
- #
364
- # IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
398
+ # with IAM to manage permissions, see [Controlling Access Using IAM
399
+ # Tags][1].
365
400
  #
366
401
  #
367
402
  #
@@ -381,10 +416,10 @@ module Aws::ACMPCA
381
416
  # country: "CountryCodeString",
382
417
  # organization: "String64",
383
418
  # organizational_unit: "String64",
384
- # distinguished_name_qualifier: "DistinguishedNameQualifierString",
419
+ # distinguished_name_qualifier: "ASN1PrintableString64",
385
420
  # state: "String128",
386
421
  # common_name: "String64",
387
- # serial_number: "String64",
422
+ # serial_number: "ASN1PrintableString64",
388
423
  # locality: "String128",
389
424
  # title: "String64",
390
425
  # surname: "String40",
@@ -427,8 +462,26 @@ module Aws::ACMPCA
427
462
 
428
463
  # Creates an audit report that lists every time that your CA private key
429
464
  # is used. The report is saved in the Amazon S3 bucket that you specify
430
- # on input. The IssueCertificate and RevokeCertificate actions use the
431
- # private key.
465
+ # on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions
466
+ # use the private key.
467
+ #
468
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
469
+ # bucket that you specify. If the IAM principal making the call does not
470
+ # have permission to write to the bucket, then an exception is thrown.
471
+ # For more information, see [Configure Access to ACM Private CA][3].
472
+ #
473
+ # </note>
474
+ #
475
+ # ACM Private CAA assets that are stored in Amazon S3 can be protected
476
+ # with encryption. For more information, see [Encrypting Your Audit
477
+ # Reports][4].
478
+ #
479
+ #
480
+ #
481
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
482
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
483
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
484
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
432
485
  #
433
486
  # @option params [required, String] :certificate_authority_arn
434
487
  # The Amazon Resource Name (ARN) of the CA to be audited. This is of the
@@ -453,7 +506,7 @@ module Aws::ACMPCA
453
506
  #
454
507
  # resp = client.create_certificate_authority_audit_report({
455
508
  # certificate_authority_arn: "Arn", # required
456
- # s3_bucket_name: "String", # required
509
+ # s3_bucket_name: "S3BucketName", # required
457
510
  # audit_report_response_format: "JSON", # required, accepts JSON, CSV
458
511
  # })
459
512
  #
@@ -471,26 +524,48 @@ module Aws::ACMPCA
471
524
  req.send_request(options)
472
525
  end
473
526
 
474
- # Assigns permissions from a private CA to a designated AWS service.
475
- # Services are specified by their service principals and can be given
476
- # permission to create and retrieve certificates on a private CA.
477
- # Services can also be given permission to list the active permissions
478
- # that the private CA has granted. For ACM to automatically renew your
479
- # private CA's certificates, you must assign all possible permissions
480
- # from the CA to the ACM service principal.
481
- #
482
- # At this time, you can only assign permissions to ACM
483
- # (`acm.amazonaws.com`). Permissions can be revoked with the
484
- # DeletePermission action and listed with the ListPermissions action.
527
+ # Grants one or more permissions on a private CA to the AWS Certificate
528
+ # Manager (ACM) service principal (`acm.amazonaws.com`). These
529
+ # permissions allow ACM to issue and renew ACM certificates that reside
530
+ # in the same AWS account as the CA.
531
+ #
532
+ # You can list current permissions with the [ListPermissions][1] action
533
+ # and revoke them with the [DeletePermission][2] action.
534
+ #
535
+ # **About Permissions**
536
+ #
537
+ # * If the private CA and the certificates it issues reside in the same
538
+ # account, you can use `CreatePermission` to grant permissions for ACM
539
+ # to carry out automatic certificate renewals.
540
+ #
541
+ # * For automatic certificate renewal to succeed, the ACM service
542
+ # principal needs permissions to create, retrieve, and list
543
+ # certificates.
544
+ #
545
+ # * If the private CA and the ACM certificates reside in different
546
+ # accounts, then permissions cannot be used to enable automatic
547
+ # renewals. Instead, the ACM certificate owner must set up a
548
+ # resource-based policy to enable cross-account issuance and renewals.
549
+ # For more information, see [Using a Resource Based Policy with ACM
550
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
551
+ #
552
+ #
553
+ #
554
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
555
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
485
556
  #
486
557
  # @option params [required, String] :certificate_authority_arn
487
558
  # The Amazon Resource Name (ARN) of the CA that grants the permissions.
488
- # You can find the ARN by calling the ListCertificateAuthorities action.
489
- # This must have the following form:
559
+ # You can find the ARN by calling the [ListCertificateAuthorities][1]
560
+ # action. This must have the following form:
490
561
  #
491
562
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
492
563
  # `.
493
564
  #
565
+ #
566
+ #
567
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
568
+ #
494
569
  # @option params [required, String] :principal
495
570
  # The AWS service or identity that receives the permission. At this
496
571
  # time, the only valid principal is `acm.amazonaws.com`.
@@ -524,7 +599,8 @@ module Aws::ACMPCA
524
599
 
525
600
  # Deletes a private certificate authority (CA). You must provide the
526
601
  # Amazon Resource Name (ARN) of the private CA that you want to delete.
527
- # You can find the ARN by calling the ListCertificateAuthorities action.
602
+ # You can find the ARN by calling the [ListCertificateAuthorities][1]
603
+ # action.
528
604
  #
529
605
  # <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
530
606
  # your CA hierarchy.
@@ -532,7 +608,7 @@ module Aws::ACMPCA
532
608
  # </note>
533
609
  #
534
610
  # Before you can delete a CA that you have created and activated, you
535
- # must disable it. To do this, call the UpdateCertificateAuthority
611
+ # must disable it. To do this, call the [UpdateCertificateAuthority][2]
536
612
  # action and set the **CertificateAuthorityStatus** parameter to
537
613
  # `DISABLED`.
538
614
  #
@@ -542,22 +618,35 @@ module Aws::ACMPCA
542
618
  # signed certificate into ACM Private CA (that is, the status of the CA
543
619
  # is `PENDING_CERTIFICATE`).
544
620
  #
545
- # When you successfully call DeleteCertificateAuthority, the CA's
621
+ # When you successfully call [DeleteCertificateAuthority][3], the CA's
546
622
  # status changes to `DELETED`. However, the CA won't be permanently
547
623
  # deleted until the restoration period has passed. By default, if you do
548
624
  # not set the `PermanentDeletionTimeInDays` parameter, the CA remains
549
625
  # restorable for 30 days. You can set the parameter from 7 to 30 days.
550
- # The DescribeCertificateAuthority action returns the time remaining in
551
- # the restoration window of a private CA in the `DELETED` state. To
552
- # restore an eligible CA, call the RestoreCertificateAuthority action.
626
+ # The [DescribeCertificateAuthority][4] action returns the time
627
+ # remaining in the restoration window of a private CA in the `DELETED`
628
+ # state. To restore an eligible CA, call the
629
+ # [RestoreCertificateAuthority][5] action.
630
+ #
631
+ #
632
+ #
633
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
634
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
635
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
636
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
637
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RestoreCertificateAuthority.html
553
638
  #
554
639
  # @option params [required, String] :certificate_authority_arn
555
640
  # The Amazon Resource Name (ARN) that was returned when you called
556
- # CreateCertificateAuthority. This must have the following form:
641
+ # [CreateCertificateAuthority][1]. This must have the following form:
557
642
  #
558
643
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
559
644
  # `.
560
645
  #
646
+ #
647
+ #
648
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
649
+ #
561
650
  # @option params [Integer] :permanent_deletion_time_in_days
562
651
  # The number of days to make a CA restorable after it has been deleted.
563
652
  # This can be anywhere from 7 to 30 days, with 30 being the default.
@@ -580,18 +669,52 @@ module Aws::ACMPCA
580
669
  req.send_request(options)
581
670
  end
582
671
 
583
- # Revokes permissions that a private CA assigned to a designated AWS
584
- # service. Permissions can be created with the CreatePermission action
585
- # and listed with the ListPermissions action.
672
+ # Revokes permissions on a private CA granted to the AWS Certificate
673
+ # Manager (ACM) service principal (acm.amazonaws.com).
674
+ #
675
+ # These permissions allow ACM to issue and renew ACM certificates that
676
+ # reside in the same AWS account as the CA. If you revoke these
677
+ # permissions, ACM will no longer renew the affected certificates
678
+ # automatically.
679
+ #
680
+ # Permissions can be granted with the [CreatePermission][1] action and
681
+ # listed with the [ListPermissions][2] action.
682
+ #
683
+ # **About Permissions**
684
+ #
685
+ # * If the private CA and the certificates it issues reside in the same
686
+ # account, you can use `CreatePermission` to grant permissions for ACM
687
+ # to carry out automatic certificate renewals.
688
+ #
689
+ # * For automatic certificate renewal to succeed, the ACM service
690
+ # principal needs permissions to create, retrieve, and list
691
+ # certificates.
692
+ #
693
+ # * If the private CA and the ACM certificates reside in different
694
+ # accounts, then permissions cannot be used to enable automatic
695
+ # renewals. Instead, the ACM certificate owner must set up a
696
+ # resource-based policy to enable cross-account issuance and renewals.
697
+ # For more information, see [Using a Resource Based Policy with ACM
698
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
699
+ #
700
+ #
701
+ #
702
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
703
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
586
704
  #
587
705
  # @option params [required, String] :certificate_authority_arn
588
706
  # The Amazon Resource Number (ARN) of the private CA that issued the
589
707
  # permissions. You can find the CA's ARN by calling the
590
- # ListCertificateAuthorities action. This must have the following form:
708
+ # [ListCertificateAuthorities][1] action. This must have the following
709
+ # form:
591
710
  #
592
711
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
593
712
  # `.
594
713
  #
714
+ #
715
+ #
716
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
717
+ #
595
718
  # @option params [required, String] :principal
596
719
  # The AWS service or identity that will have its CA permissions revoked.
597
720
  # At this time, the only valid service principal is `acm.amazonaws.com`
@@ -618,10 +741,80 @@ module Aws::ACMPCA
618
741
  req.send_request(options)
619
742
  end
620
743
 
621
- # Lists information about your private certificate authority (CA). You
622
- # specify the private CA on input by its ARN (Amazon Resource Name). The
623
- # output contains the status of your CA. This can be any of the
624
- # following:
744
+ # Deletes the resource-based policy attached to a private CA. Deletion
745
+ # will remove any access that the policy has granted. If there is no
746
+ # policy attached to the private CA, this action will return successful.
747
+ #
748
+ # If you delete a policy that was applied through AWS Resource Access
749
+ # Manager (RAM), the CA will be removed from all shares in which it was
750
+ # included.
751
+ #
752
+ # The AWS Certificate Manager Service Linked Role that the policy
753
+ # supports is not affected when you delete the policy.
754
+ #
755
+ # The current policy can be shown with [GetPolicy][1] and updated with
756
+ # [PutPolicy][2].
757
+ #
758
+ # **About Policies**
759
+ #
760
+ # * A policy grants access on a private CA to an AWS customer account,
761
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
762
+ # under the control of a CA administrator. For more information, see
763
+ # [Using a Resource Based Policy with ACM Private
764
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
765
+ #
766
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
767
+ # ACM certificates signed by a CA in another account.
768
+ #
769
+ # * For ACM to manage automatic renewal of these certificates, the ACM
770
+ # user must configure a Service Linked Role (SLR). The SLR allows the
771
+ # ACM service to assume the identity of the user, subject to
772
+ # confirmation against the ACM Private CA policy. For more
773
+ # information, see [Using a Service Linked Role with ACM][3].
774
+ #
775
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
776
+ # policies. For more information, see [Using AWS Resource Access
777
+ # Manager (RAM) with ACM Private
778
+ # CA](acm-pca/latest/userguide/pca-ram.html).
779
+ #
780
+ #
781
+ #
782
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
783
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
784
+ # [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
785
+ #
786
+ # @option params [required, String] :resource_arn
787
+ # The Amazon Resource Number (ARN) of the private CA that will have its
788
+ # policy deleted. You can find the CA's ARN by calling the
789
+ # [ListCertificateAuthorities][1] action. The ARN value must have the
790
+ # form
791
+ # `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
792
+ #
793
+ #
794
+ #
795
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
796
+ #
797
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
798
+ #
799
+ # @example Request syntax with placeholder values
800
+ #
801
+ # resp = client.delete_policy({
802
+ # resource_arn: "Arn", # required
803
+ # })
804
+ #
805
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicy AWS API Documentation
806
+ #
807
+ # @overload delete_policy(params = {})
808
+ # @param [Hash] params ({})
809
+ def delete_policy(params = {}, options = {})
810
+ req = build_request(:delete_policy, params)
811
+ req.send_request(options)
812
+ end
813
+
814
+ # Lists information about your private certificate authority (CA) or one
815
+ # that has been shared with you. You specify the private CA on input by
816
+ # its ARN (Amazon Resource Name). The output contains the status of your
817
+ # CA. This can be any of the following:
625
818
  #
626
819
  # * `CREATING` - ACM Private CA is creating your private certificate
627
820
  # authority.
@@ -647,11 +840,15 @@ module Aws::ACMPCA
647
840
  #
648
841
  # @option params [required, String] :certificate_authority_arn
649
842
  # The Amazon Resource Name (ARN) that was returned when you called
650
- # CreateCertificateAuthority. This must be of the form:
843
+ # [CreateCertificateAuthority][1]. This must be of the form:
651
844
  #
652
845
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
653
846
  # `.
654
847
  #
848
+ #
849
+ #
850
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
851
+ #
655
852
  # @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
656
853
  #
657
854
  # * {Types::DescribeCertificateAuthorityResponse#certificate_authority #certificate_authority} => Types::CertificateAuthority
@@ -665,6 +862,7 @@ module Aws::ACMPCA
665
862
  # @example Response structure
666
863
  #
667
864
  # resp.certificate_authority.arn #=> String
865
+ # resp.certificate_authority.owner_account #=> String
668
866
  # resp.certificate_authority.created_at #=> Time
669
867
  # resp.certificate_authority.last_state_change_at #=> Time
670
868
  # resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
@@ -705,10 +903,16 @@ module Aws::ACMPCA
705
903
  end
706
904
 
707
905
  # Lists information about a specific audit report created by calling the
708
- # CreateCertificateAuthorityAuditReport action. Audit information is
709
- # created every time the certificate authority (CA) private key is used.
710
- # The private key is used when you call the IssueCertificate action or
711
- # the RevokeCertificate action.
906
+ # [CreateCertificateAuthorityAuditReport][1] action. Audit information
907
+ # is created every time the certificate authority (CA) private key is
908
+ # used. The private key is used when you call the [IssueCertificate][2]
909
+ # action or the [RevokeCertificate][3] action.
910
+ #
911
+ #
912
+ #
913
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
914
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
915
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
712
916
  #
713
917
  # @option params [required, String] :certificate_authority_arn
714
918
  # The Amazon Resource Name (ARN) of the private CA. This must be of the
@@ -719,7 +923,11 @@ module Aws::ACMPCA
719
923
  #
720
924
  # @option params [required, String] :audit_report_id
721
925
  # The report ID returned by calling the
722
- # CreateCertificateAuthorityAuditReport action.
926
+ # [CreateCertificateAuthorityAuditReport][1] action.
927
+ #
928
+ #
929
+ #
930
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
723
931
  #
724
932
  # @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
725
933
  #
@@ -756,22 +964,32 @@ module Aws::ACMPCA
756
964
  req.send_request(options)
757
965
  end
758
966
 
759
- # Retrieves a certificate from your private CA. The ARN of the
760
- # certificate is returned when you call the IssueCertificate action. You
761
- # must specify both the ARN of your private CA and the ARN of the issued
762
- # certificate when calling the **GetCertificate** action. You can
763
- # retrieve the certificate if it is in the **ISSUED** state. You can
764
- # call the CreateCertificateAuthorityAuditReport action to create a
765
- # report that contains information about all of the certificates issued
766
- # and revoked by your private CA.
967
+ # Retrieves a certificate from your private CA or one that has been
968
+ # shared with you. The ARN of the certificate is returned when you call
969
+ # the [IssueCertificate][1] action. You must specify both the ARN of
970
+ # your private CA and the ARN of the issued certificate when calling the
971
+ # **GetCertificate** action. You can retrieve the certificate if it is
972
+ # in the **ISSUED** state. You can call the
973
+ # [CreateCertificateAuthorityAuditReport][2] action to create a report
974
+ # that contains information about all of the certificates issued and
975
+ # revoked by your private CA.
976
+ #
977
+ #
978
+ #
979
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
980
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
767
981
  #
768
982
  # @option params [required, String] :certificate_authority_arn
769
983
  # The Amazon Resource Name (ARN) that was returned when you called
770
- # CreateCertificateAuthority. This must be of the form:
984
+ # [CreateCertificateAuthority][1]. This must be of the form:
771
985
  #
772
986
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
773
987
  # `.
774
988
  #
989
+ #
990
+ #
991
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
992
+ #
775
993
  # @option params [required, String] :certificate_arn
776
994
  # The ARN of the issued certificate. The ARN contains the certificate
777
995
  # serial number and must be in the following form:
@@ -811,9 +1029,10 @@ module Aws::ACMPCA
811
1029
  end
812
1030
 
813
1031
  # Retrieves the certificate and certificate chain for your private
814
- # certificate authority (CA). Both the certificate and the chain are
815
- # base64 PEM-encoded. The chain does not include the CA certificate.
816
- # Each certificate in the chain signs the one before it.
1032
+ # certificate authority (CA) or one that has been shared with you. Both
1033
+ # the certificate and the chain are base64 PEM-encoded. The chain does
1034
+ # not include the CA certificate. Each certificate in the chain signs
1035
+ # the one before it.
817
1036
  #
818
1037
  # @option params [required, String] :certificate_authority_arn
819
1038
  # The Amazon Resource Name (ARN) of your private CA. This is of the
@@ -849,19 +1068,28 @@ module Aws::ACMPCA
849
1068
 
850
1069
  # Retrieves the certificate signing request (CSR) for your private
851
1070
  # certificate authority (CA). The CSR is created when you call the
852
- # CreateCertificateAuthority action. Sign the CSR with your ACM Private
853
- # CA-hosted or on-premises root or subordinate CA. Then import the
854
- # signed certificate back into ACM Private CA by calling the
855
- # ImportCertificateAuthorityCertificate action. The CSR is returned as a
856
- # base64 PEM-encoded string.
1071
+ # [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
1072
+ # Private CA-hosted or on-premises root or subordinate CA. Then import
1073
+ # the signed certificate back into ACM Private CA by calling the
1074
+ # [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
1075
+ # as a base64 PEM-encoded string.
1076
+ #
1077
+ #
1078
+ #
1079
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1080
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
857
1081
  #
858
1082
  # @option params [required, String] :certificate_authority_arn
859
1083
  # The Amazon Resource Name (ARN) that was returned when you called the
860
- # CreateCertificateAuthority action. This must be of the form:
1084
+ # [CreateCertificateAuthority][1] action. This must be of the form:
861
1085
  #
862
1086
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
863
1087
  # `
864
1088
  #
1089
+ #
1090
+ #
1091
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1092
+ #
865
1093
  # @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
866
1094
  #
867
1095
  # * {Types::GetCertificateAuthorityCsrResponse#csr #csr} => String
@@ -890,20 +1118,83 @@ module Aws::ACMPCA
890
1118
  req.send_request(options)
891
1119
  end
892
1120
 
1121
+ # Retrieves the resource-based policy attached to a private CA. If
1122
+ # either the private CA resource or the policy cannot be found, this
1123
+ # action returns a `ResourceNotFoundException`.
1124
+ #
1125
+ # The policy can be attached or updated with [PutPolicy][1] and removed
1126
+ # with
1127
+ # [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
1128
+ #
1129
+ # **About Policies**
1130
+ #
1131
+ # * A policy grants access on a private CA to an AWS customer account,
1132
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
1133
+ # under the control of a CA administrator. For more information, see
1134
+ # [Using a Resource Based Policy with ACM Private
1135
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
1136
+ #
1137
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1138
+ # ACM certificates signed by a CA in another account.
1139
+ #
1140
+ # * For ACM to manage automatic renewal of these certificates, the ACM
1141
+ # user must configure a Service Linked Role (SLR). The SLR allows the
1142
+ # ACM service to assume the identity of the user, subject to
1143
+ # confirmation against the ACM Private CA policy. For more
1144
+ # information, see [Using a Service Linked Role with ACM][2].
1145
+ #
1146
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
1147
+ # policies. For more information, see [Using AWS Resource Access
1148
+ # Manager (RAM) with ACM Private
1149
+ # CA](acm-pca/latest/userguide/pca-ram.html).
1150
+ #
1151
+ #
1152
+ #
1153
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
1154
+ # [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1155
+ #
1156
+ # @option params [required, String] :resource_arn
1157
+ # The Amazon Resource Number (ARN) of the private CA that will have its
1158
+ # policy retrieved. You can find the CA's ARN by calling the
1159
+ # ListCertificateAuthorities action.
1160
+ #
1161
+ # @return [Types::GetPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1162
+ #
1163
+ # * {Types::GetPolicyResponse#policy #policy} => String
1164
+ #
1165
+ # @example Request syntax with placeholder values
1166
+ #
1167
+ # resp = client.get_policy({
1168
+ # resource_arn: "Arn", # required
1169
+ # })
1170
+ #
1171
+ # @example Response structure
1172
+ #
1173
+ # resp.policy #=> String
1174
+ #
1175
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicy AWS API Documentation
1176
+ #
1177
+ # @overload get_policy(params = {})
1178
+ # @param [Hash] params ({})
1179
+ def get_policy(params = {}, options = {})
1180
+ req = build_request(:get_policy, params)
1181
+ req.send_request(options)
1182
+ end
1183
+
893
1184
  # Imports a signed private CA certificate into ACM Private CA. This
894
1185
  # action is used when you are using a chain of trust whose root is
895
1186
  # located outside ACM Private CA. Before you can call this action, the
896
1187
  # following preparations must in place:
897
1188
  #
898
- # 1. In ACM Private CA, call the CreateCertificateAuthority action to
899
- # create the private CA that that you plan to back with the imported
900
- # certificate.
1189
+ # 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
1190
+ # to create the private CA that that you plan to back with the
1191
+ # imported certificate.
901
1192
  #
902
- # 2. Call the GetCertificateAuthorityCsr action to generate a
1193
+ # 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
903
1194
  # certificate signing request (CSR).
904
1195
  #
905
- # 3. Sign the CSR using a root or intermediate CA hosted either by an
906
- # on-premises PKI hierarchy or a commercial CA..
1196
+ # 3. Sign the CSR using a root or intermediate CA hosted by either an
1197
+ # on-premises PKI hierarchy or by a commercial CA.
907
1198
  #
908
1199
  # 4. Create a certificate chain and copy the signed certificate and the
909
1200
  # certificate chain to your working directory.
@@ -927,19 +1218,76 @@ module Aws::ACMPCA
927
1218
  #
928
1219
  # * The chain must be PEM-encoded.
929
1220
  #
1221
+ # * The maximum allowed size of a certificate is 32 KB.
1222
+ #
1223
+ # * The maximum allowed size of a certificate chain is 2 MB.
1224
+ #
1225
+ # *Enforcement of Critical Constraints*
1226
+ #
1227
+ # ACM Private CA allows the following extensions to be marked critical
1228
+ # in the imported CA certificate or chain.
1229
+ #
1230
+ # * Basic constraints (*must* be marked critical)
1231
+ #
1232
+ # * Subject alternative names
1233
+ #
1234
+ # * Key usage
1235
+ #
1236
+ # * Extended key usage
1237
+ #
1238
+ # * Authority key identifier
1239
+ #
1240
+ # * Subject key identifier
1241
+ #
1242
+ # * Issuer alternative name
1243
+ #
1244
+ # * Subject directory attributes
1245
+ #
1246
+ # * Subject information access
1247
+ #
1248
+ # * Certificate policies
1249
+ #
1250
+ # * Policy mappings
1251
+ #
1252
+ # * Inhibit anyPolicy
1253
+ #
1254
+ # ACM Private CA rejects the following extensions when they are marked
1255
+ # critical in an imported CA certificate or chain.
1256
+ #
1257
+ # * Name constraints
1258
+ #
1259
+ # * Policy constraints
1260
+ #
1261
+ # * CRL distribution points
1262
+ #
1263
+ # * Authority information access
1264
+ #
1265
+ # * Freshest CRL
1266
+ #
1267
+ # * Any other extension
1268
+ #
1269
+ #
1270
+ #
1271
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1272
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCsr.html
1273
+ #
930
1274
  # @option params [required, String] :certificate_authority_arn
931
1275
  # The Amazon Resource Name (ARN) that was returned when you called
932
- # CreateCertificateAuthority. This must be of the form:
1276
+ # [CreateCertificateAuthority][1]. This must be of the form:
933
1277
  #
934
1278
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
935
1279
  # `
936
1280
  #
937
- # @option params [required, String, IO] :certificate
1281
+ #
1282
+ #
1283
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1284
+ #
1285
+ # @option params [required, String, StringIO, File] :certificate
938
1286
  # The PEM-encoded certificate for a private CA. This may be a
939
1287
  # self-signed certificate in the case of a root CA, or it may be signed
940
1288
  # by another CA that you control.
941
1289
  #
942
- # @option params [String, IO] :certificate_chain
1290
+ # @option params [String, StringIO, File] :certificate_chain
943
1291
  # A PEM-encoded file that contains all of your certificates, other than
944
1292
  # the certificate you're importing, chaining up to your root CA. Your
945
1293
  # ACM Private CA-hosted or on-premises root certificate is the last in
@@ -967,10 +1315,11 @@ module Aws::ACMPCA
967
1315
  req.send_request(options)
968
1316
  end
969
1317
 
970
- # Uses your private certificate authority (CA) to issue a client
971
- # certificate. This action returns the Amazon Resource Name (ARN) of the
972
- # certificate. You can retrieve the certificate by calling the
973
- # GetCertificate action and specifying the ARN.
1318
+ # Uses your private certificate authority (CA), or one that has been
1319
+ # shared with you, to issue a client certificate. This action returns
1320
+ # the Amazon Resource Name (ARN) of the certificate. You can retrieve
1321
+ # the certificate by calling the [GetCertificate][1] action and
1322
+ # specifying the ARN.
974
1323
  #
975
1324
  # <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
976
1325
  # retrieve the ARNs of the certificates that you issue by using ACM
@@ -978,14 +1327,22 @@ module Aws::ACMPCA
978
1327
  #
979
1328
  # </note>
980
1329
  #
1330
+ #
1331
+ #
1332
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
1333
+ #
981
1334
  # @option params [required, String] :certificate_authority_arn
982
1335
  # The Amazon Resource Name (ARN) that was returned when you called
983
- # CreateCertificateAuthority. This must be of the form:
1336
+ # [CreateCertificateAuthority][1]. This must be of the form:
984
1337
  #
985
1338
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
986
1339
  # `
987
1340
  #
988
- # @option params [required, String, IO] :csr
1341
+ #
1342
+ #
1343
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1344
+ #
1345
+ # @option params [required, String, StringIO, File] :csr
989
1346
  # The certificate signing request (CSR) for the certificate you want to
990
1347
  # issue. You can use the following OpenSSL command to create the CSR and
991
1348
  # a 2048 bit RSA private key.
@@ -1001,20 +1358,52 @@ module Aws::ACMPCA
1001
1358
  # rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
1002
1359
  # csr/test_cert_.csr`
1003
1360
  #
1361
+ # Note: A CSR must provide either a *subject name* or a *subject
1362
+ # alternative name* or the request will be rejected.
1363
+ #
1004
1364
  # @option params [required, String] :signing_algorithm
1005
1365
  # The name of the algorithm that will be used to sign the certificate to
1006
1366
  # be issued.
1007
1367
  #
1368
+ # This parameter should not be confused with the `SigningAlgorithm`
1369
+ # parameter used to sign a CSR.
1370
+ #
1008
1371
  # @option params [String] :template_arn
1009
1372
  # Specifies a custom configuration template to use when issuing a
1010
1373
  # certificate. If this parameter is not provided, ACM Private CA
1011
- # defaults to the `EndEntityCertificate/V1` template.
1374
+ # defaults to the `EndEntityCertificate/V1` template. For CA
1375
+ # certificates, you should choose the shortest path length that meets
1376
+ # your needs. The path length is indicated by the PathLen*N* portion of
1377
+ # the ARN, where *N* is the [CA depth][1].
1378
+ #
1379
+ # Note: The CA depth configured on a subordinate CA certificate must not
1380
+ # exceed the limit set by its parents in the CA hierarchy.
1012
1381
  #
1013
1382
  # The following service-owned `TemplateArn` values are supported by ACM
1014
1383
  # Private CA:
1015
1384
  #
1385
+ # * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
1386
+ #
1387
+ # * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
1388
+ #
1016
1389
  # * arn:aws:acm-pca:::template/EndEntityCertificate/V1
1017
1390
  #
1391
+ # * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
1392
+ #
1393
+ # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
1394
+ #
1395
+ # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
1396
+ #
1397
+ # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
1398
+ #
1399
+ # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
1400
+ #
1401
+ # * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
1402
+ #
1403
+ # * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
1404
+ #
1405
+ # * arn:aws:acm-pca:::template/RootCACertificate/V1
1406
+ #
1018
1407
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
1019
1408
  #
1020
1409
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
@@ -1023,16 +1412,23 @@ module Aws::ACMPCA
1023
1412
  #
1024
1413
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
1025
1414
  #
1026
- # * arn:aws:acm-pca:::template/RootCACertificate/V1
1027
- #
1028
- # For more information, see [Using Templates][1].
1415
+ # For more information, see [Using Templates][2].
1029
1416
  #
1030
1417
  #
1031
1418
  #
1032
- # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1419
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1420
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1033
1421
  #
1034
1422
  # @option params [required, Types::Validity] :validity
1035
- # The type of the validity period.
1423
+ # Information describing the validity period of the certificate.
1424
+ #
1425
+ # When issuing a certificate, ACM Private CA sets the "Not Before"
1426
+ # date in the validity field to date and time minus 60 minutes. This is
1427
+ # intended to compensate for time inconsistencies across systems of 60
1428
+ # minutes or less.
1429
+ #
1430
+ # The validity period configured on a certificate must not exceed the
1431
+ # limit set by its parents in the CA hierarchy.
1036
1432
  #
1037
1433
  # @option params [String] :idempotency_token
1038
1434
  # Custom string that can be used to distinguish between calls to the
@@ -1075,7 +1471,11 @@ module Aws::ACMPCA
1075
1471
  end
1076
1472
 
1077
1473
  # Lists the private certificate authorities that you created by using
1078
- # the CreateCertificateAuthority action.
1474
+ # the [CreateCertificateAuthority][1] action.
1475
+ #
1476
+ #
1477
+ #
1478
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1079
1479
  #
1080
1480
  # @option params [String] :next_token
1081
1481
  # Use this parameter when paginating results in a subsequent request
@@ -1090,6 +1490,10 @@ module Aws::ACMPCA
1090
1490
  # sent in the response. Use this `NextToken` value in a subsequent
1091
1491
  # request to retrieve additional items.
1092
1492
  #
1493
+ # @option params [String] :resource_owner
1494
+ # Use this parameter to filter the returned set of certificate
1495
+ # authorities based on their owner. The default is SELF.
1496
+ #
1093
1497
  # @return [Types::ListCertificateAuthoritiesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1094
1498
  #
1095
1499
  # * {Types::ListCertificateAuthoritiesResponse#certificate_authorities #certificate_authorities} => Array&lt;Types::CertificateAuthority&gt;
@@ -1102,12 +1506,14 @@ module Aws::ACMPCA
1102
1506
  # resp = client.list_certificate_authorities({
1103
1507
  # next_token: "NextToken",
1104
1508
  # max_results: 1,
1509
+ # resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS
1105
1510
  # })
1106
1511
  #
1107
1512
  # @example Response structure
1108
1513
  #
1109
1514
  # resp.certificate_authorities #=> Array
1110
1515
  # resp.certificate_authorities[0].arn #=> String
1516
+ # resp.certificate_authorities[0].owner_account #=> String
1111
1517
  # resp.certificate_authorities[0].created_at #=> Time
1112
1518
  # resp.certificate_authorities[0].last_state_change_at #=> Time
1113
1519
  # resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
@@ -1148,17 +1554,48 @@ module Aws::ACMPCA
1148
1554
  req.send_request(options)
1149
1555
  end
1150
1556
 
1151
- # Lists all the permissions, if any, that have been assigned by a
1152
- # private CA. Permissions can be granted with the CreatePermission
1153
- # action and revoked with the DeletePermission action.
1557
+ # List all permissions on a private CA, if any, granted to the AWS
1558
+ # Certificate Manager (ACM) service principal (acm.amazonaws.com).
1559
+ #
1560
+ # These permissions allow ACM to issue and renew ACM certificates that
1561
+ # reside in the same AWS account as the CA.
1562
+ #
1563
+ # Permissions can be granted with the [CreatePermission][1] action and
1564
+ # revoked with the [DeletePermission][2] action.
1565
+ #
1566
+ # **About Permissions**
1567
+ #
1568
+ # * If the private CA and the certificates it issues reside in the same
1569
+ # account, you can use `CreatePermission` to grant permissions for ACM
1570
+ # to carry out automatic certificate renewals.
1571
+ #
1572
+ # * For automatic certificate renewal to succeed, the ACM service
1573
+ # principal needs permissions to create, retrieve, and list
1574
+ # certificates.
1575
+ #
1576
+ # * If the private CA and the ACM certificates reside in different
1577
+ # accounts, then permissions cannot be used to enable automatic
1578
+ # renewals. Instead, the ACM certificate owner must set up a
1579
+ # resource-based policy to enable cross-account issuance and renewals.
1580
+ # For more information, see [Using a Resource Based Policy with ACM
1581
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
1582
+ #
1583
+ #
1584
+ #
1585
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
1586
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
1154
1587
  #
1155
1588
  # @option params [required, String] :certificate_authority_arn
1156
1589
  # The Amazon Resource Number (ARN) of the private CA to inspect. You can
1157
- # find the ARN by calling the ListCertificateAuthorities action. This
1158
- # must be of the form:
1590
+ # find the ARN by calling the [ListCertificateAuthorities][1] action.
1591
+ # This must be of the form:
1159
1592
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
1160
1593
  # You can get a private CA's ARN by running the
1161
- # ListCertificateAuthorities action.
1594
+ # [ListCertificateAuthorities][1] action.
1595
+ #
1596
+ #
1597
+ #
1598
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1162
1599
  #
1163
1600
  # @option params [String] :next_token
1164
1601
  # When paginating results, use this parameter in a subsequent request
@@ -1208,19 +1645,29 @@ module Aws::ACMPCA
1208
1645
  req.send_request(options)
1209
1646
  end
1210
1647
 
1211
- # Lists the tags, if any, that are associated with your private CA. Tags
1212
- # are labels that you can use to identify and organize your CAs. Each
1213
- # tag consists of a key and an optional value. Call the
1214
- # TagCertificateAuthority action to add one or more tags to your CA.
1215
- # Call the UntagCertificateAuthority action to remove tags.
1648
+ # Lists the tags, if any, that are associated with your private CA or
1649
+ # one that has been shared with you. Tags are labels that you can use to
1650
+ # identify and organize your CAs. Each tag consists of a key and an
1651
+ # optional value. Call the [TagCertificateAuthority][1] action to add
1652
+ # one or more tags to your CA. Call the [UntagCertificateAuthority][2]
1653
+ # action to remove tags.
1654
+ #
1655
+ #
1656
+ #
1657
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
1658
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
1216
1659
  #
1217
1660
  # @option params [required, String] :certificate_authority_arn
1218
1661
  # The Amazon Resource Name (ARN) that was returned when you called the
1219
- # CreateCertificateAuthority action. This must be of the form:
1662
+ # [CreateCertificateAuthority][1] action. This must be of the form:
1220
1663
  #
1221
1664
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1222
1665
  # `
1223
1666
  #
1667
+ #
1668
+ #
1669
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1670
+ #
1224
1671
  # @option params [String] :next_token
1225
1672
  # Use this parameter when paginating results in a subsequent request
1226
1673
  # after you receive a response with truncated results. Set it to the
@@ -1264,30 +1711,121 @@ module Aws::ACMPCA
1264
1711
  req.send_request(options)
1265
1712
  end
1266
1713
 
1714
+ # Attaches a resource-based policy to a private CA.
1715
+ #
1716
+ # A policy can also be applied by [sharing][1] a private CA through AWS
1717
+ # Resource Access Manager (RAM).
1718
+ #
1719
+ # The policy can be displayed with [GetPolicy][2] and removed with
1720
+ # [DeletePolicy][3].
1721
+ #
1722
+ # **About Policies**
1723
+ #
1724
+ # * A policy grants access on a private CA to an AWS customer account,
1725
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
1726
+ # under the control of a CA administrator. For more information, see
1727
+ # [Using a Resource Based Policy with ACM Private
1728
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
1729
+ #
1730
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1731
+ # ACM certificates signed by a CA in another account.
1732
+ #
1733
+ # * For ACM to manage automatic renewal of these certificates, the ACM
1734
+ # user must configure a Service Linked Role (SLR). The SLR allows the
1735
+ # ACM service to assume the identity of the user, subject to
1736
+ # confirmation against the ACM Private CA policy. For more
1737
+ # information, see [Using a Service Linked Role with ACM][4].
1738
+ #
1739
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
1740
+ # policies. For more information, see [Using AWS Resource Access
1741
+ # Manager (RAM) with ACM Private
1742
+ # CA](acm-pca/latest/userguide/pca-ram.html).
1743
+ #
1744
+ #
1745
+ #
1746
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
1747
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
1748
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
1749
+ # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1750
+ #
1751
+ # @option params [required, String] :resource_arn
1752
+ # The Amazon Resource Number (ARN) of the private CA to associate with
1753
+ # the policy. The ARN of the CA can be found by calling the
1754
+ # [ListCertificateAuthorities][1] action.
1755
+ #
1756
+ #
1757
+ #
1758
+ #
1759
+ #
1760
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1761
+ #
1762
+ # @option params [required, String] :policy
1763
+ # The path and filename of a JSON-formatted IAM policy to attach to the
1764
+ # specified private CA resource. If this policy does not contain all
1765
+ # required statements or if it includes any statement that is not
1766
+ # allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
1767
+ # For information about IAM policy and statement structure, see
1768
+ # [Overview of JSON Policies][1].
1769
+ #
1770
+ #
1771
+ #
1772
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
1773
+ #
1774
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1775
+ #
1776
+ # @example Request syntax with placeholder values
1777
+ #
1778
+ # resp = client.put_policy({
1779
+ # resource_arn: "Arn", # required
1780
+ # policy: "AWSPolicy", # required
1781
+ # })
1782
+ #
1783
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicy AWS API Documentation
1784
+ #
1785
+ # @overload put_policy(params = {})
1786
+ # @param [Hash] params ({})
1787
+ def put_policy(params = {}, options = {})
1788
+ req = build_request(:put_policy, params)
1789
+ req.send_request(options)
1790
+ end
1791
+
1267
1792
  # Restores a certificate authority (CA) that is in the `DELETED` state.
1268
1793
  # You can restore a CA during the period that you defined in the
1269
1794
  # **PermanentDeletionTimeInDays** parameter of the
1270
- # DeleteCertificateAuthority action. Currently, you can specify 7 to 30
1271
- # days. If you did not specify a **PermanentDeletionTimeInDays** value,
1272
- # by default you can restore the CA at any time in a 30 day period. You
1273
- # can check the time remaining in the restoration period of a private CA
1274
- # in the `DELETED` state by calling the DescribeCertificateAuthority or
1275
- # ListCertificateAuthorities actions. The status of a restored CA is set
1276
- # to its pre-deletion status when the **RestoreCertificateAuthority**
1277
- # action returns. To change its status to `ACTIVE`, call the
1278
- # UpdateCertificateAuthority action. If the private CA was in the
1279
- # `PENDING_CERTIFICATE` state at deletion, you must use the
1280
- # ImportCertificateAuthorityCertificate action to import a certificate
1281
- # authority into the private CA before it can be activated. You cannot
1282
- # restore a CA after the restoration period has ended.
1795
+ # [DeleteCertificateAuthority][1] action. Currently, you can specify 7
1796
+ # to 30 days. If you did not specify a **PermanentDeletionTimeInDays**
1797
+ # value, by default you can restore the CA at any time in a 30 day
1798
+ # period. You can check the time remaining in the restoration period of
1799
+ # a private CA in the `DELETED` state by calling the
1800
+ # [DescribeCertificateAuthority][2] or [ListCertificateAuthorities][3]
1801
+ # actions. The status of a restored CA is set to its pre-deletion status
1802
+ # when the **RestoreCertificateAuthority** action returns. To change its
1803
+ # status to `ACTIVE`, call the [UpdateCertificateAuthority][4] action.
1804
+ # If the private CA was in the `PENDING_CERTIFICATE` state at deletion,
1805
+ # you must use the [ImportCertificateAuthorityCertificate][5] action to
1806
+ # import a certificate authority into the private CA before it can be
1807
+ # activated. You cannot restore a CA after the restoration period has
1808
+ # ended.
1809
+ #
1810
+ #
1811
+ #
1812
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
1813
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
1814
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1815
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
1816
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
1283
1817
  #
1284
1818
  # @option params [required, String] :certificate_authority_arn
1285
1819
  # The Amazon Resource Name (ARN) that was returned when you called the
1286
- # CreateCertificateAuthority action. This must be of the form:
1820
+ # [CreateCertificateAuthority][1] action. This must be of the form:
1287
1821
  #
1288
1822
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1289
1823
  # `
1290
1824
  #
1825
+ #
1826
+ #
1827
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1828
+ #
1291
1829
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1292
1830
  #
1293
1831
  # @example Request syntax with placeholder values
@@ -1309,15 +1847,33 @@ module Aws::ACMPCA
1309
1847
  # enable a certificate revocation list (CRL) when you create or update
1310
1848
  # your private CA, information about the revoked certificates will be
1311
1849
  # included in the CRL. ACM Private CA writes the CRL to an S3 bucket
1312
- # that you specify. For more information about revocation, see the
1313
- # CrlConfiguration structure. ACM Private CA also writes revocation
1314
- # information to the audit report. For more information, see
1315
- # CreateCertificateAuthorityAuditReport.
1850
+ # that you specify. A CRL is typically updated approximately 30 minutes
1851
+ # after a certificate is revoked. If for any reason the CRL update
1852
+ # fails, ACM Private CA attempts makes further attempts every 15
1853
+ # minutes. With Amazon CloudWatch, you can create alarms for the metrics
1854
+ # `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
1855
+ # [Supported CloudWatch Metrics][1].
1856
+ #
1857
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
1858
+ # bucket that you specify. If the IAM principal making the call does not
1859
+ # have permission to write to the bucket, then an exception is thrown.
1860
+ # For more information, see [Configure Access to ACM Private CA][2].
1861
+ #
1862
+ # </note>
1863
+ #
1864
+ # ACM Private CA also writes revocation information to the audit report.
1865
+ # For more information, see [CreateCertificateAuthorityAuditReport][3].
1316
1866
  #
1317
1867
  # <note markdown="1"> You cannot revoke a root CA self-signed certificate.
1318
1868
  #
1319
1869
  # </note>
1320
1870
  #
1871
+ #
1872
+ #
1873
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
1874
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
1875
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
1876
+ #
1321
1877
  # @option params [required, String] :certificate_authority_arn
1322
1878
  # Amazon Resource Name (ARN) of the private CA that issued the
1323
1879
  # certificate to be revoked. This must be of the form:
@@ -1328,21 +1884,22 @@ module Aws::ACMPCA
1328
1884
  # @option params [required, String] :certificate_serial
1329
1885
  # Serial number of the certificate to be revoked. This must be in
1330
1886
  # hexadecimal format. You can retrieve the serial number by calling
1331
- # GetCertificate with the Amazon Resource Name (ARN) of the certificate
1332
- # you want and the ARN of your private CA. The **GetCertificate** action
1333
- # retrieves the certificate in the PEM format. You can use the following
1334
- # OpenSSL command to list the certificate in text format and copy the
1335
- # hexadecimal serial number.
1887
+ # [GetCertificate][1] with the Amazon Resource Name (ARN) of the
1888
+ # certificate you want and the ARN of your private CA. The
1889
+ # **GetCertificate** action retrieves the certificate in the PEM format.
1890
+ # You can use the following OpenSSL command to list the certificate in
1891
+ # text format and copy the hexadecimal serial number.
1336
1892
  #
1337
1893
  # `openssl x509 -in file_path -text -noout`
1338
1894
  #
1339
1895
  # You can also copy the serial number from the console or use the
1340
- # [DescribeCertificate][1] action in the *AWS Certificate Manager API
1896
+ # [DescribeCertificate][2] action in the *AWS Certificate Manager API
1341
1897
  # Reference*.
1342
1898
  #
1343
1899
  #
1344
1900
  #
1345
- # [1]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
1901
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
1902
+ # [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
1346
1903
  #
1347
1904
  # @option params [required, String] :revocation_reason
1348
1905
  # Specifies why you revoked the certificate.
@@ -1374,16 +1931,25 @@ module Aws::ACMPCA
1374
1931
  # to identify a specific characteristic of that CA, or you can apply the
1375
1932
  # same tag to multiple private CAs if you want to filter for a common
1376
1933
  # relationship among those CAs. To remove one or more tags, use the
1377
- # UntagCertificateAuthority action. Call the ListTags action to see what
1378
- # tags are associated with your CA.
1934
+ # [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
1935
+ # to see what tags are associated with your CA.
1936
+ #
1937
+ #
1938
+ #
1939
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
1940
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
1379
1941
  #
1380
1942
  # @option params [required, String] :certificate_authority_arn
1381
1943
  # The Amazon Resource Name (ARN) that was returned when you called
1382
- # CreateCertificateAuthority. This must be of the form:
1944
+ # [CreateCertificateAuthority][1]. This must be of the form:
1383
1945
  #
1384
1946
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1385
1947
  # `
1386
1948
  #
1949
+ #
1950
+ #
1951
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1952
+ #
1387
1953
  # @option params [required, Array<Types::Tag>] :tags
1388
1954
  # List of tags to be associated with the CA.
1389
1955
  #
@@ -1415,16 +1981,25 @@ module Aws::ACMPCA
1415
1981
  # when calling this action, the tag will be removed regardless of value.
1416
1982
  # If you specify a value, the tag is removed only if it is associated
1417
1983
  # with the specified value. To add tags to a private CA, use the
1418
- # TagCertificateAuthority. Call the ListTags action to see what tags are
1419
- # associated with your CA.
1984
+ # [TagCertificateAuthority][1]. Call the [ListTags][2] action to see
1985
+ # what tags are associated with your CA.
1986
+ #
1987
+ #
1988
+ #
1989
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
1990
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
1420
1991
  #
1421
1992
  # @option params [required, String] :certificate_authority_arn
1422
1993
  # The Amazon Resource Name (ARN) that was returned when you called
1423
- # CreateCertificateAuthority. This must be of the form:
1994
+ # [CreateCertificateAuthority][1]. This must be of the form:
1424
1995
  #
1425
1996
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1426
1997
  # `
1427
1998
  #
1999
+ #
2000
+ #
2001
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
2002
+ #
1428
2003
  # @option params [required, Array<Types::Tag>] :tags
1429
2004
  # List of tags to be removed from the CA.
1430
2005
  #
@@ -1457,6 +2032,17 @@ module Aws::ACMPCA
1457
2032
  # `ACTIVE` state or make a CA that is in the `DISABLED` state active
1458
2033
  # again.
1459
2034
  #
2035
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
2036
+ # bucket that you specify. If the IAM principal making the call does not
2037
+ # have permission to write to the bucket, then an exception is thrown.
2038
+ # For more information, see [Configure Access to ACM Private CA][1].
2039
+ #
2040
+ # </note>
2041
+ #
2042
+ #
2043
+ #
2044
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
2045
+ #
1460
2046
  # @option params [required, String] :certificate_authority_arn
1461
2047
  # Amazon Resource Name (ARN) of the private CA that issued the
1462
2048
  # certificate to be revoked. This must be of the form:
@@ -1509,7 +2095,7 @@ module Aws::ACMPCA
1509
2095
  params: params,
1510
2096
  config: config)
1511
2097
  context[:gem_name] = 'aws-sdk-acmpca'
1512
- context[:gem_version] = '1.24.0'
2098
+ context[:gem_version] = '1.29.0'
1513
2099
  Seahorse::Client::Request.new(handlers, context)
1514
2100
  end
1515
2101