aws-sdk-acmpca 1.25.1 → 1.30.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3cb4f2080267cbc8a8f677393e19b8b27264b701a664718ddc181fbcebabad29
4
- data.tar.gz: 5d6b901ec951e65e2c39180b6728db8b100af0ef2476d70fb1bf40404a3b2fb0
3
+ metadata.gz: 00c2347bbc506b283aa9fd8cee61a8df05ca898e00bcee9b738abb85e77a9100
4
+ data.tar.gz: ad05977d7cbba22aed287e314cc154e00f5c4af983fd54df56ea66291cc5dbb3
5
5
  SHA512:
6
- metadata.gz: 1bc4a741819aa88cd496c5fadcc146cf2846398556564ec47aaa16279663f6e1d0c633f1a7a35d7eacd381e607779b779d84d24a9081ae1454d1b96db4f6af67
7
- data.tar.gz: 6c5f0f4a95ab22569dc53fefbbe8f702cc5e8f5f3c5dfbc33b53149e6cd944d06e76d51ad10cf07110f218aac6dc16dec812940aae0161e058ee1e17f607c118
6
+ metadata.gz: 11ad57150ae7e8c40434580a1a9aa00e8b9830288468dbab28bb455a1a8fa979cf99199857d62a19b3ee791502baf18bea28317fca2af4996c283b849944e312
7
+ data.tar.gz: 7f0465156ddef7a3fd19e3270f5bf9476d083c1a150c1982021f40919a101b1783302ad4897d2db24c99f6fa709ff583cb1cbe4ad8c18936d24e1feb311dc178
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -5,6 +7,7 @@
5
7
  #
6
8
  # WARNING ABOUT GENERATED CODE
7
9
 
10
+
8
11
  require 'aws-sdk-core'
9
12
  require 'aws-sigv4'
10
13
 
@@ -43,9 +46,9 @@ require_relative 'aws-sdk-acmpca/customizations'
43
46
  #
44
47
  # See {Errors} for more information.
45
48
  #
46
- # @service
49
+ # @!group service
47
50
  module Aws::ACMPCA
48
51
 
49
- GEM_VERSION = '1.25.1'
52
+ GEM_VERSION = '1.30.0'
50
53
 
51
54
  end
@@ -1,3 +1,5 @@
1
+ # frozen_string_literal: true
2
+
1
3
  # WARNING ABOUT GENERATED CODE
2
4
  #
3
5
  # This file is generated. See the contributing guide for more information:
@@ -83,13 +85,28 @@ module Aws::ACMPCA
83
85
  # * `Aws::Credentials` - Used for configuring static, non-refreshing
84
86
  # credentials.
85
87
  #
88
+ # * `Aws::SharedCredentials` - Used for loading static credentials from a
89
+ # shared file, such as `~/.aws/config`.
90
+ #
91
+ # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
92
+ #
93
+ # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
94
+ # assume a role after providing credentials via the web.
95
+ #
96
+ # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
97
+ # access token generated from `aws login`.
98
+ #
99
+ # * `Aws::ProcessCredentials` - Used for loading credentials from a
100
+ # process that outputs to stdout.
101
+ #
86
102
  # * `Aws::InstanceProfileCredentials` - Used for loading credentials
87
103
  # from an EC2 IMDS on an EC2 instance.
88
104
  #
89
- # * `Aws::SharedCredentials` - Used for loading credentials from a
90
- # shared file, such as `~/.aws/config`.
105
+ # * `Aws::ECSCredentials` - Used for loading credentials from
106
+ # instances running in ECS.
91
107
  #
92
- # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
108
+ # * `Aws::CognitoIdentityCredentials` - Used for loading credentials
109
+ # from the Cognito Identity service.
93
110
  #
94
111
  # When `:credentials` are not configured directly, the following
95
112
  # locations will be searched for credentials:
@@ -99,10 +116,10 @@ module Aws::ACMPCA
99
116
  # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
100
117
  # * `~/.aws/credentials`
101
118
  # * `~/.aws/config`
102
- # * EC2 IMDS instance profile - When used by default, the timeouts are
103
- # very aggressive. Construct and pass an instance of
104
- # `Aws::InstanceProfileCredentails` to enable retries and extended
105
- # timeouts.
119
+ # * EC2/ECS IMDS instance profile - When used by default, the timeouts
120
+ # are very aggressive. Construct and pass an instance of
121
+ # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
122
+ # enable retries and extended timeouts.
106
123
  #
107
124
  # @option options [required, String] :region
108
125
  # The AWS region to connect to. The configured `:region` is
@@ -333,6 +350,21 @@ module Aws::ACMPCA
333
350
  # successful, this action returns the Amazon Resource Name (ARN) of the
334
351
  # CA.
335
352
  #
353
+ # ACM Private CAA assets that are stored in Amazon S3 can be protected
354
+ # with encryption. For more information, see [Encrypting Your CRLs][1].
355
+ #
356
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
357
+ # bucket that you specify. If the IAM principal making the call does not
358
+ # have permission to write to the bucket, then an exception is thrown.
359
+ # For more information, see [Configure Access to ACM Private CA][2].
360
+ #
361
+ # </note>
362
+ #
363
+ #
364
+ #
365
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
366
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
367
+ #
336
368
  # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
337
369
  # Name and bit size of the private key algorithm, the name of the
338
370
  # signing algorithm, and X.500 certificate subject information.
@@ -343,27 +375,28 @@ module Aws::ACMPCA
343
375
  # ACM Private CA will write the CRL, and an optional CNAME alias that
344
376
  # you can use to hide the name of your bucket in the **CRL Distribution
345
377
  # Points** extension of your CA certificate. For more information, see
346
- # the CrlConfiguration structure.
378
+ # the [CrlConfiguration][1] structure.
379
+ #
380
+ #
381
+ #
382
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
347
383
  #
348
384
  # @option params [required, String] :certificate_authority_type
349
385
  # The type of the certificate authority.
350
386
  #
351
387
  # @option params [String] :idempotency_token
352
388
  # Alphanumeric string that can be used to distinguish between calls to
353
- # **CreateCertificateAuthority**. Idempotency tokens time out after five
354
- # minutes. Therefore, if you call **CreateCertificateAuthority**
355
- # multiple times with the same idempotency token within a five minute
356
- # period, ACM Private CA recognizes that you are requesting only one
357
- # certificate. As a result, ACM Private CA issues only one. If you
358
- # change the idempotency token for each call, however, ACM Private CA
359
- # recognizes that you are requesting multiple certificates.
389
+ # **CreateCertificateAuthority**. For a given token, ACM Private CA
390
+ # creates exactly one CA. If you issue a subsequent call using the same
391
+ # token, ACM Private CA returns the ARN of the existing CA and takes no
392
+ # further action. If you change the idempotency token across multiple
393
+ # calls, ACM Private CA creates a unique CA for each unique token.
360
394
  #
361
395
  # @option params [Array<Types::Tag>] :tags
362
396
  # Key-value pairs that will be attached to the new private CA. You can
363
397
  # associate up to 50 tags with a private CA. For information using tags
364
- # with
365
- #
366
- # IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
398
+ # with IAM to manage permissions, see [Controlling Access Using IAM
399
+ # Tags][1].
367
400
  #
368
401
  #
369
402
  #
@@ -383,10 +416,10 @@ module Aws::ACMPCA
383
416
  # country: "CountryCodeString",
384
417
  # organization: "String64",
385
418
  # organizational_unit: "String64",
386
- # distinguished_name_qualifier: "DistinguishedNameQualifierString",
419
+ # distinguished_name_qualifier: "ASN1PrintableString64",
387
420
  # state: "String128",
388
421
  # common_name: "String64",
389
- # serial_number: "String64",
422
+ # serial_number: "ASN1PrintableString64",
390
423
  # locality: "String128",
391
424
  # title: "String64",
392
425
  # surname: "String40",
@@ -429,8 +462,26 @@ module Aws::ACMPCA
429
462
 
430
463
  # Creates an audit report that lists every time that your CA private key
431
464
  # is used. The report is saved in the Amazon S3 bucket that you specify
432
- # on input. The IssueCertificate and RevokeCertificate actions use the
433
- # private key.
465
+ # on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions
466
+ # use the private key.
467
+ #
468
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
469
+ # bucket that you specify. If the IAM principal making the call does not
470
+ # have permission to write to the bucket, then an exception is thrown.
471
+ # For more information, see [Configure Access to ACM Private CA][3].
472
+ #
473
+ # </note>
474
+ #
475
+ # ACM Private CAA assets that are stored in Amazon S3 can be protected
476
+ # with encryption. For more information, see [Encrypting Your Audit
477
+ # Reports][4].
478
+ #
479
+ #
480
+ #
481
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
482
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
483
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
484
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
434
485
  #
435
486
  # @option params [required, String] :certificate_authority_arn
436
487
  # The Amazon Resource Name (ARN) of the CA to be audited. This is of the
@@ -455,7 +506,7 @@ module Aws::ACMPCA
455
506
  #
456
507
  # resp = client.create_certificate_authority_audit_report({
457
508
  # certificate_authority_arn: "Arn", # required
458
- # s3_bucket_name: "String", # required
509
+ # s3_bucket_name: "S3BucketName", # required
459
510
  # audit_report_response_format: "JSON", # required, accepts JSON, CSV
460
511
  # })
461
512
  #
@@ -473,26 +524,48 @@ module Aws::ACMPCA
473
524
  req.send_request(options)
474
525
  end
475
526
 
476
- # Assigns permissions from a private CA to a designated AWS service.
477
- # Services are specified by their service principals and can be given
478
- # permission to create and retrieve certificates on a private CA.
479
- # Services can also be given permission to list the active permissions
480
- # that the private CA has granted. For ACM to automatically renew your
481
- # private CA's certificates, you must assign all possible permissions
482
- # from the CA to the ACM service principal.
483
- #
484
- # At this time, you can only assign permissions to ACM
485
- # (`acm.amazonaws.com`). Permissions can be revoked with the
486
- # DeletePermission action and listed with the ListPermissions action.
527
+ # Grants one or more permissions on a private CA to the AWS Certificate
528
+ # Manager (ACM) service principal (`acm.amazonaws.com`). These
529
+ # permissions allow ACM to issue and renew ACM certificates that reside
530
+ # in the same AWS account as the CA.
531
+ #
532
+ # You can list current permissions with the [ListPermissions][1] action
533
+ # and revoke them with the [DeletePermission][2] action.
534
+ #
535
+ # **About Permissions**
536
+ #
537
+ # * If the private CA and the certificates it issues reside in the same
538
+ # account, you can use `CreatePermission` to grant permissions for ACM
539
+ # to carry out automatic certificate renewals.
540
+ #
541
+ # * For automatic certificate renewal to succeed, the ACM service
542
+ # principal needs permissions to create, retrieve, and list
543
+ # certificates.
544
+ #
545
+ # * If the private CA and the ACM certificates reside in different
546
+ # accounts, then permissions cannot be used to enable automatic
547
+ # renewals. Instead, the ACM certificate owner must set up a
548
+ # resource-based policy to enable cross-account issuance and renewals.
549
+ # For more information, see [Using a Resource Based Policy with ACM
550
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
551
+ #
552
+ #
553
+ #
554
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
555
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
487
556
  #
488
557
  # @option params [required, String] :certificate_authority_arn
489
558
  # The Amazon Resource Name (ARN) of the CA that grants the permissions.
490
- # You can find the ARN by calling the ListCertificateAuthorities action.
491
- # This must have the following form:
559
+ # You can find the ARN by calling the [ListCertificateAuthorities][1]
560
+ # action. This must have the following form:
492
561
  #
493
562
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
494
563
  # `.
495
564
  #
565
+ #
566
+ #
567
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
568
+ #
496
569
  # @option params [required, String] :principal
497
570
  # The AWS service or identity that receives the permission. At this
498
571
  # time, the only valid principal is `acm.amazonaws.com`.
@@ -526,7 +599,8 @@ module Aws::ACMPCA
526
599
 
527
600
  # Deletes a private certificate authority (CA). You must provide the
528
601
  # Amazon Resource Name (ARN) of the private CA that you want to delete.
529
- # You can find the ARN by calling the ListCertificateAuthorities action.
602
+ # You can find the ARN by calling the [ListCertificateAuthorities][1]
603
+ # action.
530
604
  #
531
605
  # <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
532
606
  # your CA hierarchy.
@@ -534,7 +608,7 @@ module Aws::ACMPCA
534
608
  # </note>
535
609
  #
536
610
  # Before you can delete a CA that you have created and activated, you
537
- # must disable it. To do this, call the UpdateCertificateAuthority
611
+ # must disable it. To do this, call the [UpdateCertificateAuthority][2]
538
612
  # action and set the **CertificateAuthorityStatus** parameter to
539
613
  # `DISABLED`.
540
614
  #
@@ -544,22 +618,35 @@ module Aws::ACMPCA
544
618
  # signed certificate into ACM Private CA (that is, the status of the CA
545
619
  # is `PENDING_CERTIFICATE`).
546
620
  #
547
- # When you successfully call DeleteCertificateAuthority, the CA's
621
+ # When you successfully call [DeleteCertificateAuthority][3], the CA's
548
622
  # status changes to `DELETED`. However, the CA won't be permanently
549
623
  # deleted until the restoration period has passed. By default, if you do
550
624
  # not set the `PermanentDeletionTimeInDays` parameter, the CA remains
551
625
  # restorable for 30 days. You can set the parameter from 7 to 30 days.
552
- # The DescribeCertificateAuthority action returns the time remaining in
553
- # the restoration window of a private CA in the `DELETED` state. To
554
- # restore an eligible CA, call the RestoreCertificateAuthority action.
626
+ # The [DescribeCertificateAuthority][4] action returns the time
627
+ # remaining in the restoration window of a private CA in the `DELETED`
628
+ # state. To restore an eligible CA, call the
629
+ # [RestoreCertificateAuthority][5] action.
630
+ #
631
+ #
632
+ #
633
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
634
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
635
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
636
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
637
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RestoreCertificateAuthority.html
555
638
  #
556
639
  # @option params [required, String] :certificate_authority_arn
557
640
  # The Amazon Resource Name (ARN) that was returned when you called
558
- # CreateCertificateAuthority. This must have the following form:
641
+ # [CreateCertificateAuthority][1]. This must have the following form:
559
642
  #
560
643
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
561
644
  # `.
562
645
  #
646
+ #
647
+ #
648
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
649
+ #
563
650
  # @option params [Integer] :permanent_deletion_time_in_days
564
651
  # The number of days to make a CA restorable after it has been deleted.
565
652
  # This can be anywhere from 7 to 30 days, with 30 being the default.
@@ -582,18 +669,52 @@ module Aws::ACMPCA
582
669
  req.send_request(options)
583
670
  end
584
671
 
585
- # Revokes permissions that a private CA assigned to a designated AWS
586
- # service. Permissions can be created with the CreatePermission action
587
- # and listed with the ListPermissions action.
672
+ # Revokes permissions on a private CA granted to the AWS Certificate
673
+ # Manager (ACM) service principal (acm.amazonaws.com).
674
+ #
675
+ # These permissions allow ACM to issue and renew ACM certificates that
676
+ # reside in the same AWS account as the CA. If you revoke these
677
+ # permissions, ACM will no longer renew the affected certificates
678
+ # automatically.
679
+ #
680
+ # Permissions can be granted with the [CreatePermission][1] action and
681
+ # listed with the [ListPermissions][2] action.
682
+ #
683
+ # **About Permissions**
684
+ #
685
+ # * If the private CA and the certificates it issues reside in the same
686
+ # account, you can use `CreatePermission` to grant permissions for ACM
687
+ # to carry out automatic certificate renewals.
688
+ #
689
+ # * For automatic certificate renewal to succeed, the ACM service
690
+ # principal needs permissions to create, retrieve, and list
691
+ # certificates.
692
+ #
693
+ # * If the private CA and the ACM certificates reside in different
694
+ # accounts, then permissions cannot be used to enable automatic
695
+ # renewals. Instead, the ACM certificate owner must set up a
696
+ # resource-based policy to enable cross-account issuance and renewals.
697
+ # For more information, see [Using a Resource Based Policy with ACM
698
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
699
+ #
700
+ #
701
+ #
702
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
703
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
588
704
  #
589
705
  # @option params [required, String] :certificate_authority_arn
590
706
  # The Amazon Resource Number (ARN) of the private CA that issued the
591
707
  # permissions. You can find the CA's ARN by calling the
592
- # ListCertificateAuthorities action. This must have the following form:
708
+ # [ListCertificateAuthorities][1] action. This must have the following
709
+ # form:
593
710
  #
594
711
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
595
712
  # `.
596
713
  #
714
+ #
715
+ #
716
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
717
+ #
597
718
  # @option params [required, String] :principal
598
719
  # The AWS service or identity that will have its CA permissions revoked.
599
720
  # At this time, the only valid service principal is `acm.amazonaws.com`
@@ -620,10 +741,80 @@ module Aws::ACMPCA
620
741
  req.send_request(options)
621
742
  end
622
743
 
623
- # Lists information about your private certificate authority (CA). You
624
- # specify the private CA on input by its ARN (Amazon Resource Name). The
625
- # output contains the status of your CA. This can be any of the
626
- # following:
744
+ # Deletes the resource-based policy attached to a private CA. Deletion
745
+ # will remove any access that the policy has granted. If there is no
746
+ # policy attached to the private CA, this action will return successful.
747
+ #
748
+ # If you delete a policy that was applied through AWS Resource Access
749
+ # Manager (RAM), the CA will be removed from all shares in which it was
750
+ # included.
751
+ #
752
+ # The AWS Certificate Manager Service Linked Role that the policy
753
+ # supports is not affected when you delete the policy.
754
+ #
755
+ # The current policy can be shown with [GetPolicy][1] and updated with
756
+ # [PutPolicy][2].
757
+ #
758
+ # **About Policies**
759
+ #
760
+ # * A policy grants access on a private CA to an AWS customer account,
761
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
762
+ # under the control of a CA administrator. For more information, see
763
+ # [Using a Resource Based Policy with ACM Private
764
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
765
+ #
766
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
767
+ # ACM certificates signed by a CA in another account.
768
+ #
769
+ # * For ACM to manage automatic renewal of these certificates, the ACM
770
+ # user must configure a Service Linked Role (SLR). The SLR allows the
771
+ # ACM service to assume the identity of the user, subject to
772
+ # confirmation against the ACM Private CA policy. For more
773
+ # information, see [Using a Service Linked Role with ACM][3].
774
+ #
775
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
776
+ # policies. For more information, see [Using AWS Resource Access
777
+ # Manager (RAM) with ACM Private
778
+ # CA](acm-pca/latest/userguide/pca-ram.html).
779
+ #
780
+ #
781
+ #
782
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
783
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
784
+ # [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
785
+ #
786
+ # @option params [required, String] :resource_arn
787
+ # The Amazon Resource Number (ARN) of the private CA that will have its
788
+ # policy deleted. You can find the CA's ARN by calling the
789
+ # [ListCertificateAuthorities][1] action. The ARN value must have the
790
+ # form
791
+ # `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
792
+ #
793
+ #
794
+ #
795
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
796
+ #
797
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
798
+ #
799
+ # @example Request syntax with placeholder values
800
+ #
801
+ # resp = client.delete_policy({
802
+ # resource_arn: "Arn", # required
803
+ # })
804
+ #
805
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicy AWS API Documentation
806
+ #
807
+ # @overload delete_policy(params = {})
808
+ # @param [Hash] params ({})
809
+ def delete_policy(params = {}, options = {})
810
+ req = build_request(:delete_policy, params)
811
+ req.send_request(options)
812
+ end
813
+
814
+ # Lists information about your private certificate authority (CA) or one
815
+ # that has been shared with you. You specify the private CA on input by
816
+ # its ARN (Amazon Resource Name). The output contains the status of your
817
+ # CA. This can be any of the following:
627
818
  #
628
819
  # * `CREATING` - ACM Private CA is creating your private certificate
629
820
  # authority.
@@ -649,11 +840,15 @@ module Aws::ACMPCA
649
840
  #
650
841
  # @option params [required, String] :certificate_authority_arn
651
842
  # The Amazon Resource Name (ARN) that was returned when you called
652
- # CreateCertificateAuthority. This must be of the form:
843
+ # [CreateCertificateAuthority][1]. This must be of the form:
653
844
  #
654
845
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
655
846
  # `.
656
847
  #
848
+ #
849
+ #
850
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
851
+ #
657
852
  # @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
658
853
  #
659
854
  # * {Types::DescribeCertificateAuthorityResponse#certificate_authority #certificate_authority} => Types::CertificateAuthority
@@ -667,6 +862,7 @@ module Aws::ACMPCA
667
862
  # @example Response structure
668
863
  #
669
864
  # resp.certificate_authority.arn #=> String
865
+ # resp.certificate_authority.owner_account #=> String
670
866
  # resp.certificate_authority.created_at #=> Time
671
867
  # resp.certificate_authority.last_state_change_at #=> Time
672
868
  # resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
@@ -707,10 +903,16 @@ module Aws::ACMPCA
707
903
  end
708
904
 
709
905
  # Lists information about a specific audit report created by calling the
710
- # CreateCertificateAuthorityAuditReport action. Audit information is
711
- # created every time the certificate authority (CA) private key is used.
712
- # The private key is used when you call the IssueCertificate action or
713
- # the RevokeCertificate action.
906
+ # [CreateCertificateAuthorityAuditReport][1] action. Audit information
907
+ # is created every time the certificate authority (CA) private key is
908
+ # used. The private key is used when you call the [IssueCertificate][2]
909
+ # action or the [RevokeCertificate][3] action.
910
+ #
911
+ #
912
+ #
913
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
914
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
915
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
714
916
  #
715
917
  # @option params [required, String] :certificate_authority_arn
716
918
  # The Amazon Resource Name (ARN) of the private CA. This must be of the
@@ -721,7 +923,11 @@ module Aws::ACMPCA
721
923
  #
722
924
  # @option params [required, String] :audit_report_id
723
925
  # The report ID returned by calling the
724
- # CreateCertificateAuthorityAuditReport action.
926
+ # [CreateCertificateAuthorityAuditReport][1] action.
927
+ #
928
+ #
929
+ #
930
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
725
931
  #
726
932
  # @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
727
933
  #
@@ -758,22 +964,32 @@ module Aws::ACMPCA
758
964
  req.send_request(options)
759
965
  end
760
966
 
761
- # Retrieves a certificate from your private CA. The ARN of the
762
- # certificate is returned when you call the IssueCertificate action. You
763
- # must specify both the ARN of your private CA and the ARN of the issued
764
- # certificate when calling the **GetCertificate** action. You can
765
- # retrieve the certificate if it is in the **ISSUED** state. You can
766
- # call the CreateCertificateAuthorityAuditReport action to create a
767
- # report that contains information about all of the certificates issued
768
- # and revoked by your private CA.
967
+ # Retrieves a certificate from your private CA or one that has been
968
+ # shared with you. The ARN of the certificate is returned when you call
969
+ # the [IssueCertificate][1] action. You must specify both the ARN of
970
+ # your private CA and the ARN of the issued certificate when calling the
971
+ # **GetCertificate** action. You can retrieve the certificate if it is
972
+ # in the **ISSUED** state. You can call the
973
+ # [CreateCertificateAuthorityAuditReport][2] action to create a report
974
+ # that contains information about all of the certificates issued and
975
+ # revoked by your private CA.
976
+ #
977
+ #
978
+ #
979
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
980
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
769
981
  #
770
982
  # @option params [required, String] :certificate_authority_arn
771
983
  # The Amazon Resource Name (ARN) that was returned when you called
772
- # CreateCertificateAuthority. This must be of the form:
984
+ # [CreateCertificateAuthority][1]. This must be of the form:
773
985
  #
774
986
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
775
987
  # `.
776
988
  #
989
+ #
990
+ #
991
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
992
+ #
777
993
  # @option params [required, String] :certificate_arn
778
994
  # The ARN of the issued certificate. The ARN contains the certificate
779
995
  # serial number and must be in the following form:
@@ -813,9 +1029,10 @@ module Aws::ACMPCA
813
1029
  end
814
1030
 
815
1031
  # Retrieves the certificate and certificate chain for your private
816
- # certificate authority (CA). Both the certificate and the chain are
817
- # base64 PEM-encoded. The chain does not include the CA certificate.
818
- # Each certificate in the chain signs the one before it.
1032
+ # certificate authority (CA) or one that has been shared with you. Both
1033
+ # the certificate and the chain are base64 PEM-encoded. The chain does
1034
+ # not include the CA certificate. Each certificate in the chain signs
1035
+ # the one before it.
819
1036
  #
820
1037
  # @option params [required, String] :certificate_authority_arn
821
1038
  # The Amazon Resource Name (ARN) of your private CA. This is of the
@@ -851,19 +1068,28 @@ module Aws::ACMPCA
851
1068
 
852
1069
  # Retrieves the certificate signing request (CSR) for your private
853
1070
  # certificate authority (CA). The CSR is created when you call the
854
- # CreateCertificateAuthority action. Sign the CSR with your ACM Private
855
- # CA-hosted or on-premises root or subordinate CA. Then import the
856
- # signed certificate back into ACM Private CA by calling the
857
- # ImportCertificateAuthorityCertificate action. The CSR is returned as a
858
- # base64 PEM-encoded string.
1071
+ # [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
1072
+ # Private CA-hosted or on-premises root or subordinate CA. Then import
1073
+ # the signed certificate back into ACM Private CA by calling the
1074
+ # [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
1075
+ # as a base64 PEM-encoded string.
1076
+ #
1077
+ #
1078
+ #
1079
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1080
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
859
1081
  #
860
1082
  # @option params [required, String] :certificate_authority_arn
861
1083
  # The Amazon Resource Name (ARN) that was returned when you called the
862
- # CreateCertificateAuthority action. This must be of the form:
1084
+ # [CreateCertificateAuthority][1] action. This must be of the form:
863
1085
  #
864
1086
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
865
1087
  # `
866
1088
  #
1089
+ #
1090
+ #
1091
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1092
+ #
867
1093
  # @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
868
1094
  #
869
1095
  # * {Types::GetCertificateAuthorityCsrResponse#csr #csr} => String
@@ -892,20 +1118,83 @@ module Aws::ACMPCA
892
1118
  req.send_request(options)
893
1119
  end
894
1120
 
1121
+ # Retrieves the resource-based policy attached to a private CA. If
1122
+ # either the private CA resource or the policy cannot be found, this
1123
+ # action returns a `ResourceNotFoundException`.
1124
+ #
1125
+ # The policy can be attached or updated with [PutPolicy][1] and removed
1126
+ # with
1127
+ # [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
1128
+ #
1129
+ # **About Policies**
1130
+ #
1131
+ # * A policy grants access on a private CA to an AWS customer account,
1132
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
1133
+ # under the control of a CA administrator. For more information, see
1134
+ # [Using a Resource Based Policy with ACM Private
1135
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
1136
+ #
1137
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1138
+ # ACM certificates signed by a CA in another account.
1139
+ #
1140
+ # * For ACM to manage automatic renewal of these certificates, the ACM
1141
+ # user must configure a Service Linked Role (SLR). The SLR allows the
1142
+ # ACM service to assume the identity of the user, subject to
1143
+ # confirmation against the ACM Private CA policy. For more
1144
+ # information, see [Using a Service Linked Role with ACM][2].
1145
+ #
1146
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
1147
+ # policies. For more information, see [Using AWS Resource Access
1148
+ # Manager (RAM) with ACM Private
1149
+ # CA](acm-pca/latest/userguide/pca-ram.html).
1150
+ #
1151
+ #
1152
+ #
1153
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
1154
+ # [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1155
+ #
1156
+ # @option params [required, String] :resource_arn
1157
+ # The Amazon Resource Number (ARN) of the private CA that will have its
1158
+ # policy retrieved. You can find the CA's ARN by calling the
1159
+ # ListCertificateAuthorities action.
1160
+ #
1161
+ # @return [Types::GetPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1162
+ #
1163
+ # * {Types::GetPolicyResponse#policy #policy} => String
1164
+ #
1165
+ # @example Request syntax with placeholder values
1166
+ #
1167
+ # resp = client.get_policy({
1168
+ # resource_arn: "Arn", # required
1169
+ # })
1170
+ #
1171
+ # @example Response structure
1172
+ #
1173
+ # resp.policy #=> String
1174
+ #
1175
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicy AWS API Documentation
1176
+ #
1177
+ # @overload get_policy(params = {})
1178
+ # @param [Hash] params ({})
1179
+ def get_policy(params = {}, options = {})
1180
+ req = build_request(:get_policy, params)
1181
+ req.send_request(options)
1182
+ end
1183
+
895
1184
  # Imports a signed private CA certificate into ACM Private CA. This
896
1185
  # action is used when you are using a chain of trust whose root is
897
1186
  # located outside ACM Private CA. Before you can call this action, the
898
1187
  # following preparations must in place:
899
1188
  #
900
- # 1. In ACM Private CA, call the CreateCertificateAuthority action to
901
- # create the private CA that that you plan to back with the imported
902
- # certificate.
1189
+ # 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
1190
+ # to create the private CA that that you plan to back with the
1191
+ # imported certificate.
903
1192
  #
904
- # 2. Call the GetCertificateAuthorityCsr action to generate a
1193
+ # 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
905
1194
  # certificate signing request (CSR).
906
1195
  #
907
- # 3. Sign the CSR using a root or intermediate CA hosted either by an
908
- # on-premises PKI hierarchy or a commercial CA..
1196
+ # 3. Sign the CSR using a root or intermediate CA hosted by either an
1197
+ # on-premises PKI hierarchy or by a commercial CA.
909
1198
  #
910
1199
  # 4. Create a certificate chain and copy the signed certificate and the
911
1200
  # certificate chain to your working directory.
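Review bot: Three of the cross-reference links added in the get_policy documentation are relative paths without a host — `[DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html)` and the two `acm-pca/latest/userguide/...` links for pca-rbp.html and pca-ram.html — so YARD renders them as dead links; they should carry the `https://docs.aws.amazon.com/` prefix like the numbered `[1]`/`[2]` references beneath them. The `:resource_arn` text also says "Amazon Resource Number" where every other option in this client says "Amazon Resource Name". Since this is generated code, the correction belongs in the upstream API model documentation rather than in this file.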
@@ -929,19 +1218,76 @@ module Aws::ACMPCA
929
1218
  #
930
1219
  # * The chain must be PEM-encoded.
931
1220
  #
1221
+ # * The maximum allowed size of a certificate is 32 KB.
1222
+ #
1223
+ # * The maximum allowed size of a certificate chain is 2 MB.
1224
+ #
1225
+ # *Enforcement of Critical Constraints*
1226
+ #
1227
+ # ACM Private CA allows the following extensions to be marked critical
1228
+ # in the imported CA certificate or chain.
1229
+ #
1230
+ # * Basic constraints (*must* be marked critical)
1231
+ #
1232
+ # * Subject alternative names
1233
+ #
1234
+ # * Key usage
1235
+ #
1236
+ # * Extended key usage
1237
+ #
1238
+ # * Authority key identifier
1239
+ #
1240
+ # * Subject key identifier
1241
+ #
1242
+ # * Issuer alternative name
1243
+ #
1244
+ # * Subject directory attributes
1245
+ #
1246
+ # * Subject information access
1247
+ #
1248
+ # * Certificate policies
1249
+ #
1250
+ # * Policy mappings
1251
+ #
1252
+ # * Inhibit anyPolicy
1253
+ #
1254
+ # ACM Private CA rejects the following extensions when they are marked
1255
+ # critical in an imported CA certificate or chain.
1256
+ #
1257
+ # * Name constraints
1258
+ #
1259
+ # * Policy constraints
1260
+ #
1261
+ # * CRL distribution points
1262
+ #
1263
+ # * Authority information access
1264
+ #
1265
+ # * Freshest CRL
1266
+ #
1267
+ # * Any other extension
1268
+ #
1269
+ #
1270
+ #
1271
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1272
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCsr.html
1273
+ #
932
1274
  # @option params [required, String] :certificate_authority_arn
933
1275
  # The Amazon Resource Name (ARN) that was returned when you called
934
- # CreateCertificateAuthority. This must be of the form:
1276
+ # [CreateCertificateAuthority][1]. This must be of the form:
935
1277
  #
936
1278
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
937
1279
  # `
938
1280
  #
939
- # @option params [required, String, IO] :certificate
1281
+ #
1282
+ #
1283
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1284
+ #
1285
+ # @option params [required, String, StringIO, File] :certificate
940
1286
  # The PEM-encoded certificate for a private CA. This may be a
941
1287
  # self-signed certificate in the case of a root CA, or it may be signed
942
1288
  # by another CA that you control.
943
1289
  #
944
- # @option params [String, IO] :certificate_chain
1290
+ # @option params [String, StringIO, File] :certificate_chain
945
1291
  # A PEM-encoded file that contains all of your certificates, other than
946
1292
  # the certificate you're importing, chaining up to your root CA. Your
947
1293
  # ACM Private CA-hosted or on-premises root certificate is the last in
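Review bot: The new critical-extension rules for import_certificate_authority_certificate list Name constraints among the extensions rejected when marked critical, yet RFC 5280 §4.2.1.10 requires conforming CAs to mark that extension critical, so a chain whose parent CA is name-constrained per the RFC appears to be un-importable and the documentation should say so rather than leave it to surface as an import failure. Suggested addition after the rejected-extension list: `# Note: because RFC 5280 requires name constraints to be critical, a chain that contains a name-constrained parent CA cannot be imported.` The `:certificate_chain` description still says "A PEM-encoded file" while the option is now declared `String, StringIO, File`, so `# A PEM-encoded string or file that contains all of your certificates, other than` would match the declared types. The method body is outside this hunk.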
@@ -969,10 +1315,11 @@ module Aws::ACMPCA
969
1315
  req.send_request(options)
970
1316
  end
971
1317
 
972
- # Uses your private certificate authority (CA) to issue a client
973
- # certificate. This action returns the Amazon Resource Name (ARN) of the
974
- # certificate. You can retrieve the certificate by calling the
975
- # GetCertificate action and specifying the ARN.
1318
+ # Uses your private certificate authority (CA), or one that has been
1319
+ # shared with you, to issue a client certificate. This action returns
1320
+ # the Amazon Resource Name (ARN) of the certificate. You can retrieve
1321
+ # the certificate by calling the [GetCertificate][1] action and
1322
+ # specifying the ARN.
976
1323
  #
977
1324
  # <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
978
1325
  # retrieve the ARNs of the certificates that you issue by using ACM
@@ -980,14 +1327,22 @@ module Aws::ACMPCA
980
1327
  #
981
1328
  # </note>
982
1329
  #
1330
+ #
1331
+ #
1332
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
1333
+ #
983
1334
  # @option params [required, String] :certificate_authority_arn
984
1335
  # The Amazon Resource Name (ARN) that was returned when you called
985
- # CreateCertificateAuthority. This must be of the form:
1336
+ # [CreateCertificateAuthority][1]. This must be of the form:
986
1337
  #
987
1338
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
988
1339
  # `
989
1340
  #
990
- # @option params [required, String, IO] :csr
1341
+ #
1342
+ #
1343
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1344
+ #
1345
+ # @option params [required, String, StringIO, File] :csr
991
1346
  # The certificate signing request (CSR) for the certificate you want to
992
1347
  # issue. You can use the following OpenSSL command to create the CSR and
993
1348
  # a 2048 bit RSA private key.
@@ -1003,20 +1358,52 @@ module Aws::ACMPCA
1003
1358
  # rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
1004
1359
  # csr/test_cert_.csr`
1005
1360
  #
1361
+ # Note: A CSR must provide either a *subject name* or a *subject
1362
+ # alternative name* or the request will be rejected.
1363
+ #
1006
1364
  # @option params [required, String] :signing_algorithm
1007
1365
  # The name of the algorithm that will be used to sign the certificate to
1008
1366
  # be issued.
1009
1367
  #
1368
+ # This parameter should not be confused with the `SigningAlgorithm`
1369
+ # parameter used to sign a CSR.
1370
+ #
1010
1371
  # @option params [String] :template_arn
1011
1372
  # Specifies a custom configuration template to use when issuing a
1012
1373
  # certificate. If this parameter is not provided, ACM Private CA
1013
- # defaults to the `EndEntityCertificate/V1` template.
1374
+ # defaults to the `EndEntityCertificate/V1` template. For CA
1375
+ # certificates, you should choose the shortest path length that meets
1376
+ # your needs. The path length is indicated by the PathLen*N* portion of
1377
+ # the ARN, where *N* is the [CA depth][1].
1378
+ #
1379
+ # Note: The CA depth configured on a subordinate CA certificate must not
1380
+ # exceed the limit set by its parents in the CA hierarchy.
1014
1381
  #
1015
1382
  # The following service-owned `TemplateArn` values are supported by ACM
1016
1383
  # Private CA:
1017
1384
  #
1385
+ # * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
1386
+ #
1387
+ # * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
1388
+ #
1018
1389
  # * arn:aws:acm-pca:::template/EndEntityCertificate/V1
1019
1390
  #
1391
+ # * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
1392
+ #
1393
+ # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
1394
+ #
1395
+ # * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
1396
+ #
1397
+ # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
1398
+ #
1399
+ # * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
1400
+ #
1401
+ # * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
1402
+ #
1403
+ # * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
1404
+ #
1405
+ # * arn:aws:acm-pca:::template/RootCACertificate/V1
1406
+ #
1020
1407
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
1021
1408
  #
1022
1409
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
@@ -1025,16 +1412,23 @@ module Aws::ACMPCA
1025
1412
  #
1026
1413
  # * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
1027
1414
  #
1028
- # * arn:aws:acm-pca:::template/RootCACertificate/V1
1029
- #
1030
- # For more information, see [Using Templates][1].
1415
+ # For more information, see [Using Templates][2].
1031
1416
  #
1032
1417
  #
1033
1418
  #
1034
- # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1419
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
1420
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
1035
1421
  #
1036
1422
  # @option params [required, Types::Validity] :validity
1037
- # The type of the validity period.
1423
+ # Information describing the validity period of the certificate.
1424
+ #
1425
+ # When issuing a certificate, ACM Private CA sets the "Not Before"
1426
+ # date in the validity field to date and time minus 60 minutes. This is
1427
+ # intended to compensate for time inconsistencies across systems of 60
1428
+ # minutes or less.
1429
+ #
1430
+ # The validity period configured on a certificate must not exceed the
1431
+ # limit set by its parents in the CA hierarchy.
1038
1432
  #
1039
1433
  # @option params [String] :idempotency_token
1040
1434
  # Custom string that can be used to distinguish between calls to the
@@ -1077,7 +1471,11 @@ module Aws::ACMPCA
1077
1471
  end
1078
1472
 
1079
1473
  # Lists the private certificate authorities that you created by using
1080
- # the CreateCertificateAuthority action.
1474
+ # the [CreateCertificateAuthority][1] action.
1475
+ #
1476
+ #
1477
+ #
1478
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1081
1479
  #
1082
1480
  # @option params [String] :next_token
1083
1481
  # Use this parameter when paginating results in a subsequent request
@@ -1092,6 +1490,10 @@ module Aws::ACMPCA
1092
1490
  # sent in the response. Use this `NextToken` value in a subsequent
1093
1491
  # request to retrieve additional items.
1094
1492
  #
1493
+ # @option params [String] :resource_owner
1494
+ # Use this parameter to filter the returned set of certificate
1495
+ # authorities based on their owner. The default is SELF.
1496
+ #
1095
1497
  # @return [Types::ListCertificateAuthoritiesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1096
1498
  #
1097
1499
  # * {Types::ListCertificateAuthoritiesResponse#certificate_authorities #certificate_authorities} => Array&lt;Types::CertificateAuthority&gt;
@@ -1104,12 +1506,14 @@ module Aws::ACMPCA
1104
1506
  # resp = client.list_certificate_authorities({
1105
1507
  # next_token: "NextToken",
1106
1508
  # max_results: 1,
1509
+ # resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS
1107
1510
  # })
1108
1511
  #
1109
1512
  # @example Response structure
1110
1513
  #
1111
1514
  # resp.certificate_authorities #=> Array
1112
1515
  # resp.certificate_authorities[0].arn #=> String
1516
+ # resp.certificate_authorities[0].owner_account #=> String
1113
1517
  # resp.certificate_authorities[0].created_at #=> Time
1114
1518
  # resp.certificate_authorities[0].last_state_change_at #=> Time
1115
1519
  # resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
@@ -1150,17 +1554,48 @@ module Aws::ACMPCA
1150
1554
  req.send_request(options)
1151
1555
  end
1152
1556
 
1153
- # Lists all the permissions, if any, that have been assigned by a
1154
- # private CA. Permissions can be granted with the CreatePermission
1155
- # action and revoked with the DeletePermission action.
1557
+ # List all permissions on a private CA, if any, granted to the AWS
1558
+ # Certificate Manager (ACM) service principal (acm.amazonaws.com).
1559
+ #
1560
+ # These permissions allow ACM to issue and renew ACM certificates that
1561
+ # reside in the same AWS account as the CA.
1562
+ #
1563
+ # Permissions can be granted with the [CreatePermission][1] action and
1564
+ # revoked with the [DeletePermission][2] action.
1565
+ #
1566
+ # **About Permissions**
1567
+ #
1568
+ # * If the private CA and the certificates it issues reside in the same
1569
+ # account, you can use `CreatePermission` to grant permissions for ACM
1570
+ # to carry out automatic certificate renewals.
1571
+ #
1572
+ # * For automatic certificate renewal to succeed, the ACM service
1573
+ # principal needs permissions to create, retrieve, and list
1574
+ # certificates.
1575
+ #
1576
+ # * If the private CA and the ACM certificates reside in different
1577
+ # accounts, then permissions cannot be used to enable automatic
1578
+ # renewals. Instead, the ACM certificate owner must set up a
1579
+ # resource-based policy to enable cross-account issuance and renewals.
1580
+ # For more information, see [Using a Resource Based Policy with ACM
1581
+ # Private CA](acm-pca/latest/userguide/pca-rbp.html).
1582
+ #
1583
+ #
1584
+ #
1585
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
1586
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
1156
1587
  #
1157
1588
  # @option params [required, String] :certificate_authority_arn
1158
1589
  # The Amazon Resource Number (ARN) of the private CA to inspect. You can
1159
- # find the ARN by calling the ListCertificateAuthorities action. This
1160
- # must be of the form:
1590
+ # find the ARN by calling the [ListCertificateAuthorities][1] action.
1591
+ # This must be of the form:
1161
1592
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
1162
1593
  # You can get a private CA's ARN by running the
1163
- # ListCertificateAuthorities action.
1594
+ # [ListCertificateAuthorities][1] action.
1595
+ #
1596
+ #
1597
+ #
1598
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1164
1599
  #
1165
1600
  # @option params [String] :next_token
1166
1601
  # When paginating results, use this parameter in a subsequent request
@@ -1210,19 +1645,29 @@ module Aws::ACMPCA
1210
1645
  req.send_request(options)
1211
1646
  end
1212
1647
 
1213
- # Lists the tags, if any, that are associated with your private CA. Tags
1214
- # are labels that you can use to identify and organize your CAs. Each
1215
- # tag consists of a key and an optional value. Call the
1216
- # TagCertificateAuthority action to add one or more tags to your CA.
1217
- # Call the UntagCertificateAuthority action to remove tags.
1648
+ # Lists the tags, if any, that are associated with your private CA or
1649
+ # one that has been shared with you. Tags are labels that you can use to
1650
+ # identify and organize your CAs. Each tag consists of a key and an
1651
+ # optional value. Call the [TagCertificateAuthority][1] action to add
1652
+ # one or more tags to your CA. Call the [UntagCertificateAuthority][2]
1653
+ # action to remove tags.
1654
+ #
1655
+ #
1656
+ #
1657
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
1658
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
1218
1659
  #
1219
1660
  # @option params [required, String] :certificate_authority_arn
1220
1661
  # The Amazon Resource Name (ARN) that was returned when you called the
1221
- # CreateCertificateAuthority action. This must be of the form:
1662
+ # [CreateCertificateAuthority][1] action. This must be of the form:
1222
1663
  #
1223
1664
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1224
1665
  # `
1225
1666
  #
1667
+ #
1668
+ #
1669
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1670
+ #
1226
1671
  # @option params [String] :next_token
1227
1672
  # Use this parameter when paginating results in a subsequent request
1228
1673
  # after you receive a response with truncated results. Set it to the
@@ -1266,30 +1711,121 @@ module Aws::ACMPCA
1266
1711
  req.send_request(options)
1267
1712
  end
1268
1713
 
1714
+ # Attaches a resource-based policy to a private CA.
1715
+ #
1716
+ # A policy can also be applied by [sharing][1] a private CA through AWS
1717
+ # Resource Access Manager (RAM).
1718
+ #
1719
+ # The policy can be displayed with [GetPolicy][2] and removed with
1720
+ # [DeletePolicy][3].
1721
+ #
1722
+ # **About Policies**
1723
+ #
1724
+ # * A policy grants access on a private CA to an AWS customer account,
1725
+ # to AWS Organizations, or to an AWS Organizations unit. Policies are
1726
+ # under the control of a CA administrator. For more information, see
1727
+ # [Using a Resource Based Policy with ACM Private
1728
+ # CA](acm-pca/latest/userguide/pca-rbp.html).
1729
+ #
1730
+ # * A policy permits a user of AWS Certificate Manager (ACM) to issue
1731
+ # ACM certificates signed by a CA in another account.
1732
+ #
1733
+ # * For ACM to manage automatic renewal of these certificates, the ACM
1734
+ # user must configure a Service Linked Role (SLR). The SLR allows the
1735
+ # ACM service to assume the identity of the user, subject to
1736
+ # confirmation against the ACM Private CA policy. For more
1737
+ # information, see [Using a Service Linked Role with ACM][4].
1738
+ #
1739
+ # * Updates made in AWS Resource Manager (RAM) are reflected in
1740
+ # policies. For more information, see [Using AWS Resource Access
1741
+ # Manager (RAM) with ACM Private
1742
+ # CA](acm-pca/latest/userguide/pca-ram.html).
1743
+ #
1744
+ #
1745
+ #
1746
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
1747
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
1748
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
1749
+ # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
1750
+ #
1751
+ # @option params [required, String] :resource_arn
1752
+ # The Amazon Resource Number (ARN) of the private CA to associate with
1753
+ # the policy. The ARN of the CA can be found by calling the
1754
+ # [ListCertificateAuthorities][1] action.
1755
+ #
1756
+ #
1757
+ #
1758
+ #
1759
+ #
1760
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1761
+ #
1762
+ # @option params [required, String] :policy
1763
+ # The path and filename of a JSON-formatted IAM policy to attach to the
1764
+ # specified private CA resource. If this policy does not contain all
1765
+ # required statements or if it includes any statement that is not
1766
+ # allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
1767
+ # For information about IAM policy and statement structure, see
1768
+ # [Overview of JSON Policies][1].
1769
+ #
1770
+ #
1771
+ #
1772
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
1773
+ #
1774
+ # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1775
+ #
1776
+ # @example Request syntax with placeholder values
1777
+ #
1778
+ # resp = client.put_policy({
1779
+ # resource_arn: "Arn", # required
1780
+ # policy: "AWSPolicy", # required
1781
+ # })
1782
+ #
1783
+ # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicy AWS API Documentation
1784
+ #
1785
+ # @overload put_policy(params = {})
1786
+ # @param [Hash] params ({})
1787
+ def put_policy(params = {}, options = {})
1788
+ req = build_request(:put_policy, params)
1789
+ req.send_request(options)
1790
+ end
1791
+
1269
1792
  # Restores a certificate authority (CA) that is in the `DELETED` state.
1270
1793
  # You can restore a CA during the period that you defined in the
1271
1794
  # **PermanentDeletionTimeInDays** parameter of the
1272
- # DeleteCertificateAuthority action. Currently, you can specify 7 to 30
1273
- # days. If you did not specify a **PermanentDeletionTimeInDays** value,
1274
- # by default you can restore the CA at any time in a 30 day period. You
1275
- # can check the time remaining in the restoration period of a private CA
1276
- # in the `DELETED` state by calling the DescribeCertificateAuthority or
1277
- # ListCertificateAuthorities actions. The status of a restored CA is set
1278
- # to its pre-deletion status when the **RestoreCertificateAuthority**
1279
- # action returns. To change its status to `ACTIVE`, call the
1280
- # UpdateCertificateAuthority action. If the private CA was in the
1281
- # `PENDING_CERTIFICATE` state at deletion, you must use the
1282
- # ImportCertificateAuthorityCertificate action to import a certificate
1283
- # authority into the private CA before it can be activated. You cannot
1284
- # restore a CA after the restoration period has ended.
1795
+ # [DeleteCertificateAuthority][1] action. Currently, you can specify 7
1796
+ # to 30 days. If you did not specify a **PermanentDeletionTimeInDays**
1797
+ # value, by default you can restore the CA at any time in a 30 day
1798
+ # period. You can check the time remaining in the restoration period of
1799
+ # a private CA in the `DELETED` state by calling the
1800
+ # [DescribeCertificateAuthority][2] or [ListCertificateAuthorities][3]
1801
+ # actions. The status of a restored CA is set to its pre-deletion status
1802
+ # when the **RestoreCertificateAuthority** action returns. To change its
1803
+ # status to `ACTIVE`, call the [UpdateCertificateAuthority][4] action.
1804
+ # If the private CA was in the `PENDING_CERTIFICATE` state at deletion,
1805
+ # you must use the [ImportCertificateAuthorityCertificate][5] action to
1806
+ # import a certificate authority into the private CA before it can be
1807
+ # activated. You cannot restore a CA after the restoration period has
1808
+ # ended.
1809
+ #
1810
+ #
1811
+ #
1812
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
1813
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
1814
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
1815
+ # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
1816
+ # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
1285
1817
  #
1286
1818
  # @option params [required, String] :certificate_authority_arn
1287
1819
  # The Amazon Resource Name (ARN) that was returned when you called the
1288
- # CreateCertificateAuthority action. This must be of the form:
1820
+ # [CreateCertificateAuthority][1] action. This must be of the form:
1289
1821
  #
1290
1822
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1291
1823
  # `
1292
1824
  #
1825
+ #
1826
+ #
1827
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1828
+ #
1293
1829
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1294
1830
  #
1295
1831
  # @example Request syntax with placeholder values
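Review bot: The `:policy` option documentation in put_policy says "The path and filename of a JSON-formatted IAM policy", but the option is declared `[required, String]` and the request example passes the document itself (`policy: "AWSPolicy"`); the SDK does not read files, so a caller following this text would send a filesystem path and get the `InvalidPolicyException` described two lines later. It should read `# The JSON-formatted IAM policy document to attach to the specified private CA resource.` Because this policy is what grants other accounts and organizations issuance on the CA, the wording matters for the least-privilege review a caller does before attaching it. The two `acm-pca/latest/userguide/...` links in the About Policies list are also relative paths without a host and render as dead links. This file is generated, so the fix belongs in the upstream API model.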
@@ -1311,15 +1847,33 @@ module Aws::ACMPCA
1311
1847
  # enable a certificate revocation list (CRL) when you create or update
1312
1848
  # your private CA, information about the revoked certificates will be
1313
1849
  # included in the CRL. ACM Private CA writes the CRL to an S3 bucket
1314
- # that you specify. For more information about revocation, see the
1315
- # CrlConfiguration structure. ACM Private CA also writes revocation
1316
- # information to the audit report. For more information, see
1317
- # CreateCertificateAuthorityAuditReport.
1850
+ # that you specify. A CRL is typically updated approximately 30 minutes
1851
+ # after a certificate is revoked. If for any reason the CRL update
1852
+ # fails, ACM Private CA attempts makes further attempts every 15
1853
+ # minutes. With Amazon CloudWatch, you can create alarms for the metrics
1854
+ # `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
1855
+ # [Supported CloudWatch Metrics][1].
1856
+ #
1857
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
1858
+ # bucket that you specify. If the IAM principal making the call does not
1859
+ # have permission to write to the bucket, then an exception is thrown.
1860
+ # For more information, see [Configure Access to ACM Private CA][2].
1861
+ #
1862
+ # </note>
1863
+ #
1864
+ # ACM Private CA also writes revocation information to the audit report.
1865
+ # For more information, see [CreateCertificateAuthorityAuditReport][3].
1318
1866
  #
1319
1867
  # <note markdown="1"> You cannot revoke a root CA self-signed certificate.
1320
1868
  #
1321
1869
  # </note>
1322
1870
  #
1871
+ #
1872
+ #
1873
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
1874
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
1875
+ # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
1876
+ #
1323
1877
  # @option params [required, String] :certificate_authority_arn
1324
1878
  # Amazon Resource Name (ARN) of the private CA that issued the
1325
1879
  # certificate to be revoked. This must be of the form:
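Review bot: The added CRL paragraph in revoke_certificate reads "ACM Private CA attempts makes further attempts every 15 minutes" — a duplicated verb; `# fails, ACM Private CA makes further attempts every 15 minutes.` The new note also says both PCA and the IAM principal must be able to write to "the S3 bucket that you specify", but revoke_certificate takes no bucket parameter; the bucket comes from the CA's CRL configuration, so `# bucket configured for the CA's CRL. If the IAM principal making the call does not` would point the reader at the right place. Generated file; the correction belongs upstream.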
@@ -1330,21 +1884,22 @@ module Aws::ACMPCA
1330
1884
  # @option params [required, String] :certificate_serial
1331
1885
  # Serial number of the certificate to be revoked. This must be in
1332
1886
  # hexadecimal format. You can retrieve the serial number by calling
1333
- # GetCertificate with the Amazon Resource Name (ARN) of the certificate
1334
- # you want and the ARN of your private CA. The **GetCertificate** action
1335
- # retrieves the certificate in the PEM format. You can use the following
1336
- # OpenSSL command to list the certificate in text format and copy the
1337
- # hexadecimal serial number.
1887
+ # [GetCertificate][1] with the Amazon Resource Name (ARN) of the
1888
+ # certificate you want and the ARN of your private CA. The
1889
+ # **GetCertificate** action retrieves the certificate in the PEM format.
1890
+ # You can use the following OpenSSL command to list the certificate in
1891
+ # text format and copy the hexadecimal serial number.
1338
1892
  #
1339
1893
  # `openssl x509 -in file_path -text -noout`
1340
1894
  #
1341
1895
  # You can also copy the serial number from the console or use the
1342
- # [DescribeCertificate][1] action in the *AWS Certificate Manager API
1896
+ # [DescribeCertificate][2] action in the *AWS Certificate Manager API
1343
1897
  # Reference*.
1344
1898
  #
1345
1899
  #
1346
1900
  #
1347
- # [1]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
1901
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
1902
+ # [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
1348
1903
  #
1349
1904
  # @option params [required, String] :revocation_reason
1350
1905
  # Specifies why you revoked the certificate.
@@ -1376,16 +1931,25 @@ module Aws::ACMPCA
1376
1931
  # to identify a specific characteristic of that CA, or you can apply the
1377
1932
  # same tag to multiple private CAs if you want to filter for a common
1378
1933
  # relationship among those CAs. To remove one or more tags, use the
1379
- # UntagCertificateAuthority action. Call the ListTags action to see what
1380
- # tags are associated with your CA.
1934
+ # [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
1935
+ # to see what tags are associated with your CA.
1936
+ #
1937
+ #
1938
+ #
1939
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
1940
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
1381
1941
  #
1382
1942
  # @option params [required, String] :certificate_authority_arn
1383
1943
  # The Amazon Resource Name (ARN) that was returned when you called
1384
- # CreateCertificateAuthority. This must be of the form:
1944
+ # [CreateCertificateAuthority][1]. This must be of the form:
1385
1945
  #
1386
1946
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1387
1947
  # `
1388
1948
  #
1949
+ #
1950
+ #
1951
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
1952
+ #
1389
1953
  # @option params [required, Array<Types::Tag>] :tags
1390
1954
  # List of tags to be associated with the CA.
1391
1955
  #
@@ -1417,16 +1981,25 @@ module Aws::ACMPCA
1417
1981
  # when calling this action, the tag will be removed regardless of value.
1418
1982
  # If you specify a value, the tag is removed only if it is associated
1419
1983
  # with the specified value. To add tags to a private CA, use the
1420
- # TagCertificateAuthority. Call the ListTags action to see what tags are
1421
- # associated with your CA.
1984
+ # [TagCertificateAuthority][1]. Call the [ListTags][2] action to see
1985
+ # what tags are associated with your CA.
1986
+ #
1987
+ #
1988
+ #
1989
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
1990
+ # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
1422
1991
  #
1423
1992
  # @option params [required, String] :certificate_authority_arn
1424
1993
  # The Amazon Resource Name (ARN) that was returned when you called
1425
- # CreateCertificateAuthority. This must be of the form:
1994
+ # [CreateCertificateAuthority][1]. This must be of the form:
1426
1995
  #
1427
1996
  # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
1428
1997
  # `
1429
1998
  #
1999
+ #
2000
+ #
2001
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
2002
+ #
1430
2003
  # @option params [required, Array<Types::Tag>] :tags
1431
2004
  # List of tags to be removed from the CA.
1432
2005
  #
@@ -1459,6 +2032,17 @@ module Aws::ACMPCA
1459
2032
  # `ACTIVE` state or make a CA that is in the `DISABLED` state active
1460
2033
  # again.
1461
2034
  #
2035
+ # <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
2036
+ # bucket that you specify. If the IAM principal making the call does not
2037
+ # have permission to write to the bucket, then an exception is thrown.
2038
+ # For more information, see [Configure Access to ACM Private CA][1].
2039
+ #
2040
+ # </note>
2041
+ #
2042
+ #
2043
+ #
2044
+ # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
2045
+ #
1462
2046
  # @option params [required, String] :certificate_authority_arn
1463
2047
  # Amazon Resource Name (ARN) of the private CA that issued the
1464
2048
  # certificate to be revoked. This must be of the form:
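Review bot: The added note says both PCA and the IAM principal need write access to "the S3 bucket that you specify", but nothing in the hunk tells the caller which parameter carries that bucket, so a reader cannot tell what to verify before the call fails with an exception; presumably it is the CRL bucket inside the revocation configuration of this request, and if so the note should say so, e.g. `# The bucket meant here is the CRL bucket given in this call's revocation configuration.`. The `:certificate_authority_arn` text that follows the note describes the ARN as that of "the private CA that issued the certificate to be revoked", which reads as copied from the revocation operation rather than one that activates or disables a CA; that wording is context, not part of this change, but it is worth correcting in the same documentation pass. The enclosing method's definition starts and ends outside this hunk.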
@@ -1511,7 +2095,7 @@ module Aws::ACMPCA
1511
2095
  params: params,
1512
2096
  config: config)
1513
2097
  context[:gem_name] = 'aws-sdk-acmpca'
1514
- context[:gem_version] = '1.25.1'
2098
+ context[:gem_version] = '1.30.0'
1515
2099
  Seahorse::Client::Request.new(handlers, context)
1516
2100
  end
1517
2101