aws-sdk-acmpca 1.27.0 → 1.32.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-acmpca.rb +3 -2
- data/lib/aws-sdk-acmpca/client.rb +361 -102
- data/lib/aws-sdk-acmpca/client_api.rb +103 -0
- data/lib/aws-sdk-acmpca/types.rb +1104 -85
- metadata +4 -4
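--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dc98acc54b80d947d407c145b5f09f400dad5a8b943019e3b8c9bcd008f2b2c7
+data.tar.gz: 5625afa10f80568e15a65cec8fce964cebe02a72ffeb314d9ec95374a073d012
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 774424f9c13f043e133ee64be2b4d302d7797645b9d51075aea543f1c215deab51c914473d9f93b6a4d52942974a108c1e69f0946a65e66a1d3c635cab1d7d11
+data.tar.gz: ea1de9d25fd213799a2a277027d62ca35f445a79cc4e2c23553dd182f16c9e8a93f086ffe040dcdd28449c283a5113e3d37fed4b474475d3acac8f4f42272af0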
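--- a/data/lib/aws-sdk-acmpca.rb
+++ b/data/lib/aws-sdk-acmpca.rb
@@ -7,6 +7,7 @@
 #
 # WARNING ABOUT GENERATED CODE
 
+
 require 'aws-sdk-core'
 require 'aws-sigv4'
 
@@ -45,9 +46,9 @@ require_relative 'aws-sdk-acmpca/customizations'
 #
 # See {Errors} for more information.
 #
-#
+# @!group service
 module Aws::ACMPCA
 
-GEM_VERSION = '1.
+GEM_VERSION = '1.32.0'
 
 end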
@@ -85,13 +85,28 @@ module Aws::ACMPCA
|
|
85
85
|
# * `Aws::Credentials` - Used for configuring static, non-refreshing
|
86
86
|
# credentials.
|
87
87
|
#
|
88
|
+
# * `Aws::SharedCredentials` - Used for loading static credentials from a
|
89
|
+
# shared file, such as `~/.aws/config`.
|
90
|
+
#
|
91
|
+
# * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
92
|
+
#
|
93
|
+
# * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
94
|
+
# assume a role after providing credentials via the web.
|
95
|
+
#
|
96
|
+
# * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
97
|
+
# access token generated from `aws login`.
|
98
|
+
#
|
99
|
+
# * `Aws::ProcessCredentials` - Used for loading credentials from a
|
100
|
+
# process that outputs to stdout.
|
101
|
+
#
|
88
102
|
# * `Aws::InstanceProfileCredentials` - Used for loading credentials
|
89
103
|
# from an EC2 IMDS on an EC2 instance.
|
90
104
|
#
|
91
|
-
# * `Aws::
|
92
|
-
#
|
105
|
+
# * `Aws::ECSCredentials` - Used for loading credentials from
|
106
|
+
# instances running in ECS.
|
93
107
|
#
|
94
|
-
# * `Aws::
|
108
|
+
# * `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
109
|
+
# from the Cognito Identity service.
|
95
110
|
#
|
96
111
|
# When `:credentials` are not configured directly, the following
|
97
112
|
# locations will be searched for credentials:
|
@@ -101,10 +116,10 @@ module Aws::ACMPCA
|
|
101
116
|
# * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
102
117
|
# * `~/.aws/credentials`
|
103
118
|
# * `~/.aws/config`
|
104
|
-
# * EC2 IMDS instance profile - When used by default, the timeouts
|
105
|
-
# very aggressive. Construct and pass an instance of
|
106
|
-
# `Aws::InstanceProfileCredentails`
|
107
|
-
# timeouts.
|
119
|
+
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
|
+
# are very aggressive. Construct and pass an instance of
|
121
|
+
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
+
# enable retries and extended timeouts.
|
108
123
|
#
|
109
124
|
# @option options [required, String] :region
|
110
125
|
# The AWS region to connect to. The configured `:region` is
|
@@ -370,12 +385,14 @@ module Aws::ACMPCA
|
|
370
385
|
# The type of the certificate authority.
|
371
386
|
#
|
372
387
|
# @option params [String] :idempotency_token
|
373
|
-
#
|
374
|
-
# **CreateCertificateAuthority
|
375
|
-
#
|
376
|
-
#
|
377
|
-
#
|
378
|
-
#
|
388
|
+
# Custom string that can be used to distinguish between calls to the
|
389
|
+
# **CreateCertificateAuthority** action. Idempotency tokens for
|
390
|
+
# **CreateCertificateAuthority** time out after five minutes. Therefore,
|
391
|
+
# if you call **CreateCertificateAuthority** multiple times with the
|
392
|
+
# same idempotency token within five minutes, ACM Private CA recognizes
|
393
|
+
# that you are requesting only certificate authority and will issue only
|
394
|
+
# one. If you change the idempotency token for each call, PCA recognizes
|
395
|
+
# that you are requesting multiple certificate authorities.
|
379
396
|
#
|
380
397
|
# @option params [Array<Types::Tag>] :tags
|
381
398
|
# Key-value pairs that will be attached to the new private CA. You can
|
@@ -413,6 +430,58 @@ module Aws::ACMPCA
|
|
413
430
|
# pseudonym: "String128",
|
414
431
|
# generation_qualifier: "String3",
|
415
432
|
# },
|
433
|
+
# csr_extensions: {
|
434
|
+
# key_usage: {
|
435
|
+
# digital_signature: false,
|
436
|
+
# non_repudiation: false,
|
437
|
+
# key_encipherment: false,
|
438
|
+
# data_encipherment: false,
|
439
|
+
# key_agreement: false,
|
440
|
+
# key_cert_sign: false,
|
441
|
+
# crl_sign: false,
|
442
|
+
# encipher_only: false,
|
443
|
+
# decipher_only: false,
|
444
|
+
# },
|
445
|
+
# subject_information_access: [
|
446
|
+
# {
|
447
|
+
# access_method: { # required
|
448
|
+
# custom_object_identifier: "CustomObjectIdentifier",
|
449
|
+
# access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY
|
450
|
+
# },
|
451
|
+
# access_location: { # required
|
452
|
+
# other_name: {
|
453
|
+
# type_id: "CustomObjectIdentifier", # required
|
454
|
+
# value: "String256", # required
|
455
|
+
# },
|
456
|
+
# rfc_822_name: "String256",
|
457
|
+
# dns_name: "String253",
|
458
|
+
# directory_name: {
|
459
|
+
# country: "CountryCodeString",
|
460
|
+
# organization: "String64",
|
461
|
+
# organizational_unit: "String64",
|
462
|
+
# distinguished_name_qualifier: "ASN1PrintableString64",
|
463
|
+
# state: "String128",
|
464
|
+
# common_name: "String64",
|
465
|
+
# serial_number: "ASN1PrintableString64",
|
466
|
+
# locality: "String128",
|
467
|
+
# title: "String64",
|
468
|
+
# surname: "String40",
|
469
|
+
# given_name: "String16",
|
470
|
+
# initials: "String5",
|
471
|
+
# pseudonym: "String128",
|
472
|
+
# generation_qualifier: "String3",
|
473
|
+
# },
|
474
|
+
# edi_party_name: {
|
475
|
+
# party_name: "String256", # required
|
476
|
+
# name_assigner: "String256",
|
477
|
+
# },
|
478
|
+
# uniform_resource_identifier: "String253",
|
479
|
+
# ip_address: "String39",
|
480
|
+
# registered_id: "CustomObjectIdentifier",
|
481
|
+
# },
|
482
|
+
# },
|
483
|
+
# ],
|
484
|
+
# },
|
416
485
|
# },
|
417
486
|
# revocation_configuration: {
|
418
487
|
# crl_configuration: {
|
@@ -532,12 +601,13 @@ module Aws::ACMPCA
|
|
532
601
|
# renewals. Instead, the ACM certificate owner must set up a
|
533
602
|
# resource-based policy to enable cross-account issuance and renewals.
|
534
603
|
# For more information, see [Using a Resource Based Policy with ACM
|
535
|
-
# Private CA]
|
604
|
+
# Private CA][3].
|
536
605
|
#
|
537
606
|
#
|
538
607
|
#
|
539
608
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
540
609
|
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
610
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
541
611
|
#
|
542
612
|
# @option params [required, String] :certificate_authority_arn
|
543
613
|
# The Amazon Resource Name (ARN) of the CA that grants the permissions.
|
@@ -680,12 +750,13 @@ module Aws::ACMPCA
|
|
680
750
|
# renewals. Instead, the ACM certificate owner must set up a
|
681
751
|
# resource-based policy to enable cross-account issuance and renewals.
|
682
752
|
# For more information, see [Using a Resource Based Policy with ACM
|
683
|
-
# Private CA]
|
753
|
+
# Private CA][3].
|
684
754
|
#
|
685
755
|
#
|
686
756
|
#
|
687
757
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
688
758
|
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
759
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
689
760
|
#
|
690
761
|
# @option params [required, String] :certificate_authority_arn
|
691
762
|
# The Amazon Resource Number (ARN) of the private CA that issued the
|
@@ -745,8 +816,7 @@ module Aws::ACMPCA
|
|
745
816
|
# * A policy grants access on a private CA to an AWS customer account,
|
746
817
|
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
747
818
|
# under the control of a CA administrator. For more information, see
|
748
|
-
# [Using a Resource Based Policy with ACM Private
|
749
|
-
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
819
|
+
# [Using a Resource Based Policy with ACM Private CA][3].
|
750
820
|
#
|
751
821
|
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
752
822
|
# ACM certificates signed by a CA in another account.
|
@@ -755,18 +825,19 @@ module Aws::ACMPCA
|
|
755
825
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
756
826
|
# ACM service to assume the identity of the user, subject to
|
757
827
|
# confirmation against the ACM Private CA policy. For more
|
758
|
-
# information, see [Using a Service Linked Role with ACM][
|
828
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
759
829
|
#
|
760
830
|
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
761
|
-
# policies. For more information, see [
|
762
|
-
#
|
763
|
-
# CA](acm-pca/latest/userguide/pca-ram.html).
|
831
|
+
# policies. For more information, see [Attach a Policy for
|
832
|
+
# Cross-Account Access][5].
|
764
833
|
#
|
765
834
|
#
|
766
835
|
#
|
767
836
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
768
837
|
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
769
|
-
# [3]: https://docs.aws.amazon.com/acm/latest/userguide/
|
838
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
839
|
+
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
840
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
|
770
841
|
#
|
771
842
|
# @option params [required, String] :resource_arn
|
772
843
|
# The Amazon Resource Number (ARN) of the private CA that will have its
|
@@ -815,7 +886,7 @@ module Aws::ACMPCA
|
|
815
886
|
# * `EXPIRED` - Your private CA certificate has expired.
|
816
887
|
#
|
817
888
|
# * `FAILED` - Your private CA has failed. Your CA can fail because of
|
818
|
-
# problems such a network outage or
|
889
|
+
# problems such a network outage or back-end AWS failure or other
|
819
890
|
# errors. A failed CA can never return to the pending state. You must
|
820
891
|
# create a new CA.
|
821
892
|
#
|
@@ -872,6 +943,41 @@ module Aws::ACMPCA
|
|
872
943
|
# resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String
|
873
944
|
# resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String
|
874
945
|
# resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String
|
946
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
|
947
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
|
948
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
|
949
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
|
950
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
|
951
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
|
952
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
|
953
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
|
954
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
|
955
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
|
956
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
|
957
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
|
958
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
|
959
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
|
960
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
|
961
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
|
962
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
|
963
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
|
964
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
|
965
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
|
966
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
|
967
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
|
968
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
|
969
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
|
970
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
|
971
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
|
972
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
|
973
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
|
974
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
|
975
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
|
976
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
|
977
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
|
978
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
|
979
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
|
980
|
+
# resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
|
875
981
|
# resp.certificate_authority.revocation_configuration.crl_configuration.enabled #=> Boolean
|
876
982
|
# resp.certificate_authority.revocation_configuration.crl_configuration.expiration_in_days #=> Integer
|
877
983
|
# resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String
|
@@ -1108,16 +1214,14 @@ module Aws::ACMPCA
|
|
1108
1214
|
# action returns a `ResourceNotFoundException`.
|
1109
1215
|
#
|
1110
1216
|
# The policy can be attached or updated with [PutPolicy][1] and removed
|
1111
|
-
# with
|
1112
|
-
# [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
|
1217
|
+
# with [DeletePolicy][2].
|
1113
1218
|
#
|
1114
1219
|
# **About Policies**
|
1115
1220
|
#
|
1116
1221
|
# * A policy grants access on a private CA to an AWS customer account,
|
1117
1222
|
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1118
1223
|
# under the control of a CA administrator. For more information, see
|
1119
|
-
# [Using a Resource Based Policy with ACM Private
|
1120
|
-
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1224
|
+
# [Using a Resource Based Policy with ACM Private CA][3].
|
1121
1225
|
#
|
1122
1226
|
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1123
1227
|
# ACM certificates signed by a CA in another account.
|
@@ -1126,17 +1230,19 @@ module Aws::ACMPCA
|
|
1126
1230
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1127
1231
|
# ACM service to assume the identity of the user, subject to
|
1128
1232
|
# confirmation against the ACM Private CA policy. For more
|
1129
|
-
# information, see [Using a Service Linked Role with ACM][
|
1233
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
1130
1234
|
#
|
1131
1235
|
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1132
|
-
# policies. For more information, see [
|
1133
|
-
#
|
1134
|
-
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1236
|
+
# policies. For more information, see [Attach a Policy for
|
1237
|
+
# Cross-Account Access][5].
|
1135
1238
|
#
|
1136
1239
|
#
|
1137
1240
|
#
|
1138
1241
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
1139
|
-
# [2]: https://docs.aws.amazon.com/acm/latest/
|
1242
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
|
1243
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
1244
|
+
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1245
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
|
1140
1246
|
#
|
1141
1247
|
# @option params [required, String] :resource_arn
|
1142
1248
|
# The Amazon Resource Number (ARN) of the private CA that will have its
|
@@ -1172,8 +1278,8 @@ module Aws::ACMPCA
|
|
1172
1278
|
# following preparations must in place:
|
1173
1279
|
#
|
1174
1280
|
# 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
|
1175
|
-
# to create the private CA that
|
1176
|
-
#
|
1281
|
+
# to create the private CA that you plan to back with the imported
|
1282
|
+
# certificate.
|
1177
1283
|
#
|
1178
1284
|
# 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
|
1179
1285
|
# certificate signing request (CSR).
|
@@ -1184,22 +1290,31 @@ module Aws::ACMPCA
|
|
1184
1290
|
# 4. Create a certificate chain and copy the signed certificate and the
|
1185
1291
|
# certificate chain to your working directory.
|
1186
1292
|
#
|
1187
|
-
#
|
1293
|
+
# ACM Private CA supports three scenarios for installing a CA
|
1294
|
+
# certificate:
|
1295
|
+
#
|
1296
|
+
# * Installing a certificate for a root CA hosted by ACM Private CA.
|
1297
|
+
#
|
1298
|
+
# * Installing a subordinate CA certificate whose parent authority is
|
1299
|
+
# hosted by ACM Private CA.
|
1300
|
+
#
|
1301
|
+
# * Installing a subordinate CA certificate whose parent authority is
|
1302
|
+
# externally hosted.
|
1188
1303
|
#
|
1189
|
-
#
|
1190
|
-
#
|
1304
|
+
# The following additional requirements apply when you import a CA
|
1305
|
+
# certificate.
|
1191
1306
|
#
|
1192
|
-
# *
|
1193
|
-
#
|
1307
|
+
# * Only a self-signed certificate can be imported as a root CA.
|
1308
|
+
#
|
1309
|
+
# * A self-signed certificate cannot be imported as a subordinate CA.
|
1194
1310
|
#
|
1195
1311
|
# * Your certificate chain must not include the private CA certificate
|
1196
1312
|
# that you are importing.
|
1197
1313
|
#
|
1198
|
-
# * Your
|
1199
|
-
#
|
1200
|
-
#
|
1201
|
-
#
|
1202
|
-
# and so on until your chain is built.
|
1314
|
+
# * Your root CA must be the last certificate in your chain. The
|
1315
|
+
# subordinate certificate, if any, that your root CA signed must be
|
1316
|
+
# next to last. The subordinate certificate signed by the preceding
|
1317
|
+
# subordinate CA must come next, and so on until your chain is built.
|
1203
1318
|
#
|
1204
1319
|
# * The chain must be PEM-encoded.
|
1205
1320
|
#
|
@@ -1316,6 +1431,21 @@ module Aws::ACMPCA
|
|
1316
1431
|
#
|
1317
1432
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
|
1318
1433
|
#
|
1434
|
+
# @option params [Types::ApiPassthrough] :api_passthrough
|
1435
|
+
# Specifies X.509 certificate information to be included in the issued
|
1436
|
+
# certificate. An `APIPassthrough` or `APICSRPassthrough` template
|
1437
|
+
# variant must be selected, or else this parameter is ignored. For more
|
1438
|
+
# information about using these templates, see [Understanding
|
1439
|
+
# Certificate Templates][1].
|
1440
|
+
#
|
1441
|
+
# If conflicting or duplicate certificate information is supplied during
|
1442
|
+
# certificate issuance, ACM Private CA applies [order of operation
|
1443
|
+
# rules](xxxxx) to determine what information is used.
|
1444
|
+
#
|
1445
|
+
#
|
1446
|
+
#
|
1447
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
|
1448
|
+
#
|
1319
1449
|
# @option params [required, String] :certificate_authority_arn
|
1320
1450
|
# The Amazon Resource Name (ARN) that was returned when you called
|
1321
1451
|
# [CreateCertificateAuthority][1]. This must be of the form:
|
@@ -1329,15 +1459,15 @@ module Aws::ACMPCA
|
|
1329
1459
|
#
|
1330
1460
|
# @option params [required, String, StringIO, File] :csr
|
1331
1461
|
# The certificate signing request (CSR) for the certificate you want to
|
1332
|
-
# issue.
|
1333
|
-
# a 2048 bit RSA private key.
|
1462
|
+
# issue. As an example, you can use the following OpenSSL command to
|
1463
|
+
# create the CSR and a 2048 bit RSA private key.
|
1334
1464
|
#
|
1335
1465
|
# `openssl req -new -newkey rsa:2048 -days 365 -keyout
|
1336
1466
|
# private/test_cert_priv_key.pem -out csr/test_cert_.csr`
|
1337
1467
|
#
|
1338
|
-
# If you have a configuration file, you can use the following
|
1339
|
-
# command. The `usr_cert` block in the configuration file
|
1340
|
-
# X509 version 3 extensions.
|
1468
|
+
# If you have a configuration file, you can then use the following
|
1469
|
+
# OpenSSL command. The `usr_cert` block in the configuration file
|
1470
|
+
# contains your X509 version 3 extensions.
|
1341
1471
|
#
|
1342
1472
|
# `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey
|
1343
1473
|
# rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
|
@@ -1351,7 +1481,8 @@ module Aws::ACMPCA
|
|
1351
1481
|
# be issued.
|
1352
1482
|
#
|
1353
1483
|
# This parameter should not be confused with the `SigningAlgorithm`
|
1354
|
-
# parameter used to sign a CSR
|
1484
|
+
# parameter used to sign a CSR in the `CreateCertificateAuthority`
|
1485
|
+
# action.
|
1355
1486
|
#
|
1356
1487
|
# @option params [String] :template_arn
|
1357
1488
|
# Specifies a custom configuration template to use when issuing a
|
@@ -1364,65 +1495,70 @@ module Aws::ACMPCA
|
|
1364
1495
|
# Note: The CA depth configured on a subordinate CA certificate must not
|
1365
1496
|
# exceed the limit set by its parents in the CA hierarchy.
|
1366
1497
|
#
|
1367
|
-
#
|
1368
|
-
#
|
1369
|
-
#
|
1370
|
-
# * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
|
1371
|
-
#
|
1372
|
-
# * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
|
1373
|
-
#
|
1374
|
-
# * arn:aws:acm-pca:::template/EndEntityCertificate/V1
|
1375
|
-
#
|
1376
|
-
# * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
|
1377
|
-
#
|
1378
|
-
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
|
1498
|
+
# For a list of `TemplateArn` values supported by ACM Private CA, see
|
1499
|
+
# [Understanding Certificate Templates][2].
|
1379
1500
|
#
|
1380
|
-
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
|
1381
1501
|
#
|
1382
|
-
# * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
|
1383
1502
|
#
|
1384
|
-
#
|
1503
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
|
1504
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
|
1385
1505
|
#
|
1386
|
-
#
|
1506
|
+
# @option params [required, Types::Validity] :validity
|
1507
|
+
# Information describing the end of the validity period of the
|
1508
|
+
# certificate. This parameter sets the “Not After” date for the
|
1509
|
+
# certificate.
|
1387
1510
|
#
|
1388
|
-
#
|
1511
|
+
# Certificate validity is the period of time during which a certificate
|
1512
|
+
# is valid. Validity can be expressed as an explicit date and time when
|
1513
|
+
# the certificate expires, or as a span of time after issuance, stated
|
1514
|
+
# in days, months, or years. For more information, see [Validity][1] in
|
1515
|
+
# RFC 5280.
|
1389
1516
|
#
|
1390
|
-
#
|
1517
|
+
# This value is unaffected when `ValidityNotBefore` is also specified.
|
1518
|
+
# For example, if `Validity` is set to 20 days in the future, the
|
1519
|
+
# certificate will expire 20 days from issuance time regardless of the
|
1520
|
+
# `ValidityNotBefore` value.
|
1391
1521
|
#
|
1392
|
-
#
|
1522
|
+
# The end of the validity period configured on a certificate must not
|
1523
|
+
# exceed the limit set on its parents in the CA hierarchy.
|
1393
1524
|
#
|
1394
|
-
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
|
1395
1525
|
#
|
1396
|
-
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen2/V1
|
1397
1526
|
#
|
1398
|
-
#
|
1527
|
+
# [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
|
1399
1528
|
#
|
1400
|
-
#
|
1529
|
+
# @option params [Types::Validity] :validity_not_before
|
1530
|
+
# Information describing the start of the validity period of the
|
1531
|
+
# certificate. This parameter sets the “Not Before" date for the
|
1532
|
+
# certificate.
|
1401
1533
|
#
|
1534
|
+
# By default, when issuing a certificate, ACM Private CA sets the "Not
|
1535
|
+
# Before" date to the issuance time minus 60 minutes. This compensates
|
1536
|
+
# for clock inconsistencies across computer systems. The
|
1537
|
+
# `ValidityNotBefore` parameter can be used to customize the “Not
|
1538
|
+
# Before” value.
|
1402
1539
|
#
|
1540
|
+
# Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is
|
1541
|
+
# optional.
|
1403
1542
|
#
|
1404
|
-
#
|
1405
|
-
#
|
1543
|
+
# The `ValidityNotBefore` value is expressed as an explicit date and
|
1544
|
+
# time, using the `Validity` type value `ABSOLUTE`. For more
|
1545
|
+
# information, see [Validity][1] in this API reference and [Validity][2]
|
1546
|
+
# in RFC 5280.
|
1406
1547
|
#
|
1407
|
-
# @option params [required, Types::Validity] :validity
|
1408
|
-
# Information describing the validity period of the certificate.
|
1409
1548
|
#
|
1410
|
-
# When issuing a certificate, ACM Private CA sets the "Not Before"
|
1411
|
-
# date in the validity field to date and time minus 60 minutes. This is
|
1412
|
-
# intended to compensate for time inconsistencies across systems of 60
|
1413
|
-
# minutes or less.
|
1414
1549
|
#
|
1415
|
-
#
|
1416
|
-
#
|
1550
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html
|
1551
|
+
# [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5
|
1417
1552
|
#
|
1418
1553
|
# @option params [String] :idempotency_token
|
1419
|
-
#
|
1420
|
-
# **IssueCertificate** action. Idempotency tokens
|
1421
|
-
#
|
1422
|
-
# the same idempotency token
|
1423
|
-
#
|
1424
|
-
#
|
1425
|
-
#
|
1554
|
+
# Alphanumeric string that can be used to distinguish between calls to
|
1555
|
+
# the **IssueCertificate** action. Idempotency tokens for
|
1556
|
+
# **IssueCertificate** time out after one minute. Therefore, if you call
|
1557
|
+
# **IssueCertificate** multiple times with the same idempotency token
|
1558
|
+
# within one minute, ACM Private CA recognizes that you are requesting
|
1559
|
+
# only one certificate and will issue only one. If you change the
|
1560
|
+
# idempotency token for each call, PCA recognizes that you are
|
1561
|
+
# requesting multiple certificates.
|
1426
1562
|
#
|
1427
1563
|
# @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1428
1564
|
#
|
@@ -1431,6 +1567,89 @@ module Aws::ACMPCA
|
|
1431
1567
|
# @example Request syntax with placeholder values
|
1432
1568
|
#
|
1433
1569
|
# resp = client.issue_certificate({
|
1570
|
+
# api_passthrough: {
|
1571
|
+
# extensions: {
|
1572
|
+
# certificate_policies: [
|
1573
|
+
# {
|
1574
|
+
# cert_policy_id: "CustomObjectIdentifier", # required
|
1575
|
+
# policy_qualifiers: [
|
1576
|
+
# {
|
1577
|
+
# policy_qualifier_id: "CPS", # required, accepts CPS
|
1578
|
+
# qualifier: { # required
|
1579
|
+
# cps_uri: "String256", # required
|
1580
|
+
# },
|
1581
|
+
# },
|
1582
|
+
# ],
|
1583
|
+
# },
|
1584
|
+
# ],
|
1585
|
+
# extended_key_usage: [
|
1586
|
+
# {
|
1587
|
+
# extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY
|
1588
|
+
# extended_key_usage_object_identifier: "CustomObjectIdentifier",
|
1589
|
+
# },
|
1590
|
+
# ],
|
1591
|
+
# key_usage: {
|
1592
|
+
# digital_signature: false,
|
1593
|
+
# non_repudiation: false,
|
1594
|
+
# key_encipherment: false,
|
1595
|
+
# data_encipherment: false,
|
1596
|
+
# key_agreement: false,
|
1597
|
+
# key_cert_sign: false,
|
1598
|
+
# crl_sign: false,
|
1599
|
+
# encipher_only: false,
|
1600
|
+
# decipher_only: false,
|
1601
|
+
# },
|
1602
|
+
# subject_alternative_names: [
|
1603
|
+
# {
|
1604
|
+
# other_name: {
|
1605
|
+
# type_id: "CustomObjectIdentifier", # required
|
1606
|
+
# value: "String256", # required
|
1607
|
+
# },
|
1608
|
+
# rfc_822_name: "String256",
|
1609
|
+
# dns_name: "String253",
|
1610
|
+
# directory_name: {
|
1611
|
+
# country: "CountryCodeString",
|
1612
|
+
# organization: "String64",
|
1613
|
+
# organizational_unit: "String64",
|
1614
|
+
# distinguished_name_qualifier: "ASN1PrintableString64",
|
1615
|
+
# state: "String128",
|
1616
|
+
# common_name: "String64",
|
1617
|
+
# serial_number: "ASN1PrintableString64",
|
1618
|
+
# locality: "String128",
|
1619
|
+
# title: "String64",
|
1620
|
+
# surname: "String40",
|
1621
|
+
# given_name: "String16",
|
1622
|
+
# initials: "String5",
|
1623
|
+
# pseudonym: "String128",
|
1624
|
+
# generation_qualifier: "String3",
|
1625
|
+
# },
|
1626
|
+
# edi_party_name: {
|
1627
|
+
# party_name: "String256", # required
|
1628
|
+
# name_assigner: "String256",
|
1629
|
+
# },
|
1630
|
+
# uniform_resource_identifier: "String253",
|
1631
|
+
# ip_address: "String39",
|
1632
|
+
# registered_id: "CustomObjectIdentifier",
|
1633
|
+
# },
|
1634
|
+
# ],
|
1635
|
+
# },
|
1636
|
+
# subject: {
|
1637
|
+
# country: "CountryCodeString",
|
1638
|
+
# organization: "String64",
|
1639
|
+
# organizational_unit: "String64",
|
1640
|
+
# distinguished_name_qualifier: "ASN1PrintableString64",
|
1641
|
+
# state: "String128",
|
1642
|
+
# common_name: "String64",
|
1643
|
+
# serial_number: "ASN1PrintableString64",
|
1644
|
+
# locality: "String128",
|
1645
|
+
# title: "String64",
|
1646
|
+
# surname: "String40",
|
1647
|
+
# given_name: "String16",
|
1648
|
+
# initials: "String5",
|
1649
|
+
# pseudonym: "String128",
|
1650
|
+
# generation_qualifier: "String3",
|
1651
|
+
# },
|
1652
|
+
# },
|
1434
1653
|
# certificate_authority_arn: "Arn", # required
|
1435
1654
|
# csr: "data", # required
|
1436
1655
|
# signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA
|
@@ -1439,6 +1658,10 @@ module Aws::ACMPCA
|
|
1439
1658
|
# value: 1, # required
|
1440
1659
|
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
|
1441
1660
|
# },
|
1661
|
+
# validity_not_before: {
|
1662
|
+
# value: 1, # required
|
1663
|
+
# type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS
|
1664
|
+
# },
|
1442
1665
|
# idempotency_token: "IdempotencyToken",
|
1443
1666
|
# })
|
1444
1667
|
#
|
@@ -1523,6 +1746,41 @@ module Aws::ACMPCA
|
|
1523
1746
|
# resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String
|
1524
1747
|
# resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String
|
1525
1748
|
# resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String
|
1749
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean
|
1750
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean
|
1751
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean
|
1752
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean
|
1753
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean
|
1754
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean
|
1755
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean
|
1756
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean
|
1757
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean
|
1758
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access #=> Array
|
1759
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String
|
1760
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY"
|
1761
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String
|
1762
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String
|
1763
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String
|
1764
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String
|
1765
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String
|
1766
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String
|
1767
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String
|
1768
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String
|
1769
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String
|
1770
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String
|
1771
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String
|
1772
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String
|
1773
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String
|
1774
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String
|
1775
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String
|
1776
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String
|
1777
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String
|
1778
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String
|
1779
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String
|
1780
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String
|
1781
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String
|
1782
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String
|
1783
|
+
# resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String
|
1526
1784
|
# resp.certificate_authorities[0].revocation_configuration.crl_configuration.enabled #=> Boolean
|
1527
1785
|
# resp.certificate_authorities[0].revocation_configuration.crl_configuration.expiration_in_days #=> Integer
|
1528
1786
|
# resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String
|
@@ -1563,12 +1821,13 @@ module Aws::ACMPCA
|
|
1563
1821
|
# renewals. Instead, the ACM certificate owner must set up a
|
1564
1822
|
# resource-based policy to enable cross-account issuance and renewals.
|
1565
1823
|
# For more information, see [Using a Resource Based Policy with ACM
|
1566
|
-
# Private CA]
|
1824
|
+
# Private CA][3].
|
1567
1825
|
#
|
1568
1826
|
#
|
1569
1827
|
#
|
1570
1828
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
1571
1829
|
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
1830
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
1572
1831
|
#
|
1573
1832
|
# @option params [required, String] :certificate_authority_arn
|
1574
1833
|
# The Amazon Resource Number (ARN) of the private CA to inspect. You can
|
@@ -1698,8 +1957,9 @@ module Aws::ACMPCA
|
|
1698
1957
|
|
1699
1958
|
# Attaches a resource-based policy to a private CA.
|
1700
1959
|
#
|
1701
|
-
# A policy can also be applied by
|
1702
|
-
# Resource Access Manager (RAM).
|
1960
|
+
# A policy can also be applied by sharing a private CA through AWS
|
1961
|
+
# Resource Access Manager (RAM). For more information, see [Attach a
|
1962
|
+
# Policy for Cross-Account Access][1].
|
1703
1963
|
#
|
1704
1964
|
# The policy can be displayed with [GetPolicy][2] and removed with
|
1705
1965
|
# [DeletePolicy][3].
|
@@ -1709,8 +1969,7 @@ module Aws::ACMPCA
|
|
1709
1969
|
# * A policy grants access on a private CA to an AWS customer account,
|
1710
1970
|
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1711
1971
|
# under the control of a CA administrator. For more information, see
|
1712
|
-
# [Using a Resource Based Policy with ACM Private
|
1713
|
-
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1972
|
+
# [Using a Resource Based Policy with ACM Private CA][4].
|
1714
1973
|
#
|
1715
1974
|
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1716
1975
|
# ACM certificates signed by a CA in another account.
|
@@ -1719,19 +1978,19 @@ module Aws::ACMPCA
|
|
1719
1978
|
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1720
1979
|
# ACM service to assume the identity of the user, subject to
|
1721
1980
|
# confirmation against the ACM Private CA policy. For more
|
1722
|
-
# information, see [Using a Service Linked Role with ACM][
|
1981
|
+
# information, see [Using a Service Linked Role with ACM][5].
|
1723
1982
|
#
|
1724
1983
|
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1725
|
-
# policies. For more information, see [
|
1726
|
-
#
|
1727
|
-
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1984
|
+
# policies. For more information, see [Attach a Policy for
|
1985
|
+
# Cross-Account Access][1].
|
1728
1986
|
#
|
1729
1987
|
#
|
1730
1988
|
#
|
1731
1989
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
|
1732
1990
|
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
1733
1991
|
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
|
1734
|
-
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/
|
1992
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html
|
1993
|
+
# [5]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1735
1994
|
#
|
1736
1995
|
# @option params [required, String] :resource_arn
|
1737
1996
|
# The Amazon Resource Number (ARN) of the private CA to associate with
|
@@ -1745,7 +2004,7 @@ module Aws::ACMPCA
|
|
1745
2004
|
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1746
2005
|
#
|
1747
2006
|
# @option params [required, String] :policy
|
1748
|
-
# The path and
|
2007
|
+
# The path and file name of a JSON-formatted IAM policy to attach to the
|
1749
2008
|
# specified private CA resource. If this policy does not contain all
|
1750
2009
|
# required statements or if it includes any statement that is not
|
1751
2010
|
# allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
|
@@ -2080,7 +2339,7 @@ module Aws::ACMPCA
|
|
2080
2339
|
params: params,
|
2081
2340
|
config: config)
|
2082
2341
|
context[:gem_name] = 'aws-sdk-acmpca'
|
2083
|
-
context[:gem_version] = '1.
|
2342
|
+
context[:gem_version] = '1.32.0'
|
2084
2343
|
Seahorse::Client::Request.new(handlers, context)
|
2085
2344
|
end
|
2086
2345
|
|