aws-sdk-acmpca 1.26.0 → 1.27.0
- checksums.yaml +4 -4
- data/lib/aws-sdk-acmpca.rb +1 -1
- data/lib/aws-sdk-acmpca/client.rb +701 -134
- data/lib/aws-sdk-acmpca/client_api.rb +78 -10
- data/lib/aws-sdk-acmpca/errors.rb +16 -0
- data/lib/aws-sdk-acmpca/types.rb +416 -87
- metadata +2 -2
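--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7939b87eaa530aded1e2ae7c853b96ca3e83a80e1b465020ff96d6bd4889947f
+data.tar.gz: 7dcfc9b294fc6285b948742f513fac2e99a7d9feb751136df7a82a1275fa0f55
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 32c5f502ee882b834a83626efaaa28dc7fe74975f9762c242470d5b21dde853f848b54628e838b09815f92bbaf906d0b764956ccf0f9b6114ea57f4379a77526
+data.tar.gz: 9575bcbd1baef4e9d5f09c15b5109ad51112d3aca19a3ab0c826bcfc3639992045a155a59ea97eb2f72ff420f8be7e359dda1e9f83edd8ef552ef2716f5603e5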
data/lib/aws-sdk-acmpca.rb
CHANGED
@@ -335,6 +335,21 @@ module Aws::ACMPCA
|
|
335
335
|
# successful, this action returns the Amazon Resource Name (ARN) of the
|
336
336
|
# CA.
|
337
337
|
#
|
338
|
+
# ACM Private CAA assets that are stored in Amazon S3 can be protected
|
339
|
+
# with encryption. For more information, see [Encrypting Your CRLs][1].
|
340
|
+
#
|
341
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
342
|
+
# bucket that you specify. If the IAM principal making the call does not
|
343
|
+
# have permission to write to the bucket, then an exception is thrown.
|
344
|
+
# For more information, see [Configure Access to ACM Private CA][2].
|
345
|
+
#
|
346
|
+
# </note>
|
347
|
+
#
|
348
|
+
#
|
349
|
+
#
|
350
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption
|
351
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
352
|
+
#
|
338
353
|
# @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration
|
339
354
|
# Name and bit size of the private key algorithm, the name of the
|
340
355
|
# signing algorithm, and X.500 certificate subject information.
|
@@ -345,27 +360,28 @@ module Aws::ACMPCA
|
|
345
360
|
# ACM Private CA will write the CRL, and an optional CNAME alias that
|
346
361
|
# you can use to hide the name of your bucket in the **CRL Distribution
|
347
362
|
# Points** extension of your CA certificate. For more information, see
|
348
|
-
# the CrlConfiguration structure.
|
363
|
+
# the [CrlConfiguration][1] structure.
|
364
|
+
#
|
365
|
+
#
|
366
|
+
#
|
367
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html
|
349
368
|
#
|
350
369
|
# @option params [required, String] :certificate_authority_type
|
351
370
|
# The type of the certificate authority.
|
352
371
|
#
|
353
372
|
# @option params [String] :idempotency_token
|
354
373
|
# Alphanumeric string that can be used to distinguish between calls to
|
355
|
-
# **CreateCertificateAuthority**.
|
356
|
-
#
|
357
|
-
#
|
358
|
-
#
|
359
|
-
#
|
360
|
-
# change the idempotency token for each call, however, ACM Private CA
|
361
|
-
# recognizes that you are requesting multiple certificates.
|
374
|
+
# **CreateCertificateAuthority**. For a given token, ACM Private CA
|
375
|
+
# creates exactly one CA. If you issue a subsequent call using the same
|
376
|
+
# token, ACM Private CA returns the ARN of the existing CA and takes no
|
377
|
+
# further action. If you change the idempotency token across multiple
|
378
|
+
# calls, ACM Private CA creates a unique CA for each unique token.
|
362
379
|
#
|
363
380
|
# @option params [Array<Types::Tag>] :tags
|
364
381
|
# Key-value pairs that will be attached to the new private CA. You can
|
365
382
|
# associate up to 50 tags with a private CA. For information using tags
|
366
|
-
# with
|
367
|
-
#
|
368
|
-
# IAM to manage permissions, see [Controlling Access Using IAM Tags][1].
|
383
|
+
# with IAM to manage permissions, see [Controlling Access Using IAM
|
384
|
+
# Tags][1].
|
369
385
|
#
|
370
386
|
#
|
371
387
|
#
|
@@ -385,10 +401,10 @@ module Aws::ACMPCA
|
|
385
401
|
# country: "CountryCodeString",
|
386
402
|
# organization: "String64",
|
387
403
|
# organizational_unit: "String64",
|
388
|
-
# distinguished_name_qualifier: "
|
404
|
+
# distinguished_name_qualifier: "ASN1PrintableString64",
|
389
405
|
# state: "String128",
|
390
406
|
# common_name: "String64",
|
391
|
-
# serial_number: "
|
407
|
+
# serial_number: "ASN1PrintableString64",
|
392
408
|
# locality: "String128",
|
393
409
|
# title: "String64",
|
394
410
|
# surname: "String40",
|
@@ -431,8 +447,26 @@ module Aws::ACMPCA
|
|
431
447
|
|
432
448
|
# Creates an audit report that lists every time that your CA private key
|
433
449
|
# is used. The report is saved in the Amazon S3 bucket that you specify
|
434
|
-
# on input. The IssueCertificate and RevokeCertificate actions
|
435
|
-
# private key.
|
450
|
+
# on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions
|
451
|
+
# use the private key.
|
452
|
+
#
|
453
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
454
|
+
# bucket that you specify. If the IAM principal making the call does not
|
455
|
+
# have permission to write to the bucket, then an exception is thrown.
|
456
|
+
# For more information, see [Configure Access to ACM Private CA][3].
|
457
|
+
#
|
458
|
+
# </note>
|
459
|
+
#
|
460
|
+
# ACM Private CAA assets that are stored in Amazon S3 can be protected
|
461
|
+
# with encryption. For more information, see [Encrypting Your Audit
|
462
|
+
# Reports][4].
|
463
|
+
#
|
464
|
+
#
|
465
|
+
#
|
466
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
467
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
|
468
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
469
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption
|
436
470
|
#
|
437
471
|
# @option params [required, String] :certificate_authority_arn
|
438
472
|
# The Amazon Resource Name (ARN) of the CA to be audited. This is of the
|
@@ -457,7 +491,7 @@ module Aws::ACMPCA
|
|
457
491
|
#
|
458
492
|
# resp = client.create_certificate_authority_audit_report({
|
459
493
|
# certificate_authority_arn: "Arn", # required
|
460
|
-
# s3_bucket_name: "
|
494
|
+
# s3_bucket_name: "S3BucketName", # required
|
461
495
|
# audit_report_response_format: "JSON", # required, accepts JSON, CSV
|
462
496
|
# })
|
463
497
|
#
|
@@ -475,26 +509,48 @@ module Aws::ACMPCA
|
|
475
509
|
req.send_request(options)
|
476
510
|
end
|
477
511
|
|
478
|
-
#
|
479
|
-
#
|
480
|
-
#
|
481
|
-
#
|
482
|
-
#
|
483
|
-
#
|
484
|
-
#
|
485
|
-
#
|
486
|
-
#
|
487
|
-
#
|
488
|
-
#
|
512
|
+
# Grants one or more permissions on a private CA to the AWS Certificate
|
513
|
+
# Manager (ACM) service principal (`acm.amazonaws.com`). These
|
514
|
+
# permissions allow ACM to issue and renew ACM certificates that reside
|
515
|
+
# in the same AWS account as the CA.
|
516
|
+
#
|
517
|
+
# You can list current permissions with the [ListPermissions][1] action
|
518
|
+
# and revoke them with the [DeletePermission][2] action.
|
519
|
+
#
|
520
|
+
# **About Permissions**
|
521
|
+
#
|
522
|
+
# * If the private CA and the certificates it issues reside in the same
|
523
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
524
|
+
# to carry out automatic certificate renewals.
|
525
|
+
#
|
526
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
527
|
+
# principal needs permissions to create, retrieve, and list
|
528
|
+
# certificates.
|
529
|
+
#
|
530
|
+
# * If the private CA and the ACM certificates reside in different
|
531
|
+
# accounts, then permissions cannot be used to enable automatic
|
532
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
533
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
534
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
535
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
536
|
+
#
|
537
|
+
#
|
538
|
+
#
|
539
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
540
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
489
541
|
#
|
490
542
|
# @option params [required, String] :certificate_authority_arn
|
491
543
|
# The Amazon Resource Name (ARN) of the CA that grants the permissions.
|
492
|
-
# You can find the ARN by calling the ListCertificateAuthorities
|
493
|
-
# This must have the following form:
|
544
|
+
# You can find the ARN by calling the [ListCertificateAuthorities][1]
|
545
|
+
# action. This must have the following form:
|
494
546
|
#
|
495
547
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
496
548
|
# `.
|
497
549
|
#
|
550
|
+
#
|
551
|
+
#
|
552
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
553
|
+
#
|
498
554
|
# @option params [required, String] :principal
|
499
555
|
# The AWS service or identity that receives the permission. At this
|
500
556
|
# time, the only valid principal is `acm.amazonaws.com`.
|
@@ -528,7 +584,8 @@ module Aws::ACMPCA
|
|
528
584
|
|
529
585
|
# Deletes a private certificate authority (CA). You must provide the
|
530
586
|
# Amazon Resource Name (ARN) of the private CA that you want to delete.
|
531
|
-
# You can find the ARN by calling the ListCertificateAuthorities
|
587
|
+
# You can find the ARN by calling the [ListCertificateAuthorities][1]
|
588
|
+
# action.
|
532
589
|
#
|
533
590
|
# <note markdown="1"> Deleting a CA will invalidate other CAs and certificates below it in
|
534
591
|
# your CA hierarchy.
|
@@ -536,7 +593,7 @@ module Aws::ACMPCA
|
|
536
593
|
# </note>
|
537
594
|
#
|
538
595
|
# Before you can delete a CA that you have created and activated, you
|
539
|
-
# must disable it. To do this, call the UpdateCertificateAuthority
|
596
|
+
# must disable it. To do this, call the [UpdateCertificateAuthority][2]
|
540
597
|
# action and set the **CertificateAuthorityStatus** parameter to
|
541
598
|
# `DISABLED`.
|
542
599
|
#
|
@@ -546,22 +603,35 @@ module Aws::ACMPCA
|
|
546
603
|
# signed certificate into ACM Private CA (that is, the status of the CA
|
547
604
|
# is `PENDING_CERTIFICATE`).
|
548
605
|
#
|
549
|
-
# When you successfully call DeleteCertificateAuthority, the CA's
|
606
|
+
# When you successfully call [DeleteCertificateAuthority][3], the CA's
|
550
607
|
# status changes to `DELETED`. However, the CA won't be permanently
|
551
608
|
# deleted until the restoration period has passed. By default, if you do
|
552
609
|
# not set the `PermanentDeletionTimeInDays` parameter, the CA remains
|
553
610
|
# restorable for 30 days. You can set the parameter from 7 to 30 days.
|
554
|
-
# The DescribeCertificateAuthority action returns the time
|
555
|
-
# the restoration window of a private CA in the `DELETED`
|
556
|
-
# restore an eligible CA, call the
|
611
|
+
# The [DescribeCertificateAuthority][4] action returns the time
|
612
|
+
# remaining in the restoration window of a private CA in the `DELETED`
|
613
|
+
# state. To restore an eligible CA, call the
|
614
|
+
# [RestoreCertificateAuthority][5] action.
|
615
|
+
#
|
616
|
+
#
|
617
|
+
#
|
618
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
619
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
|
620
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
|
621
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
|
622
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RestoreCertificateAuthority.html
|
557
623
|
#
|
558
624
|
# @option params [required, String] :certificate_authority_arn
|
559
625
|
# The Amazon Resource Name (ARN) that was returned when you called
|
560
|
-
# CreateCertificateAuthority. This must have the following form:
|
626
|
+
# [CreateCertificateAuthority][1]. This must have the following form:
|
561
627
|
#
|
562
628
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
563
629
|
# `.
|
564
630
|
#
|
631
|
+
#
|
632
|
+
#
|
633
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
634
|
+
#
|
565
635
|
# @option params [Integer] :permanent_deletion_time_in_days
|
566
636
|
# The number of days to make a CA restorable after it has been deleted.
|
567
637
|
# This can be anywhere from 7 to 30 days, with 30 being the default.
|
@@ -584,18 +654,52 @@ module Aws::ACMPCA
|
|
584
654
|
req.send_request(options)
|
585
655
|
end
|
586
656
|
|
587
|
-
# Revokes permissions
|
588
|
-
#
|
589
|
-
#
|
657
|
+
# Revokes permissions on a private CA granted to the AWS Certificate
|
658
|
+
# Manager (ACM) service principal (acm.amazonaws.com).
|
659
|
+
#
|
660
|
+
# These permissions allow ACM to issue and renew ACM certificates that
|
661
|
+
# reside in the same AWS account as the CA. If you revoke these
|
662
|
+
# permissions, ACM will no longer renew the affected certificates
|
663
|
+
# automatically.
|
664
|
+
#
|
665
|
+
# Permissions can be granted with the [CreatePermission][1] action and
|
666
|
+
# listed with the [ListPermissions][2] action.
|
667
|
+
#
|
668
|
+
# **About Permissions**
|
669
|
+
#
|
670
|
+
# * If the private CA and the certificates it issues reside in the same
|
671
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
672
|
+
# to carry out automatic certificate renewals.
|
673
|
+
#
|
674
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
675
|
+
# principal needs permissions to create, retrieve, and list
|
676
|
+
# certificates.
|
677
|
+
#
|
678
|
+
# * If the private CA and the ACM certificates reside in different
|
679
|
+
# accounts, then permissions cannot be used to enable automatic
|
680
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
681
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
682
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
683
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
684
|
+
#
|
685
|
+
#
|
686
|
+
#
|
687
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
688
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html
|
590
689
|
#
|
591
690
|
# @option params [required, String] :certificate_authority_arn
|
592
691
|
# The Amazon Resource Number (ARN) of the private CA that issued the
|
593
692
|
# permissions. You can find the CA's ARN by calling the
|
594
|
-
# ListCertificateAuthorities action. This must have the following
|
693
|
+
# [ListCertificateAuthorities][1] action. This must have the following
|
694
|
+
# form:
|
595
695
|
#
|
596
696
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
597
697
|
# `.
|
598
698
|
#
|
699
|
+
#
|
700
|
+
#
|
701
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
702
|
+
#
|
599
703
|
# @option params [required, String] :principal
|
600
704
|
# The AWS service or identity that will have its CA permissions revoked.
|
601
705
|
# At this time, the only valid service principal is `acm.amazonaws.com`
|
@@ -622,10 +726,80 @@ module Aws::ACMPCA
|
|
622
726
|
req.send_request(options)
|
623
727
|
end
|
624
728
|
|
625
|
-
#
|
626
|
-
#
|
627
|
-
#
|
628
|
-
#
|
729
|
+
# Deletes the resource-based policy attached to a private CA. Deletion
|
730
|
+
# will remove any access that the policy has granted. If there is no
|
731
|
+
# policy attached to the private CA, this action will return successful.
|
732
|
+
#
|
733
|
+
# If you delete a policy that was applied through AWS Resource Access
|
734
|
+
# Manager (RAM), the CA will be removed from all shares in which it was
|
735
|
+
# included.
|
736
|
+
#
|
737
|
+
# The AWS Certificate Manager Service Linked Role that the policy
|
738
|
+
# supports is not affected when you delete the policy.
|
739
|
+
#
|
740
|
+
# The current policy can be shown with [GetPolicy][1] and updated with
|
741
|
+
# [PutPolicy][2].
|
742
|
+
#
|
743
|
+
# **About Policies**
|
744
|
+
#
|
745
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
746
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
747
|
+
# under the control of a CA administrator. For more information, see
|
748
|
+
# [Using a Resource Based Policy with ACM Private
|
749
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
750
|
+
#
|
751
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
752
|
+
# ACM certificates signed by a CA in another account.
|
753
|
+
#
|
754
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
755
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
756
|
+
# ACM service to assume the identity of the user, subject to
|
757
|
+
# confirmation against the ACM Private CA policy. For more
|
758
|
+
# information, see [Using a Service Linked Role with ACM][3].
|
759
|
+
#
|
760
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
761
|
+
# policies. For more information, see [Using AWS Resource Access
|
762
|
+
# Manager (RAM) with ACM Private
|
763
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
764
|
+
#
|
765
|
+
#
|
766
|
+
#
|
767
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
768
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
769
|
+
# [3]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
770
|
+
#
|
771
|
+
# @option params [required, String] :resource_arn
|
772
|
+
# The Amazon Resource Number (ARN) of the private CA that will have its
|
773
|
+
# policy deleted. You can find the CA's ARN by calling the
|
774
|
+
# [ListCertificateAuthorities][1] action. The ARN value must have the
|
775
|
+
# form
|
776
|
+
# `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`.
|
777
|
+
#
|
778
|
+
#
|
779
|
+
#
|
780
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
781
|
+
#
|
782
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
783
|
+
#
|
784
|
+
# @example Request syntax with placeholder values
|
785
|
+
#
|
786
|
+
# resp = client.delete_policy({
|
787
|
+
# resource_arn: "Arn", # required
|
788
|
+
# })
|
789
|
+
#
|
790
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicy AWS API Documentation
|
791
|
+
#
|
792
|
+
# @overload delete_policy(params = {})
|
793
|
+
# @param [Hash] params ({})
|
794
|
+
def delete_policy(params = {}, options = {})
|
795
|
+
req = build_request(:delete_policy, params)
|
796
|
+
req.send_request(options)
|
797
|
+
end
|
798
|
+
|
799
|
+
# Lists information about your private certificate authority (CA) or one
|
800
|
+
# that has been shared with you. You specify the private CA on input by
|
801
|
+
# its ARN (Amazon Resource Name). The output contains the status of your
|
802
|
+
# CA. This can be any of the following:
|
629
803
|
#
|
630
804
|
# * `CREATING` - ACM Private CA is creating your private certificate
|
631
805
|
# authority.
|
@@ -651,11 +825,15 @@ module Aws::ACMPCA
|
|
651
825
|
#
|
652
826
|
# @option params [required, String] :certificate_authority_arn
|
653
827
|
# The Amazon Resource Name (ARN) that was returned when you called
|
654
|
-
# CreateCertificateAuthority. This must be of the form:
|
828
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
655
829
|
#
|
656
830
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
657
831
|
# `.
|
658
832
|
#
|
833
|
+
#
|
834
|
+
#
|
835
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
836
|
+
#
|
659
837
|
# @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
660
838
|
#
|
661
839
|
# * {Types::DescribeCertificateAuthorityResponse#certificate_authority #certificate_authority} => Types::CertificateAuthority
|
@@ -669,6 +847,7 @@ module Aws::ACMPCA
|
|
669
847
|
# @example Response structure
|
670
848
|
#
|
671
849
|
# resp.certificate_authority.arn #=> String
|
850
|
+
# resp.certificate_authority.owner_account #=> String
|
672
851
|
# resp.certificate_authority.created_at #=> Time
|
673
852
|
# resp.certificate_authority.last_state_change_at #=> Time
|
674
853
|
# resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE"
|
@@ -709,10 +888,16 @@ module Aws::ACMPCA
|
|
709
888
|
end
|
710
889
|
|
711
890
|
# Lists information about a specific audit report created by calling the
|
712
|
-
# CreateCertificateAuthorityAuditReport action. Audit information
|
713
|
-
# created every time the certificate authority (CA) private key is
|
714
|
-
# The private key is used when you call the IssueCertificate
|
715
|
-
# the RevokeCertificate action.
|
891
|
+
# [CreateCertificateAuthorityAuditReport][1] action. Audit information
|
892
|
+
# is created every time the certificate authority (CA) private key is
|
893
|
+
# used. The private key is used when you call the [IssueCertificate][2]
|
894
|
+
# action or the [RevokeCertificate][3] action.
|
895
|
+
#
|
896
|
+
#
|
897
|
+
#
|
898
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
899
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
900
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html
|
716
901
|
#
|
717
902
|
# @option params [required, String] :certificate_authority_arn
|
718
903
|
# The Amazon Resource Name (ARN) of the private CA. This must be of the
|
@@ -723,7 +908,11 @@ module Aws::ACMPCA
|
|
723
908
|
#
|
724
909
|
# @option params [required, String] :audit_report_id
|
725
910
|
# The report ID returned by calling the
|
726
|
-
# CreateCertificateAuthorityAuditReport action.
|
911
|
+
# [CreateCertificateAuthorityAuditReport][1] action.
|
912
|
+
#
|
913
|
+
#
|
914
|
+
#
|
915
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
727
916
|
#
|
728
917
|
# @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
729
918
|
#
|
@@ -760,22 +949,32 @@ module Aws::ACMPCA
|
|
760
949
|
req.send_request(options)
|
761
950
|
end
|
762
951
|
|
763
|
-
# Retrieves a certificate from your private CA
|
764
|
-
# certificate is returned when you call
|
765
|
-
#
|
766
|
-
#
|
767
|
-
# retrieve the certificate if it is
|
768
|
-
#
|
769
|
-
#
|
770
|
-
#
|
952
|
+
# Retrieves a certificate from your private CA or one that has been
|
953
|
+
# shared with you. The ARN of the certificate is returned when you call
|
954
|
+
# the [IssueCertificate][1] action. You must specify both the ARN of
|
955
|
+
# your private CA and the ARN of the issued certificate when calling the
|
956
|
+
# **GetCertificate** action. You can retrieve the certificate if it is
|
957
|
+
# in the **ISSUED** state. You can call the
|
958
|
+
# [CreateCertificateAuthorityAuditReport][2] action to create a report
|
959
|
+
# that contains information about all of the certificates issued and
|
960
|
+
# revoked by your private CA.
|
961
|
+
#
|
962
|
+
#
|
963
|
+
#
|
964
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html
|
965
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
771
966
|
#
|
772
967
|
# @option params [required, String] :certificate_authority_arn
|
773
968
|
# The Amazon Resource Name (ARN) that was returned when you called
|
774
|
-
# CreateCertificateAuthority. This must be of the form:
|
969
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
775
970
|
#
|
776
971
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
777
972
|
# `.
|
778
973
|
#
|
974
|
+
#
|
975
|
+
#
|
976
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
977
|
+
#
|
779
978
|
# @option params [required, String] :certificate_arn
|
780
979
|
# The ARN of the issued certificate. The ARN contains the certificate
|
781
980
|
# serial number and must be in the following form:
|
@@ -815,9 +1014,10 @@ module Aws::ACMPCA
|
|
815
1014
|
end
|
816
1015
|
|
817
1016
|
# Retrieves the certificate and certificate chain for your private
|
818
|
-
# certificate authority (CA)
|
819
|
-
# base64 PEM-encoded. The chain does
|
820
|
-
# Each certificate in the chain signs
|
1017
|
+
# certificate authority (CA) or one that has been shared with you. Both
|
1018
|
+
# the certificate and the chain are base64 PEM-encoded. The chain does
|
1019
|
+
# not include the CA certificate. Each certificate in the chain signs
|
1020
|
+
# the one before it.
|
821
1021
|
#
|
822
1022
|
# @option params [required, String] :certificate_authority_arn
|
823
1023
|
# The Amazon Resource Name (ARN) of your private CA. This is of the
|
@@ -853,19 +1053,28 @@ module Aws::ACMPCA
|
|
853
1053
|
|
854
1054
|
# Retrieves the certificate signing request (CSR) for your private
|
855
1055
|
# certificate authority (CA). The CSR is created when you call the
|
856
|
-
# CreateCertificateAuthority action. Sign the CSR with your ACM
|
857
|
-
# CA-hosted or on-premises root or subordinate CA. Then import
|
858
|
-
# signed certificate back into ACM Private CA by calling the
|
859
|
-
# ImportCertificateAuthorityCertificate action. The CSR is returned
|
860
|
-
# base64 PEM-encoded string.
|
1056
|
+
# [CreateCertificateAuthority][1] action. Sign the CSR with your ACM
|
1057
|
+
# Private CA-hosted or on-premises root or subordinate CA. Then import
|
1058
|
+
# the signed certificate back into ACM Private CA by calling the
|
1059
|
+
# [ImportCertificateAuthorityCertificate][2] action. The CSR is returned
|
1060
|
+
# as a base64 PEM-encoded string.
|
1061
|
+
#
|
1062
|
+
#
|
1063
|
+
#
|
1064
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1065
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
861
1066
|
#
|
862
1067
|
# @option params [required, String] :certificate_authority_arn
|
863
1068
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
864
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1069
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
865
1070
|
#
|
866
1071
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
867
1072
|
# `
|
868
1073
|
#
|
1074
|
+
#
|
1075
|
+
#
|
1076
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1077
|
+
#
|
869
1078
|
# @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
870
1079
|
#
|
871
1080
|
# * {Types::GetCertificateAuthorityCsrResponse#csr #csr} => String
|
@@ -894,20 +1103,83 @@ module Aws::ACMPCA
|
|
894
1103
|
req.send_request(options)
|
895
1104
|
end
|
896
1105
|
|
1106
|
+
# Retrieves the resource-based policy attached to a private CA. If
|
1107
|
+
# either the private CA resource or the policy cannot be found, this
|
1108
|
+
# action returns a `ResourceNotFoundException`.
|
1109
|
+
#
|
1110
|
+
# The policy can be attached or updated with [PutPolicy][1] and removed
|
1111
|
+
# with
|
1112
|
+
# [DeletePolicy](acm-pca/latest/APIReference/API_DeletePolicy.html).
|
1113
|
+
#
|
1114
|
+
# **About Policies**
|
1115
|
+
#
|
1116
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
1117
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1118
|
+
# under the control of a CA administrator. For more information, see
|
1119
|
+
# [Using a Resource Based Policy with ACM Private
|
1120
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1121
|
+
#
|
1122
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1123
|
+
# ACM certificates signed by a CA in another account.
|
1124
|
+
#
|
1125
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1126
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1127
|
+
# ACM service to assume the identity of the user, subject to
|
1128
|
+
# confirmation against the ACM Private CA policy. For more
|
1129
|
+
# information, see [Using a Service Linked Role with ACM][2].
|
1130
|
+
#
|
1131
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1132
|
+
# policies. For more information, see [Using AWS Resource Access
|
1133
|
+
# Manager (RAM) with ACM Private
|
1134
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1135
|
+
#
|
1136
|
+
#
|
1137
|
+
#
|
1138
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html
|
1139
|
+
# [2]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1140
|
+
#
|
1141
|
+
# @option params [required, String] :resource_arn
|
1142
|
+
# The Amazon Resource Number (ARN) of the private CA that will have its
|
1143
|
+
# policy retrieved. You can find the CA's ARN by calling the
|
1144
|
+
# ListCertificateAuthorities action.
|
1145
|
+
#
|
1146
|
+
# @return [Types::GetPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1147
|
+
#
|
1148
|
+
# * {Types::GetPolicyResponse#policy #policy} => String
|
1149
|
+
#
|
1150
|
+
# @example Request syntax with placeholder values
|
1151
|
+
#
|
1152
|
+
# resp = client.get_policy({
|
1153
|
+
# resource_arn: "Arn", # required
|
1154
|
+
# })
|
1155
|
+
#
|
1156
|
+
# @example Response structure
|
1157
|
+
#
|
1158
|
+
# resp.policy #=> String
|
1159
|
+
#
|
1160
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicy AWS API Documentation
|
1161
|
+
#
|
1162
|
+
# @overload get_policy(params = {})
|
1163
|
+
# @param [Hash] params ({})
|
1164
|
+
def get_policy(params = {}, options = {})
|
1165
|
+
req = build_request(:get_policy, params)
|
1166
|
+
req.send_request(options)
|
1167
|
+
end
|
1168
|
+
|
897
1169
|
# Imports a signed private CA certificate into ACM Private CA. This
|
898
1170
|
# action is used when you are using a chain of trust whose root is
|
899
1171
|
# located outside ACM Private CA. Before you can call this action, the
|
900
1172
|
# following preparations must in place:
|
901
1173
|
#
|
902
|
-
# 1. In ACM Private CA, call the CreateCertificateAuthority action
|
903
|
-
# create the private CA that that you plan to back with the
|
904
|
-
# certificate.
|
1174
|
+
# 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action
|
1175
|
+
# to create the private CA that that you plan to back with the
|
1176
|
+
# imported certificate.
|
905
1177
|
#
|
906
|
-
# 2. Call the GetCertificateAuthorityCsr action to generate a
|
1178
|
+
# 2. Call the [GetCertificateAuthorityCsr][2] action to generate a
|
907
1179
|
# certificate signing request (CSR).
|
908
1180
|
#
|
909
|
-
# 3. Sign the CSR using a root or intermediate CA hosted either
|
910
|
-
# on-premises PKI hierarchy or a commercial CA
|
1181
|
+
# 3. Sign the CSR using a root or intermediate CA hosted by either an
|
1182
|
+
# on-premises PKI hierarchy or by a commercial CA.
|
911
1183
|
#
|
912
1184
|
# 4. Create a certificate chain and copy the signed certificate and the
|
913
1185
|
# certificate chain to your working directory.
|
@@ -931,19 +1203,76 @@ module Aws::ACMPCA
|
|
931
1203
|
#
|
932
1204
|
# * The chain must be PEM-encoded.
|
933
1205
|
#
|
1206
|
+
# * The maximum allowed size of a certificate is 32 KB.
|
1207
|
+
#
|
1208
|
+
# * The maximum allowed size of a certificate chain is 2 MB.
|
1209
|
+
#
|
1210
|
+
# *Enforcement of Critical Constraints*
|
1211
|
+
#
|
1212
|
+
# ACM Private CA allows the following extensions to be marked critical
|
1213
|
+
# in the imported CA certificate or chain.
|
1214
|
+
#
|
1215
|
+
# * Basic constraints (*must* be marked critical)
|
1216
|
+
#
|
1217
|
+
# * Subject alternative names
|
1218
|
+
#
|
1219
|
+
# * Key usage
|
1220
|
+
#
|
1221
|
+
# * Extended key usage
|
1222
|
+
#
|
1223
|
+
# * Authority key identifier
|
1224
|
+
#
|
1225
|
+
# * Subject key identifier
|
1226
|
+
#
|
1227
|
+
# * Issuer alternative name
|
1228
|
+
#
|
1229
|
+
# * Subject directory attributes
|
1230
|
+
#
|
1231
|
+
# * Subject information access
|
1232
|
+
#
|
1233
|
+
# * Certificate policies
|
1234
|
+
#
|
1235
|
+
# * Policy mappings
|
1236
|
+
#
|
1237
|
+
# * Inhibit anyPolicy
|
1238
|
+
#
|
1239
|
+
# ACM Private CA rejects the following extensions when they are marked
|
1240
|
+
# critical in an imported CA certificate or chain.
|
1241
|
+
#
|
1242
|
+
# * Name constraints
|
1243
|
+
#
|
1244
|
+
# * Policy constraints
|
1245
|
+
#
|
1246
|
+
# * CRL distribution points
|
1247
|
+
#
|
1248
|
+
# * Authority information access
|
1249
|
+
#
|
1250
|
+
# * Freshest CRL
|
1251
|
+
#
|
1252
|
+
# * Any other extension
|
1253
|
+
#
|
1254
|
+
#
|
1255
|
+
#
|
1256
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1257
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCsr.html
|
1258
|
+
#
|
934
1259
|
# @option params [required, String] :certificate_authority_arn
|
935
1260
|
# The Amazon Resource Name (ARN) that was returned when you called
|
936
|
-
# CreateCertificateAuthority. This must be of the form:
|
1261
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
937
1262
|
#
|
938
1263
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
939
1264
|
# `
|
940
1265
|
#
|
941
|
-
#
|
1266
|
+
#
|
1267
|
+
#
|
1268
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1269
|
+
#
|
1270
|
+
# @option params [required, String, StringIO, File] :certificate
|
942
1271
|
# The PEM-encoded certificate for a private CA. This may be a
|
943
1272
|
# self-signed certificate in the case of a root CA, or it may be signed
|
944
1273
|
# by another CA that you control.
|
945
1274
|
#
|
946
|
-
# @option params [String,
|
1275
|
+
# @option params [String, StringIO, File] :certificate_chain
|
947
1276
|
# A PEM-encoded file that contains all of your certificates, other than
|
948
1277
|
# the certificate you're importing, chaining up to your root CA. Your
|
949
1278
|
# ACM Private CA-hosted or on-premises root certificate is the last in
|
@@ -971,10 +1300,11 @@ module Aws::ACMPCA
|
|
971
1300
|
req.send_request(options)
|
972
1301
|
end
|
973
1302
|
|
974
|
-
# Uses your private certificate authority (CA)
|
975
|
-
#
|
976
|
-
#
|
977
|
-
#
|
1303
|
+
# Uses your private certificate authority (CA), or one that has been
|
1304
|
+
# shared with you, to issue a client certificate. This action returns
|
1305
|
+
# the Amazon Resource Name (ARN) of the certificate. You can retrieve
|
1306
|
+
# the certificate by calling the [GetCertificate][1] action and
|
1307
|
+
# specifying the ARN.
|
978
1308
|
#
|
979
1309
|
# <note markdown="1"> You cannot use the ACM **ListCertificateAuthorities** action to
|
980
1310
|
# retrieve the ARNs of the certificates that you issue by using ACM
|
@@ -982,14 +1312,22 @@ module Aws::ACMPCA
|
|
982
1312
|
#
|
983
1313
|
# </note>
|
984
1314
|
#
|
1315
|
+
#
|
1316
|
+
#
|
1317
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
|
1318
|
+
#
|
985
1319
|
# @option params [required, String] :certificate_authority_arn
|
986
1320
|
# The Amazon Resource Name (ARN) that was returned when you called
|
987
|
-
# CreateCertificateAuthority. This must be of the form:
|
1321
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
988
1322
|
#
|
989
1323
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
990
1324
|
# `
|
991
1325
|
#
|
992
|
-
#
|
1326
|
+
#
|
1327
|
+
#
|
1328
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1329
|
+
#
|
1330
|
+
# @option params [required, String, StringIO, File] :csr
|
993
1331
|
# The certificate signing request (CSR) for the certificate you want to
|
994
1332
|
# issue. You can use the following OpenSSL command to create the CSR and
|
995
1333
|
# a 2048 bit RSA private key.
|
@@ -1005,20 +1343,52 @@ module Aws::ACMPCA
|
|
1005
1343
|
# rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out
|
1006
1344
|
# csr/test_cert_.csr`
|
1007
1345
|
#
|
1346
|
+
# Note: A CSR must provide either a *subject name* or a *subject
|
1347
|
+
# alternative name* or the request will be rejected.
|
1348
|
+
#
|
1008
1349
|
# @option params [required, String] :signing_algorithm
|
1009
1350
|
# The name of the algorithm that will be used to sign the certificate to
|
1010
1351
|
# be issued.
|
1011
1352
|
#
|
1353
|
+
# This parameter should not be confused with the `SigningAlgorithm`
|
1354
|
+
# parameter used to sign a CSR.
|
1355
|
+
#
|
1012
1356
|
# @option params [String] :template_arn
|
1013
1357
|
# Specifies a custom configuration template to use when issuing a
|
1014
1358
|
# certificate. If this parameter is not provided, ACM Private CA
|
1015
|
-
# defaults to the `EndEntityCertificate/V1` template.
|
1359
|
+
# defaults to the `EndEntityCertificate/V1` template. For CA
|
1360
|
+
# certificates, you should choose the shortest path length that meets
|
1361
|
+
# your needs. The path length is indicated by the PathLen*N* portion of
|
1362
|
+
# the ARN, where *N* is the [CA depth][1].
|
1363
|
+
#
|
1364
|
+
# Note: The CA depth configured on a subordinate CA certificate must not
|
1365
|
+
# exceed the limit set by its parents in the CA hierarchy.
|
1016
1366
|
#
|
1017
1367
|
# The following service-owned `TemplateArn` values are supported by ACM
|
1018
1368
|
# Private CA:
|
1019
1369
|
#
|
1370
|
+
# * arn:aws:acm-pca:::template/CodeSigningCertificate/V1
|
1371
|
+
#
|
1372
|
+
# * arn:aws:acm-pca:::template/CodeSigningCertificate\_CSRPassthrough/V1
|
1373
|
+
#
|
1020
1374
|
# * arn:aws:acm-pca:::template/EndEntityCertificate/V1
|
1021
1375
|
#
|
1376
|
+
# * arn:aws:acm-pca:::template/EndEntityCertificate\_CSRPassthrough/V1
|
1377
|
+
#
|
1378
|
+
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate/V1
|
1379
|
+
#
|
1380
|
+
# * arn:aws:acm-pca:::template/EndEntityClientAuthCertificate\_CSRPassthrough/V1
|
1381
|
+
#
|
1382
|
+
# * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate/V1
|
1383
|
+
#
|
1384
|
+
# * arn:aws:acm-pca:::template/EndEntityServerAuthCertificate\_CSRPassthrough/V1
|
1385
|
+
#
|
1386
|
+
# * arn:aws:acm-pca:::template/OCSPSigningCertificate/V1
|
1387
|
+
#
|
1388
|
+
# * arn:aws:acm-pca:::template/OCSPSigningCertificate\_CSRPassthrough/V1
|
1389
|
+
#
|
1390
|
+
# * arn:aws:acm-pca:::template/RootCACertificate/V1
|
1391
|
+
#
|
1022
1392
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen0/V1
|
1023
1393
|
#
|
1024
1394
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen1/V1
|
@@ -1027,16 +1397,23 @@ module Aws::ACMPCA
|
|
1027
1397
|
#
|
1028
1398
|
# * arn:aws:acm-pca:::template/SubordinateCACertificate\_PathLen3/V1
|
1029
1399
|
#
|
1030
|
-
#
|
1031
|
-
#
|
1032
|
-
# For more information, see [Using Templates][1].
|
1400
|
+
# For more information, see [Using Templates][2].
|
1033
1401
|
#
|
1034
1402
|
#
|
1035
1403
|
#
|
1036
|
-
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/
|
1404
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth
|
1405
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html
|
1037
1406
|
#
|
1038
1407
|
# @option params [required, Types::Validity] :validity
|
1039
|
-
#
|
1408
|
+
# Information describing the validity period of the certificate.
|
1409
|
+
#
|
1410
|
+
# When issuing a certificate, ACM Private CA sets the "Not Before"
|
1411
|
+
# date in the validity field to date and time minus 60 minutes. This is
|
1412
|
+
# intended to compensate for time inconsistencies across systems of 60
|
1413
|
+
# minutes or less.
|
1414
|
+
#
|
1415
|
+
# The validity period configured on a certificate must not exceed the
|
1416
|
+
# limit set by its parents in the CA hierarchy.
|
1040
1417
|
#
|
1041
1418
|
# @option params [String] :idempotency_token
|
1042
1419
|
# Custom string that can be used to distinguish between calls to the
|
@@ -1079,7 +1456,11 @@ module Aws::ACMPCA
|
|
1079
1456
|
end
|
1080
1457
|
|
1081
1458
|
# Lists the private certificate authorities that you created by using
|
1082
|
-
# the CreateCertificateAuthority action.
|
1459
|
+
# the [CreateCertificateAuthority][1] action.
|
1460
|
+
#
|
1461
|
+
#
|
1462
|
+
#
|
1463
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1083
1464
|
#
|
1084
1465
|
# @option params [String] :next_token
|
1085
1466
|
# Use this parameter when paginating results in a subsequent request
|
@@ -1094,6 +1475,10 @@ module Aws::ACMPCA
|
|
1094
1475
|
# sent in the response. Use this `NextToken` value in a subsequent
|
1095
1476
|
# request to retrieve additional items.
|
1096
1477
|
#
|
1478
|
+
# @option params [String] :resource_owner
|
1479
|
+
# Use this parameter to filter the returned set of certificate
|
1480
|
+
# authorities based on their owner. The default is SELF.
|
1481
|
+
#
|
1097
1482
|
# @return [Types::ListCertificateAuthoritiesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1098
1483
|
#
|
1099
1484
|
# * {Types::ListCertificateAuthoritiesResponse#certificate_authorities #certificate_authorities} => Array<Types::CertificateAuthority>
|
@@ -1106,12 +1491,14 @@ module Aws::ACMPCA
|
|
1106
1491
|
# resp = client.list_certificate_authorities({
|
1107
1492
|
# next_token: "NextToken",
|
1108
1493
|
# max_results: 1,
|
1494
|
+
# resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS
|
1109
1495
|
# })
|
1110
1496
|
#
|
1111
1497
|
# @example Response structure
|
1112
1498
|
#
|
1113
1499
|
# resp.certificate_authorities #=> Array
|
1114
1500
|
# resp.certificate_authorities[0].arn #=> String
|
1501
|
+
# resp.certificate_authorities[0].owner_account #=> String
|
1115
1502
|
# resp.certificate_authorities[0].created_at #=> Time
|
1116
1503
|
# resp.certificate_authorities[0].last_state_change_at #=> Time
|
1117
1504
|
# resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE"
|
@@ -1152,17 +1539,48 @@ module Aws::ACMPCA
|
|
1152
1539
|
req.send_request(options)
|
1153
1540
|
end
|
1154
1541
|
|
1155
|
-
#
|
1156
|
-
#
|
1157
|
-
#
|
1542
|
+
# List all permissions on a private CA, if any, granted to the AWS
|
1543
|
+
# Certificate Manager (ACM) service principal (acm.amazonaws.com).
|
1544
|
+
#
|
1545
|
+
# These permissions allow ACM to issue and renew ACM certificates that
|
1546
|
+
# reside in the same AWS account as the CA.
|
1547
|
+
#
|
1548
|
+
# Permissions can be granted with the [CreatePermission][1] action and
|
1549
|
+
# revoked with the [DeletePermission][2] action.
|
1550
|
+
#
|
1551
|
+
# **About Permissions**
|
1552
|
+
#
|
1553
|
+
# * If the private CA and the certificates it issues reside in the same
|
1554
|
+
# account, you can use `CreatePermission` to grant permissions for ACM
|
1555
|
+
# to carry out automatic certificate renewals.
|
1556
|
+
#
|
1557
|
+
# * For automatic certificate renewal to succeed, the ACM service
|
1558
|
+
# principal needs permissions to create, retrieve, and list
|
1559
|
+
# certificates.
|
1560
|
+
#
|
1561
|
+
# * If the private CA and the ACM certificates reside in different
|
1562
|
+
# accounts, then permissions cannot be used to enable automatic
|
1563
|
+
# renewals. Instead, the ACM certificate owner must set up a
|
1564
|
+
# resource-based policy to enable cross-account issuance and renewals.
|
1565
|
+
# For more information, see [Using a Resource Based Policy with ACM
|
1566
|
+
# Private CA](acm-pca/latest/userguide/pca-rbp.html).
|
1567
|
+
#
|
1568
|
+
#
|
1569
|
+
#
|
1570
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html
|
1571
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html
|
1158
1572
|
#
|
1159
1573
|
# @option params [required, String] :certificate_authority_arn
|
1160
1574
|
# The Amazon Resource Number (ARN) of the private CA to inspect. You can
|
1161
|
-
# find the ARN by calling the ListCertificateAuthorities action.
|
1162
|
-
# must be of the form:
|
1575
|
+
# find the ARN by calling the [ListCertificateAuthorities][1] action.
|
1576
|
+
# This must be of the form:
|
1163
1577
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012`
|
1164
1578
|
# You can get a private CA's ARN by running the
|
1165
|
-
# ListCertificateAuthorities action.
|
1579
|
+
# [ListCertificateAuthorities][1] action.
|
1580
|
+
#
|
1581
|
+
#
|
1582
|
+
#
|
1583
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1166
1584
|
#
|
1167
1585
|
# @option params [String] :next_token
|
1168
1586
|
# When paginating results, use this parameter in a subsequent request
|
@@ -1212,19 +1630,29 @@ module Aws::ACMPCA
|
|
1212
1630
|
req.send_request(options)
|
1213
1631
|
end
|
1214
1632
|
|
1215
|
-
# Lists the tags, if any, that are associated with your private CA
|
1216
|
-
# are labels that you can use to
|
1217
|
-
# tag consists of a key and an
|
1218
|
-
#
|
1219
|
-
#
|
1633
|
+
# Lists the tags, if any, that are associated with your private CA or
|
1634
|
+
# one that has been shared with you. Tags are labels that you can use to
|
1635
|
+
# identify and organize your CAs. Each tag consists of a key and an
|
1636
|
+
# optional value. Call the [TagCertificateAuthority][1] action to add
|
1637
|
+
# one or more tags to your CA. Call the [UntagCertificateAuthority][2]
|
1638
|
+
# action to remove tags.
|
1639
|
+
#
|
1640
|
+
#
|
1641
|
+
#
|
1642
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
|
1643
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
|
1220
1644
|
#
|
1221
1645
|
# @option params [required, String] :certificate_authority_arn
|
1222
1646
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1223
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1647
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
1224
1648
|
#
|
1225
1649
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1226
1650
|
# `
|
1227
1651
|
#
|
1652
|
+
#
|
1653
|
+
#
|
1654
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1655
|
+
#
|
1228
1656
|
# @option params [String] :next_token
|
1229
1657
|
# Use this parameter when paginating results in a subsequent request
|
1230
1658
|
# after you receive a response with truncated results. Set it to the
|
@@ -1268,30 +1696,121 @@ module Aws::ACMPCA
|
|
1268
1696
|
req.send_request(options)
|
1269
1697
|
end
|
1270
1698
|
|
1699
|
+
# Attaches a resource-based policy to a private CA.
|
1700
|
+
#
|
1701
|
+
# A policy can also be applied by [sharing][1] a private CA through AWS
|
1702
|
+
# Resource Access Manager (RAM).
|
1703
|
+
#
|
1704
|
+
# The policy can be displayed with [GetPolicy][2] and removed with
|
1705
|
+
# [DeletePolicy][3].
|
1706
|
+
#
|
1707
|
+
# **About Policies**
|
1708
|
+
#
|
1709
|
+
# * A policy grants access on a private CA to an AWS customer account,
|
1710
|
+
# to AWS Organizations, or to an AWS Organizations unit. Policies are
|
1711
|
+
# under the control of a CA administrator. For more information, see
|
1712
|
+
# [Using a Resource Based Policy with ACM Private
|
1713
|
+
# CA](acm-pca/latest/userguide/pca-rbp.html).
|
1714
|
+
#
|
1715
|
+
# * A policy permits a user of AWS Certificate Manager (ACM) to issue
|
1716
|
+
# ACM certificates signed by a CA in another account.
|
1717
|
+
#
|
1718
|
+
# * For ACM to manage automatic renewal of these certificates, the ACM
|
1719
|
+
# user must configure a Service Linked Role (SLR). The SLR allows the
|
1720
|
+
# ACM service to assume the identity of the user, subject to
|
1721
|
+
# confirmation against the ACM Private CA policy. For more
|
1722
|
+
# information, see [Using a Service Linked Role with ACM][4].
|
1723
|
+
#
|
1724
|
+
# * Updates made in AWS Resource Manager (RAM) are reflected in
|
1725
|
+
# policies. For more information, see [Using AWS Resource Access
|
1726
|
+
# Manager (RAM) with ACM Private
|
1727
|
+
# CA](acm-pca/latest/userguide/pca-ram.html).
|
1728
|
+
#
|
1729
|
+
#
|
1730
|
+
#
|
1731
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html
|
1732
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html
|
1733
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html
|
1734
|
+
# [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html
|
1735
|
+
#
|
1736
|
+
# @option params [required, String] :resource_arn
|
1737
|
+
# The Amazon Resource Number (ARN) of the private CA to associate with
|
1738
|
+
# the policy. The ARN of the CA can be found by calling the
|
1739
|
+
# [ListCertificateAuthorities][1] action.
|
1740
|
+
#
|
1741
|
+
#
|
1742
|
+
#
|
1743
|
+
#
|
1744
|
+
#
|
1745
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1746
|
+
#
|
1747
|
+
# @option params [required, String] :policy
|
1748
|
+
# The path and filename of a JSON-formatted IAM policy to attach to the
|
1749
|
+
# specified private CA resource. If this policy does not contain all
|
1750
|
+
# required statements or if it includes any statement that is not
|
1751
|
+
# allowed, the `PutPolicy` action returns an `InvalidPolicyException`.
|
1752
|
+
# For information about IAM policy and statement structure, see
|
1753
|
+
# [Overview of JSON Policies][1].
|
1754
|
+
#
|
1755
|
+
#
|
1756
|
+
#
|
1757
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
|
1758
|
+
#
|
1759
|
+
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1760
|
+
#
|
1761
|
+
# @example Request syntax with placeholder values
|
1762
|
+
#
|
1763
|
+
# resp = client.put_policy({
|
1764
|
+
# resource_arn: "Arn", # required
|
1765
|
+
# policy: "AWSPolicy", # required
|
1766
|
+
# })
|
1767
|
+
#
|
1768
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicy AWS API Documentation
|
1769
|
+
#
|
1770
|
+
# @overload put_policy(params = {})
|
1771
|
+
# @param [Hash] params ({})
|
1772
|
+
def put_policy(params = {}, options = {})
|
1773
|
+
req = build_request(:put_policy, params)
|
1774
|
+
req.send_request(options)
|
1775
|
+
end
|
1776
|
+
|
1271
1777
|
# Restores a certificate authority (CA) that is in the `DELETED` state.
|
1272
1778
|
# You can restore a CA during the period that you defined in the
|
1273
1779
|
# **PermanentDeletionTimeInDays** parameter of the
|
1274
|
-
# DeleteCertificateAuthority action. Currently, you can specify 7
|
1275
|
-
# days. If you did not specify a **PermanentDeletionTimeInDays**
|
1276
|
-
# by default you can restore the CA at any time in a 30 day
|
1277
|
-
# can check the time remaining in the restoration period of
|
1278
|
-
# in the `DELETED` state by calling the
|
1279
|
-
#
|
1280
|
-
# to its pre-deletion status
|
1281
|
-
# action returns. To change its
|
1282
|
-
#
|
1283
|
-
# `PENDING_CERTIFICATE` state at deletion,
|
1284
|
-
# ImportCertificateAuthorityCertificate action to
|
1285
|
-
# authority into the private CA before it can be
|
1286
|
-
# restore a CA after the restoration period has
|
1780
|
+
# [DeleteCertificateAuthority][1] action. Currently, you can specify 7
|
1781
|
+
# to 30 days. If you did not specify a **PermanentDeletionTimeInDays**
|
1782
|
+
# value, by default you can restore the CA at any time in a 30 day
|
1783
|
+
# period. You can check the time remaining in the restoration period of
|
1784
|
+
# a private CA in the `DELETED` state by calling the
|
1785
|
+
# [DescribeCertificateAuthority][2] or [ListCertificateAuthorities][3]
|
1786
|
+
# actions. The status of a restored CA is set to its pre-deletion status
|
1787
|
+
# when the **RestoreCertificateAuthority** action returns. To change its
|
1788
|
+
# status to `ACTIVE`, call the [UpdateCertificateAuthority][4] action.
|
1789
|
+
# If the private CA was in the `PENDING_CERTIFICATE` state at deletion,
|
1790
|
+
# you must use the [ImportCertificateAuthorityCertificate][5] action to
|
1791
|
+
# import a certificate authority into the private CA before it can be
|
1792
|
+
# activated. You cannot restore a CA after the restoration period has
|
1793
|
+
# ended.
|
1794
|
+
#
|
1795
|
+
#
|
1796
|
+
#
|
1797
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html
|
1798
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html
|
1799
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html
|
1800
|
+
# [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
|
1801
|
+
# [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html
|
1287
1802
|
#
|
1288
1803
|
# @option params [required, String] :certificate_authority_arn
|
1289
1804
|
# The Amazon Resource Name (ARN) that was returned when you called the
|
1290
|
-
# CreateCertificateAuthority action. This must be of the form:
|
1805
|
+
# [CreateCertificateAuthority][1] action. This must be of the form:
|
1291
1806
|
#
|
1292
1807
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1293
1808
|
# `
|
1294
1809
|
#
|
1810
|
+
#
|
1811
|
+
#
|
1812
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1813
|
+
#
|
1295
1814
|
# @return [Struct] Returns an empty {Seahorse::Client::Response response}.
|
1296
1815
|
#
|
1297
1816
|
# @example Request syntax with placeholder values
|
@@ -1313,15 +1832,33 @@ module Aws::ACMPCA
|
|
1313
1832
|
# enable a certificate revocation list (CRL) when you create or update
|
1314
1833
|
# your private CA, information about the revoked certificates will be
|
1315
1834
|
# included in the CRL. ACM Private CA writes the CRL to an S3 bucket
|
1316
|
-
# that you specify.
|
1317
|
-
#
|
1318
|
-
#
|
1319
|
-
#
|
1835
|
+
# that you specify. A CRL is typically updated approximately 30 minutes
|
1836
|
+
# after a certificate is revoked. If for any reason the CRL update
|
1837
|
+
# fails, ACM Private CA attempts makes further attempts every 15
|
1838
|
+
# minutes. With Amazon CloudWatch, you can create alarms for the metrics
|
1839
|
+
# `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see
|
1840
|
+
# [Supported CloudWatch Metrics][1].
|
1841
|
+
#
|
1842
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
1843
|
+
# bucket that you specify. If the IAM principal making the call does not
|
1844
|
+
# have permission to write to the bucket, then an exception is thrown.
|
1845
|
+
# For more information, see [Configure Access to ACM Private CA][2].
|
1846
|
+
#
|
1847
|
+
# </note>
|
1848
|
+
#
|
1849
|
+
# ACM Private CA also writes revocation information to the audit report.
|
1850
|
+
# For more information, see [CreateCertificateAuthorityAuditReport][3].
|
1320
1851
|
#
|
1321
1852
|
# <note markdown="1"> You cannot revoke a root CA self-signed certificate.
|
1322
1853
|
#
|
1323
1854
|
# </note>
|
1324
1855
|
#
|
1856
|
+
#
|
1857
|
+
#
|
1858
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html
|
1859
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
1860
|
+
# [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html
|
1861
|
+
#
|
1325
1862
|
# @option params [required, String] :certificate_authority_arn
|
1326
1863
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
1327
1864
|
# certificate to be revoked. This must be of the form:
|
@@ -1332,21 +1869,22 @@ module Aws::ACMPCA
|
|
1332
1869
|
# @option params [required, String] :certificate_serial
|
1333
1870
|
# Serial number of the certificate to be revoked. This must be in
|
1334
1871
|
# hexadecimal format. You can retrieve the serial number by calling
|
1335
|
-
# GetCertificate with the Amazon Resource Name (ARN) of the
|
1336
|
-
# you want and the ARN of your private CA. The
|
1337
|
-
# retrieves the certificate in the PEM format.
|
1338
|
-
# OpenSSL command to list the certificate in
|
1339
|
-
# hexadecimal serial number.
|
1872
|
+
# [GetCertificate][1] with the Amazon Resource Name (ARN) of the
|
1873
|
+
# certificate you want and the ARN of your private CA. The
|
1874
|
+
# **GetCertificate** action retrieves the certificate in the PEM format.
|
1875
|
+
# You can use the following OpenSSL command to list the certificate in
|
1876
|
+
# text format and copy the hexadecimal serial number.
|
1340
1877
|
#
|
1341
1878
|
# `openssl x509 -in file_path -text -noout`
|
1342
1879
|
#
|
1343
1880
|
# You can also copy the serial number from the console or use the
|
1344
|
-
# [DescribeCertificate][
|
1881
|
+
# [DescribeCertificate][2] action in the *AWS Certificate Manager API
|
1345
1882
|
# Reference*.
|
1346
1883
|
#
|
1347
1884
|
#
|
1348
1885
|
#
|
1349
|
-
# [1]: https://docs.aws.amazon.com/acm/latest/APIReference/
|
1886
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html
|
1887
|
+
# [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html
|
1350
1888
|
#
|
1351
1889
|
# @option params [required, String] :revocation_reason
|
1352
1890
|
# Specifies why you revoked the certificate.
|
@@ -1378,16 +1916,25 @@ module Aws::ACMPCA
|
|
1378
1916
|
# to identify a specific characteristic of that CA, or you can apply the
|
1379
1917
|
# same tag to multiple private CAs if you want to filter for a common
|
1380
1918
|
# relationship among those CAs. To remove one or more tags, use the
|
1381
|
-
# UntagCertificateAuthority action. Call the ListTags action
|
1382
|
-
# tags are associated with your CA.
|
1919
|
+
# [UntagCertificateAuthority][1] action. Call the [ListTags][2] action
|
1920
|
+
# to see what tags are associated with your CA.
|
1921
|
+
#
|
1922
|
+
#
|
1923
|
+
#
|
1924
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html
|
1925
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
|
1383
1926
|
#
|
1384
1927
|
# @option params [required, String] :certificate_authority_arn
|
1385
1928
|
# The Amazon Resource Name (ARN) that was returned when you called
|
1386
|
-
# CreateCertificateAuthority. This must be of the form:
|
1929
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
1387
1930
|
#
|
1388
1931
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1389
1932
|
# `
|
1390
1933
|
#
|
1934
|
+
#
|
1935
|
+
#
|
1936
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1937
|
+
#
|
1391
1938
|
# @option params [required, Array<Types::Tag>] :tags
|
1392
1939
|
# List of tags to be associated with the CA.
|
1393
1940
|
#
|
@@ -1419,16 +1966,25 @@ module Aws::ACMPCA
|
|
1419
1966
|
# when calling this action, the tag will be removed regardless of value.
|
1420
1967
|
# If you specify a value, the tag is removed only if it is associated
|
1421
1968
|
# with the specified value. To add tags to a private CA, use the
|
1422
|
-
# TagCertificateAuthority. Call the ListTags action to see
|
1423
|
-
# associated with your CA.
|
1969
|
+
# [TagCertificateAuthority][1]. Call the [ListTags][2] action to see
|
1970
|
+
# what tags are associated with your CA.
|
1971
|
+
#
|
1972
|
+
#
|
1973
|
+
#
|
1974
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html
|
1975
|
+
# [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html
|
1424
1976
|
#
|
1425
1977
|
# @option params [required, String] :certificate_authority_arn
|
1426
1978
|
# The Amazon Resource Name (ARN) that was returned when you called
|
1427
|
-
# CreateCertificateAuthority. This must be of the form:
|
1979
|
+
# [CreateCertificateAuthority][1]. This must be of the form:
|
1428
1980
|
#
|
1429
1981
|
# `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
|
1430
1982
|
# `
|
1431
1983
|
#
|
1984
|
+
#
|
1985
|
+
#
|
1986
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html
|
1987
|
+
#
|
1432
1988
|
# @option params [required, Array<Types::Tag>] :tags
|
1433
1989
|
# List of tags to be removed from the CA.
|
1434
1990
|
#
|
@@ -1461,6 +2017,17 @@ module Aws::ACMPCA
|
|
1461
2017
|
# `ACTIVE` state or make a CA that is in the `DISABLED` state active
|
1462
2018
|
# again.
|
1463
2019
|
#
|
2020
|
+
# <note markdown="1"> Both PCA and the IAM principal must have permission to write to the S3
|
2021
|
+
# bucket that you specify. If the IAM principal making the call does not
|
2022
|
+
# have permission to write to the bucket, then an exception is thrown.
|
2023
|
+
# For more information, see [Configure Access to ACM Private CA][1].
|
2024
|
+
#
|
2025
|
+
# </note>
|
2026
|
+
#
|
2027
|
+
#
|
2028
|
+
#
|
2029
|
+
# [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html
|
2030
|
+
#
|
1464
2031
|
# @option params [required, String] :certificate_authority_arn
|
1465
2032
|
# Amazon Resource Name (ARN) of the private CA that issued the
|
1466
2033
|
# certificate to be revoked. This must be of the form:
|
@@ -1513,7 +2080,7 @@ module Aws::ACMPCA
|
|
1513
2080
|
params: params,
|
1514
2081
|
config: config)
|
1515
2082
|
context[:gem_name] = 'aws-sdk-acmpca'
|
1516
|
-
context[:gem_version] = '1.
|
2083
|
+
context[:gem_version] = '1.27.0'
|
1517
2084
|
Seahorse::Client::Request.new(handlers, context)
|
1518
2085
|
end
|
1519
2086
|
|