certificate_authorities
Creates, updates, deletes or gets a certificate_authority resource or lists certificate_authorities in a region
Overview
Name | certificate_authorities |
Type | Resource |
Description | Private certificate authority. |
Id | aws.acmpca.certificate_authorities |
Fields
Name | Datatype | Description |
---|---|---|
arn | string | The Amazon Resource Name (ARN) of the certificate authority. |
type | string | The type of the certificate authority. |
key_algorithm | string | Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. |
signing_algorithm | string | Algorithm your CA uses to sign certificate requests. |
subject | object | Structure that contains X.500 distinguished name information for your CA. |
revocation_configuration | object | Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions. |
tags | array | |
certificate_signing_request | string | The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate. |
csr_extensions | object | Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action. |
key_storage_security_standard | string | KeyStorageSecurityStandard defines a cryptographic key management compliance standard used for handling CA keys. |
usage_mode | string | Usage mode of the certificate authority. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | Type, KeyAlgorithm, SigningAlgorithm, Subject, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all certificate_authorities in a region.
SELECT
region,
arn,
type,
key_algorithm,
signing_algorithm,
subject,
revocation_configuration,
tags,
certificate_signing_request,
csr_extensions,
key_storage_security_standard,
usage_mode
FROM aws.acmpca.certificate_authorities
WHERE region = 'us-east-1';
Gets all properties from an individual certificate_authority.
SELECT
region,
arn,
type,
key_algorithm,
signing_algorithm,
subject,
revocation_configuration,
tags,
certificate_signing_request,
csr_extensions,
key_storage_security_standard,
usage_mode
FROM aws.acmpca.certificate_authorities
WHERE region = 'us-east-1' AND data__Identifier = '<Arn>';
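As an added example (not part of the StackQL documentation), a Python posture check over rows shaped like the SELECT output above, flagging CAs with no revocation mechanism and CAs whose key storage standard is the weaker of the two levels. The sample rows, ARNs and finding codes are constructed, and the values FIPS_140_2_LEVEL_3_OR_HIGHER and SHORT_LIVED_CERTIFICATE are assumed from the ACM PCA API rather than taken from this page.

```python
import json

# Constructed sample rows shaped like the SELECT output above; the ARNs and
# settings are made up for illustration, not real certificate authorities.
SAMPLE_ROWS = [
    {
        "arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-1",
        "type": "ROOT",
        "usage_mode": "GENERAL_PURPOSE",
        "key_storage_security_standard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
        # StackQL returns object columns as JSON text, so the check parses them.
        "revocation_configuration": json.dumps({
            "CrlConfiguration": {"Enabled": True, "S3BucketName": "example-crl-bucket"},
            "OcspConfiguration": {"Enabled": False},
        }),
    },
    {
        "arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-2",
        "type": "SUBORDINATE",
        "usage_mode": "GENERAL_PURPOSE",
        "key_storage_security_standard": "FIPS_140_2_LEVEL_2_OR_HIGHER",
        "revocation_configuration": json.dumps({
            "CrlConfiguration": {"Enabled": False},
            "OcspConfiguration": {"Enabled": False},
        }),
    },
]

def findings_for(row):
    """Return finding codes for one certificate_authorities row (empty if clean)."""
    findings = []
    rc = row.get("revocation_configuration") or "{}"
    rc = json.loads(rc) if isinstance(rc, str) else rc
    crl_on = bool(rc.get("CrlConfiguration", {}).get("Enabled"))
    ocsp_on = bool(rc.get("OcspConfiguration", {}).get("Enabled"))
    # A GENERAL_PURPOSE CA issues long-lived certificates; with neither CRL nor
    # OCSP enabled, relying parties have no way to learn that one was revoked.
    if row.get("usage_mode") != "SHORT_LIVED_CERTIFICATE" and not (crl_on or ocsp_on):
        findings.append("no_revocation_mechanism")
    # Level 3 is the stronger of the two KeyStorageSecurityStandard values (assumed).
    if row.get("key_storage_security_standard") != "FIPS_140_2_LEVEL_3_OR_HIGHER":
        findings.append("key_storage_below_fips_140_2_level_3")
    return findings

def audit(rows):
    """Map each CA ARN to its findings, keeping only CAs with at least one."""
    return {r["arn"]: f for r in rows if (f := findings_for(r))}
```

Feed `audit` the rows returned by the SELECT above (each object column arrives as JSON text) to get a per-ARN list of issues to follow up on.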
INSERT example
Use the following StackQL query and manifest file to create a new certificate_authority resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.acmpca.certificate_authorities (
Type,
KeyAlgorithm,
SigningAlgorithm,
Subject,
region
)
SELECT
'{{ Type }}',
'{{ KeyAlgorithm }}',
'{{ SigningAlgorithm }}',
'{{ Subject }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.acmpca.certificate_authorities (
Type,
KeyAlgorithm,
SigningAlgorithm,
Subject,
RevocationConfiguration,
Tags,
CsrExtensions,
KeyStorageSecurityStandard,
UsageMode,
region
)
SELECT
'{{ Type }}',
'{{ KeyAlgorithm }}',
'{{ SigningAlgorithm }}',
'{{ Subject }}',
'{{ RevocationConfiguration }}',
'{{ Tags }}',
'{{ CsrExtensions }}',
'{{ KeyStorageSecurityStandard }}',
'{{ UsageMode }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: certificate_authority
props:
- name: Type
value: '{{ Type }}'
- name: KeyAlgorithm
value: '{{ KeyAlgorithm }}'
- name: SigningAlgorithm
value: '{{ SigningAlgorithm }}'
- name: Subject
value:
Country: '{{ Country }}'
Organization: '{{ Organization }}'
OrganizationalUnit: '{{ OrganizationalUnit }}'
DistinguishedNameQualifier: '{{ DistinguishedNameQualifier }}'
State: '{{ State }}'
CommonName: '{{ CommonName }}'
SerialNumber: '{{ SerialNumber }}'
Locality: '{{ Locality }}'
Title: '{{ Title }}'
Surname: '{{ Surname }}'
GivenName: '{{ GivenName }}'
Initials: '{{ Initials }}'
Pseudonym: '{{ Pseudonym }}'
GenerationQualifier: '{{ GenerationQualifier }}'
CustomAttributes:
- ObjectIdentifier: '{{ ObjectIdentifier }}'
Value: '{{ Value }}'
- name: RevocationConfiguration
value:
CrlConfiguration:
Enabled: '{{ Enabled }}'
ExpirationInDays: '{{ ExpirationInDays }}'
CustomCname: '{{ CustomCname }}'
S3BucketName: '{{ S3BucketName }}'
S3ObjectAcl: '{{ S3ObjectAcl }}'
CrlDistributionPointExtensionConfiguration:
OmitExtension: '{{ OmitExtension }}'
OcspConfiguration:
Enabled: '{{ Enabled }}'
OcspCustomCname: '{{ OcspCustomCname }}'
- name: Tags
value:
- Key: '{{ Key }}'
Value: '{{ Value }}'
- name: CsrExtensions
value:
KeyUsage:
DigitalSignature: '{{ DigitalSignature }}'
NonRepudiation: '{{ NonRepudiation }}'
KeyEncipherment: '{{ KeyEncipherment }}'
DataEncipherment: '{{ DataEncipherment }}'
KeyAgreement: '{{ KeyAgreement }}'
KeyCertSign: '{{ KeyCertSign }}'
CRLSign: '{{ CRLSign }}'
EncipherOnly: '{{ EncipherOnly }}'
DecipherOnly: '{{ DecipherOnly }}'
SubjectInformationAccess:
- AccessMethod:
CustomObjectIdentifier: null
AccessMethodType: '{{ AccessMethodType }}'
AccessLocation:
OtherName:
TypeId: null
Value: '{{ Value }}'
Rfc822Name: '{{ Rfc822Name }}'
DnsName: '{{ DnsName }}'
DirectoryName: null
EdiPartyName:
PartyName: '{{ PartyName }}'
NameAssigner: '{{ NameAssigner }}'
UniformResourceIdentifier: '{{ UniformResourceIdentifier }}'
IpAddress: '{{ IpAddress }}'
RegisteredId: null
- name: KeyStorageSecurityStandard
value: '{{ KeyStorageSecurityStandard }}'
- name: UsageMode
value: '{{ UsageMode }}'
DELETE example
/*+ delete */
DELETE FROM aws.acmpca.certificate_authorities
WHERE data__Identifier = '<Arn>'
AND region = 'us-east-1';
Permissions
To operate on the certificate_authorities resource, the following permissions are required:
Create
acm-pca:CreateCertificateAuthority,
acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr
Read
acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr,
acm-pca:ListTags
Update
acm-pca:ListTags,
acm-pca:TagCertificateAuthority,
acm-pca:UntagCertificateAuthority,
acm-pca:UpdateCertificateAuthority
Delete
acm-pca:DeleteCertificateAuthority,
acm-pca:DescribeCertificateAuthority
List
acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr,
acm-pca:ListCertificateAuthorities,
acm-pca:ListTags