certificate_authorities

Creates, updates, deletes or gets a certificate_authority resource or lists certificate_authorities in a region

Overview

Name	`certificate_authorities`
Type	Resource
Description	Private certificate authority.
Id	`awscc.acmpca.certificate_authorities`

Fields

get (all properties)
list (identifiers only)

Name	Datatype	Description
`arn`	`string`	The Amazon Resource Name (ARN) of the certificate authority.
`type`	`string`	The type of the certificate authority.
`key_algorithm`	`string`	Public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate.
`signing_algorithm`	`string`	Algorithm your CA uses to sign certificate requests.
▶`subject`	`object`	Structure that contains X.500 distinguished name information for your CA.
▶`revocation_configuration`	`object`	Certificate revocation information used by the CreateCertificateAuthority and UpdateCertificateAuthority actions.
▶`tags`	`array`
`certificate_signing_request`	`string`	The base64 PEM-encoded certificate signing request (CSR) for your certificate authority certificate.
▶`csr_extensions`	`object`	Structure that contains CSR pass through extension information used by the CreateCertificateAuthority action.
`key_storage_security_standard`	`string`	KeyStorageSecurityStadard defines a cryptographic key management compliance standard used for handling CA keys.
`usage_mode`	`string`	Usage mode of the ceritificate authority.
`region`	`string`	AWS region.

Name	Datatype	Description
`arn`	`string`	The Amazon Resource Name (ARN) of the certificate authority.
`region`	`string`	AWS region.

For more information, see AWS::ACMPCA::CertificateAuthority.

Methods

Name	Resource	Accessible by	Required Params
`create_resource`	`certificate_authorities`	`INSERT`	`Type, KeyAlgorithm, SigningAlgorithm, Subject, region`
`delete_resource`	`certificate_authorities`	`DELETE`	`Identifier, region`
`update_resource`	`certificate_authorities`	`UPDATE`	`Identifier, PatchDocument, region`
`list_resources`	`certificate_authorities_list_only`	`SELECT`	`region`
`get_resource`	`certificate_authorities`	`SELECT`	`Identifier, region`

`SELECT` examples

get (all properties)
list (identifiers only)

Gets all properties from an individual certificate_authority.

SELECT
  region,
  arn,
  type,
  key_algorithm,
  signing_algorithm,
  subject,
  revocation_configuration,
  tags,
  certificate_signing_request,
  csr_extensions,
  key_storage_security_standard,
  usage_mode
FROM awscc.acmpca.certificate_authorities
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}';

Lists all certificate_authorities in a region.

SELECT
  region,
  arn
FROM awscc.acmpca.certificate_authorities_list_only
WHERE
  region = '{{ region }}';

`INSERT` example

Use the following StackQL query and manifest file to create a new certificate_authority resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO awscc.acmpca.certificate_authorities (
  Type,
  KeyAlgorithm,
  SigningAlgorithm,
  Subject,
  region
)
SELECT
  '{{ type }}',
  '{{ key_algorithm }}',
  '{{ signing_algorithm }}',
  '{{ subject }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

/*+ create */
INSERT INTO awscc.acmpca.certificate_authorities (
  Type,
  KeyAlgorithm,
  SigningAlgorithm,
  Subject,
  RevocationConfiguration,
  Tags,
  CsrExtensions,
  KeyStorageSecurityStandard,
  UsageMode,
  region
)
SELECT
  '{{ type }}',
  '{{ key_algorithm }}',
  '{{ signing_algorithm }}',
  '{{ subject }}',
  '{{ revocation_configuration }}',
  '{{ tags }}',
  '{{ csr_extensions }}',
  '{{ key_storage_security_standard }}',
  '{{ usage_mode }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: certificate_authority
  props:
    - name: type
      value: '{{ type }}'
    - name: key_algorithm
      value: '{{ key_algorithm }}'
    - name: signing_algorithm
      value: '{{ signing_algorithm }}'
    - name: subject
      value:
        country: '{{ country }}'
        organization: '{{ organization }}'
        organizational_unit: '{{ organizational_unit }}'
        distinguished_name_qualifier: '{{ distinguished_name_qualifier }}'
        state: '{{ state }}'
        common_name: '{{ common_name }}'
        serial_number: '{{ serial_number }}'
        locality: '{{ locality }}'
        title: '{{ title }}'
        surname: '{{ surname }}'
        given_name: '{{ given_name }}'
        initials: '{{ initials }}'
        pseudonym: '{{ pseudonym }}'
        generation_qualifier: '{{ generation_qualifier }}'
        custom_attributes:
          - object_identifier: '{{ object_identifier }}'
            value: '{{ value }}'
    - name: revocation_configuration
      value:
        crl_configuration:
          enabled: '{{ enabled }}'
          expiration_in_days: '{{ expiration_in_days }}'
          custom_cname: '{{ custom_cname }}'
          s3_bucket_name: '{{ s3_bucket_name }}'
          s3_object_acl: '{{ s3_object_acl }}'
          crl_distribution_point_extension_configuration:
            omit_extension: '{{ omit_extension }}'
          crl_type: '{{ crl_type }}'
          custom_path: '{{ custom_path }}'
        ocsp_configuration:
          enabled: '{{ enabled }}'
          ocsp_custom_cname: '{{ ocsp_custom_cname }}'
    - name: tags
      value:
        - key: '{{ key }}'
          value: '{{ value }}'
    - name: csr_extensions
      value:
        key_usage:
          digital_signature: '{{ digital_signature }}'
          non_repudiation: '{{ non_repudiation }}'
          key_encipherment: '{{ key_encipherment }}'
          data_encipherment: '{{ data_encipherment }}'
          key_agreement: '{{ key_agreement }}'
          key_cert_sign: '{{ key_cert_sign }}'
          c_rl_sign: '{{ c_rl_sign }}'
          encipher_only: '{{ encipher_only }}'
          decipher_only: '{{ decipher_only }}'
        subject_information_access:
          - access_method:
              custom_object_identifier: null
              access_method_type: '{{ access_method_type }}'
            access_location:
              other_name:
                type_id: null
                value: '{{ value }}'
              rfc822_name: '{{ rfc822_name }}'
              dns_name: '{{ dns_name }}'
              directory_name: null
              edi_party_name:
                party_name: '{{ party_name }}'
                name_assigner: '{{ name_assigner }}'
              uniform_resource_identifier: '{{ uniform_resource_identifier }}'
              ip_address: '{{ ip_address }}'
              registered_id: null
    - name: key_storage_security_standard
      value: '{{ key_storage_security_standard }}'
    - name: usage_mode
      value: '{{ usage_mode }}'

`UPDATE` example

Use the following StackQL query and manifest file to update a certificate_authority resource, using stack-deploy.

/*+ update */
UPDATE awscc.acmpca.certificate_authorities
SET PatchDocument = string('{{ {
    "RevocationConfiguration": revocation_configuration,
    "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ arn }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

`DELETE` example

/*+ delete */
DELETE FROM awscc.acmpca.certificate_authorities
WHERE
  Identifier = '{{ arn }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
`ClientToken`	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
`RoleArn`	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
`TypeVersionId`	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the certificate_authorities resource, the following permissions are required:

Create
Read
Update
Delete
List

acm-pca:CreateCertificateAuthority,
acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr,
acm-pca:TagCertificateAuthority

acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr,
acm-pca:ListTags

acm-pca:TagCertificateAuthority,
acm-pca:UntagCertificateAuthority,
acm-pca:UpdateCertificateAuthority

acm-pca:DeleteCertificateAuthority,
acm-pca:DescribeCertificateAuthority

acm-pca:DescribeCertificateAuthority,
acm-pca:GetCertificateAuthorityCsr,
acm-pca:ListCertificateAuthorities,
acm-pca:ListTags

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

UPDATE example​

DELETE example​

Additional Parameters​

Permissions​