AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

ACM PCA API Permissions: Actions and Resources Reference

When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The first column of the table lists each ACM PCA API operation. You specify the corresponding actions in a policy's Action element. The remaining columns provide additional information.

You can use the IAM policy elements in your ACM PCA policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm-pca: prefix followed by the API operation name (for example, acm-pca:IssueCertificate).

ACM PCA API Operations and Permissions

| ACM PCA API Operations | Required Permissions (API Actions) | Resources |
| --- | --- | --- |
| CreateCertificateAuthority | acm-pca:CreateCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| CreateCertificateAuthorityAuditReport | acm-pca:CreateCertificateAuthorityAuditReport | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| DeleteCertificateAuthority | acm-pca:DeleteCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| DescribeCertificateAuthority | acm-pca:DescribeCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| DescribeCertificateAuthorityAuditReport | acm-pca:DescribeCertificateAuthorityAuditReport | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| GetCertificate | acm-pca:GetCertificate | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| GetCertificateAuthorityCertificate | acm-pca:GetCertificateAuthorityCertificate | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| GetCertificateAuthorityCsr | acm-pca:GetCertificateAuthorityCsr | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| ImportCertificateAuthorityCertificate | acm-pca:ImportCertificateAuthorityCertificate | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| IssueCertificate | acm-pca:IssueCertificate | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| ListCertificateAuthorities | acm-pca:ListCertificateAuthorities | N/A |
| ListTags | acm-pca:ListTags | N/A |
| RevokeCertificate | acm-pca:RevokeCertificate | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| TagCertificateAuthority | acm-pca:TagCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| UntagCertificateAuthority | acm-pca:UntagCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
| UpdateCertificateAuthority | acm-pca:UpdateCertificateAuthority | arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID |
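
The table can double as the input to a policy review. The following added example (not part of the AWS guide) lints an identity-based policy for acm-pca: actions that are wildcarded, that do not match an operation in the table, or that are allowed on Resource "*" although the table lists a certificate-authority ARN for them. The function names and both sample policies are constructed for illustration, and the ARN is the placeholder string exactly as the table prints it.

```python
ARN_SCOPED = {  # operations for which the table lists a certificate-authority ARN
    "CreateCertificateAuthority", "CreateCertificateAuthorityAuditReport",
    "DeleteCertificateAuthority", "DescribeCertificateAuthority",
    "DescribeCertificateAuthorityAuditReport", "GetCertificate",
    "GetCertificateAuthorityCertificate", "GetCertificateAuthorityCsr",
    "ImportCertificateAuthorityCertificate", "IssueCertificate", "RevokeCertificate",
    "TagCertificateAuthority", "UntagCertificateAuthority", "UpdateCertificateAuthority",
}
NO_RESOURCE = {"ListCertificateAuthorities", "ListTags"}  # table lists N/A
KNOWN = {name.lower(): name for name in ARN_SCOPED | NO_RESOURCE}
PREFIX = "acm-pca:"
# Placeholder ARN copied from the table, not a real resource.
CA_ARN = "arn:aws:acm:AWS_Region:AWS_Account:certificate-authority/certificate_ID"


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, finding) pairs for the policy's Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith(PREFIX):
                continue  # actions of other services are out of scope here
            name = action[len(PREFIX):]
            if "*" in name or "?" in name:
                findings.append((i, f"{action}: wildcard action, list operations explicitly"))
            elif name.lower() not in KNOWN:  # action names are case-insensitive
                findings.append((i, f"{action}: not an operation in the table"))
            elif KNOWN[name.lower()] in ARN_SCOPED and "*" in resources:
                findings.append((i, f"{action}: Resource '*', scope it to a CA ARN"))
    return findings

# Constructed sample policies (not from the page).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["acm-pca:IssueCertificate", "acm-pca:IssueCertificates"]},
]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": CA_ARN,
     "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate"]},
    {"Effect": "Allow", "Action": "acm-pca:ListCertificateAuthorities", "Resource": "*"},
]}
```

Calling lint_policy(WEAK_POLICY) reports the wildcard grant, the unscoped IssueCertificate, and the misspelled action; lint_policy(TIGHT_POLICY) returns no findings.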