AWS Certificate Manager Private Certificate Authority
User Guide (Version latest)

Inline Policies

Inline policies are policies that you create and manage and embed directly into a user, group, or role. The following policy examples show how to assign permissions to perform ACM PCA actions. For general information about inline policies, see Working with Inline Policies in the IAM User Guide. You can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API to create and embed inline policies.

Listing Private CAs

The following policy allows a user to list all of the private CAs in an account.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "acm-pca:ListCertificateAuthorities",
    "Resource": "*"
  }]
}

Retrieving a Private CA Certificate

The following policy allows a user to retrieve a specific private CA certificate.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "acm-pca:GetCertificateAuthorityCertificate",
    "Resource": "arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/12345678-1234-1234-1234-123456789012"
  }
}

Importing a Private CA Certificate

The following policy allows a user to import a private CA certificate.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "acm-pca:ImportCertificateAuthorityCertificate",
    "Resource": "arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/12345678-1234-1234-1234-123456789012"
  }
}

Deleting a Private CA

The following policy allows a user to delete a specific private CA.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "acm-pca:DeleteCertificateAuthority",
    "Resource": "arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/12345678-1234-1234-1234-123456789012"
  }
}

Read-Only Access to ACM PCA

The following policy allows a user to describe and list private certificate authorities and to retrieve the private CA certificate, the CA certificate chain, and issued certificates.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "acm-pca:DescribeCertificateAuthority",
      "acm-pca:DescribeCertificateAuthorityAuditReport",
      "acm-pca:ListCertificateAuthorities",
      "acm-pca:ListTags",
      "acm-pca:GetCertificateAuthorityCertificate",
      "acm-pca:GetCertificateAuthorityCsr",
      "acm-pca:GetCertificate"
    ],
    "Resource": "*"
  }
}

Full Access to ACM PCA

The following policy allows a user to perform any ACM PCA action.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["acm-pca:*"],
    "Resource": "*"
  }]
}

Administrator Access to All AWS Resources

The following policy allows a user to perform any action on any AWS resource.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}
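The policies above range from a single action on a single CA to full administrator access. The following Python script is an added example, not AWS code or part of this guide: it builds a CA-scoped inline policy document like the ones in the earlier sections, lints a policy for grants that are broader than those scoped examples, and evaluates an (action, resource) request against a policy the way IAM does for plain Action/Resource statements (explicit Deny wins, then any Allow, otherwise implicit deny). The account ID and CA IDs in the ARNs are constructed placeholders, and Condition, NotAction and NotResource elements are deliberately not modelled.

```python
"""Offline helpers for the ACM PCA inline policies on this page (added example)."""
import fnmatch
import json
import re

# Constructed placeholder ARNs; 111122223333 is not a real account ID.
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
          "certificate-authority/12345678-1234-1234-1234-123456789012")
OTHER_CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
                "certificate-authority/abcdef12-abcd-abcd-abcd-abcdef123456")

# The action list from the page's read-only policy.
READ_ONLY_ACTIONS = [
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:DescribeCertificateAuthorityAuditReport",
    "acm-pca:ListCertificateAuthorities",
    "acm-pca:ListTags",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:GetCertificateAuthorityCsr",
    "acm-pca:GetCertificate",
]

# Shape of an ACM PCA certificate-authority ARN: service namespace acm-pca,
# a region, a 12-digit account ID and a UUID-style CA ID.
_CA_ARN_RE = re.compile(
    r"^arn:aws:acm-pca:[a-z0-9-]+:\d{12}:certificate-authority/"
    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def is_ca_arn(arn):
    """True if arn has the shape of an ACM PCA certificate-authority ARN."""
    return bool(_CA_ARN_RE.match(arn))


def scoped_policy(actions, resource):
    """One Allow statement; pass a single CA ARN to scope it to that CA."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": list(actions),
                           "Resource": resource}]}


FULL_ACCESS = scoped_policy(["acm-pca:*"], "*")   # "Full Access to ACM PCA"
ADMIN = scoped_policy(["*"], "*")                 # "Administrator Access"


def _as_list(value):
    # IAM accepts a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters (including ':' and
    # '/'), '?' matches one character. Action names compare case-insensitively.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit_action = any(_match(p, action, fold_case=True)
                         for p in _as_list(stmt["Action"]))
        hit_resource = any(_match(p, resource)
                           for p in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def lint_policy(policy):
    """Return warnings for grants broader than the page's scoped examples."""
    warnings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        for act in actions:
            if act == "*":
                warnings.append(f"statement {i}: Action '*' covers every API")
            elif act.endswith(":*"):
                warnings.append(f"statement {i}: '{act}' covers a whole service")
        # List/Describe/Get calls commonly need Resource "*"; any other action
        # on "*" reaches every CA in the account.
        read_only = all(a.split(":")[-1].startswith(("List", "Describe", "Get"))
                        for a in actions)
        if "*" in _as_list(stmt["Resource"]) and not read_only:
            warnings.append(f"statement {i}: Resource '*' with non-read actions")
    return warnings


if __name__ == "__main__":
    delete_one_ca = scoped_policy(["acm-pca:DeleteCertificateAuthority"], CA_ARN)
    print(json.dumps(delete_one_ca, indent=2))
    for name, pol in [("delete_one_ca", delete_one_ca),
                      ("full_access", FULL_ACCESS), ("admin", ADMIN)]:
        print(name, lint_policy(pol) or "ok", "deletes other CA:",
              is_allowed(pol, "acm-pca:DeleteCertificateAuthority", OTHER_CA_ARN))
```

Running the script prints the scoped delete policy as JSON, which can be saved to a file and embedded as an inline policy with `aws iam put-user-policy --user-name USER --policy-name POLICY --policy-document file://policy.json`; the lint output shows that the CA-scoped policy raises no warnings while the full-access and administrator policies each raise two, and the evaluator shows that only the broad policies let the principal delete a CA other than the one named in the ARN.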