
Permission

The Permission resource allows you to manage AWS ACMPCA Permissions for certificate authorities, enabling you to specify actions that can be performed by specific principals.

Create a basic permission for a certificate authority allowing a specific action for a principal:

```ts
import AWS from "alchemy/aws/control";

const acmPermission = await AWS.ACMPCA.Permission("basicPermission", {
  CertificateAuthorityArn: "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcd1234-efgh-5678-ijkl-90mnopqrst",
  Actions: ["acm-pca:IssueCertificate"],
  Principal: "arn:aws:iam::123456789012:role/MyRole"
});
```

Add the optional SourceAccount to restrict the granted actions to a specific AWS account:

```ts
const advancedPermission = await AWS.ACMPCA.Permission("advancedPermission", {
  CertificateAuthorityArn: "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcd1234-efgh-5678-ijkl-90mnopqrst",
  Actions: [
    "acm-pca:IssueCertificate",
    "acm-pca:GetCertificate"
  ],
  Principal: "arn:aws:iam::123456789012:role/MyRole",
  SourceAccount: "123456789012"
});
```

Grant multiple actions to a principal for a certificate authority:

```ts
const multipleActionsPermission = await AWS.ACMPCA.Permission("multipleActionsPermission", {
  CertificateAuthorityArn: "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcd1234-efgh-5678-ijkl-90mnopqrst",
  Actions: [
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
    "acm-pca:GetCertificate"
  ],
  Principal: "arn:aws:iam::123456789012:role/MyRole"
});
```

Adopt an existing permission instead of failing when one already exists:

```ts
const adoptExistingPermission = await AWS.ACMPCA.Permission("adoptExistingPermission", {
  CertificateAuthorityArn: "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/abcd1234-efgh-5678-ijkl-90mnopqrst",
  Actions: ["acm-pca:IssueCertificate"],
  Principal: "arn:aws:iam::123456789012:role/MyRole",
  adopt: true
});
```
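As an added example (not part of the Alchemy docs or the library's own code), a pre-flight check that validates a Permission's props for least privilege before they are handed to AWS.ACMPCA.Permission: the CA ARN must parse, SourceAccount must match the account that owns the CA, and every action must be on a project allow-list. The allow-list and the accepted Principal formats are assumptions chosen for this example.

```typescript
// Added example, not Alchemy's own code: catch over-broad or inconsistent
// ACM PCA permission grants at plan time rather than after they exist.

interface PermissionProps {
  CertificateAuthorityArn: string;
  Actions: string[];
  Principal: string;
  SourceAccount?: string;
}

// Assumption: a project-level allow-list of actions this deployment is willing
// to grant, not an AWS-defined constant.
const ALLOWED_ACTIONS = new Set(["acm-pca:IssueCertificate", "acm-pca:GetCertificate"]);

// Captures region (1) and owning account ID (2) of a certificate-authority ARN.
const CA_ARN = /^arn:aws:acm-pca:([a-z0-9-]+):(\d{12}):certificate-authority\/[A-Za-z0-9-]+$/;

// Assumption: principals are IAM role/user ARNs or AWS service principals.
const IAM_PRINCIPAL = /^arn:aws:iam::\d{12}:(role|user)\/.+$/;
const SERVICE_PRINCIPAL = /^[a-z0-9.-]+\.amazonaws\.com$/;

// Returns a list of problems; an empty list means the props passed every check.
function validatePermission(p: PermissionProps): string[] {
  const problems: string[] = [];
  const m = CA_ARN.exec(p.CertificateAuthorityArn);
  if (!m) problems.push("CertificateAuthorityArn is not an ACM PCA certificate-authority ARN");
  if (p.Actions.length === 0) problems.push("Actions must not be empty");
  for (const a of p.Actions) {
    if (!ALLOWED_ACTIONS.has(a)) problems.push(`action not in allow-list: ${a}`);
  }
  if (p.SourceAccount !== undefined) {
    if (!/^\d{12}$/.test(p.SourceAccount)) {
      problems.push("SourceAccount must be a 12-digit account ID");
    } else if (m && p.SourceAccount !== m[2]) {
      // The CA owner account is the only sensible source account for this grant.
      problems.push(`SourceAccount ${p.SourceAccount} does not match CA owner account ${m[2]}`);
    }
  }
  if (!IAM_PRINCIPAL.test(p.Principal) && !SERVICE_PRINCIPAL.test(p.Principal)) {
    problems.push("Principal must be an IAM role/user ARN or an AWS service principal");
  }
  return problems;
}
```

Run it against the props of each example above and refuse to create the resource when the returned list is non-empty.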