# frozen_string_literal: true # WARNING ABOUT GENERATED CODE # # This file is generated. See the contributing guide for more information: # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md # # WARNING ABOUT GENERATED CODE require 'seahorse/client/plugins/content_length.rb' require 'aws-sdk-core/plugins/credentials_configuration.rb' require 'aws-sdk-core/plugins/logging.rb' require 'aws-sdk-core/plugins/param_converter.rb' require 'aws-sdk-core/plugins/param_validator.rb' require 'aws-sdk-core/plugins/user_agent.rb' require 'aws-sdk-core/plugins/helpful_socket_errors.rb' require 'aws-sdk-core/plugins/retry_errors.rb' require 'aws-sdk-core/plugins/global_configuration.rb' require 'aws-sdk-core/plugins/regional_endpoint.rb' require 'aws-sdk-core/plugins/endpoint_discovery.rb' require 'aws-sdk-core/plugins/endpoint_pattern.rb' require 'aws-sdk-core/plugins/response_paging.rb' require 'aws-sdk-core/plugins/stub_responses.rb' require 'aws-sdk-core/plugins/idempotency_token.rb' require 'aws-sdk-core/plugins/jsonvalue_converter.rb' require 'aws-sdk-core/plugins/client_metrics_plugin.rb' require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb' require 'aws-sdk-core/plugins/transfer_encoding.rb' require 'aws-sdk-core/plugins/http_checksum.rb' require 'aws-sdk-core/plugins/defaults_mode.rb' require 'aws-sdk-core/plugins/recursion_detection.rb' require 'aws-sdk-core/plugins/signature_v4.rb' require 'aws-sdk-core/plugins/protocols/json_rpc.rb' Aws::Plugins::GlobalConfiguration.add_identifier(:acmpca) module Aws::ACMPCA # An API client for ACMPCA. To construct a client, you need to configure a `:region` and `:credentials`. # # client = Aws::ACMPCA::Client.new( # region: region_name, # credentials: credentials, # # ... # ) # # For details on configuring region and credentials see # the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html). # # See {#initialize} for a full list of supported configuration options. class Client < Seahorse::Client::Base include Aws::ClientStubs @identifier = :acmpca set_api(ClientApi::API) add_plugin(Seahorse::Client::Plugins::ContentLength) add_plugin(Aws::Plugins::CredentialsConfiguration) add_plugin(Aws::Plugins::Logging) add_plugin(Aws::Plugins::ParamConverter) add_plugin(Aws::Plugins::ParamValidator) add_plugin(Aws::Plugins::UserAgent) add_plugin(Aws::Plugins::HelpfulSocketErrors) add_plugin(Aws::Plugins::RetryErrors) add_plugin(Aws::Plugins::GlobalConfiguration) add_plugin(Aws::Plugins::RegionalEndpoint) add_plugin(Aws::Plugins::EndpointDiscovery) add_plugin(Aws::Plugins::EndpointPattern) add_plugin(Aws::Plugins::ResponsePaging) add_plugin(Aws::Plugins::StubResponses) add_plugin(Aws::Plugins::IdempotencyToken) add_plugin(Aws::Plugins::JsonvalueConverter) add_plugin(Aws::Plugins::ClientMetricsPlugin) add_plugin(Aws::Plugins::ClientMetricsSendPlugin) add_plugin(Aws::Plugins::TransferEncoding) add_plugin(Aws::Plugins::HttpChecksum) add_plugin(Aws::Plugins::DefaultsMode) add_plugin(Aws::Plugins::RecursionDetection) add_plugin(Aws::Plugins::SignatureV4) add_plugin(Aws::Plugins::Protocols::JsonRpc) # @overload initialize(options) # @param [Hash] options # @option options [required, Aws::CredentialProvider] :credentials # Your AWS credentials. This can be an instance of any one of the # following classes: # # * `Aws::Credentials` - Used for configuring static, non-refreshing # credentials. # # * `Aws::SharedCredentials` - Used for loading static credentials from a # shared file, such as `~/.aws/config`. # # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role. # # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to # assume a role after providing credentials via the web. # # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an # access token generated from `aws login`. # # * `Aws::ProcessCredentials` - Used for loading credentials from a # process that outputs to stdout. # # * `Aws::InstanceProfileCredentials` - Used for loading credentials # from an EC2 IMDS on an EC2 instance. # # * `Aws::ECSCredentials` - Used for loading credentials from # instances running in ECS. # # * `Aws::CognitoIdentityCredentials` - Used for loading credentials # from the Cognito Identity service. # # When `:credentials` are not configured directly, the following # locations will be searched for credentials: # # * `Aws.config[:credentials]` # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options. # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'] # * `~/.aws/credentials` # * `~/.aws/config` # * EC2/ECS IMDS instance profile - When used by default, the timeouts # are very aggressive. Construct and pass an instance of # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to # enable retries and extended timeouts. Instance profile credential # fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED'] # to true. # # @option options [required, String] :region # The AWS region to connect to. The configured `:region` is # used to determine the service `:endpoint`. When not passed, # a default `:region` is searched for in the following locations: # # * `Aws.config[:region]` # * `ENV['AWS_REGION']` # * `ENV['AMAZON_REGION']` # * `ENV['AWS_DEFAULT_REGION']` # * `~/.aws/credentials` # * `~/.aws/config` # # @option options [String] :access_key_id # # @option options [Boolean] :active_endpoint_cache (false) # When set to `true`, a thread polling for endpoints will be running in # the background every 60 secs (default). Defaults to `false`. # # @option options [Boolean] :adaptive_retry_wait_to_fill (true) # Used only in `adaptive` retry mode. When true, the request will sleep # until there is sufficent client side capacity to retry the request. # When false, the request will raise a `RetryCapacityNotAvailableError` and will # not retry instead of sleeping. # # @option options [Boolean] :client_side_monitoring (false) # When `true`, client-side metrics will be collected for all API requests from # this client. # # @option options [String] :client_side_monitoring_client_id ("") # Allows you to provide an identifier for this client which will be attached to # all generated client side metrics. Defaults to an empty string. # # @option options [String] :client_side_monitoring_host ("127.0.0.1") # Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client # side monitoring agent is running on, where client metrics will be published via UDP. # # @option options [Integer] :client_side_monitoring_port (31000) # Required for publishing client metrics. The port that the client side monitoring # agent is running on, where client metrics will be published via UDP. # # @option options [Aws::ClientSideMonitoring::Publisher] :client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) # Allows you to provide a custom client-side monitoring publisher class. By default, # will use the Client Side Monitoring Agent Publisher. # # @option options [Boolean] :convert_params (true) # When `true`, an attempt is made to coerce request parameters into # the required types. # # @option options [Boolean] :correct_clock_skew (true) # Used only in `standard` and adaptive retry modes. Specifies whether to apply # a clock skew correction and retry requests with skewed client clocks. # # @option options [String] :defaults_mode ("legacy") # See {Aws::DefaultsModeConfiguration} for a list of the # accepted modes and the configuration defaults that are included. # # @option options [Boolean] :disable_host_prefix_injection (false) # Set to true to disable SDK automatically adding host prefix # to default service endpoint when available. # # @option options [String] :endpoint # The client endpoint is normally constructed from the `:region` # option. You should only configure an `:endpoint` when connecting # to test or custom endpoints. This should be a valid HTTP(S) URI. # # @option options [Integer] :endpoint_cache_max_entries (1000) # Used for the maximum size limit of the LRU cache storing endpoints data # for endpoint discovery enabled operations. Defaults to 1000. # # @option options [Integer] :endpoint_cache_max_threads (10) # Used for the maximum threads in use for polling endpoints to be cached, defaults to 10. # # @option options [Integer] :endpoint_cache_poll_interval (60) # When :endpoint_discovery and :active_endpoint_cache is enabled, # Use this option to config the time interval in seconds for making # requests fetching endpoints information. Defaults to 60 sec. # # @option options [Boolean] :endpoint_discovery (false) # When set to `true`, endpoint discovery will be enabled for operations when available. # # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default) # The log formatter. # # @option options [Symbol] :log_level (:info) # The log level to send messages to the `:logger` at. # # @option options [Logger] :logger # The Logger instance to send log messages to. If this option # is not set, logging will be disabled. # # @option options [Integer] :max_attempts (3) # An integer representing the maximum number attempts that will be made for # a single request, including the initial attempt. For example, # setting this value to 5 will result in a request being retried up to # 4 times. Used in `standard` and `adaptive` retry modes. # # @option options [String] :profile ("default") # Used when loading credentials from the shared credentials file # at HOME/.aws/credentials. When not specified, 'default' is used. # # @option options [Proc] :retry_backoff # A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. # This option is only used in the `legacy` retry mode. # # @option options [Float] :retry_base_delay (0.3) # The base delay in seconds used by the default backoff function. This option # is only used in the `legacy` retry mode. # # @option options [Symbol] :retry_jitter (:none) # A delay randomiser function used by the default backoff function. # Some predefined functions can be referenced by name - :none, :equal, :full, # otherwise a Proc that takes and returns a number. This option is only used # in the `legacy` retry mode. # # @see https://www.awsarchitectureblog.com/2015/03/backoff.html # # @option options [Integer] :retry_limit (3) # The maximum number of times to retry failed requests. Only # ~ 500 level server errors and certain ~ 400 level client errors # are retried. Generally, these are throttling errors, data # checksum errors, networking errors, timeout errors, auth errors, # endpoint discovery, and errors from expired credentials. # This option is only used in the `legacy` retry mode. # # @option options [Integer] :retry_max_delay (0) # The maximum number of seconds to delay between retries (0 for no limit) # used by the default backoff function. This option is only used in the # `legacy` retry mode. # # @option options [String] :retry_mode ("legacy") # Specifies which retry algorithm to use. Values are: # # * `legacy` - The pre-existing retry behavior. This is default value if # no retry mode is provided. # # * `standard` - A standardized set of retry rules across the AWS SDKs. # This includes support for retry quotas, which limit the number of # unsuccessful retries a client can make. # # * `adaptive` - An experimental retry mode that includes all the # functionality of `standard` mode along with automatic client side # throttling. This is a provisional mode that may change behavior # in the future. # # # @option options [String] :secret_access_key # # @option options [String] :session_token # # @option options [Boolean] :simple_json (false) # Disables request parameter conversion, validation, and formatting. # Also disable response data type conversions. This option is useful # when you want to ensure the highest level of performance by # avoiding overhead of walking request parameters and response data # structures. # # When `:simple_json` is enabled, the request parameters hash must # be formatted exactly as the DynamoDB API expects. # # @option options [Boolean] :stub_responses (false) # Causes the client to return stubbed responses. By default # fake responses are generated and returned. You can specify # the response data to return or errors to raise by calling # {ClientStubs#stub_responses}. See {ClientStubs} for more information. # # ** Please note ** When response stubbing is enabled, no HTTP # requests are made, and retries are disabled. # # @option options [Boolean] :use_dualstack_endpoint # When set to `true`, dualstack enabled endpoints (with `.aws` TLD) # will be used if available. # # @option options [Boolean] :use_fips_endpoint # When set to `true`, fips compatible endpoints will be used if available. # When a `fips` region is used, the region is normalized and this config # is set to `true`. # # @option options [Boolean] :validate_params (true) # When `true`, request parameters are validated before # sending the request. # # @option options [URI::HTTP,String] :http_proxy A proxy to send # requests through. Formatted like 'http://proxy.com:123'. # # @option options [Float] :http_open_timeout (15) The number of # seconds to wait when opening a HTTP session before raising a # `Timeout::Error`. # # @option options [Float] :http_read_timeout (60) The default # number of seconds to wait for response data. This value can # safely be set per-request on the session. # # @option options [Float] :http_idle_timeout (5) The number of # seconds a connection is allowed to sit idle before it is # considered stale. Stale connections are closed and removed # from the pool before making a request. # # @option options [Float] :http_continue_timeout (1) The number of # seconds to wait for a 100-continue response before sending the # request body. This option has no effect unless the request has # "Expect" header set to "100-continue". Defaults to `nil` which # disables this behaviour. This value can safely be set per # request on the session. # # @option options [Float] :ssl_timeout (nil) Sets the SSL timeout # in seconds. # # @option options [Boolean] :http_wire_trace (false) When `true`, # HTTP debug output will be sent to the `:logger`. # # @option options [Boolean] :ssl_verify_peer (true) When `true`, # SSL peer certificates are verified when establishing a # connection. # # @option options [String] :ssl_ca_bundle Full path to the SSL # certificate authority bundle file that should be used when # verifying peer certificates. If you do not pass # `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default # will be used if available. # # @option options [String] :ssl_ca_directory Full path of the # directory that contains the unbundled SSL certificate # authority files for verifying peer certificates. If you do # not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the # system default will be used if available. # def initialize(*args) super end # @!group API Operations # Creates a root or subordinate private certificate authority (CA). You # must specify the CA configuration, an optional configuration for # Online Certificate Status Protocol (OCSP) and/or a certificate # revocation list (CRL), the CA type, and an optional idempotency token # to avoid accidental creation of multiple CAs. The CA configuration # specifies the name of the algorithm and key size to be used to create # the CA private key, the type of signing algorithm that the CA uses, # and X.500 subject information. The OCSP configuration can optionally # specify a custom URL for the OCSP responder. The CRL configuration # specifies the CRL expiration period in days (the validity period of # the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME # alias for the S3 bucket that is included in certificates issued by the # CA. If successful, this action returns the Amazon Resource Name (ARN) # of the CA. # # ACM Private CA assets that are stored in Amazon S3 can be protected # with encryption. For more information, see [Encrypting Your CRLs][1]. # # Both PCA and the IAM principal must have permission to write to the S3 # bucket that you specify. If the IAM principal making the call does not # have permission to write to the bucket, then an exception is thrown. # For more information, see [Configure Access to ACM Private CA][2]. # # # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#crl-encryption # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html # # @option params [required, Types::CertificateAuthorityConfiguration] :certificate_authority_configuration # Name and bit size of the private key algorithm, the name of the # signing algorithm, and X.500 certificate subject information. # # @option params [Types::RevocationConfiguration] :revocation_configuration # Contains information to enable Online Certificate Status Protocol # (OCSP) support, to enable a certificate revocation list (CRL), to # enable both, or to enable neither. The default is for both certificate # validation mechanisms to be disabled. For more information, see the # [OcspConfiguration][1] and [CrlConfiguration][2] types. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html # # @option params [required, String] :certificate_authority_type # The type of the certificate authority. # # @option params [String] :idempotency_token # Custom string that can be used to distinguish between calls to the # **CreateCertificateAuthority** action. Idempotency tokens for # **CreateCertificateAuthority** time out after five minutes. Therefore, # if you call **CreateCertificateAuthority** multiple times with the # same idempotency token within five minutes, ACM Private CA recognizes # that you are requesting only certificate authority and will issue only # one. If you change the idempotency token for each call, PCA recognizes # that you are requesting multiple certificate authorities. # # @option params [String] :key_storage_security_standard # Specifies a cryptographic key management compliance standard used for # handling CA keys. # # Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER # # Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region # ap-northeast-3. When creating a CA in the ap-northeast-3, you must # provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for # `KeyStorageSecurityStandard`. Failure to do this results in an # `InvalidArgsException` with the message, "A certificate authority # cannot be created in this region with the specified security # standard." # # @option params [Array] :tags # Key-value pairs that will be attached to the new private CA. You can # associate up to 50 tags with a private CA. For information using tags # with IAM to manage permissions, see [Controlling Access Using IAM # Tags][1]. # # # # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html # # @return [Types::CreateCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateCertificateAuthorityResponse#certificate_authority_arn #certificate_authority_arn} => String # # @example Request syntax with placeholder values # # resp = client.create_certificate_authority({ # certificate_authority_configuration: { # required # key_algorithm: "RSA_2048", # required, accepts RSA_2048, RSA_4096, EC_prime256v1, EC_secp384r1 # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA # subject: { # required # country: "CountryCodeString", # organization: "String64", # organizational_unit: "String64", # distinguished_name_qualifier: "ASN1PrintableString64", # state: "String128", # common_name: "String64", # serial_number: "ASN1PrintableString64", # locality: "String128", # title: "String64", # surname: "String40", # given_name: "String16", # initials: "String5", # pseudonym: "String128", # generation_qualifier: "String3", # }, # csr_extensions: { # key_usage: { # digital_signature: false, # non_repudiation: false, # key_encipherment: false, # data_encipherment: false, # key_agreement: false, # key_cert_sign: false, # crl_sign: false, # encipher_only: false, # decipher_only: false, # }, # subject_information_access: [ # { # access_method: { # required # custom_object_identifier: "CustomObjectIdentifier", # access_method_type: "CA_REPOSITORY", # accepts CA_REPOSITORY, RESOURCE_PKI_MANIFEST, RESOURCE_PKI_NOTIFY # }, # access_location: { # required # other_name: { # type_id: "CustomObjectIdentifier", # required # value: "String256", # required # }, # rfc_822_name: "String256", # dns_name: "String253", # directory_name: { # country: "CountryCodeString", # organization: "String64", # organizational_unit: "String64", # distinguished_name_qualifier: "ASN1PrintableString64", # state: "String128", # common_name: "String64", # serial_number: "ASN1PrintableString64", # locality: "String128", # title: "String64", # surname: "String40", # given_name: "String16", # initials: "String5", # pseudonym: "String128", # generation_qualifier: "String3", # }, # edi_party_name: { # party_name: "String256", # required # name_assigner: "String256", # }, # uniform_resource_identifier: "String253", # ip_address: "String39", # registered_id: "CustomObjectIdentifier", # }, # }, # ], # }, # }, # revocation_configuration: { # crl_configuration: { # enabled: false, # required # expiration_in_days: 1, # custom_cname: "String253", # s3_bucket_name: "String3To255", # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL # }, # ocsp_configuration: { # enabled: false, # required # ocsp_custom_cname: "String253", # }, # }, # certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE # idempotency_token: "IdempotencyToken", # key_storage_security_standard: "FIPS_140_2_LEVEL_2_OR_HIGHER", # accepts FIPS_140_2_LEVEL_2_OR_HIGHER, FIPS_140_2_LEVEL_3_OR_HIGHER # tags: [ # { # key: "TagKey", # required # value: "TagValue", # }, # ], # }) # # @example Response structure # # resp.certificate_authority_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthority AWS API Documentation # # @overload create_certificate_authority(params = {}) # @param [Hash] params ({}) def create_certificate_authority(params = {}, options = {}) req = build_request(:create_certificate_authority, params) req.send_request(options) end # Creates an audit report that lists every time that your CA private key # is used. The report is saved in the Amazon S3 bucket that you specify # on input. The [IssueCertificate][1] and [RevokeCertificate][2] actions # use the private key. # # Both PCA and the IAM principal must have permission to write to the S3 # bucket that you specify. If the IAM principal making the call does not # have permission to write to the bucket, then an exception is thrown. # For more information, see [Configure Access to ACM Private CA][3]. # # # # ACM Private CA assets that are stored in Amazon S3 can be protected # with encryption. For more information, see [Encrypting Your Audit # Reports][4]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuditReport.html#audit-report-encryption # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) of the CA to be audited. This is of the # form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # @option params [required, String] :s3_bucket_name # The name of the S3 bucket that will contain the audit report. # # @option params [required, String] :audit_report_response_format # The format in which to create the report. This can be either **JSON** # or **CSV**. # # @return [Types::CreateCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateCertificateAuthorityAuditReportResponse#audit_report_id #audit_report_id} => String # * {Types::CreateCertificateAuthorityAuditReportResponse#s3_key #s3_key} => String # # @example Request syntax with placeholder values # # resp = client.create_certificate_authority_audit_report({ # certificate_authority_arn: "Arn", # required # s3_bucket_name: "S3BucketName", # required # audit_report_response_format: "JSON", # required, accepts JSON, CSV # }) # # @example Response structure # # resp.audit_report_id #=> String # resp.s3_key #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreateCertificateAuthorityAuditReport AWS API Documentation # # @overload create_certificate_authority_audit_report(params = {}) # @param [Hash] params ({}) def create_certificate_authority_audit_report(params = {}, options = {}) req = build_request(:create_certificate_authority_audit_report, params) req.send_request(options) end # Grants one or more permissions on a private CA to the AWS Certificate # Manager (ACM) service principal (`acm.amazonaws.com`). These # permissions allow ACM to issue and renew ACM certificates that reside # in the same AWS account as the CA. # # You can list current permissions with the [ListPermissions][1] action # and revoke them with the [DeletePermission][2] action. # # **About Permissions** # # * If the private CA and the certificates it issues reside in the same # account, you can use `CreatePermission` to grant permissions for ACM # to carry out automatic certificate renewals. # # * For automatic certificate renewal to succeed, the ACM service # principal needs permissions to create, retrieve, and list # certificates. # # * If the private CA and the ACM certificates reside in different # accounts, then permissions cannot be used to enable automatic # renewals. Instead, the ACM certificate owner must set up a # resource-based policy to enable cross-account issuance and renewals. # For more information, see [Using a Resource Based Policy with ACM # Private CA][3]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) of the CA that grants the permissions. # You can find the ARN by calling the [ListCertificateAuthorities][1] # action. This must have the following form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # # @option params [required, String] :principal # The AWS service or identity that receives the permission. At this # time, the only valid principal is `acm.amazonaws.com`. # # @option params [String] :source_account # The ID of the calling account. # # @option params [required, Array] :actions # The actions that the specified AWS service principal can use. These # include `IssueCertificate`, `GetCertificate`, and `ListPermissions`. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.create_permission({ # certificate_authority_arn: "Arn", # required # principal: "Principal", # required # source_account: "AccountId", # actions: ["IssueCertificate"], # required, accepts IssueCertificate, GetCertificate, ListPermissions # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CreatePermission AWS API Documentation # # @overload create_permission(params = {}) # @param [Hash] params ({}) def create_permission(params = {}, options = {}) req = build_request(:create_permission, params) req.send_request(options) end # Deletes a private certificate authority (CA). You must provide the # Amazon Resource Name (ARN) of the private CA that you want to delete. # You can find the ARN by calling the [ListCertificateAuthorities][1] # action. # # Deleting a CA will invalidate other CAs and certificates below it in # your CA hierarchy. # # # # Before you can delete a CA that you have created and activated, you # must disable it. To do this, call the [UpdateCertificateAuthority][2] # action and set the **CertificateAuthorityStatus** parameter to # `DISABLED`. # # Additionally, you can delete a CA if you are waiting for it to be # created (that is, the status of the CA is `CREATING`). You can also # delete it if the CA has been created but you haven't yet imported the # signed certificate into ACM Private CA (that is, the status of the CA # is `PENDING_CERTIFICATE`). # # When you successfully call [DeleteCertificateAuthority][3], the CA's # status changes to `DELETED`. However, the CA won't be permanently # deleted until the restoration period has passed. By default, if you do # not set the `PermanentDeletionTimeInDays` parameter, the CA remains # restorable for 30 days. You can set the parameter from 7 to 30 days. # The [DescribeCertificateAuthority][4] action returns the time # remaining in the restoration window of a private CA in the `DELETED` # state. To restore an eligible CA, call the # [RestoreCertificateAuthority][5] action. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RestoreCertificateAuthority.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must have the following form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [Integer] :permanent_deletion_time_in_days # The number of days to make a CA restorable after it has been deleted. # This can be anywhere from 7 to 30 days, with 30 being the default. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.delete_certificate_authority({ # certificate_authority_arn: "Arn", # required # permanent_deletion_time_in_days: 1, # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeleteCertificateAuthority AWS API Documentation # # @overload delete_certificate_authority(params = {}) # @param [Hash] params ({}) def delete_certificate_authority(params = {}, options = {}) req = build_request(:delete_certificate_authority, params) req.send_request(options) end # Revokes permissions on a private CA granted to the AWS Certificate # Manager (ACM) service principal (acm.amazonaws.com). # # These permissions allow ACM to issue and renew ACM certificates that # reside in the same AWS account as the CA. If you revoke these # permissions, ACM will no longer renew the affected certificates # automatically. # # Permissions can be granted with the [CreatePermission][1] action and # listed with the [ListPermissions][2] action. # # **About Permissions** # # * If the private CA and the certificates it issues reside in the same # account, you can use `CreatePermission` to grant permissions for ACM # to carry out automatic certificate renewals. # # * For automatic certificate renewal to succeed, the ACM service # principal needs permissions to create, retrieve, and list # certificates. # # * If the private CA and the ACM certificates reside in different # accounts, then permissions cannot be used to enable automatic # renewals. Instead, the ACM certificate owner must set up a # resource-based policy to enable cross-account issuance and renewals. # For more information, see [Using a Resource Based Policy with ACM # Private CA][3]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListPermissions.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Number (ARN) of the private CA that issued the # permissions. You can find the CA's ARN by calling the # [ListCertificateAuthorities][1] action. This must have the following # form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # # @option params [required, String] :principal # The AWS service or identity that will have its CA permissions revoked. # At this time, the only valid service principal is `acm.amazonaws.com` # # @option params [String] :source_account # The AWS account that calls this action. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.delete_permission({ # certificate_authority_arn: "Arn", # required # principal: "Principal", # required # source_account: "AccountId", # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePermission AWS API Documentation # # @overload delete_permission(params = {}) # @param [Hash] params ({}) def delete_permission(params = {}, options = {}) req = build_request(:delete_permission, params) req.send_request(options) end # Deletes the resource-based policy attached to a private CA. Deletion # will remove any access that the policy has granted. If there is no # policy attached to the private CA, this action will return successful. # # If you delete a policy that was applied through AWS Resource Access # Manager (RAM), the CA will be removed from all shares in which it was # included. # # The AWS Certificate Manager Service Linked Role that the policy # supports is not affected when you delete the policy. # # The current policy can be shown with [GetPolicy][1] and updated with # [PutPolicy][2]. # # **About Policies** # # * A policy grants access on a private CA to an AWS customer account, # to AWS Organizations, or to an AWS Organizations unit. Policies are # under the control of a CA administrator. For more information, see # [Using a Resource Based Policy with ACM Private CA][3]. # # * A policy permits a user of AWS Certificate Manager (ACM) to issue # ACM certificates signed by a CA in another account. # # * For ACM to manage automatic renewal of these certificates, the ACM # user must configure a Service Linked Role (SLR). The SLR allows the # ACM service to assume the identity of the user, subject to # confirmation against the ACM Private CA policy. For more # information, see [Using a Service Linked Role with ACM][4]. # # * Updates made in AWS Resource Manager (RAM) are reflected in # policies. For more information, see [Attach a Policy for # Cross-Account Access][5]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html # # @option params [required, String] :resource_arn # The Amazon Resource Number (ARN) of the private CA that will have its # policy deleted. You can find the CA's ARN by calling the # [ListCertificateAuthorities][1] action. The ARN value must have the # form # `arn:aws:acm-pca:region:account:certificate-authority/01234567-89ab-cdef-0123-0123456789ab`. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.delete_policy({ # resource_arn: "Arn", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DeletePolicy AWS API Documentation # # @overload delete_policy(params = {}) # @param [Hash] params ({}) def delete_policy(params = {}, options = {}) req = build_request(:delete_policy, params) req.send_request(options) end # Lists information about your private certificate authority (CA) or one # that has been shared with you. You specify the private CA on input by # its ARN (Amazon Resource Name). The output contains the status of your # CA. This can be any of the following: # # * `CREATING` - ACM Private CA is creating your private certificate # authority. # # * `PENDING_CERTIFICATE` - The certificate is pending. You must use # your ACM Private CA-hosted or on-premises root or subordinate CA to # sign your private CA CSR and then import it into PCA. # # * `ACTIVE` - Your private CA is active. # # * `DISABLED` - Your private CA has been disabled. # # * `EXPIRED` - Your private CA certificate has expired. # # * `FAILED` - Your private CA has failed. Your CA can fail because of # problems such a network outage or back-end AWS failure or other # errors. A failed CA can never return to the pending state. You must # create a new CA. # # * `DELETED` - Your private CA is within the restoration period, after # which it is permanently deleted. The length of time remaining in the # CA's restoration period is also included in this action's output. # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @return [Types::DescribeCertificateAuthorityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeCertificateAuthorityResponse#certificate_authority #certificate_authority} => Types::CertificateAuthority # # @example Request syntax with placeholder values # # resp = client.describe_certificate_authority({ # certificate_authority_arn: "Arn", # required # }) # # @example Response structure # # resp.certificate_authority.arn #=> String # resp.certificate_authority.owner_account #=> String # resp.certificate_authority.created_at #=> Time # resp.certificate_authority.last_state_change_at #=> Time # resp.certificate_authority.type #=> String, one of "ROOT", "SUBORDINATE" # resp.certificate_authority.serial #=> String # resp.certificate_authority.status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED" # resp.certificate_authority.not_before #=> Time # resp.certificate_authority.not_after #=> Time # resp.certificate_authority.failure_reason #=> String, one of "REQUEST_TIMED_OUT", "UNSUPPORTED_ALGORITHM", "OTHER" # resp.certificate_authority.certificate_authority_configuration.key_algorithm #=> String, one of "RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1" # resp.certificate_authority.certificate_authority_configuration.signing_algorithm #=> String, one of "SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA", "SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA" # resp.certificate_authority.certificate_authority_configuration.subject.country #=> String # resp.certificate_authority.certificate_authority_configuration.subject.organization #=> String # resp.certificate_authority.certificate_authority_configuration.subject.organizational_unit #=> String # resp.certificate_authority.certificate_authority_configuration.subject.distinguished_name_qualifier #=> String # resp.certificate_authority.certificate_authority_configuration.subject.state #=> String # resp.certificate_authority.certificate_authority_configuration.subject.common_name #=> String # resp.certificate_authority.certificate_authority_configuration.subject.serial_number #=> String # resp.certificate_authority.certificate_authority_configuration.subject.locality #=> String # resp.certificate_authority.certificate_authority_configuration.subject.title #=> String # resp.certificate_authority.certificate_authority_configuration.subject.surname #=> String # resp.certificate_authority.certificate_authority_configuration.subject.given_name #=> String # resp.certificate_authority.certificate_authority_configuration.subject.initials #=> String # resp.certificate_authority.certificate_authority_configuration.subject.pseudonym #=> String # resp.certificate_authority.certificate_authority_configuration.subject.generation_qualifier #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access #=> Array # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY" # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String # resp.certificate_authority.certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String # resp.certificate_authority.revocation_configuration.crl_configuration.enabled #=> Boolean # resp.certificate_authority.revocation_configuration.crl_configuration.expiration_in_days #=> Integer # resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String # resp.certificate_authority.revocation_configuration.crl_configuration.s3_bucket_name #=> String # resp.certificate_authority.revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL" # resp.certificate_authority.revocation_configuration.ocsp_configuration.enabled #=> Boolean # resp.certificate_authority.revocation_configuration.ocsp_configuration.ocsp_custom_cname #=> String # resp.certificate_authority.restorable_until #=> Time # resp.certificate_authority.key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER" # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthority AWS API Documentation # # @overload describe_certificate_authority(params = {}) # @param [Hash] params ({}) def describe_certificate_authority(params = {}, options = {}) req = build_request(:describe_certificate_authority, params) req.send_request(options) end # Lists information about a specific audit report created by calling the # [CreateCertificateAuthorityAuditReport][1] action. Audit information # is created every time the certificate authority (CA) private key is # used. The private key is used when you call the [IssueCertificate][2] # action or the [RevokeCertificate][3] action. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) of the private CA. This must be of the # form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # @option params [required, String] :audit_report_id # The report ID returned by calling the # [CreateCertificateAuthorityAuditReport][1] action. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html # # @return [Types::DescribeCertificateAuthorityAuditReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeCertificateAuthorityAuditReportResponse#audit_report_status #audit_report_status} => String # * {Types::DescribeCertificateAuthorityAuditReportResponse#s3_bucket_name #s3_bucket_name} => String # * {Types::DescribeCertificateAuthorityAuditReportResponse#s3_key #s3_key} => String # * {Types::DescribeCertificateAuthorityAuditReportResponse#created_at #created_at} => Time # # @example Request syntax with placeholder values # # resp = client.describe_certificate_authority_audit_report({ # certificate_authority_arn: "Arn", # required # audit_report_id: "AuditReportId", # required # }) # # @example Response structure # # resp.audit_report_status #=> String, one of "CREATING", "SUCCESS", "FAILED" # resp.s3_bucket_name #=> String # resp.s3_key #=> String # resp.created_at #=> Time # # # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage): # # * audit_report_created # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/DescribeCertificateAuthorityAuditReport AWS API Documentation # # @overload describe_certificate_authority_audit_report(params = {}) # @param [Hash] params ({}) def describe_certificate_authority_audit_report(params = {}, options = {}) req = build_request(:describe_certificate_authority_audit_report, params) req.send_request(options) end # Retrieves a certificate from your private CA or one that has been # shared with you. The ARN of the certificate is returned when you call # the [IssueCertificate][1] action. You must specify both the ARN of # your private CA and the ARN of the issued certificate when calling the # **GetCertificate** action. You can retrieve the certificate if it is # in the **ISSUED** state. You can call the # [CreateCertificateAuthorityAuditReport][2] action to create a report # that contains information about all of the certificates issued and # revoked by your private CA. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_IssueCertificate.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [required, String] :certificate_arn # The ARN of the issued certificate. The ARN contains the certificate # serial number and must be in the following form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245 # ` # # @return [Types::GetCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetCertificateResponse#certificate #certificate} => String # * {Types::GetCertificateResponse#certificate_chain #certificate_chain} => String # # @example Request syntax with placeholder values # # resp = client.get_certificate({ # certificate_authority_arn: "Arn", # required # certificate_arn: "Arn", # required # }) # # @example Response structure # # resp.certificate #=> String # resp.certificate_chain #=> String # # # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage): # # * certificate_issued # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificate AWS API Documentation # # @overload get_certificate(params = {}) # @param [Hash] params ({}) def get_certificate(params = {}, options = {}) req = build_request(:get_certificate, params) req.send_request(options) end # Retrieves the certificate and certificate chain for your private # certificate authority (CA) or one that has been shared with you. Both # the certificate and the chain are base64 PEM-encoded. The chain does # not include the CA certificate. Each certificate in the chain signs # the one before it. # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) of your private CA. This is of the # form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # `. # # @return [Types::GetCertificateAuthorityCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetCertificateAuthorityCertificateResponse#certificate #certificate} => String # * {Types::GetCertificateAuthorityCertificateResponse#certificate_chain #certificate_chain} => String # # @example Request syntax with placeholder values # # resp = client.get_certificate_authority_certificate({ # certificate_authority_arn: "Arn", # required # }) # # @example Response structure # # resp.certificate #=> String # resp.certificate_chain #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCertificate AWS API Documentation # # @overload get_certificate_authority_certificate(params = {}) # @param [Hash] params ({}) def get_certificate_authority_certificate(params = {}, options = {}) req = build_request(:get_certificate_authority_certificate, params) req.send_request(options) end # Retrieves the certificate signing request (CSR) for your private # certificate authority (CA). The CSR is created when you call the # [CreateCertificateAuthority][1] action. Sign the CSR with your ACM # Private CA-hosted or on-premises root or subordinate CA. Then import # the signed certificate back into ACM Private CA by calling the # [ImportCertificateAuthorityCertificate][2] action. The CSR is returned # as a base64 PEM-encoded string. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called the # [CreateCertificateAuthority][1] action. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @return [Types::GetCertificateAuthorityCsrResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetCertificateAuthorityCsrResponse#csr #csr} => String # # @example Request syntax with placeholder values # # resp = client.get_certificate_authority_csr({ # certificate_authority_arn: "Arn", # required # }) # # @example Response structure # # resp.csr #=> String # # # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage): # # * certificate_authority_csr_created # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetCertificateAuthorityCsr AWS API Documentation # # @overload get_certificate_authority_csr(params = {}) # @param [Hash] params ({}) def get_certificate_authority_csr(params = {}, options = {}) req = build_request(:get_certificate_authority_csr, params) req.send_request(options) end # Retrieves the resource-based policy attached to a private CA. If # either the private CA resource or the policy cannot be found, this # action returns a `ResourceNotFoundException`. # # The policy can be attached or updated with [PutPolicy][1] and removed # with [DeletePolicy][2]. # # **About Policies** # # * A policy grants access on a private CA to an AWS customer account, # to AWS Organizations, or to an AWS Organizations unit. Policies are # under the control of a CA administrator. For more information, see # [Using a Resource Based Policy with ACM Private CA][3]. # # * A policy permits a user of AWS Certificate Manager (ACM) to issue # ACM certificates signed by a CA in another account. # # * For ACM to manage automatic renewal of these certificates, the ACM # user must configure a Service Linked Role (SLR). The SLR allows the # ACM service to assume the identity of the user, subject to # confirmation against the ACM Private CA policy. For more # information, see [Using a Service Linked Role with ACM][4]. # # * Updates made in AWS Resource Manager (RAM) are reflected in # policies. For more information, see [Attach a Policy for # Cross-Account Access][5]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # [4]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html # [5]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html # # @option params [required, String] :resource_arn # The Amazon Resource Number (ARN) of the private CA that will have its # policy retrieved. You can find the CA's ARN by calling the # ListCertificateAuthorities action. # # @return [Types::GetPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::GetPolicyResponse#policy #policy} => String # # @example Request syntax with placeholder values # # resp = client.get_policy({ # resource_arn: "Arn", # required # }) # # @example Response structure # # resp.policy #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/GetPolicy AWS API Documentation # # @overload get_policy(params = {}) # @param [Hash] params ({}) def get_policy(params = {}, options = {}) req = build_request(:get_policy, params) req.send_request(options) end # Imports a signed private CA certificate into ACM Private CA. This # action is used when you are using a chain of trust whose root is # located outside ACM Private CA. Before you can call this action, the # following preparations must in place: # # 1. In ACM Private CA, call the [CreateCertificateAuthority][1] action # to create the private CA that you plan to back with the imported # certificate. # # 2. Call the [GetCertificateAuthorityCsr][2] action to generate a # certificate signing request (CSR). # # 3. Sign the CSR using a root or intermediate CA hosted by either an # on-premises PKI hierarchy or by a commercial CA. # # 4. Create a certificate chain and copy the signed certificate and the # certificate chain to your working directory. # # ACM Private CA supports three scenarios for installing a CA # certificate: # # * Installing a certificate for a root CA hosted by ACM Private CA. # # * Installing a subordinate CA certificate whose parent authority is # hosted by ACM Private CA. # # * Installing a subordinate CA certificate whose parent authority is # externally hosted. # # The following additional requirements apply when you import a CA # certificate. # # * Only a self-signed certificate can be imported as a root CA. # # * A self-signed certificate cannot be imported as a subordinate CA. # # * Your certificate chain must not include the private CA certificate # that you are importing. # # * Your root CA must be the last certificate in your chain. The # subordinate certificate, if any, that your root CA signed must be # next to last. The subordinate certificate signed by the preceding # subordinate CA must come next, and so on until your chain is built. # # * The chain must be PEM-encoded. # # * The maximum allowed size of a certificate is 32 KB. # # * The maximum allowed size of a certificate chain is 2 MB. # # *Enforcement of Critical Constraints* # # ACM Private CA allows the following extensions to be marked critical # in the imported CA certificate or chain. # # * Basic constraints (*must* be marked critical) # # * Subject alternative names # # * Key usage # # * Extended key usage # # * Authority key identifier # # * Subject key identifier # # * Issuer alternative name # # * Subject directory attributes # # * Subject information access # # * Certificate policies # # * Policy mappings # # * Inhibit anyPolicy # # ACM Private CA rejects the following extensions when they are marked # critical in an imported CA certificate or chain. # # * Name constraints # # * Policy constraints # # * CRL distribution points # # * Authority information access # # * Freshest CRL # # * Any other extension # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificateAuthorityCsr.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [required, String, StringIO, File] :certificate # The PEM-encoded certificate for a private CA. This may be a # self-signed certificate in the case of a root CA, or it may be signed # by another CA that you control. # # @option params [String, StringIO, File] :certificate_chain # A PEM-encoded file that contains all of your certificates, other than # the certificate you're importing, chaining up to your root CA. Your # ACM Private CA-hosted or on-premises root certificate is the last in # the chain, and each certificate in the chain signs the one preceding. # # This parameter must be supplied when you import a subordinate CA. When # you import a root CA, there is no chain. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.import_certificate_authority_certificate({ # certificate_authority_arn: "Arn", # required # certificate: "data", # required # certificate_chain: "data", # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ImportCertificateAuthorityCertificate AWS API Documentation # # @overload import_certificate_authority_certificate(params = {}) # @param [Hash] params ({}) def import_certificate_authority_certificate(params = {}, options = {}) req = build_request(:import_certificate_authority_certificate, params) req.send_request(options) end # Uses your private certificate authority (CA), or one that has been # shared with you, to issue a client certificate. This action returns # the Amazon Resource Name (ARN) of the certificate. You can retrieve # the certificate by calling the [GetCertificate][1] action and # specifying the ARN. # # You cannot use the ACM **ListCertificateAuthorities** action to # retrieve the ARNs of the certificates that you issue by using ACM # Private CA. # # # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html # # @option params [Types::ApiPassthrough] :api_passthrough # Specifies X.509 certificate information to be included in the issued # certificate. An `APIPassthrough` or `APICSRPassthrough` template # variant must be selected, or else this parameter is ignored. For more # information about using these templates, see [Understanding # Certificate Templates][1]. # # If conflicting or duplicate certificate information is supplied during # certificate issuance, ACM Private CA applies [order of operation # rules][2] to determine what information is used. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html#template-order-of-operations # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [required, String, StringIO, File] :csr # The certificate signing request (CSR) for the certificate you want to # issue. As an example, you can use the following OpenSSL command to # create the CSR and a 2048 bit RSA private key. # # `openssl req -new -newkey rsa:2048 -days 365 -keyout # private/test_cert_priv_key.pem -out csr/test_cert_.csr` # # If you have a configuration file, you can then use the following # OpenSSL command. The `usr_cert` block in the configuration file # contains your X509 version 3 extensions. # # `openssl req -new -config openssl_rsa.cnf -extensions usr_cert -newkey # rsa:2048 -days -365 -keyout private/test_cert_priv_key.pem -out # csr/test_cert_.csr` # # Note: A CSR must provide either a *subject name* or a *subject # alternative name* or the request will be rejected. # # @option params [required, String] :signing_algorithm # The name of the algorithm that will be used to sign the certificate to # be issued. # # This parameter should not be confused with the `SigningAlgorithm` # parameter used to sign a CSR in the `CreateCertificateAuthority` # action. # # @option params [String] :template_arn # Specifies a custom configuration template to use when issuing a # certificate. If this parameter is not provided, ACM Private CA # defaults to the `EndEntityCertificate/V1` template. For CA # certificates, you should choose the shortest path length that meets # your needs. The path length is indicated by the PathLen*N* portion of # the ARN, where *N* is the [CA depth][1]. # # Note: The CA depth configured on a subordinate CA certificate must not # exceed the limit set by its parents in the CA hierarchy. # # For a list of `TemplateArn` values supported by ACM Private CA, see # [Understanding Certificate Templates][2]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaTerms.html#terms-cadepth # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html # # @option params [required, Types::Validity] :validity # Information describing the end of the validity period of the # certificate. This parameter sets the “Not After” date for the # certificate. # # Certificate validity is the period of time during which a certificate # is valid. Validity can be expressed as an explicit date and time when # the certificate expires, or as a span of time after issuance, stated # in days, months, or years. For more information, see [Validity][1] in # RFC 5280. # # This value is unaffected when `ValidityNotBefore` is also specified. # For example, if `Validity` is set to 20 days in the future, the # certificate will expire 20 days from issuance time regardless of the # `ValidityNotBefore` value. # # The end of the validity period configured on a certificate must not # exceed the limit set on its parents in the CA hierarchy. # # # # [1]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5 # # @option params [Types::Validity] :validity_not_before # Information describing the start of the validity period of the # certificate. This parameter sets the “Not Before" date for the # certificate. # # By default, when issuing a certificate, ACM Private CA sets the "Not # Before" date to the issuance time minus 60 minutes. This compensates # for clock inconsistencies across computer systems. The # `ValidityNotBefore` parameter can be used to customize the “Not # Before” value. # # Unlike the `Validity` parameter, the `ValidityNotBefore` parameter is # optional. # # The `ValidityNotBefore` value is expressed as an explicit date and # time, using the `Validity` type value `ABSOLUTE`. For more # information, see [Validity][1] in this API reference and [Validity][2] # in RFC 5280. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_Validity.html # [2]: https://tools.ietf.org/html/rfc5280#section-4.1.2.5 # # @option params [String] :idempotency_token # Alphanumeric string that can be used to distinguish between calls to # the **IssueCertificate** action. Idempotency tokens for # **IssueCertificate** time out after one minute. Therefore, if you call # **IssueCertificate** multiple times with the same idempotency token # within one minute, ACM Private CA recognizes that you are requesting # only one certificate and will issue only one. If you change the # idempotency token for each call, PCA recognizes that you are # requesting multiple certificates. # # @return [Types::IssueCertificateResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::IssueCertificateResponse#certificate_arn #certificate_arn} => String # # @example Request syntax with placeholder values # # resp = client.issue_certificate({ # api_passthrough: { # extensions: { # certificate_policies: [ # { # cert_policy_id: "CustomObjectIdentifier", # required # policy_qualifiers: [ # { # policy_qualifier_id: "CPS", # required, accepts CPS # qualifier: { # required # cps_uri: "String256", # required # }, # }, # ], # }, # ], # extended_key_usage: [ # { # extended_key_usage_type: "SERVER_AUTH", # accepts SERVER_AUTH, CLIENT_AUTH, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, SMART_CARD_LOGIN, DOCUMENT_SIGNING, CERTIFICATE_TRANSPARENCY # extended_key_usage_object_identifier: "CustomObjectIdentifier", # }, # ], # key_usage: { # digital_signature: false, # non_repudiation: false, # key_encipherment: false, # data_encipherment: false, # key_agreement: false, # key_cert_sign: false, # crl_sign: false, # encipher_only: false, # decipher_only: false, # }, # subject_alternative_names: [ # { # other_name: { # type_id: "CustomObjectIdentifier", # required # value: "String256", # required # }, # rfc_822_name: "String256", # dns_name: "String253", # directory_name: { # country: "CountryCodeString", # organization: "String64", # organizational_unit: "String64", # distinguished_name_qualifier: "ASN1PrintableString64", # state: "String128", # common_name: "String64", # serial_number: "ASN1PrintableString64", # locality: "String128", # title: "String64", # surname: "String40", # given_name: "String16", # initials: "String5", # pseudonym: "String128", # generation_qualifier: "String3", # }, # edi_party_name: { # party_name: "String256", # required # name_assigner: "String256", # }, # uniform_resource_identifier: "String253", # ip_address: "String39", # registered_id: "CustomObjectIdentifier", # }, # ], # }, # subject: { # country: "CountryCodeString", # organization: "String64", # organizational_unit: "String64", # distinguished_name_qualifier: "ASN1PrintableString64", # state: "String128", # common_name: "String64", # serial_number: "ASN1PrintableString64", # locality: "String128", # title: "String64", # surname: "String40", # given_name: "String16", # initials: "String5", # pseudonym: "String128", # generation_qualifier: "String3", # }, # }, # certificate_authority_arn: "Arn", # required # csr: "data", # required # signing_algorithm: "SHA256WITHECDSA", # required, accepts SHA256WITHECDSA, SHA384WITHECDSA, SHA512WITHECDSA, SHA256WITHRSA, SHA384WITHRSA, SHA512WITHRSA # template_arn: "Arn", # validity: { # required # value: 1, # required # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS # }, # validity_not_before: { # value: 1, # required # type: "END_DATE", # required, accepts END_DATE, ABSOLUTE, DAYS, MONTHS, YEARS # }, # idempotency_token: "IdempotencyToken", # }) # # @example Response structure # # resp.certificate_arn #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/IssueCertificate AWS API Documentation # # @overload issue_certificate(params = {}) # @param [Hash] params ({}) def issue_certificate(params = {}, options = {}) req = build_request(:issue_certificate, params) req.send_request(options) end # Lists the private certificate authorities that you created by using # the [CreateCertificateAuthority][1] action. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [String] :next_token # Use this parameter when paginating results in a subsequent request # after you receive a response with truncated results. Set it to the # value of the `NextToken` parameter from the response you just # received. # # @option params [Integer] :max_results # Use this parameter when paginating results to specify the maximum # number of items to return in the response on each page. If additional # items exist beyond the number you specify, the `NextToken` element is # sent in the response. Use this `NextToken` value in a subsequent # request to retrieve additional items. # # @option params [String] :resource_owner # Use this parameter to filter the returned set of certificate # authorities based on their owner. The default is SELF. # # @return [Types::ListCertificateAuthoritiesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListCertificateAuthoritiesResponse#certificate_authorities #certificate_authorities} => Array<Types::CertificateAuthority> # * {Types::ListCertificateAuthoritiesResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_certificate_authorities({ # next_token: "NextToken", # max_results: 1, # resource_owner: "SELF", # accepts SELF, OTHER_ACCOUNTS # }) # # @example Response structure # # resp.certificate_authorities #=> Array # resp.certificate_authorities[0].arn #=> String # resp.certificate_authorities[0].owner_account #=> String # resp.certificate_authorities[0].created_at #=> Time # resp.certificate_authorities[0].last_state_change_at #=> Time # resp.certificate_authorities[0].type #=> String, one of "ROOT", "SUBORDINATE" # resp.certificate_authorities[0].serial #=> String # resp.certificate_authorities[0].status #=> String, one of "CREATING", "PENDING_CERTIFICATE", "ACTIVE", "DELETED", "DISABLED", "EXPIRED", "FAILED" # resp.certificate_authorities[0].not_before #=> Time # resp.certificate_authorities[0].not_after #=> Time # resp.certificate_authorities[0].failure_reason #=> String, one of "REQUEST_TIMED_OUT", "UNSUPPORTED_ALGORITHM", "OTHER" # resp.certificate_authorities[0].certificate_authority_configuration.key_algorithm #=> String, one of "RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1" # resp.certificate_authorities[0].certificate_authority_configuration.signing_algorithm #=> String, one of "SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA", "SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA" # resp.certificate_authorities[0].certificate_authority_configuration.subject.country #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.organization #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.organizational_unit #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.distinguished_name_qualifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.state #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.common_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.serial_number #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.locality #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.title #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.surname #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.given_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.initials #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.pseudonym #=> String # resp.certificate_authorities[0].certificate_authority_configuration.subject.generation_qualifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.digital_signature #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.non_repudiation #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_encipherment #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.data_encipherment #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_agreement #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.key_cert_sign #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.crl_sign #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.encipher_only #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.key_usage.decipher_only #=> Boolean # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access #=> Array # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.custom_object_identifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_method.access_method_type #=> String, one of "CA_REPOSITORY", "RESOURCE_PKI_MANIFEST", "RESOURCE_PKI_NOTIFY" # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.type_id #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.other_name.value #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.rfc_822_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.dns_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.country #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organization #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.organizational_unit #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.distinguished_name_qualifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.state #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.common_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.serial_number #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.locality #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.title #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.surname #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.given_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.initials #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.pseudonym #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.directory_name.generation_qualifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.party_name #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.edi_party_name.name_assigner #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.uniform_resource_identifier #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.ip_address #=> String # resp.certificate_authorities[0].certificate_authority_configuration.csr_extensions.subject_information_access[0].access_location.registered_id #=> String # resp.certificate_authorities[0].revocation_configuration.crl_configuration.enabled #=> Boolean # resp.certificate_authorities[0].revocation_configuration.crl_configuration.expiration_in_days #=> Integer # resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String # resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_bucket_name #=> String # resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL" # resp.certificate_authorities[0].revocation_configuration.ocsp_configuration.enabled #=> Boolean # resp.certificate_authorities[0].revocation_configuration.ocsp_configuration.ocsp_custom_cname #=> String # resp.certificate_authorities[0].restorable_until #=> Time # resp.certificate_authorities[0].key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListCertificateAuthorities AWS API Documentation # # @overload list_certificate_authorities(params = {}) # @param [Hash] params ({}) def list_certificate_authorities(params = {}, options = {}) req = build_request(:list_certificate_authorities, params) req.send_request(options) end # List all permissions on a private CA, if any, granted to the AWS # Certificate Manager (ACM) service principal (acm.amazonaws.com). # # These permissions allow ACM to issue and renew ACM certificates that # reside in the same AWS account as the CA. # # Permissions can be granted with the [CreatePermission][1] action and # revoked with the [DeletePermission][2] action. # # **About Permissions** # # * If the private CA and the certificates it issues reside in the same # account, you can use `CreatePermission` to grant permissions for ACM # to carry out automatic certificate renewals. # # * For automatic certificate renewal to succeed, the ACM service # principal needs permissions to create, retrieve, and list # certificates. # # * If the private CA and the ACM certificates reside in different # accounts, then permissions cannot be used to enable automatic # renewals. Instead, the ACM certificate owner must set up a # resource-based policy to enable cross-account issuance and renewals. # For more information, see [Using a Resource Based Policy with ACM # Private CA][3]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreatePermission.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePermission.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Number (ARN) of the private CA to inspect. You can # find the ARN by calling the [ListCertificateAuthorities][1] action. # This must be of the form: # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012` # You can get a private CA's ARN by running the # [ListCertificateAuthorities][1] action. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # # @option params [String] :next_token # When paginating results, use this parameter in a subsequent request # after you receive a response with truncated results. Set it to the # value of **NextToken** from the response you just received. # # @option params [Integer] :max_results # When paginating results, use this parameter to specify the maximum # number of items to return in the response. If additional items exist # beyond the number you specify, the **NextToken** element is sent in # the response. Use this **NextToken** value in a subsequent request to # retrieve additional items. # # @return [Types::ListPermissionsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListPermissionsResponse#permissions #permissions} => Array<Types::Permission> # * {Types::ListPermissionsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_permissions({ # certificate_authority_arn: "Arn", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.permissions #=> Array # resp.permissions[0].certificate_authority_arn #=> String # resp.permissions[0].created_at #=> Time # resp.permissions[0].principal #=> String # resp.permissions[0].source_account #=> String # resp.permissions[0].actions #=> Array # resp.permissions[0].actions[0] #=> String, one of "IssueCertificate", "GetCertificate", "ListPermissions" # resp.permissions[0].policy #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListPermissions AWS API Documentation # # @overload list_permissions(params = {}) # @param [Hash] params ({}) def list_permissions(params = {}, options = {}) req = build_request(:list_permissions, params) req.send_request(options) end # Lists the tags, if any, that are associated with your private CA or # one that has been shared with you. Tags are labels that you can use to # identify and organize your CAs. Each tag consists of a key and an # optional value. Call the [TagCertificateAuthority][1] action to add # one or more tags to your CA. Call the [UntagCertificateAuthority][2] # action to remove tags. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called the # [CreateCertificateAuthority][1] action. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [String] :next_token # Use this parameter when paginating results in a subsequent request # after you receive a response with truncated results. Set it to the # value of **NextToken** from the response you just received. # # @option params [Integer] :max_results # Use this parameter when paginating results to specify the maximum # number of items to return in the response. If additional items exist # beyond the number you specify, the **NextToken** element is sent in # the response. Use this **NextToken** value in a subsequent request to # retrieve additional items. # # @return [Types::ListTagsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListTagsResponse#tags #tags} => Array<Types::Tag> # * {Types::ListTagsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_tags({ # certificate_authority_arn: "Arn", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.tags #=> Array # resp.tags[0].key #=> String # resp.tags[0].value #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/ListTags AWS API Documentation # # @overload list_tags(params = {}) # @param [Hash] params ({}) def list_tags(params = {}, options = {}) req = build_request(:list_tags, params) req.send_request(options) end # Attaches a resource-based policy to a private CA. # # A policy can also be applied by sharing a private CA through AWS # Resource Access Manager (RAM). For more information, see [Attach a # Policy for Cross-Account Access][1]. # # The policy can be displayed with [GetPolicy][2] and removed with # [DeletePolicy][3]. # # **About Policies** # # * A policy grants access on a private CA to an AWS customer account, # to AWS Organizations, or to an AWS Organizations unit. Policies are # under the control of a CA administrator. For more information, see # [Using a Resource Based Policy with ACM Private CA][4]. # # * A policy permits a user of AWS Certificate Manager (ACM) to issue # ACM certificates signed by a CA in another account. # # * For ACM to manage automatic renewal of these certificates, the ACM # user must configure a Service Linked Role (SLR). The SLR allows the # ACM service to assume the identity of the user, subject to # confirmation against the ACM Private CA policy. For more # information, see [Using a Service Linked Role with ACM][5]. # # * Updates made in AWS Resource Manager (RAM) are reflected in # policies. For more information, see [Attach a Policy for # Cross-Account Access][1]. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html # [4]: https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html # [5]: https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html # # @option params [required, String] :resource_arn # The Amazon Resource Number (ARN) of the private CA to associate with # the policy. The ARN of the CA can be found by calling the # [ListCertificateAuthorities][1] action. # # # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # # @option params [required, String] :policy # The path and file name of a JSON-formatted IAM policy to attach to the # specified private CA resource. If this policy does not contain all # required statements or if it includes any statement that is not # allowed, the `PutPolicy` action returns an `InvalidPolicyException`. # For information about IAM policy and statement structure, see # [Overview of JSON Policies][1]. # # # # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.put_policy({ # resource_arn: "Arn", # required # policy: "AWSPolicy", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/PutPolicy AWS API Documentation # # @overload put_policy(params = {}) # @param [Hash] params ({}) def put_policy(params = {}, options = {}) req = build_request(:put_policy, params) req.send_request(options) end # Restores a certificate authority (CA) that is in the `DELETED` state. # You can restore a CA during the period that you defined in the # **PermanentDeletionTimeInDays** parameter of the # [DeleteCertificateAuthority][1] action. Currently, you can specify 7 # to 30 days. If you did not specify a **PermanentDeletionTimeInDays** # value, by default you can restore the CA at any time in a 30 day # period. You can check the time remaining in the restoration period of # a private CA in the `DELETED` state by calling the # [DescribeCertificateAuthority][2] or [ListCertificateAuthorities][3] # actions. The status of a restored CA is set to its pre-deletion status # when the **RestoreCertificateAuthority** action returns. To change its # status to `ACTIVE`, call the [UpdateCertificateAuthority][4] action. # If the private CA was in the `PENDING_CERTIFICATE` state at deletion, # you must use the [ImportCertificateAuthorityCertificate][5] action to # import a certificate authority into the private CA before it can be # activated. You cannot restore a CA after the restoration period has # ended. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeleteCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DescribeCertificateAuthority.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListCertificateAuthorities.html # [4]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html # [5]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called the # [CreateCertificateAuthority][1] action. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.restore_certificate_authority({ # certificate_authority_arn: "Arn", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RestoreCertificateAuthority AWS API Documentation # # @overload restore_certificate_authority(params = {}) # @param [Hash] params ({}) def restore_certificate_authority(params = {}, options = {}) req = build_request(:restore_certificate_authority, params) req.send_request(options) end # Revokes a certificate that was issued inside ACM Private CA. If you # enable a certificate revocation list (CRL) when you create or update # your private CA, information about the revoked certificates will be # included in the CRL. ACM Private CA writes the CRL to an S3 bucket # that you specify. A CRL is typically updated approximately 30 minutes # after a certificate is revoked. If for any reason the CRL update # fails, ACM Private CA attempts makes further attempts every 15 # minutes. With Amazon CloudWatch, you can create alarms for the metrics # `CRLGenerated` and `MisconfiguredCRLBucket`. For more information, see # [Supported CloudWatch Metrics][1]. # # Both PCA and the IAM principal must have permission to write to the S3 # bucket that you specify. If the IAM principal making the call does not # have permission to write to the bucket, then an exception is thrown. # For more information, see [Configure Access to ACM Private CA][2]. # # # # ACM Private CA also writes revocation information to the audit report. # For more information, see [CreateCertificateAuthorityAuditReport][3]. # # You cannot revoke a root CA self-signed certificate. # # # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCloudWatch.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html # [3]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html # # @option params [required, String] :certificate_authority_arn # Amazon Resource Name (ARN) of the private CA that issued the # certificate to be revoked. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # @option params [required, String] :certificate_serial # Serial number of the certificate to be revoked. This must be in # hexadecimal format. You can retrieve the serial number by calling # [GetCertificate][1] with the Amazon Resource Name (ARN) of the # certificate you want and the ARN of your private CA. The # **GetCertificate** action retrieves the certificate in the PEM format. # You can use the following OpenSSL command to list the certificate in # text format and copy the hexadecimal serial number. # # `openssl x509 -in file_path -text -noout` # # You can also copy the serial number from the console or use the # [DescribeCertificate][2] action in the *AWS Certificate Manager API # Reference*. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetCertificate.html # [2]: https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html # # @option params [required, String] :revocation_reason # Specifies why you revoked the certificate. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.revoke_certificate({ # certificate_authority_arn: "Arn", # required # certificate_serial: "String128", # required # revocation_reason: "UNSPECIFIED", # required, accepts UNSPECIFIED, KEY_COMPROMISE, CERTIFICATE_AUTHORITY_COMPROMISE, AFFILIATION_CHANGED, SUPERSEDED, CESSATION_OF_OPERATION, PRIVILEGE_WITHDRAWN, A_A_COMPROMISE # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/RevokeCertificate AWS API Documentation # # @overload revoke_certificate(params = {}) # @param [Hash] params ({}) def revoke_certificate(params = {}, options = {}) req = build_request(:revoke_certificate, params) req.send_request(options) end # Adds one or more tags to your private CA. Tags are labels that you can # use to identify and organize your AWS resources. Each tag consists of # a key and an optional value. You specify the private CA on input by # its Amazon Resource Name (ARN). You specify the tag by using a # key-value pair. You can apply a tag to just one private CA if you want # to identify a specific characteristic of that CA, or you can apply the # same tag to multiple private CAs if you want to filter for a common # relationship among those CAs. To remove one or more tags, use the # [UntagCertificateAuthority][1] action. Call the [ListTags][2] action # to see what tags are associated with your CA. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UntagCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [required, Array] :tags # List of tags to be associated with the CA. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.tag_certificate_authority({ # certificate_authority_arn: "Arn", # required # tags: [ # required # { # key: "TagKey", # required # value: "TagValue", # }, # ], # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/TagCertificateAuthority AWS API Documentation # # @overload tag_certificate_authority(params = {}) # @param [Hash] params ({}) def tag_certificate_authority(params = {}, options = {}) req = build_request(:tag_certificate_authority, params) req.send_request(options) end # Remove one or more tags from your private CA. A tag consists of a # key-value pair. If you do not specify the value portion of the tag # when calling this action, the tag will be removed regardless of value. # If you specify a value, the tag is removed only if it is associated # with the specified value. To add tags to a private CA, use the # [TagCertificateAuthority][1]. Call the [ListTags][2] action to see # what tags are associated with your CA. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_TagCertificateAuthority.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_ListTags.html # # @option params [required, String] :certificate_authority_arn # The Amazon Resource Name (ARN) that was returned when you called # [CreateCertificateAuthority][1]. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CreateCertificateAuthority.html # # @option params [required, Array] :tags # List of tags to be removed from the CA. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.untag_certificate_authority({ # certificate_authority_arn: "Arn", # required # tags: [ # required # { # key: "TagKey", # required # value: "TagValue", # }, # ], # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UntagCertificateAuthority AWS API Documentation # # @overload untag_certificate_authority(params = {}) # @param [Hash] params ({}) def untag_certificate_authority(params = {}, options = {}) req = build_request(:untag_certificate_authority, params) req.send_request(options) end # Updates the status or configuration of a private certificate authority # (CA). Your private CA must be in the `ACTIVE` or `DISABLED` state # before you can update it. You can disable a private CA that is in the # `ACTIVE` state or make a CA that is in the `DISABLED` state active # again. # # Both PCA and the IAM principal must have permission to write to the S3 # bucket that you specify. If the IAM principal making the call does not # have permission to write to the bucket, then an exception is thrown. # For more information, see [Configure Access to ACM Private CA][1]. # # # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html # # @option params [required, String] :certificate_authority_arn # Amazon Resource Name (ARN) of the private CA that issued the # certificate to be revoked. This must be of the form: # # `arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 # ` # # @option params [Types::RevocationConfiguration] :revocation_configuration # Contains information to enable Online Certificate Status Protocol # (OCSP) support, to enable a certificate revocation list (CRL), to # enable both, or to enable neither. If this parameter is not supplied, # existing capibilites remain unchanged. For more information, see the # [OcspConfiguration][1] and [CrlConfiguration][2] types. # # # # [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_OcspConfiguration.html # [2]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_CrlConfiguration.html # # @option params [String] :status # Status of your private CA. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.update_certificate_authority({ # certificate_authority_arn: "Arn", # required # revocation_configuration: { # crl_configuration: { # enabled: false, # required # expiration_in_days: 1, # custom_cname: "String253", # s3_bucket_name: "String3To255", # s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL # }, # ocsp_configuration: { # enabled: false, # required # ocsp_custom_cname: "String253", # }, # }, # status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UpdateCertificateAuthority AWS API Documentation # # @overload update_certificate_authority(params = {}) # @param [Hash] params ({}) def update_certificate_authority(params = {}, options = {}) req = build_request(:update_certificate_authority, params) req.send_request(options) end # @!endgroup # @param params ({}) # @api private def build_request(operation_name, params = {}) handlers = @handlers.for(operation_name) context = Seahorse::Client::RequestContext.new( operation_name: operation_name, operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-acmpca' context[:gem_version] = '1.45.0' Seahorse::Client::Request.new(handlers, context) end # Polls an API operation until a resource enters a desired state. # # ## Basic Usage # # A waiter will call an API operation until: # # * It is successful # * It enters a terminal state # * It makes the maximum number of attempts # # In between attempts, the waiter will sleep. # # # polls in a loop, sleeping between attempts # client.wait_until(waiter_name, params) # # ## Configuration # # You can configure the maximum number of polling attempts, and the # delay (in seconds) between each polling attempt. You can pass # configuration as the final arguments hash. # # # poll for ~25 seconds # client.wait_until(waiter_name, params, { # max_attempts: 5, # delay: 5, # }) # # ## Callbacks # # You can be notified before each polling attempt and before each # delay. If you throw `:success` or `:failure` from these callbacks, # it will terminate the waiter. # # started_at = Time.now # client.wait_until(waiter_name, params, { # # # disable max attempts # max_attempts: nil, # # # poll for 1 hour, instead of a number of attempts # before_wait: -> (attempts, response) do # throw :failure if Time.now - started_at > 3600 # end # }) # # ## Handling Errors # # When a waiter is unsuccessful, it will raise an error. # All of the failure errors extend from # {Aws::Waiters::Errors::WaiterFailed}. # # begin # client.wait_until(...) # rescue Aws::Waiters::Errors::WaiterFailed # # resource did not enter the desired state in time # end # # ## Valid Waiters # # The following table lists the valid waiter names, the operations they call, # and the default `:delay` and `:max_attempts` values. # # | waiter_name | params | :delay | :max_attempts | # | --------------------------------- | ---------------------------------------------------- | -------- | ------------- | # | audit_report_created | {Client#describe_certificate_authority_audit_report} | 3 | 60 | # | certificate_authority_csr_created | {Client#get_certificate_authority_csr} | 3 | 60 | # | certificate_issued | {Client#get_certificate} | 3 | 60 | # # @raise [Errors::FailureStateError] Raised when the waiter terminates # because the waiter has entered a state that it will not transition # out of, preventing success. # # @raise [Errors::TooManyAttemptsError] Raised when the configured # maximum number of attempts have been made, and the waiter is not # yet successful. # # @raise [Errors::UnexpectedError] Raised when an error is encounted # while polling for a resource that is not expected. # # @raise [Errors::NoSuchWaiterError] Raised when you request to wait # for an unknown state. # # @return [Boolean] Returns `true` if the waiter was successful. # @param [Symbol] waiter_name # @param [Hash] params ({}) # @param [Hash] options ({}) # @option options [Integer] :max_attempts # @option options [Integer] :delay # @option options [Proc] :before_attempt # @option options [Proc] :before_wait def wait_until(waiter_name, params = {}, options = {}) w = waiter(waiter_name, options) yield(w.waiter) if block_given? # deprecated w.wait(params) end # @api private # @deprecated def waiter_names waiters.keys end private # @param [Symbol] waiter_name # @param [Hash] options ({}) def waiter(waiter_name, options = {}) waiter_class = waiters[waiter_name] if waiter_class waiter_class.new(options.merge(client: self)) else raise Aws::Waiters::Errors::NoSuchWaiterError.new(waiter_name, waiters.keys) end end def waiters { audit_report_created: Waiters::AuditReportCreated, certificate_authority_csr_created: Waiters::CertificateAuthorityCSRCreated, certificate_issued: Waiters::CertificateIssued } end class << self # @api private attr_reader :identifier # @api private def errors_module Errors end end end end