This is the ACM Private CA API Reference. It provides descriptions, syntax, and usage examples for each of the actions and data types involved in creating and managing private certificate authorities (CA) for your organization.
The documentation for each action shows the Query API request parameters and the XML response. Alternatively, you can use one of the AWS SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see AWS SDKs.
Each ACM Private CA API action has a quota that determines the number of times the action can be called per second. For more information, see API Rate Quotas in ACM Private CA in the ACM Private CA user guide.
This is the ACM Private CA API Reference. It provides descriptions, syntax, and usage examples for each of the actions and data types involved in creating and managing private certificate authorities (CA) for your organization.
The documentation for each action shows the Query API request parameters and the XML response. Alternatively, you can use one of the AWS SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see AWS SDKs.
Each ACM Private CA API action has a quota that determines the number of times the action can be called per second. For more information, see API Rate Quotas in ACM Private CA in the ACM Private CA user guide.
Creates a root or subordinate private certificate authority (CA). You must specify the CA configuration, the certificate revocation list (CRL) configuration, the CA type, and an optional idempotency token to avoid accidental creation of multiple CAs. The CA configuration specifies the name of the algorithm and key size to be used to create the CA private key, the type of signing algorithm that the CA uses, and X.500 subject information. The CRL configuration specifies the CRL expiration period in days (the validity period of the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3 bucket that is included in certificates issued by the CA. If successful, this action returns the Amazon Resource Name (ARN) of the CA.
ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption. For more information, see Encrypting Your CRLs.
Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM principal making the call does not have permission to write to the bucket, then an exception is thrown. For more information, see Configure Access to ACM Private CA.
Creates an audit report that lists every time that your CA private key is used. The report is saved in the Amazon S3 bucket that you specify on input. The IssueCertificate and RevokeCertificate actions use the private key.
Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM principal making the call does not have permission to write to the bucket, then an exception is thrown. For more information, see Configure Access to ACM Private CA.
ACM Private CAA assets that are stored in Amazon S3 can be protected with encryption. For more information, see Encrypting Your Audit Reports.
", - "CreatePermission": "Grants one or more permissions on a private CA to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com). These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA.
You can list current permissions with the ListPermissions action and revoke them with the DeletePermission action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
Grants one or more permissions on a private CA to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com). These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA.
You can list current permissions with the ListPermissions action and revoke them with the DeletePermission action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
Deletes a private certificate authority (CA). You must provide the Amazon Resource Name (ARN) of the private CA that you want to delete. You can find the ARN by calling the ListCertificateAuthorities action.
Deleting a CA will invalidate other CAs and certificates below it in your CA hierarchy.
Before you can delete a CA that you have created and activated, you must disable it. To do this, call the UpdateCertificateAuthority action and set the CertificateAuthorityStatus parameter to DISABLED.
Additionally, you can delete a CA if you are waiting for it to be created (that is, the status of the CA is CREATING). You can also delete it if the CA has been created but you haven't yet imported the signed certificate into ACM Private CA (that is, the status of the CA is PENDING_CERTIFICATE).
When you successfully call DeleteCertificateAuthority, the CA's status changes to DELETED. However, the CA won't be permanently deleted until the restoration period has passed. By default, if you do not set the PermanentDeletionTimeInDays parameter, the CA remains restorable for 30 days. You can set the parameter from 7 to 30 days. The DescribeCertificateAuthority action returns the time remaining in the restoration window of a private CA in the DELETED state. To restore an eligible CA, call the RestoreCertificateAuthority action.
Revokes permissions on a private CA granted to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com).
These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA. If you revoke these permissions, ACM will no longer renew the affected certificates automatically.
Permissions can be granted with the CreatePermission action and listed with the ListPermissions action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
Deletes the resource-based policy attached to a private CA. Deletion will remove any access that the policy has granted. If there is no policy attached to the private CA, this action will return successful.
If you delete a policy that was applied through AWS Resource Access Manager (RAM), the CA will be removed from all shares in which it was included.
The AWS Certificate Manager Service Linked Role that the policy supports is not affected when you delete the policy.
The current policy can be shown with GetPolicy and updated with PutPolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Using AWS Resource Access Manager (RAM) with ACM Private CA.
Revokes permissions on a private CA granted to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com).
These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA. If you revoke these permissions, ACM will no longer renew the affected certificates automatically.
Permissions can be granted with the CreatePermission action and listed with the ListPermissions action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
Deletes the resource-based policy attached to a private CA. Deletion will remove any access that the policy has granted. If there is no policy attached to the private CA, this action will return successful.
If you delete a policy that was applied through AWS Resource Access Manager (RAM), the CA will be removed from all shares in which it was included.
The AWS Certificate Manager Service Linked Role that the policy supports is not affected when you delete the policy.
The current policy can be shown with GetPolicy and updated with PutPolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Attach a Policy for Cross-Account Access.
Lists information about your private certificate authority (CA) or one that has been shared with you. You specify the private CA on input by its ARN (Amazon Resource Name). The output contains the status of your CA. This can be any of the following:
CREATING - ACM Private CA is creating your private certificate authority.
PENDING_CERTIFICATE - The certificate is pending. You must use your ACM Private CA-hosted or on-premises root or subordinate CA to sign your private CA CSR and then import it into PCA.
ACTIVE - Your private CA is active.
DISABLED - Your private CA has been disabled.
EXPIRED - Your private CA certificate has expired.
FAILED - Your private CA has failed. Your CA can fail because of problems such a network outage or backend AWS failure or other errors. A failed CA can never return to the pending state. You must create a new CA.
DELETED - Your private CA is within the restoration period, after which it is permanently deleted. The length of time remaining in the CA's restoration period is also included in this action's output.
Lists information about a specific audit report created by calling the CreateCertificateAuthorityAuditReport action. Audit information is created every time the certificate authority (CA) private key is used. The private key is used when you call the IssueCertificate action or the RevokeCertificate action.
", "GetCertificate": "Retrieves a certificate from your private CA or one that has been shared with you. The ARN of the certificate is returned when you call the IssueCertificate action. You must specify both the ARN of your private CA and the ARN of the issued certificate when calling the GetCertificate action. You can retrieve the certificate if it is in the ISSUED state. You can call the CreateCertificateAuthorityAuditReport action to create a report that contains information about all of the certificates issued and revoked by your private CA.
", "GetCertificateAuthorityCertificate": "Retrieves the certificate and certificate chain for your private certificate authority (CA) or one that has been shared with you. Both the certificate and the chain are base64 PEM-encoded. The chain does not include the CA certificate. Each certificate in the chain signs the one before it.
", "GetCertificateAuthorityCsr": "Retrieves the certificate signing request (CSR) for your private certificate authority (CA). The CSR is created when you call the CreateCertificateAuthority action. Sign the CSR with your ACM Private CA-hosted or on-premises root or subordinate CA. Then import the signed certificate back into ACM Private CA by calling the ImportCertificateAuthorityCertificate action. The CSR is returned as a base64 PEM-encoded string.
", - "GetPolicy": "Retrieves the resource-based policy attached to a private CA. If either the private CA resource or the policy cannot be found, this action returns a ResourceNotFoundException.
The policy can be attached or updated with PutPolicy and removed with DeletePolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Using AWS Resource Access Manager (RAM) with ACM Private CA.
Imports a signed private CA certificate into ACM Private CA. This action is used when you are using a chain of trust whose root is located outside ACM Private CA. Before you can call this action, the following preparations must in place:
In ACM Private CA, call the CreateCertificateAuthority action to create the private CA that that you plan to back with the imported certificate.
Call the GetCertificateAuthorityCsr action to generate a certificate signing request (CSR).
Sign the CSR using a root or intermediate CA hosted by either an on-premises PKI hierarchy or by a commercial CA.
Create a certificate chain and copy the signed certificate and the certificate chain to your working directory.
The following requirements apply when you import a CA certificate.
You cannot import a non-self-signed certificate for use as a root CA.
You cannot import a self-signed certificate for use as a subordinate CA.
Your certificate chain must not include the private CA certificate that you are importing.
Your ACM Private CA-hosted or on-premises CA certificate must be the last certificate in your chain. The subordinate certificate, if any, that your root CA signed must be next to last. The subordinate certificate signed by the preceding subordinate CA must come next, and so on until your chain is built.
The chain must be PEM-encoded.
The maximum allowed size of a certificate is 32 KB.
The maximum allowed size of a certificate chain is 2 MB.
Enforcement of Critical Constraints
ACM Private CA allows the following extensions to be marked critical in the imported CA certificate or chain.
Basic constraints (must be marked critical)
Subject alternative names
Key usage
Extended key usage
Authority key identifier
Subject key identifier
Issuer alternative name
Subject directory attributes
Subject information access
Certificate policies
Policy mappings
Inhibit anyPolicy
ACM Private CA rejects the following extensions when they are marked critical in an imported CA certificate or chain.
Name constraints
Policy constraints
CRL distribution points
Authority information access
Freshest CRL
Any other extension
Retrieves the resource-based policy attached to a private CA. If either the private CA resource or the policy cannot be found, this action returns a ResourceNotFoundException.
The policy can be attached or updated with PutPolicy and removed with DeletePolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Attach a Policy for Cross-Account Access.
Imports a signed private CA certificate into ACM Private CA. This action is used when you are using a chain of trust whose root is located outside ACM Private CA. Before you can call this action, the following preparations must in place:
In ACM Private CA, call the CreateCertificateAuthority action to create the private CA that that you plan to back with the imported certificate.
Call the GetCertificateAuthorityCsr action to generate a certificate signing request (CSR).
Sign the CSR using a root or intermediate CA hosted by either an on-premises PKI hierarchy or by a commercial CA.
Create a certificate chain and copy the signed certificate and the certificate chain to your working directory.
ACM Private CA supports three scenarios for installing a CA certificate:
Installing a certificate for a root CA hosted by ACM Private CA.
Installing a subordinate CA certificate whose parent authority is hosted by ACM Private CA.
Installing a subordinate CA certificate whose parent authority is externally hosted.
The following addtitional requirements apply when you import a CA certificate.
Only a self-signed certificate can be imported as a root CA.
A self-signed certificate cannot be imported as a subordinate CA.
Your certificate chain must not include the private CA certificate that you are importing.
Your root CA must be the last certificate in your chain. The subordinate certificate, if any, that your root CA signed must be next to last. The subordinate certificate signed by the preceding subordinate CA must come next, and so on until your chain is built.
The chain must be PEM-encoded.
The maximum allowed size of a certificate is 32 KB.
The maximum allowed size of a certificate chain is 2 MB.
Enforcement of Critical Constraints
ACM Private CA allows the following extensions to be marked critical in the imported CA certificate or chain.
Basic constraints (must be marked critical)
Subject alternative names
Key usage
Extended key usage
Authority key identifier
Subject key identifier
Issuer alternative name
Subject directory attributes
Subject information access
Certificate policies
Policy mappings
Inhibit anyPolicy
ACM Private CA rejects the following extensions when they are marked critical in an imported CA certificate or chain.
Name constraints
Policy constraints
CRL distribution points
Authority information access
Freshest CRL
Any other extension
Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate. This action returns the Amazon Resource Name (ARN) of the certificate. You can retrieve the certificate by calling the GetCertificate action and specifying the ARN.
You cannot use the ACM ListCertificateAuthorities action to retrieve the ARNs of the certificates that you issue by using ACM Private CA.
Lists the private certificate authorities that you created by using the CreateCertificateAuthority action.
", - "ListPermissions": "List all permissions on a private CA, if any, granted to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com).
These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA.
Permissions can be granted with the CreatePermission action and revoked with the DeletePermission action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
List all permissions on a private CA, if any, granted to the AWS Certificate Manager (ACM) service principal (acm.amazonaws.com).
These permissions allow ACM to issue and renew ACM certificates that reside in the same AWS account as the CA.
Permissions can be granted with the CreatePermission action and revoked with the DeletePermission action.
About Permissions
If the private CA and the certificates it issues reside in the same account, you can use CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list certificates.
If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM Private CA.
Lists the tags, if any, that are associated with your private CA or one that has been shared with you. Tags are labels that you can use to identify and organize your CAs. Each tag consists of a key and an optional value. Call the TagCertificateAuthority action to add one or more tags to your CA. Call the UntagCertificateAuthority action to remove tags.
", - "PutPolicy": "Attaches a resource-based policy to a private CA.
A policy can also be applied by sharing a private CA through AWS Resource Access Manager (RAM).
The policy can be displayed with GetPolicy and removed with DeletePolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Using AWS Resource Access Manager (RAM) with ACM Private CA.
Attaches a resource-based policy to a private CA.
A policy can also be applied by sharing a private CA through AWS Resource Access Manager (RAM). For more information, see Attach a Policy for Cross-Account Access.
The policy can be displayed with GetPolicy and removed with DeletePolicy.
About Policies
A policy grants access on a private CA to an AWS customer account, to AWS Organizations, or to an AWS Organizations unit. Policies are under the control of a CA administrator. For more information, see Using a Resource Based Policy with ACM Private CA.
A policy permits a user of AWS Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM Private CA policy. For more information, see Using a Service Linked Role with ACM.
Updates made in AWS Resource Manager (RAM) are reflected in policies. For more information, see Attach a Policy for Cross-Account Access.
Restores a certificate authority (CA) that is in the DELETED state. You can restore a CA during the period that you defined in the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthority action. Currently, you can specify 7 to 30 days. If you did not specify a PermanentDeletionTimeInDays value, by default you can restore the CA at any time in a 30 day period. You can check the time remaining in the restoration period of a private CA in the DELETED state by calling the DescribeCertificateAuthority or ListCertificateAuthorities actions. The status of a restored CA is set to its pre-deletion status when the RestoreCertificateAuthority action returns. To change its status to ACTIVE, call the UpdateCertificateAuthority action. If the private CA was in the PENDING_CERTIFICATE state at deletion, you must use the ImportCertificateAuthorityCertificate action to import a certificate authority into the private CA before it can be activated. You cannot restore a CA after the restoration period has ended.
Revokes a certificate that was issued inside ACM Private CA. If you enable a certificate revocation list (CRL) when you create or update your private CA, information about the revoked certificates will be included in the CRL. ACM Private CA writes the CRL to an S3 bucket that you specify. A CRL is typically updated approximately 30 minutes after a certificate is revoked. If for any reason the CRL update fails, ACM Private CA attempts makes further attempts every 15 minutes. With Amazon CloudWatch, you can create alarms for the metrics CRLGenerated and MisconfiguredCRLBucket. For more information, see Supported CloudWatch Metrics.
Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM principal making the call does not have permission to write to the bucket, then an exception is thrown. For more information, see Configure Access to ACM Private CA.
ACM Private CA also writes revocation information to the audit report. For more information, see CreateCertificateAuthorityAuditReport.
You cannot revoke a root CA self-signed certificate.
Adds one or more tags to your private CA. Tags are labels that you can use to identify and organize your AWS resources. Each tag consists of a key and an optional value. You specify the private CA on input by its Amazon Resource Name (ARN). You specify the tag by using a key-value pair. You can apply a tag to just one private CA if you want to identify a specific characteristic of that CA, or you can apply the same tag to multiple private CAs if you want to filter for a common relationship among those CAs. To remove one or more tags, use the UntagCertificateAuthority action. Call the ListTags action to see what tags are associated with your CA.
", @@ -37,7 +37,8 @@ "ASN1Subject": { "base": "Contains information about the certificate subject. The certificate can be one issued by your private certificate authority (CA) or it can be your private CA certificate. The Subject field in the certificate identifies the entity that owns or controls the public key in the certificate. The entity can be a user, computer, device, or service. The Subject must contain an X.500 distinguished name (DN). A DN is a sequence of relative distinguished names (RDNs). The RDNs are separated by commas in the certificate. The DN must be unique for each entity, but your private CA can issue more than one certificate with the same DN to the same entity.
", "refs": { - "CertificateAuthorityConfiguration$Subject": "Structure that contains X.500 distinguished name information for your private CA.
" + "CertificateAuthorityConfiguration$Subject": "Structure that contains X.500 distinguished name information for your private CA.
", + "GeneralName$DirectoryName": null } }, "AWSPolicy": { @@ -48,6 +49,30 @@ "PutPolicyRequest$Policy": "The path and filename of a JSON-formatted IAM policy to attach to the specified private CA resource. If this policy does not contain all required statements or if it includes any statement that is not allowed, the PutPolicy action returns an InvalidPolicyException. For information about IAM policy and statement structure, see Overview of JSON Policies.
Provides access information used by the authorityInfoAccess and subjectInfoAccess extensions described in RFC 5280.
For CA certificates, provides a path to additional information pertaining to the CA, such as revocation and policy. For more information, see Subject Information Access in RFC 5280.
" + } + }, + "AccessMethod": { + "base": "Describes the type and format of extension access. Only one of CustomObjectIdentifier or AccessMethodType may be provided. Providing both results in InvalidArgsException.
The type and format of AccessDescription information.
Specifies the AccessMethod.
Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action.
" + "CrlConfiguration$Enabled": "Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. You can use this value to enable certificate revocation for a new CA when you call the CreateCertificateAuthority action or for an existing CA when you call the UpdateCertificateAuthority action.
", + "KeyUsage$DigitalSignature": "Key can be used for digital signing.
", + "KeyUsage$NonRepudiation": "Key can be used for non-repudiation.
", + "KeyUsage$KeyEncipherment": "Key can be used to encipher data.
", + "KeyUsage$DataEncipherment": "Key can be used to decipher data.
", + "KeyUsage$KeyAgreement": "Key can be used in a key-agreement protocol.
", + "KeyUsage$KeyCertSign": "Key can be used to sign certificates.
", + "KeyUsage$CRLSign": "Key can be used to sign CRLs.
", + "KeyUsage$EncipherOnly": "Key can be used only to encipher data.
", + "KeyUsage$DecipherOnly": "Key can be used only to decipher data.
" } }, "CertificateAuthorities": { @@ -177,8 +211,8 @@ "CertificateChain": { "base": null, "refs": { - "GetCertificateAuthorityCertificateResponse$CertificateChain": "Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. If this is a root CA, the value will be null.
", - "GetCertificateResponse$CertificateChain": "The base64 PEM-encoded certificate chain that chains up to the on-premises root CA certificate that you used to sign your private CA certificate.
" + "GetCertificateAuthorityCertificateResponse$CertificateChain": "Base64-encoded certificate chain that includes any intermediate certificates and chains up to root certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. If this is a root CA, the value will be null.
", + "GetCertificateResponse$CertificateChain": "The base64 PEM-encoded certificate chain that chains up to the root CA certificate that you used to sign your private CA certificate.
" } }, "CertificateChainBlob": { @@ -246,6 +280,20 @@ "GetCertificateAuthorityCsrResponse$Csr": "The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
" } }, + "CsrExtensions": { + "base": "Describes the certificate extensions to be added to the certificate signing request (CSR).
", + "refs": { + "CertificateAuthorityConfiguration$CsrExtensions": "Specifies information to be added to the extension section of the certificate signing request (CSR).
" + } + }, + "CustomObjectIdentifier": { + "base": null, + "refs": { + "AccessMethod$CustomObjectIdentifier": "An object identifier (OID) specifying the AccessMethod. The OID must satisfy the regular expression shown below. For more information, see NIST's definition of Object Identifier (OID).
Represents GeneralName as an object identifier (OID).
Specifies an OID.
" + } + }, "DeleteCertificateAuthorityRequest": { "base": null, "refs": { @@ -281,12 +329,24 @@ "refs": { } }, + "EdiPartyName": { + "base": "Describes an Electronic Data Interchange (EDI) entity as described in as defined in Subject Alternative Name in RFC 5280.
", + "refs": { + "GeneralName$EdiPartyName": "Represents GeneralName as an EdiPartyName object.
Reason the request to create your private CA failed.
" } }, + "GeneralName": { + "base": "Describes an ASN.1 X.400 GeneralName as defined in RFC 5280. Only one of the following naming options should be providied. Providing more than one option results in an InvalidArgsException error.
The location of AccessDescription information.
Number of days until a certificate expires.
" + "CrlConfiguration$ExpirationInDays": "Validity period of the CRL in days.
" } }, "InvalidArgsException": { @@ -361,7 +421,7 @@ } }, "InvalidPolicyException": { - "base": "The resource policy is invalid or is missing a required statement. For general information about IAM policy and statement structure, see Overview of JSON Policies.
", + "base": "The resource policy is invalid or is missing a required statement. For general information about IAM policy and statement structure, see Overview of JSON Policies.
", "refs": { } }, @@ -396,6 +456,12 @@ "CertificateAuthorityConfiguration$KeyAlgorithm": "Type of the public key algorithm and size, in bits, of the key pair that your CA creates when it issues a certificate. When you create a subordinate CA, you must use a key algorithm supported by the parent CA.
" } }, + "KeyUsage": { + "base": "Defines one or more purposes for which the key contained in the certificate can be used. Default value for each option is false.
", + "refs": { + "CsrExtensions$KeyUsage": "Indicates the purpose of the certificate and of the key contained in the certificate.
" + } + }, "LimitExceededException": { "base": "An ACM Private CA quota has been exceeded. See the exception message returned to determine the quota that was exceeded.
", "refs": { @@ -465,6 +531,12 @@ "ListTagsResponse$NextToken": "When the list is truncated, this value is present and should be used for the NextToken parameter in a subsequent pagination request.
" } }, + "OtherName": { + "base": "Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) and value. The OID must satisfy the regular expression shown below. For more information, see NIST's definition of Object Identifier (OID).
Represents GeneralName using an OtherName object.
Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
" + "CrlConfiguration$CustomCname": "Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public.
", + "GeneralName$DnsName": "Represents GeneralName as a DNS name.
Represents GeneralName as a URI.
Specifies the party name.
", + "EdiPartyName$NameAssigner": "Specifies the name assigner.
", + "GeneralName$Rfc822Name": "Represents GeneralName as an RFC 822 email address.
Specifies an OID value.
" } }, "String3": { @@ -630,6 +713,12 @@ "ASN1Subject$GenerationQualifier": "Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third.
" } }, + "String39": { + "base": null, + "refs": { + "GeneralName$IpAddress": "Represents GeneralName as an IPv4 or IPv6 address.
Legal name of the organization with which the certificate subject is affiliated.
", "ASN1Subject$OrganizationalUnit": "A subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated.
", - "ASN1Subject$CommonName": "Fully qualified domain name (FQDN) associated with the certificate subject.
", + "ASN1Subject$CommonName": "For CA and end-entity certificates in a private PKI, the common name (CN) can be any string within the length limit.
Note: In publicly trusted certificates, the common name must be a fully qualified domain name (FQDN) associated with the certificate subject.
", "ASN1Subject$Title": "A title such as Mr. or Ms., which is pre-pended to the name to refer formally to the certificate subject.
" } }, @@ -725,7 +814,7 @@ "ValidityPeriodType": { "base": null, "refs": { - "Validity$Type": "Determines how ACM Private CA interprets the Value parameter, an integer. Supported validity types include those listed below. Type definitions with values include a sample input value and the resulting output.
END_DATE: The specific date and time when the certificate will expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime (YYYYMMDDHHMMSS) format. When UTCTime is used, if the year field (YY) is greater than or equal to 50, the year is interpreted as 19YY. If the year field is less than 50, the year is interpreted as 20YY.
Sample input value: 491231235959 (UTCTime format)
Output expiration date/time: 12/31/2049 23:59:59
ABSOLUTE: The specific date and time when the certificate will expire, expressed in seconds since the Unix Epoch.
Sample input value: 2524608000
Output expiration date/time: 01/01/2050 00:00:00
DAYS, MONTHS, YEARS: The relative time from the moment of issuance until the certificate will expire, expressed in days, months, or years.
Example if DAYS, issued on 10/12/2020 at 12:34:54 UTC:
Sample input value: 90
Output expiration date: 01/10/2020 12:34:54 UTC
Determines how ACM Private CA interprets the Value parameter, an integer. Supported validity types include those listed below. Type definitions with values include a sample input value and the resulting output.
END_DATE: The specific date and time when the certificate will expire, expressed using UTCTime (YYMMDDHHMMSS) or GeneralizedTime (YYYYMMDDHHMMSS) format. When UTCTime is used, if the year field (YY) is greater than or equal to 50, the year is interpreted as 19YY. If the year field is less than 50, the year is interpreted as 20YY.
Sample input value: 491231235959 (UTCTime format)
Output expiration date/time: 12/31/2049 23:59:59
ABSOLUTE: The specific date and time when the certificate will expire, expressed in seconds since the Unix Epoch.
Sample input value: 2524608000
Output expiration date/time: 01/01/2050 00:00:00
DAYS, MONTHS, YEARS: The relative time from the moment of issuance until the certificate will expire, expressed in days, months, or years.
Example if DAYS, issued on 10/12/2020 at 12:34:54 UTC:
Sample input value: 90
Output expiration date: 01/10/2020 12:34:54 UTC
The minimum validity duration for a certificate using relative time (DAYS) is one day. The minimum validity for a certificate using absolute time (ABSOLUTE or END_DATE) is one second.
A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name and the mapped value is an integration response header value, a static value enclosed within a pair of single quotes, or a JSON expression from the integration response body. The mapping key must match the pattern of method.response.header.{name}, where name is a valid and unique header name. The mapped non-static value must match the pattern of integration.response.header.{name} or integration.response.body.{JSON-expression}, where name is a valid and unique response header name and JSON-expression is a valid JSON expression without the $ prefix.
", + "base" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP API integrations with a specified integrationSubtype, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
For HTTP API integrations without a specified integrationSubtype request parameters are a key-value map specifying how to transform HTTP requests before sending them to the backend. The key should follow the pattern <action>:<header|querystring|path>.<location> where action can be append, overwrite or remove. For values, you can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", "refs" : { - "CreateIntegrationInput$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP APIs, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations with a specified integrationSubtype. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
", + "CreateIntegrationInput$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP API integrations with a specified integrationSubtype, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
For HTTP API integrations without a specified integrationSubtype request parameters are a key-value map specifying how to transform HTTP requests before sending them to the backend. The key should follow the pattern <action>:<header|querystring|path>.<location> where action can be append, overwrite or remove. For values, you can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", "CreateIntegrationResponseInput$ResponseParameters" : "A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name and the mapped value is an integration response header value, a static value enclosed within a pair of single quotes, or a JSON expression from the integration response body. The mapping key must match the pattern of method.response.header.{name}, where {name} is a valid and unique header name. The mapped non-static value must match the pattern of integration.response.header.{name} or integration.response.body.{JSON-expression}, where {name} is a valid and unique response header name and {JSON-expression} is a valid JSON expression without the $ prefix.
", - "Integration$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP APIs, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations with a specified integrationSubtype. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
", + "Integration$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP API integrations with a specified integrationSubtype, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
For HTTP API itegrations, without a specified integrationSubtype request parameters are a key-value map specifying how to transform HTTP requests before sending them to backend integrations. The key should follow the pattern <action>:<header|querystring|path>.<location>. The action can be append, overwrite or remove. For values, you can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", "IntegrationResponse$ResponseParameters" : "A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name and the mapped value is an integration response header value, a static value enclosed within a pair of single quotes, or a JSON expression from the integration response body. The mapping key must match the pattern of method.response.header.{name}, where name is a valid and unique header name. The mapped non-static value must match the pattern of integration.response.header.{name} or integration.response.body.{JSON-expression}, where name is a valid and unique response header name and JSON-expression is a valid JSON expression without the $ prefix.
", - "UpdateIntegrationInput$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP APIs, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations with a specified integrationSubtype. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
", + "ResponseParameters$member" : null, + "UpdateIntegrationInput$RequestParameters" : "For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend. The key is an integration request parameter name and the associated value is a method request parameter value or static value that must be enclosed within single quotes and pre-encoded as required by the backend. The method request parameter value must match the pattern of method.request.
For HTTP API integrations with a specified integrationSubtype, request parameters are a key-value map specifying parameters that are passed to AWS_PROXY integrations. You can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Working with AWS service integrations for HTTP APIs.
For HTTP API integrations, without a specified integrationSubtype request parameters are a key-value map specifying how to transform HTTP requests before sending them to the backend. The key should follow the pattern <action>:<header|querystring|path>.<location> where action can be append, overwrite or remove. For values, you can provide static values, or map request data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", "UpdateIntegrationResponseInput$ResponseParameters" : "A key-value map specifying response parameters that are passed to the method response from the backend. The key is a method response header parameter name and the mapped value is an integration response header value, a static value enclosed within a pair of single quotes, or a JSON expression from the integration response body. The mapping key must match the pattern of method.response.header.
Overwrites the configuration of an existing API using the provided definition. Supported only for HTTP APIs.
", "refs" : { } }, + "ResponseParameters" : { + "base" : "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients.
", + "refs" : { + "CreateIntegrationInput$ResponseParameters" : "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern <action>:<header>.<location> or overwrite.statuscode. The action can be append, overwrite or remove. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", + "Integration$ResponseParameters" : "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern <action>:<header>.<location> or overwrite.statuscode. The action can be append, overwrite or remove. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
", + "UpdateIntegrationInput$ResponseParameters" : "Supported only for HTTP APIs. You use response parameters to transform the HTTP response from a backend integration before returning the response to clients. Specify a key-value map from a selection key to response parameters. The selection key must be a valid HTTP status code within the range of 200-599. Response parameters are a key-value map. The key must match pattern <action>:<header>.<location> or overwrite.statuscode. The action can be append, overwrite or remove. The value can be a static value, or map to response data, stage variables, or context variables that are evaluated at runtime. To learn more, see Transforming API requests and responses.
" + } + }, "Route" : { "base" : "Represents a route.
", "refs" : { @@ -880,8 +889,8 @@ "CreateIntegrationInput$IntegrationUri" : "For a Lambda integration, specify the URI of a Lambda function.
For an HTTP integration, specify a fully-qualified URL.
For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources. To learn more, see DiscoverInstances. For private integrations, all resources must be owned by the same AWS account.
", "Integration$IntegrationUri" : "For a Lambda integration, specify the URI of a Lambda function.
For an HTTP integration, specify a fully-qualified URL.
For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources. To learn more, see DiscoverInstances. For private integrations, all resources must be owned by the same AWS account.
", "JWTConfiguration$Issuer" : "The base domain of the identity provider that issues JSON Web Tokens. For example, an Amazon Cognito user pool has the following format: https://cognito-idp.
An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://
An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://
An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://
An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://
This property is part of quick create. For HTTP integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN. The type of the integration will be HTTP_PROXY or AWS_PROXY, respectively. The value provided updates the integration URI and integration type. You can update a quick-created target, but you can't remove it from an API. Supported only for HTTP APIs.
", "UpdateAuthorizerInput$AuthorizerUri" : "The authorizer's Uniform Resource Identifier (URI). For REQUEST authorizers, this must be a well-formed Lambda function URI, for example, arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:
For a Lambda integration, specify the URI of a Lambda function.
For an HTTP integration, specify a fully-qualified URL.
For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service. If you specify the ARN of an AWS Cloud Map service, API Gateway uses DiscoverInstances to identify resources. You can use query parameters to target specific resources. To learn more, see DiscoverInstances. For private integrations, all resources must be owned by the same AWS account.
" diff --git a/service/acmpca/api.go b/service/acmpca/api.go index 2f07f7f1e3a..5a44121539d 100644 --- a/service/acmpca/api.go +++ b/service/acmpca/api.go @@ -90,7 +90,7 @@ func (c *ACMPCA) CreateCertificateAuthorityRequest(input *CreateCertificateAutho // * InvalidPolicyException // The resource policy is invalid or is missing a required statement. For general // information about IAM policy and statement structure, see Overview of JSON -// Policies (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). // // * InvalidTagException // The tag associated with the CA is not valid. The invalid argument is contained @@ -296,7 +296,7 @@ func (c *ACMPCA) CreatePermissionRequest(input *CreatePermissionInput) (req *req // then permissions cannot be used to enable automatic renewals. Instead, // the ACM certificate owner must set up a resource-based policy to enable // cross-account issuance and renewals. For more information, see Using a -// Resource Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Resource Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -533,7 +533,7 @@ func (c *ACMPCA) DeletePermissionRequest(input *DeletePermissionInput) (req *req // then permissions cannot be used to enable automatic renewals. Instead, // the ACM certificate owner must set up a resource-based policy to enable // cross-account issuance and renewals. For more information, see Using a -// Resource Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Resource Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -641,7 +641,7 @@ func (c *ACMPCA) DeletePolicyRequest(input *DeletePolicyInput) (req *request.Req // * A policy grants access on a private CA to an AWS customer account, to // AWS Organizations, or to an AWS Organizations unit. Policies are under // the control of a CA administrator. For more information, see Using a Resource -// Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // * A policy permits a user of AWS Certificate Manager (ACM) to issue ACM // certificates signed by a CA in another account. @@ -653,8 +653,7 @@ func (c *ACMPCA) DeletePolicyRequest(input *DeletePolicyInput) (req *request.Req // Role with ACM (https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html). // // * Updates made in AWS Resource Manager (RAM) are reflected in policies. -// For more information, see Using AWS Resource Access Manager (RAM) with -// ACM Private CA (acm-pca/latest/userguide/pca-ram.html). +// For more information, see Attach a Policy for Cross-Account Access (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -1241,14 +1240,14 @@ func (c *ACMPCA) GetPolicyRequest(input *GetPolicyInput) (req *request.Request, // ResourceNotFoundException. // // The policy can be attached or updated with PutPolicy (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_PutPolicy.html) -// and removed with DeletePolicy (acm-pca/latest/APIReference/API_DeletePolicy.html). +// and removed with DeletePolicy (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html). // // About Policies // // * A policy grants access on a private CA to an AWS customer account, to // AWS Organizations, or to an AWS Organizations unit. Policies are under // the control of a CA administrator. For more information, see Using a Resource -// Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // * A policy permits a user of AWS Certificate Manager (ACM) to issue ACM // certificates signed by a CA in another account. @@ -1260,8 +1259,7 @@ func (c *ACMPCA) GetPolicyRequest(input *GetPolicyInput) (req *request.Request, // Role with ACM (https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html). // // * Updates made in AWS Resource Manager (RAM) are reflected in policies. -// For more information, see Using AWS Resource Access Manager (RAM) with -// ACM Private CA (acm-pca/latest/userguide/pca-ram.html). +// For more information, see Attach a Policy for Cross-Account Access (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -1369,21 +1367,29 @@ func (c *ACMPCA) ImportCertificateAuthorityCertificateRequest(input *ImportCerti // Create a certificate chain and copy the signed certificate and the certificate // chain to your working directory. // -// The following requirements apply when you import a CA certificate. +// ACM Private CA supports three scenarios for installing a CA certificate: +// +// * Installing a certificate for a root CA hosted by ACM Private CA. +// +// * Installing a subordinate CA certificate whose parent authority is hosted +// by ACM Private CA. +// +// * Installing a subordinate CA certificate whose parent authority is externally +// hosted. +// +// The following addtitional requirements apply when you import a CA certificate. // -// * You cannot import a non-self-signed certificate for use as a root CA. +// * Only a self-signed certificate can be imported as a root CA. // -// * You cannot import a self-signed certificate for use as a subordinate -// CA. +// * A self-signed certificate cannot be imported as a subordinate CA. // // * Your certificate chain must not include the private CA certificate that // you are importing. // -// * Your ACM Private CA-hosted or on-premises CA certificate must be the -// last certificate in your chain. The subordinate certificate, if any, that -// your root CA signed must be next to last. The subordinate certificate -// signed by the preceding subordinate CA must come next, and so on until -// your chain is built. +// * Your root CA must be the last certificate in your chain. The subordinate +// certificate, if any, that your root CA signed must be next to last. The +// subordinate certificate signed by the preceding subordinate CA must come +// next, and so on until your chain is built. // // * The chain must be PEM-encoded. // @@ -1810,7 +1816,7 @@ func (c *ACMPCA) ListPermissionsRequest(input *ListPermissionsInput) (req *reque // then permissions cannot be used to enable automatic renewals. Instead, // the ACM certificate owner must set up a resource-based policy to enable // cross-account issuance and renewals. For more information, see Using a -// Resource Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Resource Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -2108,8 +2114,9 @@ func (c *ACMPCA) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, // // Attaches a resource-based policy to a private CA. // -// A policy can also be applied by sharing (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html) -// a private CA through AWS Resource Access Manager (RAM). +// A policy can also be applied by sharing a private CA through AWS Resource +// Access Manager (RAM). For more information, see Attach a Policy for Cross-Account +// Access (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html). // // The policy can be displayed with GetPolicy (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_GetPolicy.html) // and removed with DeletePolicy (https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_DeletePolicy.html). @@ -2119,7 +2126,7 @@ func (c *ACMPCA) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, // * A policy grants access on a private CA to an AWS customer account, to // AWS Organizations, or to an AWS Organizations unit. Policies are under // the control of a CA administrator. For more information, see Using a Resource -// Based Policy with ACM Private CA (acm-pca/latest/userguide/pca-rbp.html). +// Based Policy with ACM Private CA (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-rbp.html). // // * A policy permits a user of AWS Certificate Manager (ACM) to issue ACM // certificates signed by a CA in another account. @@ -2131,8 +2138,7 @@ func (c *ACMPCA) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, // Role with ACM (https://docs.aws.amazon.com/acm/latest/userguide/acm-slr.html). // // * Updates made in AWS Resource Manager (RAM) are reflected in policies. -// For more information, see Using AWS Resource Access Manager (RAM) with -// ACM Private CA (acm-pca/latest/userguide/pca-ram.html). +// For more information, see Attach a Policy for Cross-Account Access (https://docs.aws.amazon.com/acm-pca/latest/userguide/pca-ram.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -2154,7 +2160,7 @@ func (c *ACMPCA) PutPolicyRequest(input *PutPolicyInput) (req *request.Request, // * InvalidPolicyException // The resource policy is invalid or is missing a required statement. For general // information about IAM policy and statement structure, see Overview of JSON -// Policies (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). // // * LockoutPreventedException // The current action was prevented because it would lock the caller out from @@ -2699,7 +2705,7 @@ func (c *ACMPCA) UpdateCertificateAuthorityRequest(input *UpdateCertificateAutho // * InvalidPolicyException // The resource policy is invalid or is missing a required statement. For general // information about IAM policy and statement structure, see Overview of JSON -// Policies (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). // // See also, https://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/UpdateCertificateAuthority func (c *ACMPCA) UpdateCertificateAuthority(input *UpdateCertificateAuthorityInput) (*UpdateCertificateAuthorityOutput, error) { @@ -2735,7 +2741,11 @@ func (c *ACMPCA) UpdateCertificateAuthorityWithContext(ctx aws.Context, input *U type ASN1Subject struct { _ struct{} `type:"structure"` - // Fully qualified domain name (FQDN) associated with the certificate subject. + // For CA and end-entity certificates in a private PKI, the common name (CN) + // can be any string within the length limit. + // + // Note: In publicly trusted certificates, the common name must be a fully qualified + // domain name (FQDN) associated with the certificate subject. CommonName *string `type:"string"` // Two-digit code that specifies the country in which the certificate subject @@ -2895,6 +2905,101 @@ func (s *ASN1Subject) SetTitle(v string) *ASN1Subject { return s } +// Provides access information used by the authorityInfoAccess and subjectInfoAccess +// extensions described in RFC 5280 (https://tools.ietf.org/html/rfc5280). +type AccessDescription struct { + _ struct{} `type:"structure"` + + // The location of AccessDescription information. + // + // AccessLocation is a required field + AccessLocation *GeneralName `type:"structure" required:"true"` + + // The type and format of AccessDescription information. + // + // AccessMethod is a required field + AccessMethod *AccessMethod `type:"structure" required:"true"` +} + +// String returns the string representation +func (s AccessDescription) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AccessDescription) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AccessDescription) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AccessDescription"} + if s.AccessLocation == nil { + invalidParams.Add(request.NewErrParamRequired("AccessLocation")) + } + if s.AccessMethod == nil { + invalidParams.Add(request.NewErrParamRequired("AccessMethod")) + } + if s.AccessLocation != nil { + if err := s.AccessLocation.Validate(); err != nil { + invalidParams.AddNested("AccessLocation", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAccessLocation sets the AccessLocation field's value. +func (s *AccessDescription) SetAccessLocation(v *GeneralName) *AccessDescription { + s.AccessLocation = v + return s +} + +// SetAccessMethod sets the AccessMethod field's value. +func (s *AccessDescription) SetAccessMethod(v *AccessMethod) *AccessDescription { + s.AccessMethod = v + return s +} + +// Describes the type and format of extension access. Only one of CustomObjectIdentifier +// or AccessMethodType may be provided. Providing both results in InvalidArgsException. +type AccessMethod struct { + _ struct{} `type:"structure"` + + // Specifies the AccessMethod. + AccessMethodType *string `type:"string" enum:"AccessMethodType"` + + // An object identifier (OID) specifying the AccessMethod. The OID must satisfy + // the regular expression shown below. For more information, see NIST's definition + // of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier). + CustomObjectIdentifier *string `type:"string"` +} + +// String returns the string representation +func (s AccessMethod) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AccessMethod) GoString() string { + return s.String() +} + +// SetAccessMethodType sets the AccessMethodType field's value. +func (s *AccessMethod) SetAccessMethodType(v string) *AccessMethod { + s.AccessMethodType = &v + return s +} + +// SetCustomObjectIdentifier sets the CustomObjectIdentifier field's value. +func (s *AccessMethod) SetCustomObjectIdentifier(v string) *AccessMethod { + s.CustomObjectIdentifier = &v + return s +} + // Contains information about your private certificate authority (CA). Your // private CA can issue and revoke X.509 digital certificates. Digital certificates // verify that the entity named in the certificate Subject field owns or controls @@ -3052,6 +3157,10 @@ func (s *CertificateAuthority) SetType(v string) *CertificateAuthority { type CertificateAuthorityConfiguration struct { _ struct{} `type:"structure"` + // Specifies information to be added to the extension section of the certificate + // signing request (CSR). + CsrExtensions *CsrExtensions `type:"structure"` + // Type of the public key algorithm and size, in bits, of the key pair that // your CA creates when it issues a certificate. When you create a subordinate // CA, you must use a key algorithm supported by the parent CA. @@ -3096,6 +3205,11 @@ func (s *CertificateAuthorityConfiguration) Validate() error { if s.Subject == nil { invalidParams.Add(request.NewErrParamRequired("Subject")) } + if s.CsrExtensions != nil { + if err := s.CsrExtensions.Validate(); err != nil { + invalidParams.AddNested("CsrExtensions", err.(request.ErrInvalidParams)) + } + } if s.Subject != nil { if err := s.Subject.Validate(); err != nil { invalidParams.AddNested("Subject", err.(request.ErrInvalidParams)) @@ -3108,6 +3222,12 @@ func (s *CertificateAuthorityConfiguration) Validate() error { return nil } +// SetCsrExtensions sets the CsrExtensions field's value. +func (s *CertificateAuthorityConfiguration) SetCsrExtensions(v *CsrExtensions) *CertificateAuthorityConfiguration { + s.CsrExtensions = v + return s +} + // SetKeyAlgorithm sets the KeyAlgorithm field's value. func (s *CertificateAuthorityConfiguration) SetKeyAlgorithm(v string) *CertificateAuthorityConfiguration { s.KeyAlgorithm = &v @@ -3664,7 +3784,7 @@ type CrlConfiguration struct { // Enabled is a required field Enabled *bool `type:"boolean" required:"true"` - // Number of days until a certificate expires. + // Validity period of the CRL in days. ExpirationInDays *int64 `min:"1" type:"integer"` // Name of the S3 bucket that contains the CRL. If you do not provide a value @@ -3729,6 +3849,64 @@ func (s *CrlConfiguration) SetS3BucketName(v string) *CrlConfiguration { return s } +// Describes the certificate extensions to be added to the certificate signing +// request (CSR). +type CsrExtensions struct { + _ struct{} `type:"structure"` + + // Indicates the purpose of the certificate and of the key contained in the + // certificate. + KeyUsage *KeyUsage `type:"structure"` + + // For CA certificates, provides a path to additional information pertaining + // to the CA, such as revocation and policy. For more information, see Subject + // Information Access (https://tools.ietf.org/html/rfc5280#section-4.2.2.2) + // in RFC 5280. + SubjectInformationAccess []*AccessDescription `type:"list"` +} + +// String returns the string representation +func (s CsrExtensions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CsrExtensions) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CsrExtensions) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CsrExtensions"} + if s.SubjectInformationAccess != nil { + for i, v := range s.SubjectInformationAccess { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "SubjectInformationAccess", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyUsage sets the KeyUsage field's value. +func (s *CsrExtensions) SetKeyUsage(v *KeyUsage) *CsrExtensions { + s.KeyUsage = v + return s +} + +// SetSubjectInformationAccess sets the SubjectInformationAccess field's value. +func (s *CsrExtensions) SetSubjectInformationAccess(v []*AccessDescription) *CsrExtensions { + s.SubjectInformationAccess = v + return s +} + type DeleteCertificateAuthorityInput struct { _ struct{} `type:"structure"` @@ -4126,6 +4304,179 @@ func (s *DescribeCertificateAuthorityOutput) SetCertificateAuthority(v *Certific return s } +// Describes an Electronic Data Interchange (EDI) entity as described in as +// defined in Subject Alternative Name (https://tools.ietf.org/html/rfc5280) +// in RFC 5280. +type EdiPartyName struct { + _ struct{} `type:"structure"` + + // Specifies the name assigner. + NameAssigner *string `type:"string"` + + // Specifies the party name. + // + // PartyName is a required field + PartyName *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s EdiPartyName) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EdiPartyName) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EdiPartyName) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EdiPartyName"} + if s.PartyName == nil { + invalidParams.Add(request.NewErrParamRequired("PartyName")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetNameAssigner sets the NameAssigner field's value. +func (s *EdiPartyName) SetNameAssigner(v string) *EdiPartyName { + s.NameAssigner = &v + return s +} + +// SetPartyName sets the PartyName field's value. +func (s *EdiPartyName) SetPartyName(v string) *EdiPartyName { + s.PartyName = &v + return s +} + +// Describes an ASN.1 X.400 GeneralName as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280). +// Only one of the following naming options should be providied. Providing more +// than one option results in an InvalidArgsException error. +type GeneralName struct { + _ struct{} `type:"structure"` + + // Contains information about the certificate subject. The certificate can be + // one issued by your private certificate authority (CA) or it can be your private + // CA certificate. The Subject field in the certificate identifies the entity + // that owns or controls the public key in the certificate. The entity can be + // a user, computer, device, or service. The Subject must contain an X.500 distinguished + // name (DN). A DN is a sequence of relative distinguished names (RDNs). The + // RDNs are separated by commas in the certificate. The DN must be unique for + // each entity, but your private CA can issue more than one certificate with + // the same DN to the same entity. + DirectoryName *ASN1Subject `type:"structure"` + + // Represents GeneralName as a DNS name. + DnsName *string `type:"string"` + + // Represents GeneralName as an EdiPartyName object. + EdiPartyName *EdiPartyName `type:"structure"` + + // Represents GeneralName as an IPv4 or IPv6 address. + IpAddress *string `type:"string"` + + // Represents GeneralName using an OtherName object. + OtherName *OtherName `type:"structure"` + + // Represents GeneralName as an object identifier (OID). + RegisteredId *string `type:"string"` + + // Represents GeneralName as an RFC 822 (https://tools.ietf.org/html/rfc822) + // email address. + Rfc822Name *string `type:"string"` + + // Represents GeneralName as a URI. + UniformResourceIdentifier *string `type:"string"` +} + +// String returns the string representation +func (s GeneralName) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GeneralName) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GeneralName) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GeneralName"} + if s.DirectoryName != nil { + if err := s.DirectoryName.Validate(); err != nil { + invalidParams.AddNested("DirectoryName", err.(request.ErrInvalidParams)) + } + } + if s.EdiPartyName != nil { + if err := s.EdiPartyName.Validate(); err != nil { + invalidParams.AddNested("EdiPartyName", err.(request.ErrInvalidParams)) + } + } + if s.OtherName != nil { + if err := s.OtherName.Validate(); err != nil { + invalidParams.AddNested("OtherName", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDirectoryName sets the DirectoryName field's value. +func (s *GeneralName) SetDirectoryName(v *ASN1Subject) *GeneralName { + s.DirectoryName = v + return s +} + +// SetDnsName sets the DnsName field's value. +func (s *GeneralName) SetDnsName(v string) *GeneralName { + s.DnsName = &v + return s +} + +// SetEdiPartyName sets the EdiPartyName field's value. +func (s *GeneralName) SetEdiPartyName(v *EdiPartyName) *GeneralName { + s.EdiPartyName = v + return s +} + +// SetIpAddress sets the IpAddress field's value. +func (s *GeneralName) SetIpAddress(v string) *GeneralName { + s.IpAddress = &v + return s +} + +// SetOtherName sets the OtherName field's value. +func (s *GeneralName) SetOtherName(v *OtherName) *GeneralName { + s.OtherName = v + return s +} + +// SetRegisteredId sets the RegisteredId field's value. +func (s *GeneralName) SetRegisteredId(v string) *GeneralName { + s.RegisteredId = &v + return s +} + +// SetRfc822Name sets the Rfc822Name field's value. +func (s *GeneralName) SetRfc822Name(v string) *GeneralName { + s.Rfc822Name = &v + return s +} + +// SetUniformResourceIdentifier sets the UniformResourceIdentifier field's value. +func (s *GeneralName) SetUniformResourceIdentifier(v string) *GeneralName { + s.UniformResourceIdentifier = &v + return s +} + type GetCertificateAuthorityCertificateInput struct { _ struct{} `type:"structure"` @@ -4176,9 +4527,9 @@ type GetCertificateAuthorityCertificateOutput struct { Certificate *string `type:"string"` // Base64-encoded certificate chain that includes any intermediate certificates - // and chains up to root on-premises certificate that you used to sign your - // private CA certificate. The chain does not include your private CA certificate. - // If this is a root CA, the value will be null. + // and chains up to root certificate that you used to sign your private CA certificate. + // The chain does not include your private CA certificate. If this is a root + // CA, the value will be null. CertificateChain *string `type:"string"` } @@ -4344,8 +4695,8 @@ type GetCertificateOutput struct { // The base64 PEM-encoded certificate specified by the CertificateArn parameter. Certificate *string `type:"string"` - // The base64 PEM-encoded certificate chain that chains up to the on-premises - // root CA certificate that you used to sign your private CA certificate. + // The base64 PEM-encoded certificate chain that chains up to the root CA certificate + // that you used to sign your private CA certificate. CertificateChain *string `type:"string"` } @@ -4704,7 +5055,7 @@ func (s *InvalidNextTokenException) RequestID() string { // The resource policy is invalid or is missing a required statement. For general // information about IAM policy and statement structure, see Overview of JSON -// Policies (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). +// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). type InvalidPolicyException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -5149,6 +5500,103 @@ func (s *IssueCertificateOutput) SetCertificateArn(v string) *IssueCertificateOu return s } +// Defines one or more purposes for which the key contained in the certificate +// can be used. Default value for each option is false. +type KeyUsage struct { + _ struct{} `type:"structure"` + + // Key can be used to sign CRLs. + CRLSign *bool `type:"boolean"` + + // Key can be used to decipher data. + DataEncipherment *bool `type:"boolean"` + + // Key can be used only to decipher data. + DecipherOnly *bool `type:"boolean"` + + // Key can be used for digital signing. + DigitalSignature *bool `type:"boolean"` + + // Key can be used only to encipher data. + EncipherOnly *bool `type:"boolean"` + + // Key can be used in a key-agreement protocol. + KeyAgreement *bool `type:"boolean"` + + // Key can be used to sign certificates. + KeyCertSign *bool `type:"boolean"` + + // Key can be used to encipher data. + KeyEncipherment *bool `type:"boolean"` + + // Key can be used for non-repudiation. + NonRepudiation *bool `type:"boolean"` +} + +// String returns the string representation +func (s KeyUsage) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s KeyUsage) GoString() string { + return s.String() +} + +// SetCRLSign sets the CRLSign field's value. +func (s *KeyUsage) SetCRLSign(v bool) *KeyUsage { + s.CRLSign = &v + return s +} + +// SetDataEncipherment sets the DataEncipherment field's value. +func (s *KeyUsage) SetDataEncipherment(v bool) *KeyUsage { + s.DataEncipherment = &v + return s +} + +// SetDecipherOnly sets the DecipherOnly field's value. +func (s *KeyUsage) SetDecipherOnly(v bool) *KeyUsage { + s.DecipherOnly = &v + return s +} + +// SetDigitalSignature sets the DigitalSignature field's value. +func (s *KeyUsage) SetDigitalSignature(v bool) *KeyUsage { + s.DigitalSignature = &v + return s +} + +// SetEncipherOnly sets the EncipherOnly field's value. +func (s *KeyUsage) SetEncipherOnly(v bool) *KeyUsage { + s.EncipherOnly = &v + return s +} + +// SetKeyAgreement sets the KeyAgreement field's value. +func (s *KeyUsage) SetKeyAgreement(v bool) *KeyUsage { + s.KeyAgreement = &v + return s +} + +// SetKeyCertSign sets the KeyCertSign field's value. +func (s *KeyUsage) SetKeyCertSign(v bool) *KeyUsage { + s.KeyCertSign = &v + return s +} + +// SetKeyEncipherment sets the KeyEncipherment field's value. +func (s *KeyUsage) SetKeyEncipherment(v bool) *KeyUsage { + s.KeyEncipherment = &v + return s +} + +// SetNonRepudiation sets the NonRepudiation field's value. +func (s *KeyUsage) SetNonRepudiation(v bool) *KeyUsage { + s.NonRepudiation = &v + return s +} + // An ACM Private CA quota has been exceeded. See the exception message returned // to determine the quota that was exceeded. type LimitExceededException struct { @@ -5688,6 +6136,61 @@ func (s *MalformedCertificateException) RequestID() string { return s.RespMetadata.RequestID } +// Defines a custom ASN.1 X.400 GeneralName using an object identifier (OID) +// and value. The OID must satisfy the regular expression shown below. For more +// information, see NIST's definition of Object Identifier (OID) (https://csrc.nist.gov/glossary/term/Object_Identifier). +type OtherName struct { + _ struct{} `type:"structure"` + + // Specifies an OID. + // + // TypeId is a required field + TypeId *string `type:"string" required:"true"` + + // Specifies an OID value. + // + // Value is a required field + Value *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s OtherName) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s OtherName) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *OtherName) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "OtherName"} + if s.TypeId == nil { + invalidParams.Add(request.NewErrParamRequired("TypeId")) + } + if s.Value == nil { + invalidParams.Add(request.NewErrParamRequired("Value")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetTypeId sets the TypeId field's value. +func (s *OtherName) SetTypeId(v string) *OtherName { + s.TypeId = &v + return s +} + +// SetValue sets the Value field's value. +func (s *OtherName) SetValue(v string) *OtherName { + s.Value = &v + return s +} + // Permissions designate which private CA actions can be performed by an AWS // service or entity. In order for ACM to automatically renew private certificates, // you must give the ACM service principal all available permissions (IssueCertificate, @@ -6734,6 +7237,10 @@ type Validity struct { // // * Output expiration date: 01/10/2020 12:34:54 UTC // + // The minimum validity duration for a certificate using relative time (DAYS) + // is one day. The minimum validity for a certificate using absolute time (ABSOLUTE + // or END_DATE) is one second. + // // Type is a required field Type *string `type:"string" required:"true" enum:"ValidityPeriodType"` @@ -6784,6 +7291,26 @@ func (s *Validity) SetValue(v int64) *Validity { return s } +const ( + // AccessMethodTypeCaRepository is a AccessMethodType enum value + AccessMethodTypeCaRepository = "CA_REPOSITORY" + + // AccessMethodTypeResourcePkiManifest is a AccessMethodType enum value + AccessMethodTypeResourcePkiManifest = "RESOURCE_PKI_MANIFEST" + + // AccessMethodTypeResourcePkiNotify is a AccessMethodType enum value + AccessMethodTypeResourcePkiNotify = "RESOURCE_PKI_NOTIFY" +) + +// AccessMethodType_Values returns all elements of the AccessMethodType enum +func AccessMethodType_Values() []string { + return []string{ + AccessMethodTypeCaRepository, + AccessMethodTypeResourcePkiManifest, + AccessMethodTypeResourcePkiNotify, + } +} + const ( // ActionTypeIssueCertificate is a ActionType enum value ActionTypeIssueCertificate = "IssueCertificate" diff --git a/service/acmpca/doc.go b/service/acmpca/doc.go index bc8c55b61a8..99e3fd918ca 100644 --- a/service/acmpca/doc.go +++ b/service/acmpca/doc.go @@ -3,7 +3,6 @@ // Package acmpca provides the client and types for making API // requests to AWS Certificate Manager Private Certificate Authority. // -// // This is the ACM Private CA API Reference. It provides descriptions, syntax, // and usage examples for each of the actions and data types involved in creating // and managing private certificate authorities (CA) for your organization. diff --git a/service/acmpca/errors.go b/service/acmpca/errors.go index a95d1ccca45..860c6bd15c9 100644 --- a/service/acmpca/errors.go +++ b/service/acmpca/errors.go @@ -45,7 +45,7 @@ const ( // // The resource policy is invalid or is missing a required statement. For general // information about IAM policy and statement structure, see Overview of JSON - // Policies (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json). ErrCodeInvalidPolicyException = "InvalidPolicyException" // ErrCodeInvalidRequestException for service response error code diff --git a/service/apigatewayv2/api.go b/service/apigatewayv2/api.go index d86d09fd33f..16498f659f7 100644 --- a/service/apigatewayv2/api.go +++ b/service/apigatewayv2/api.go @@ -8034,16 +8034,28 @@ type CreateIntegrationInput struct { // A string with a length between [1-64]. PayloadFormatVersion *string `locationName:"payloadFormatVersion" type:"string"` - // A key-value map specifying response parameters that are passed to the method - // response from the backend. The key is a method response header parameter - // name and the mapped value is an integration response header value, a static - // value enclosed within a pair of single quotes, or a JSON expression from - // the integration response body. The mapping key must match the pattern of - // method.response.header.{name}, where name is a valid and unique header name. - // The mapped non-static value must match the pattern of integration.response.header.{name} - // or integration.response.body.{JSON-expression}, where name is a valid and - // unique response header name and JSON-expression is a valid JSON expression - // without the $ prefix. + // For WebSocket APIs, a key-value map specifying request parameters that are + // passed from the method request to the backend. The key is an integration + // request parameter name and the associated value is a method request parameter + // value or static value that must be enclosed within single quotes and pre-encoded + // as required by the backend. The method request parameter value must match + // the pattern of method.request.{location}.{name} , where {location} is querystring, + // path, or header; and {name} must be a valid and unique method request parameter + // name. + // + // For HTTP API integrations with a specified integrationSubtype, request parameters + // are a key-value map specifying parameters that are passed to AWS_PROXY integrations. + // You can provide static values, or map request data, stage variables, or context + // variables that are evaluated at runtime. To learn more, see Working with + // AWS service integrations for HTTP APIs (https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services.html). + // + // For HTTP API integrations without a specified integrationSubtype request + // parameters are a key-value map specifying how to transform HTTP requests + // before sending them to the backend. The key should follow the pattern