Created November 19, 2020 13:12
private ca cross account https://forums.aws.amazon.com/thread.jspa?threadID=291254
Hello,
We have a recent update on a workaround to achieve the PCA cross-account setup.
As of now AWS Private CA does not offer a resource-based policy to provide access to Private CAs across accounts; however, you may create a role (with issue-certificate and get-certificate permissions) in the account hosting the CA that trusts the other accounts, whose users would then issue certificates from the private CA using the CLI by creating a private key and CSR, without using Certificate Manager. Please find below the steps that explain this process:
Setup:
Account A - Hosting Private CA, Example ARN: arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c
Account A - Role: "CrossAccountPCA" - ARN: arn:aws:iam::12345678901:role/CrossAccountPCA
The below IAM policy would give permissions to issue private certificates using a specific private Certificate Authority only. If you wish to allow permissions across all CAs, you may replace the resource section with a wild-card (*) instead of a specific CA ARN.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c"
    }
  ]
}
CrossAccountPCA role trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::9876543210CrossAccountID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Account B - Create a profile in the cross-account user's CLI, something like below.
Under .aws/config
[profile crosspca]
role_arn = arn:aws:iam::12345678901:role/CrossAccountPCA
source_profile = ctest2
Under .aws/credentials
[ctest2]
aws_access_key_id = YOUR_AWS_ACCESS_KEY_ID
aws_secret_access_key = YOUR_AWS_SECRET_ACCESS_KEY
Generate a Private Key and CSR using OpenSSL:
openssl req -new -newkey rsa:2048 -days 365 -keyout test_cert_priv_key.pem -out test_cert_.csr
Using the generated CSR, you may now issue private certificates using the acm-pca IssueCertificate API. For example,
aws --profile crosspca acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c --csr file://test_cert_.csr --signing-algorithm "SHA256WITHRSA" --validity Value=365,Type="DAYS" --region us-east-2
{
  "CertificateArn": "arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56ab-6591-4ca4-bf0c-97badb00c73c/certificate/d6814be98237d22491f523a766e118e9"
}
The certificate body can be retrieved using the below get-certificate API call:
aws --profile crosspca acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c --certificate-arn arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56ab-6591-4ca4-bf0c-97badb00c73c/certificate/d6814be98237d22491f523a766e118e9 --region us-east-2
{
"CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIDvTCCAqWgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCVVMx\nEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFzAVBgNVBAoM\nDkV4YW1wbGVDb21wYW55MRkwFwYDVQQDDBBnb3Bpa2lyYW5wY2EuY29tMB4XDTE4\nMDkyNzIyMDgzM1oXDTI4MDkyNDIyMDgzM1owczELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMRUwEwYDVQQKDAxFeGFtcGxlIENvcnAx\nCzAJBgNVBAsMAklUMSEwHwYDVQQDDBh0ZXN0Q0ExLmdvcGlraXJhbnBjYS5jb20w\nggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxhPWk2En/o2se0nS40TWh\nmskPsldhMP5hctR7s3cV2kF9rXj9hcqVkWpSQ1p0e7mkCla3wHu6Rc5K7xiZUr9f\nBPS8hWzOjLcJjN42ppB4gE97gSfin1nsiVU25TEYmy4zOJaZ1yVDoGzUhZpH2H8O\n32Hr8OuVMJrX8yXkW70AT17pzOvfvR+h4JR8kjqbJv8DEtRKzOyi21NH8TgahVaT\nurdqWpRAl6RnbMKp0+d1J1rIllgqOdZWdhlwhKFm3Q+XVbKuOQrTgO4QgInfHwW9\nHZk42t+lYDWRUFXe6pSn9sTrS8vqalRLImVJ/egpedcOLTpVI/R+sLsJRntxj4Dp\nAgMBAAGjZjBkMB0GA1UdDgQWBBTGAKFkI15D7vBZbbYkRBPeDG9FDzAfBgNVHSME\nGDAWgBQB1SACI4PC5WF4uZaPxRrkhQiR6DASBgNVHRMBAf8ECDAGAQH/AgEAMA4G\nA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAB0+k3xfYwGke2jzmy+/v\nDblEToK8AzUO2mVeIkM5icntwGg7h80jhr+QhfTTcHSG95WrPzT5OeOIwIG068wV\n859EcmbG9Sheq71H19S/sDJLQEHIA0KsXJctNBjjFpfqboVzfDODa7ESzVnTVT3n\nM+fQgJaQ5Vl3pDR9sRkVETC751RnTWbYbQaDL6/HlbTDGYwEGPkN13j+VuaJVxwz\nG4HWQfFXl7Blm/I79qA+jr4Rj9zdPr5Oh6AFNty7WogsXCIKEX/GPW5bG11rLXfN\n1Jd2DzlcrDV4sHDA9jEiV4Mpp1RKmdruYObGNw4Q02aJXwh5P127FH38cbXvk2Vu\n4Q==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDtjCCAp6gAwIBAgIJAIi5uFnkE4yyMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRcw\nFQYDVQQKDA5FeGFtcGxlQ29tcGFueTEZMBcGA1UEAwwQZ29waWtpcmFucGNhLmNv\nbTAeFw0xODA5MjcxNTM0MDNaFw0yMDA5MjYxNTM0MDNaMGgxCzAJBgNVBAYTAlVT\nMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRcwFQYDVQQK\nDA5FeGFtcGxlQ29tcGFueTEZMBcGA1UEAwwQZ29waWtpcmFucGNhLmNvbTCCASIw\nDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3TY6bW07TgzPN+MZfn+91DRKtt\nUar9bKDpoZdDxpE3ULoF7wrLF1B/8NuRx1ghVJt3A5fkCPY3bhVioh7Bld5PzJRy\nNmhepk1tzeVrN50vyTYXr4dcK5i/ieMpc3sOz6gEjiSab/Aqs6AeB8fDZ0D64nKD\nxROtiZXCaG/pNYcZSihtqwLKYkPMUHAfReYVb6DhMWrJWUhUFZennHHvM3/ISUa9\nl0VPuXFP/lLyEXTZo1/NXaHOoNeDjvKq7a5KOtGSpHMjvnbnm8htRcbdErEMUhcu\nnOfIAPMjSQYBDcE4QOe+I89RWxvMiUgTmgh0firiRI5JzR0y4uGJwFkTw+MCAwEA\nAaNjMGEwHQYDVR0OBBYEFAHVIAIjg8LlYXi5lo/FGuSFCJHoMB8GA1UdIwQYMBaA\nFAHVIAIjg8LlYXi5lo/FGuSFCJHoMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/\nBAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQCxrSch4KnIpJ/edwdvff0eojmYihhp\nPBLTu6mUPfH2peOIIZkI+wBA4EVRX/DAMpBa7CpI6PZbELqHzB3wqUF9ALgG2vTQ\nhHvrsq/tMKn/UnY4slHaKdp8IDcyC+m7I1xh8JTD/3udz5F/fLS/93s+8BqDFRz3\n7QjEiMuqvpiEysl0HDHj+vLKMdLwTL2lLCa5xr3PDZID0H15XM895bzdnMLvoYd3\ntaOOgB1UXC4/XcUB+jr1BO0dEEnUioaNlkgWrGmA9u7L78mD1rh3x1BQ/b8VhO/3\nkEUfXrjh+pbJa1IFOSri2MZm2sMuCszvUPwRTuHm3BScOi87mg2VZLhQ\n-----END CERTIFICATE-----", | |
"Certificate": "-----BEGIN CERTIFICATE-----\nMIID1zCCAr+gAwIBAgIRANaBS+mCN9IkkfUjp2bhGOkwDQYJKoZIhvcNAQELBQAw\nczELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxlMRUw\nEwYDVQQKDAxFeGFtcGxlIENvcnAxCzAJBgNVBAsMAklUMSEwHwYDVQQDDBh0ZXN0\nQ0ExLmdvcGlraXJhbnBjYS5jb20wHhcNMTkwOTI5MTY1ODE2WhcNMjAwOTI4MTc1\nODE2WjBdMQswCQYDVQQGEwJVUzELMAkGA1UECAwCVFgxDzANBgNVBAcMBkRhbGxh\nczEMMAoGA1UECgwDRGV2MQ4wDAYDVQQLDAVIZWxsbzESMBAGA1UEAwwJaGVsbG8u\nY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0I/AFxgw2NvhdPMp\nbHjLCaKtyqce6+MbfT76VVMLBzjxVZNVuMI/eIRF4MhTfnh27/M9foONHz9hNPtP\nbfKX9mVHmdbD1vLPS0d/waykBUz/d15SWFp61Kya7C9q/yS5Z5sYZijerrS97Ps1\n67zC4asEq1vWjzkxj6ByZ7WnzjgpGYz96crYcAbWuZjPV+RSF0J/0wSQTTjwMND2\nHxbJD2QZEUCc3kga0y5vfVUgxgwP3eL5OzX5THHDtYRjujlaCBMMpln1DU9WvU+d\nqL/4CbkeUZWI+mqBzPVyRu0TF1CLjRmsKnb2Phh0EcUjGACV6RbUr0wwnW0U7mt0\neRcShQIDAQABo3wwejAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFMYAoWQjXkPu8Flt\ntiREE94Mb0UPMB0GA1UdDgQWBBTZKU1tulV7TYqsM2n1JK3ceLfimzAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3\nDQEBCwUAA4IBAQCcJfXqWmt9bvrjCD4KQgWTg/Dqff7NEme0cUldolhx3xKCbwVR\nIF1mNiX2qCacKFwi1RGvzTxtLVZNzS0Xj9Oy3i5sJE3HTKcgzmQsNOwueJady3Q9\ntR2sjnIiuoQvTIJnoiz1+i6j9cktxf9MuH6sfFq8UWaWsIGqJ2YOfYrt0ofbtA8H\n0atKYEG3d5bO4tPBk7+uok/uS1/IW2flN+UdkpjtMeHL+ZV8nGnDqXI4BiAMR4x3\nYNqzEMVvveYAotCpoNrDNYag5r/DAqhBdMFZwjM08epR5yslwlHfolN+JuCKpoou\nsKn20rwKNx+abHnOOUh/RW8XKQmVT2ZACMhQ\n-----END CERTIFICATE-----" | |
}
Alternatively, if you would like to request private certificates using the ACM "request-certificate" API, you may "Allow" the "RequestCertificate" action in the role policy. However, the "RequestCertificate" API cannot be restricted to a specific issuing private CA, since the API does not support Private CA resource-level permissions. Hence the role would have permissions to request both public and private certificates from the CLI without any restrictions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:DescribeCertificateAuthority"
      ],
      "Resource": "arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*"
    }
  ]
}
Using the above policy, the role can issue private certificates using the CA specified in the policy and also request private certificates from any CA using the acm:RequestCertificate API call.
aws acm --profile crosspca request-certificate --domain-name www.example.com --certificate-authority-arn arn:aws:acm-pca:us-east-2:12345678901:certificate-authority/d85a56xx-6591-4ca4-bf0c-97badb11c87c --region us-east-2
{
  "CertificateArn": "arn:aws:acm:us-east-2:12345678901:certificate/c9366fcf-bf7b-443a-952a-7e59740c45f5"
}
Hope this helps. Let us know of any queries you have.
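The reply above gives the role, the profile and the individual CLI calls; what it does not show is the run from Account B as one checked procedure. The script below is an added example, not part of the forum reply or of any AWS tooling. It assumes 12-digit placeholder account IDs and a placeholder CA ARN (overridable through the PCA_* environment variables), the profile name crosspca from the reply, OpenSSL 1.1.1 or newer for -addext and -ext, and an AWS CLI that has the acm-pca certificate-issued waiter. It adds the checks a practitioner wants around the reply's three API calls: it confirms the profile really resolves to an assumed role in the CA account (otherwise a misconfigured profile silently uses the Account B source keys and the calls fail with AccessDenied), it waits for asynchronous issuance before calling get-certificate, it refuses a certificate ARN that does not sit under the CA ARN it was issued from (note that the sample output in the reply shows a different CA id from the one in the command, which get-certificate would reject), and it verifies the returned chain and the key/cert pairing locally. The key and CSR stay on the client; only the CSR crosses the account boundary, which is the whole point of this pattern. The script needs nothing beyond the acm-pca:IssueCertificate, GetCertificate and DescribeCertificateAuthority grants in the reply's first policy; sts:GetCallerIdentity needs no permission. Note that AWS has since added resource-based policies and RAM sharing for Private CA, so the role-assumption workaround is no longer the only option, but the checks here apply either way.

```shell
#!/bin/sh
# Added example, not from the forum reply: cross-account issuance from Account B
# through the CrossAccountPCA role in Account A, with sanity checks. All ARNs,
# account IDs, the profile name and the domain are placeholders/assumptions.
set -eu

CA_ARN=${PCA_CA_ARN:-'arn:aws:acm-pca:us-east-2:111111111111:certificate-authority/11111111-2222-3333-4444-555555555555'}
PROFILE=${PCA_PROFILE:-crosspca}   # profile whose role_arn is Account A's CrossAccountPCA role
REGION=${PCA_REGION:-us-east-2}
DOMAIN=${PCA_DOMAIN:-svc.internal.example.com}
WORKDIR=${PCA_WORKDIR:-./pca-out}

# Field 5 of an ARN is the account id: arn:partition:service:region:account:resource
arn_account() {
    printf '%s\n' "$1" | cut -d: -f5
}

# A certificate ARN is "<CA ARN>/certificate/<id>"; get-certificate rejects a
# certificate ARN that does not belong to the CA ARN passed alongside it.
cert_arn_matches_ca() {
    case "$2" in
        "$1"/certificate/*) return 0 ;;
        *) return 1 ;;
    esac
}

# The profile must land in the CA account as an assumed role, not fall back to
# the Account B source credentials (which would only produce AccessDenied later).
check_identity() {
    caller=$(aws --profile "$PROFILE" --region "$REGION" sts get-caller-identity --query Arn --output text)
    [ "$(arn_account "$caller")" = "$(arn_account "$CA_ARN")" ] || {
        echo "profile $PROFILE resolves to $caller, not to the CA account" >&2; return 1; }
    case "$caller" in
        *:assumed-role/*) ;;
        *) echo "not an assumed role: $caller" >&2; return 1 ;;
    esac
}

# Key and CSR are generated locally; only the CSR is sent to the CA account.
# -addext needs OpenSSL 1.1.1+; TLS clients match on the SAN, not the CN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/req.csr" \
        -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN"
    chmod 600 "$WORKDIR/key.pem"
}

issue_and_fetch() {
    cert_arn=$(aws --profile "$PROFILE" --region "$REGION" acm-pca issue-certificate \
        --certificate-authority-arn "$CA_ARN" \
        --csr "fileb://$WORKDIR/req.csr" \
        --signing-algorithm SHA256WITHRSA \
        --validity Value=90,Type=DAYS \
        --query CertificateArn --output text)
    cert_arn_matches_ca "$CA_ARN" "$cert_arn" || { echo "unexpected issuer in $cert_arn" >&2; return 1; }
    # Issuance is asynchronous: get-certificate immediately after issue-certificate
    # can fail with RequestInProgressException, so block on the waiter first.
    aws --profile "$PROFILE" --region "$REGION" acm-pca wait certificate-issued \
        --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn"
    aws --profile "$PROFILE" --region "$REGION" acm-pca get-certificate \
        --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn" \
        --query Certificate --output text > "$WORKDIR/cert.pem"
    aws --profile "$PROFILE" --region "$REGION" acm-pca get-certificate \
        --certificate-authority-arn "$CA_ARN" --certificate-arn "$cert_arn" \
        --query CertificateChain --output text > "$WORKDIR/chain.pem"
    echo "$cert_arn"
}

# The chain returned by the CA must validate the leaf, and the leaf's public key
# must be the one from the local private key (i.e. the CA signed our CSR).
verify_bundle() {
    openssl verify -CAfile "$WORKDIR/chain.pem" "$WORKDIR/cert.pem"
    [ "$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/key.pem" -pubout)" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl x509 -in "$WORKDIR/cert.pem" -noout -subject -issuer -ext subjectAltName -dates
}

main() {
    mkdir -p "$WORKDIR"
    check_identity
    make_csr
    issue_and_fetch
    verify_bundle
}

# Only talk to AWS when explicitly asked (PCA_RUN=1); sourcing the file just defines the helpers.
if [ "${PCA_RUN:-0}" = "1" ]; then main; fi
```

Run it as `PCA_RUN=1 PCA_CA_ARN=arn:aws:acm-pca:... PCA_DOMAIN=host.example.internal sh issue.sh` from the Account B workstation. The validity is set to 90 days rather than the reply's 365 because short-lived certificates limit the blast radius of a leaked key; adjust to your policy. If check_identity fails, fix the [profile crosspca] stanza or the trust policy before touching the CA.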