07-09-2025 11:56 PM
Hi all, I have a question regarding the AWS Certificate Manager spoke prerequisites. In the prerequisite section of the documentation, it is mentioned that we need a user with full access to AWS Certificate Manager.
What does full access mean? Could anyone help me with which roles and policies the IAM user needs?
Also, how does this spoke retrieve certificates from a multi-account AWS setup?
I would really appreciate any answers to my questions.
07-10-2025 01:59 AM
AWS provides two managed policies tailored for ACM:
- AWSCertificateManagerFullAccess: Grants full access to all ACM actions and resources.
- AWSCertificateManagerReadOnly: Provides read-only access, allowing users to describe, list, and retrieve ACM certificates.
These policies can be attached to IAM users, groups, or roles to quickly assign permissions and should be sufficient for the Spoke. If you are only using Get / Lookup actions, I would use option 2 to follow least-privilege principles.
For a multi-account setup, as far as I can tell you would need to clone/copy the spoke actions, configure an additional Connection & Credential alias, and map this to the copied action's credential alias used in the REST step.
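As an added illustration (not code from this thread, the spoke, or AWS), the Python below builds the minimal inline policy a Get / Lookup-only spoke user would need and flags any Allow grant in a policy document that reaches beyond that read set. The action list and the sample "full access" policy are assumed and constructed for the example; they are not the contents of the AWS managed policies.

```python
import json

# ACM actions a spoke that only runs Get / Lookup steps needs (assumed set;
# adjust to the actions your spoke actually calls)
ACM_READ_ACTIONS = (
    "acm:ListCertificates",
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListTagsForCertificate",
)

def least_privilege_acm_policy():
    """Build an inline IAM policy granting only the read actions above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(ACM_READ_ACTIONS),
            # List calls are not resource-scoped; narrow Describe/Get to
            # certificate ARNs if your account layout allows it
            "Resource": "*",
        }],
    }

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def excess_grants(policy):
    """Return every Allow action in `policy` that is not one of the read
    actions the spoke needs. Wildcards ('*', 'acm:*', 'acm:Delete*') are
    reported as-is: they widen silently whenever AWS adds new actions."""
    excess = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        for act in _as_list(st.get("Action")):
            if act not in ACM_READ_ACTIONS:
                excess.append(act)
    return excess

# Constructed sample of what a "full access" style grant looks like
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["acm:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(least_privilege_acm_policy(), indent=2))
    print("excess in full-access policy:", excess_grants(FULL_ACCESS_POLICY))
    print("excess in read-only policy:", excess_grants(least_privilege_acm_policy()))
```

Run the checker against the policy actually attached to the spoke's IAM user before going live, and again whenever the spoke actions change.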
07-10-2025 03:08 AM
@dbook Thank you for your reply. I really appreciate it. I will test the setup based on the information you have provided and will share the results here.