AWS Certificate Manager Spoke

GauravS69173284
Tera Contributor

Hi All, I have a question regarding the AWS Certificate Manager spoke prerequisite. In the prerequisite section of the documentation, it is mentioned that we need a user with full access to AWS Certificate Manager.

What does full access mean? Could anyone help me with which roles and policies the IAM user needs?
Also, how does this spoke retrieve certificates from a multi-account AWS setup?

I would really appreciate any answers to my questions.

1 ACCEPTED SOLUTION

dbook
Kilo Sage

AWS provides two managed policies tailored for ACM:

  1. AWSCertificateManagerFullAccess: Grants full access to all ACM actions and resources. 

  2. AWSCertificateManagerReadOnly: Provides read-only access, allowing users to describe, list, and retrieve ACM certificates. 

These policies can be attached to IAM users, groups, or roles to quickly assign permissions and should be sufficient for the Spoke. If you are only using Get / Lookup actions, I would use option 2 to follow least-privilege principles.

 

For a multi-account setup, as far as I can tell you would need to clone/copy the spoke actions and configure an additional Connection & Credential alias and map this to the copied action's credential alias used in the REST Step.

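As an added illustration (not part of dbook's answer or of the spoke itself), the script below contrasts the effect of the two managed policies using constructed policy documents and flags any grant that goes beyond an assumed set of read-only ACM actions; the read-only action list and the write-action probes are assumptions, not taken from the spoke documentation.

```python
"""Least-privilege check for an ACM spoke IAM policy (added example, not from the thread)."""
import fnmatch

# Assumption: the ACM calls a Get / Lookup style spoke step needs (all read-only).
ACM_READ_ONLY_ACTIONS = {
    "acm:DescribeCertificate",
    "acm:GetCertificate",
    "acm:ListCertificates",
    "acm:ListTagsForCertificate",
}

# Constructed: the effect of attaching AWSCertificateManagerFullAccess (all ACM actions).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "acm:*", "Resource": "*"}],
}

# Constructed: a customer-managed read-only policy scoped to the calls above.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(ACM_READ_ONLY_ACTIONS), "Resource": "*"}
    ],
}


def allowed_actions(policy):
    """Collect every Action pattern from Allow statements (string or list form)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def excess_grants(policy, needed=ACM_READ_ONLY_ACTIONS):
    """Return Action patterns granting more than `needed`.

    A pattern is excess when it matches none of the needed actions, or when
    (via wildcards) it also matches a constructed probe of known write actions.
    """
    probes = needed | {"acm:DeleteCertificate", "acm:ImportCertificate", "acm:RequestCertificate"}
    excess = set()
    for pattern in allowed_actions(policy):
        matched = {a for a in probes if fnmatch.fnmatchcase(a, pattern)}
        if not matched or not matched <= needed:
            excess.add(pattern)
    return excess
```

Running `excess_grants(FULL_ACCESS_POLICY)` reports the `acm:*` grant as excess, while the scoped read-only policy reports nothing, which is the least-privilege outcome the answer recommends for Get / Lookup use.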

2 REPLIES 2


@dbook  Thank you for your reply. I really appreciate it. I will test the setup based on the information you have provided and will share the results here.