AWS Certificate Manager Spoke

Go to solution
GauravS69173284
Tera Contributor

‎07-09-2025 11:56 PM

Hi All, I have a question regarding the AWS Certificate Manager spoke prerequisite. In the prerequisite section of the documentation, it is mentioned that we need a user with full access to AWS Certificate Manager.

What does full access mean? could anyone help me with what all roles and policies the IAM user needs?
Also, how does this spoke retrieves certificates from a multi account AWS setup?

I would really appreciate any answers to my questions.

0 Helpfuls
  • 323 Views
1 ACCEPTED SOLUTION

Go to solution
dbook
Kilo Sage

‎07-10-2025 01:59 AM

AWS provides two managed policies tailored for ACM:

  1. AWSCertificateManagerFullAccess: Grants full access to all ACM actions and resources. 

  2. AWSCertificateManagerReadOnly: Provides read-only access, allowing users to describe, list, and retrieve ACM certificates. 

These policies can be attached to IAM users, groups, or roles to quickly assign permissions and should be sufficient for the Spoke, if you are only using Get / Lookup actions I would use option 2 follow least priviledge pricinples. 

 

For a multi account set up, as far as I can tell you would need to clone/copy the spoke actions and configure an additional Connection & Credential alias and map this to the copied action's credential alias used in the REST Step.

 

dbook_0-1752137892906.png

 

 

 

View solution in original post

2 REPLIES 2

Go to solution
dbook
Kilo Sage

‎07-10-2025 01:59 AM

AWS provides two managed policies tailored for ACM:

  1. AWSCertificateManagerFullAccess: Grants full access to all ACM actions and resources. 

  2. AWSCertificateManagerReadOnly: Provides read-only access, allowing users to describe, list, and retrieve ACM certificates. 

These policies can be attached to IAM users, groups, or roles to quickly assign permissions and should be sufficient for the Spoke, if you are only using Get / Lookup actions I would use option 2 follow least priviledge pricinples. 

 

For a multi account set up, as far as I can tell you would need to clone/copy the spoke actions and configure an additional Connection & Credential alias and map this to the copied action's credential alias used in the REST Step.

 

dbook_0-1752137892906.png

 

 

 

Go to solution
GauravS69173284
Tera Contributor
In response to dbook

‎07-10-2025 03:08 AM

@dbook  Thank you for your reply. I really appreciate it. I will test the setup based on the information you have provided and will share the results here.

0 Helpfuls