Adding UUID tag while creating certificates via ACM


While creating a private certificate via ACM, I added a tag with key UUID and value "xxxxx".

When adding a condition to the IAM Roles Anywhere trust policy, I added the following: "Condition": { "StringEquals": { "aws:ResourceTag/UUID": "xxxxx" } }

If I do that, I get this error while generating temporary credentials: 2023/04/11 08:48:11 AccessDeniedException: Unable to assume role for arn:aws:iam::977695881:role/testIAMRolesAnywhere.

If I remove the condition, it works fine.

Is there anything wrong with the condition?

1 Answer

That condition is testing the tags of the role, since the role is the resource specified in the policy and the resource the policy is attached to.

Instead of testing the tag of a certificate, test the attributes that are extracted from the certificate. See: Trust policy.

I would put it in the Subject Name Alternative, DirName, CommonName. But you will need to use the CLI to generate this, as the console does not have this option. See: issue-certificate.

AWS
EXPERT
kentrad
answered a year ago
  • Ok, thanks. In certificates, the subject CN is the domain name we provide while ACM creates the certificate. My use case needs a UUID in the certificates to differentiate between 2 devices. Where should the UUID be added?
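Added example, not part of the thread and not kentrad's code: it models the two condition-key families the answer contrasts. aws:ResourceTag/* is resolved against the tags on the role being assumed, while aws:PrincipalTag/x509Subject/* and aws:PrincipalTag/x509SAN/* are resolved against attributes Roles Anywhere extracts from the presented certificate. The script builds an ApiPassthrough document for aws acm-pca issue-certificate that carries the device UUID in a SubjectAlternativeName DirectoryName CN, the matching trust policy, and a simplified StringEquals evaluator. The UUID, ARNs and device name are constructed sample values; the evaluator is a model of the relevant part of IAM's logic, not the real engine.

```python
import json

# Constructed sample values (not from the thread).
DEVICE_UUID = "3f2b9d9e-1c3a-4f0b-9a1d-7c6a2b8e4d10"
OTHER_DEVICE_UUID = "9a7c1e22-55b0-4c8e-8f31-0d2e6b4a9c77"
TRUST_ANCHOR_ARN = ("arn:aws:rolesanywhere:us-east-1:123456789012:"
                    "trust-anchor/00000000-0000-0000-0000-000000000000")

PRINCIPAL_TAG = "aws:PrincipalTag/"
RESOURCE_TAG = "aws:ResourceTag/"


def api_passthrough(device_name: str, device_uuid: str) -> dict:
    """ApiPassthrough document for `aws acm-pca issue-certificate`.

    Subject CN stays the device name; the UUID goes into a SAN DirectoryName CN,
    which Roles Anywhere exposes as the session tag x509SAN/Name/CN.
    """
    return {
        "Subject": {"CommonName": device_name},
        "Extensions": {
            "SubjectAlternativeNames": [
                {"DirectoryName": {"CommonName": device_uuid}}
            ]
        },
    }


def principal_tags_from_passthrough(doc: dict) -> dict:
    """Model of the attributes Roles Anywhere derives from the issued certificate
    (subset: Subject CN and SAN DirName CN), keyed as the aws:PrincipalTag suffixes."""
    tags = {}
    cn = doc.get("Subject", {}).get("CommonName")
    if cn:
        tags["x509Subject/CN"] = cn
    for san in doc.get("Extensions", {}).get("SubjectAlternativeNames", []):
        dn_cn = san.get("DirectoryName", {}).get("CommonName")
        if dn_cn:
            tags["x509SAN/Name/CN"] = dn_cn
    return tags


def trust_policy(device_uuid: str) -> dict:
    """Role trust policy pinned to one device certificate via a certificate attribute."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "StringEquals": {PRINCIPAL_TAG + "x509SAN/Name/CN": device_uuid},
                "ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN},
            },
        }],
    }


def string_equals_matches(condition: dict, principal_tags: dict, role_tags: dict) -> bool:
    """Simplified StringEquals evaluation: aws:PrincipalTag/* reads the session tags
    derived from the certificate, aws:ResourceTag/* reads the tags on the role.
    A key with no value in the request context never matches. Single values only."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key.startswith(PRINCIPAL_TAG):
            actual = principal_tags.get(key[len(PRINCIPAL_TAG):])
        elif key.startswith(RESOURCE_TAG):
            actual = role_tags.get(key[len(RESOURCE_TAG):])
        else:
            actual = None
        if actual != expected:
            return False
    return True


def compare_conditions(pinned_uuid: str, presented_uuid: str, role_tags: dict) -> tuple:
    """(result of the original aws:ResourceTag/UUID condition,
        result of the aws:PrincipalTag/x509SAN/Name/CN condition)
    for a certificate carrying `presented_uuid` against a policy pinned to `pinned_uuid`."""
    cert = api_passthrough("device-01.example.internal", presented_uuid)
    cert_tags = principal_tags_from_passthrough(cert)
    original = {"StringEquals": {RESOURCE_TAG + "UUID": pinned_uuid}}
    fixed = trust_policy(pinned_uuid)["Statement"][0]["Condition"]
    return (string_equals_matches(original, cert_tags, role_tags),
            string_equals_matches(fixed, cert_tags, role_tags))


if __name__ == "__main__":
    print(json.dumps(api_passthrough("device-01.example.internal", DEVICE_UUID), indent=2))
    print(json.dumps(trust_policy(DEVICE_UUID), indent=2))
    # Role carries no UUID tag (the tag went on the ACM certificate): original denies, fixed allows.
    print(compare_conditions(DEVICE_UUID, DEVICE_UUID, {}))
    # Tagging the role instead would make the original pass for ANY certificate, even another device's.
    print(compare_conditions(DEVICE_UUID, OTHER_DEVICE_UUID, {"UUID": DEVICE_UUID}))
```

Write the first JSON document to a file and pass it to the CLI with --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 --api-passthrough file://passthrough.json (alongside the usual --certificate-authority-arn, --csr, --signing-algorithm and --validity arguments). The second run in the script is the caveat worth keeping in mind: tagging the role to make the original condition pass would not distinguish devices at all, because every certificate chained to the trust anchor would then satisfy it. The trust policy also needs sts:TagSession so the certificate attributes are attached to the session as tags.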
