Can we export private certificate from ACM cross account?

Question

When building a PKI with AWS PCA and AWS Certificate Manager, one requirement is to retrieve the certificate and associated private key from ACM, and store them in AWS Secrets Manager across accounts, as we deploy our applications that rely on the certificate in a cross-account manner.

I am not sure if ACM supports invoking the ExportCertificate API across accounts. Please help.

Riku_Kobayashi · Answer

Hello.

I think it is possible to export certificates across accounts by using AssumeRole to assume the IAM role of the AWS account that has ACM.  
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html

By the way, it seems that resource-based policies can also be used, so I think it is possible to allow access by setting these.  
https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html

Can we export private certificate from ACM cross account?

添加回答

相关内容