Package software.amazon.awscdk.services.acmpca

Class CfnPermission

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.acmpca.CfnPermission
All Implemented Interfaces:
IInspectable, IPermissionRef, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.116.0 (build 0eddcff)", date="2025-10-24T13:34:30.010Z") @Stability(Stable) public class CfnPermission extends CfnResource implements IInspectable, IPermissionRef
Grants permissions to the Certificate Manager ( ACM ) service principal ( acm.amazonaws.com ) to perform IssueCertificate , GetCertificate , and ListPermissions actions on a CA. These actions are needed for the ACM principal to renew private PKI certificates requested through ACM and residing in the same AWS account as the CA.

About permissions - If the private CA and the certificates it issues reside in the same account, you can use AWS::ACMPCA::Permission to grant permissions for ACM to carry out automatic certificate renewals.

  • For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve, and list permissions.
  • If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable cross-account issuance and renewals. For more information, see Using a Resource Based Policy with AWS Private CA .

To update an AWS::ACMPCA::Permission resource, you must first delete the existing permission resource from the CloudFormation stack and then create a new permission resource with updated properties.

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.acmpca.*;
 CfnPermission cfnPermission = CfnPermission.Builder.create(this, "MyCfnPermission")
         .actions(List.of("actions"))
         .certificateAuthorityArn("certificateAuthorityArn")
         .principal("principal")
         // the properties below are optional
         .sourceAccount("sourceAccount")
         .build();

See Also:

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnPermission

      protected CfnPermission(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnPermission

      @Stability(Stable) public CfnPermission(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnPermissionProps props)
      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getPermissionRef

      @Stability(Stable) @NotNull public PermissionReference getPermissionRef()
      A reference to a Permission resource.
      Specified by:
      getPermissionRef in interface IPermissionRef

    • getActions

      @Stability(Stable) @NotNull public List<String> getActions()
      The private CA actions that can be performed by the designated AWS service.

    • setActions

      @Stability(Stable) public void setActions(@NotNull List<String> value)
      The private CA actions that can be performed by the designated AWS service.

    • getCertificateAuthorityArn

      @Stability(Stable) @NotNull public String getCertificateAuthorityArn()
      The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

    • setCertificateAuthorityArn

      @Stability(Stable) public void setCertificateAuthorityArn(@NotNull String value)
      The Amazon Resource Number (ARN) of the private CA from which the permission was issued.

    • getPrincipal

      @Stability(Stable) @NotNull public String getPrincipal()
      The AWS service or entity that holds the permission.

    • setPrincipal

      @Stability(Stable) public void setPrincipal(@NotNull String value)
      The AWS service or entity that holds the permission.

    • getSourceAccount

      @Stability(Stable) @Nullable public String getSourceAccount()
      The ID of the account that assigned the permission.

    • setSourceAccount

      @Stability(Stable) public void setSourceAccount(@Nullable String value)
      The ID of the account that assigned the permission.