Comments (6)
mshantanu
commented on July 18, 2024
2
Ah, Thank you very much @divyansh-gupta it worked like a charm.
from aws-privateca-issuer.
divyansh-gupta
commented on July 18, 2024
Hi, could you please post the relevant portion of the policy you are using for arn:aws:sts::XXXXXXXX:assumed-role/shared-dev-1-cert-manager/1657793931500012209, and the policy or RAM permission attached to your CA?
And what template type are you issuing with? Cross-account supports a limited set of template types. The plugin picks the template type based off the Usage Type you specify. Check this section in our Readme for information: Mapping Cert-Manager Usage Types to AWS PCA Template Arns.
Thank you.
from aws-privateca-issuer.
mshantanu
commented on July 18, 2024
Hi @divyansh-gupta , the policy looks like this,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "awspcaissuer",
"Effect": "Allow",
"Action": [
"acm-pca:IssueCertificate",
"acm-pca:GetCertificate",
"acm-pca:DescribeCertificateAuthority"
],
"Resource": "*"
}
]
}
and RAM permission attached to the CA is the one provided by AWS permission library named AWSRAMDefaultPermissionCertificateAuthority
from aws-privateca-issuer.
divyansh-gupta
commented on July 18, 2024
Thank you. That RAM policy is:
[
{
"Effect": "Allow",
"Action": [
"acm-pca:IssueCertificate"
],
"Condition": {
"StringEquals": {
"acm-pca:TemplateArn": "arn::acm-pca:::template/EndEntityCertificate/V1"
}
}
},
{
"Effect": "Allow",
"Action": [
"acm-pca:DescribeCertificateAuthority",
"acm-pca:GetCertificate",
"acm-pca:GetCertificateAuthorityCertificate",
"acm-pca:ListPermissions",
"acm-pca:ListTags"
]
}
]
Are you issuing a arn::acm-pca:::template/EndEntityCertificate/V1 through the plugin, based off the Mapping Cert-Manager Usage Types to AWS PCA Template Arns section of the README?
from aws-privateca-issuer.
mshantanu
commented on July 18, 2024
Thanks for your reply @divyansh-gupta . Sorry I didn't get this point. I just installed the cert-manager, then installed this plugin using helm chart and then created the issuer. Do I need to do something else? please suggest.
from aws-privateca-issuer.
divyansh-gupta
commented on July 18, 2024
Hi @Kumar-shantanu, no problem, happy to help. Each Certificate CRD has an optional usages section, as defined in https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources. The plugin translates those usages to templateArns based off this chart: https://github.com/cert-manager/aws-privateca-issuer#mapping-cert-manager-usage-types-to-aws-pca-template-arns
Your user is authorized to issue an EndEntityCertificate/V1 certificate. The chart shows that you need ClientAuth, ServerAuth usages for that. Here is an example of what you need to add to your Certificate CRD to do that:
aws-privateca-issuer/config/examples/certificates/ecdsa-521.yaml
Lines 17 to 19 in 16fdb56
Let me know if that works out for you.
from aws-privateca-issuer.
Related Issues (20)
- [Feature Request]: List the chart repository on artifacthub.io HOT 1
- [Feature Request]: Integration with cert-manager 1.10 HOT 4
- [Bug]: Using the default version causes image pull failures HOT 4
- Integration with cert-manager, istio-csr fails pod to pod mTLS. HOT 5
- [Bug]: Image Tag in Helm Chart doesn't match Contianer Image Tag HOT 9
- topologySpreadConstraints support in helm chart HOT 6
- [Bug]: cert-manager.io/cluster-issuer annotation does not work for AWSPCAClusterIssuer HOT 12
- [Feature Request]: helm chart: support optional podDisruptionBudget HOT 1
- [Feature Request]: Documentation of useage with ingress annotations HOT 2
- [Bug]: panic: runtime error: invalid memory address or nil pointer dereference HOT 8
- security HOT 3
- [Feature Request]: Support temporary AWS credentials (including AWS_SESSION_TOKEN) HOT 1
- [Bug]: Error: failed to sts.GetCallerIdentity when using IRSA HOT 11
- [Bug]: awspca-issuer not using secretRef to obtain CA HOT 7
- [Feature Request]: Issue image out of more official ECR Public Repo HOT 2
- [Feature Request]: Support ARM64 architecture HOT 4
- [Feature Request]: Add feature to call kubernetes secrets for the AWSPCAClusterIssuer spec.arn value HOT 3
- [Bug]: Issuer is not ready and certificate creation fails HOT 10
- [Bug]: Connection to AWS PCA not working HOT 5
- [Feature Request]: Replace deprecated `set-output` command with environment file HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-privateca-issuer.