create_trust_anchor
- IAMRolesAnywhere.Client.create_trust_anchor(**kwargs)
Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to a Private Certificate Authority (Private CA) or by uploading a CA certificate. Your workloads (typically running outside Amazon Web Services) can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials. Because any end-entity certificate that chains to the anchor can be presented for credentials, scope the trusted roles' trust policies (for example with conditions on the trust anchor ARN and on certificate attributes) rather than relying on the CA alone.
Required permissions: rolesanywhere:CreateTrustAnchor
See also: AWS API Documentation
Request Syntax
response = client.create_trust_anchor(
    enabled=True|False,
    name='string',
    notificationSettings=[
        {
            'channel': 'ALL',
            'enabled': True|False,
            'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY',
            'threshold': 123
        },
    ],
    source={
        'sourceData': {
            'acmPcaArn': 'string',
            'x509CertificateData': 'string'
        },
        'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
    },
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ]
)
- Parameters:
enabled (boolean) – Specifies whether the trust anchor is enabled.
name (string) – [REQUIRED]
The name of the trust anchor.
notificationSettings (list) –
A list of notification settings to be associated to the trust anchor.
(dict) –
Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard.
channel (string) –
The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.
Note
In the absence of a specific channel, IAM Roles Anywhere applies this setting to ‘ALL’ channels.
enabled (boolean) – [REQUIRED]
Indicates whether the notification setting is enabled.
event (string) – [REQUIRED]
The event to which this notification setting is applied.
threshold (integer) –
The number of days before a notification event. This value is required for a notification setting that is enabled.
source (dict) – [REQUIRED]
The trust anchor type and its related certificate data.
sourceData (dict) –
The data field of the trust anchor depending on its type.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: acmPcaArn, x509CertificateData.
acmPcaArn (string) –
The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type AWS_ACM_PCA.
x509CertificateData (string) –
The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE.
sourceType (string) –
The type of the trust anchor.
tags (list) –
The tags to attach to the trust anchor.
(dict) –
A label that consists of a key and value you define.
key (string) – [REQUIRED]
The tag key.
value (string) – [REQUIRED]
The tag value.
- Return type:
dict
- Returns:
Response Syntax
{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'notificationSettings': [
            {
                'channel': 'ALL',
                'configuredBy': 'string',
                'enabled': True|False,
                'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold': 123
            },
        ],
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}
Response Structure
(dict) –
trustAnchor (dict) –
The state of the trust anchor after a read or write operation.
createdAt (datetime) –
The ISO-8601 timestamp when the trust anchor was created.
enabled (boolean) –
Indicates whether the trust anchor is enabled.
name (string) –
The name of the trust anchor.
notificationSettings (list) –
A list of notification settings to be associated to the trust anchor.
(dict) –
The state of a notification setting.
A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.
channel (string) –
The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.
Note
In the absence of a specific channel, IAM Roles Anywhere applies this setting to ‘ALL’ channels.
configuredBy (string) –
The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is rolesanywhere.amazonaws.com, and for customized notification settings, it is the respective account ID.
enabled (boolean) –
Indicates whether the notification setting is enabled.
event (string) –
The event to which this notification setting is applied.
threshold (integer) –
The number of days before a notification event.
source (dict) –
The trust anchor type and its related certificate data.
sourceData (dict) –
The data field of the trust anchor depending on its type.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
acmPcaArn (string) –
The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type AWS_ACM_PCA.
x509CertificateData (string) –
The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE.
sourceType (string) –
The type of the trust anchor.
trustAnchorArn (string) –
The ARN of the trust anchor.
trustAnchorId (string) –
The unique identifier of the trust anchor.
updatedAt (datetime) –
The ISO-8601 timestamp when the trust anchor was last updated.
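The following is an added example, not code from the boto3 documentation or from AWS. It ties the request syntax and parameter rules above to the response structure: it assembles the create_trust_anchor(**kwargs) dict so that exactly one sourceData key is set and agrees with sourceType, sanity-checks a CERTIFICATE_BUNDLE before it becomes an anchor (refusing any PEM block that is not a CERTIFICATE, since a pasted private key is the classic mistake), enforces the rule that threshold is required for an enabled notification setting, and reads the tagged-union source back from the response, including the SDK_UNKNOWN_MEMBER case. The helper names, the FakeRolesAnywhereClient stand-in and the placeholder PEM are constructed for this example; SELF_SIGNED_REPOSITORY is refused by the helper only because this page documents no sourceData key for it. For real use pass boto3.client('rolesanywhere') in place of the fake client.

```python
"""Added example (not boto3/AWS code): build and validate a CreateTrustAnchor
request, submit it, and read the tagged-union source back from the response.
Helper names, the fake client and the placeholder PEM are constructed here."""
import base64
import re
from datetime import datetime, timezone

# Tagged union from the page: each sourceType pairs with exactly one sourceData
# key. SELF_SIGNED_REPOSITORY is listed as a type but no key is documented for
# it, so this helper refuses it rather than guess.
SOURCE_KEY_FOR_TYPE = {"AWS_ACM_PCA": "acmPcaArn", "CERTIFICATE_BUNDLE": "x509CertificateData"}
NOTIFICATION_EVENTS = {"CA_CERTIFICATE_EXPIRY", "END_ENTITY_CERTIFICATE_EXPIRY"}
ACM_PCA_ARN = re.compile(r"^arn:aws[a-z-]*:acm-pca:[a-z0-9-]+:\d{12}:certificate-authority/[0-9a-f-]+$")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed placeholder: base64 of a bare DER SEQUENCE, not a real CA cert.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nMAA=\n-----END CERTIFICATE-----\n"


def count_ca_certificates(pem: str) -> int:
    """Sanity-check a bundle before anchoring trust on it: every block must be a
    CERTIFICATE whose body decodes to an ASN.1 SEQUENCE. Returns the count."""
    blocks = PEM_BLOCK.findall(pem)
    if not blocks:
        raise ValueError("no PEM blocks found")
    for label, body in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to anchor trust on a {label} block")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # X.509 Certificate ::= SEQUENCE
            raise ValueError("PEM body is not a DER-encoded certificate")
    return len(blocks)


def validate_notification_settings(settings: list) -> list:
    """Documented constraints: known event, boolean enabled, positive threshold
    (days) whenever enabled; channel defaults to ALL as the page's note says."""
    out = []
    for s in settings:
        if s.get("event") not in NOTIFICATION_EVENTS:
            raise ValueError(f"unknown event {s.get('event')!r}")
        enabled, threshold = s.get("enabled"), s.get("threshold")
        if not isinstance(enabled, bool):
            raise ValueError("enabled is required and must be a boolean")
        if enabled and not (isinstance(threshold, int) and threshold > 0):
            raise ValueError("threshold is required for an enabled setting")
        entry = {"channel": s.get("channel", "ALL"), "enabled": enabled, "event": s["event"]}
        if threshold is not None:
            entry["threshold"] = threshold
        out.append(entry)
    return out


def build_request(name, source_type, source_value, enabled=False,
                  notification_settings=None, tags=None) -> dict:
    """Assemble create_trust_anchor(**kwargs) with exactly one sourceData key.
    enabled defaults to False here so a new anchor can be reviewed first."""
    key = SOURCE_KEY_FOR_TYPE.get(source_type)
    if key is None:
        raise ValueError(f"unsupported sourceType {source_type!r}")
    if key == "acmPcaArn" and not ACM_PCA_ARN.match(source_value):
        raise ValueError("acmPcaArn must be a Private CA certificate-authority ARN")
    if key == "x509CertificateData":
        count_ca_certificates(source_value)
    request = {"name": name, "enabled": enabled,
               "source": {"sourceType": source_type, "sourceData": {key: source_value}}}
    if notification_settings:
        request["notificationSettings"] = validate_notification_settings(notification_settings)
    if tags:
        request["tags"] = [{"key": k, "value": v} for k, v in tags.items()]
    return request


def create_trust_anchor(client, request: dict) -> dict:
    """Submit the request; client is boto3.client('rolesanywhere') in real use."""
    return client.create_trust_anchor(**request)["trustAnchor"]


def describe_source(trust_anchor: dict) -> tuple:
    """Read the tagged union from a response; a newer service version may return
    a member this SDK does not know, surfaced as SDK_UNKNOWN_MEMBER."""
    data = trust_anchor["source"]["sourceData"]
    if "SDK_UNKNOWN_MEMBER" in data:
        return ("unknown", data["SDK_UNKNOWN_MEMBER"]["name"])
    (key, value), = data.items()  # exactly one key, or this raises
    return (key, value)


class FakeRolesAnywhereClient:
    """Constructed offline stand-in that echoes the documented response shape."""
    def create_trust_anchor(self, **kwargs):
        now = datetime.now(timezone.utc)
        settings = [dict(s, configuredBy="123456789012") for s in kwargs.get("notificationSettings", [])]
        return {"trustAnchor": {
            "createdAt": now, "updatedAt": now, "name": kwargs["name"],
            "enabled": kwargs.get("enabled", False), "notificationSettings": settings,
            "source": kwargs["source"], "trustAnchorId": "0" * 8,
            "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/" + "0" * 8}}


if __name__ == "__main__":
    req = build_request("corp-issuing-ca", "CERTIFICATE_BUNDLE", CONSTRUCTED_PEM,
                        notification_settings=[{"event": "CA_CERTIFICATE_EXPIRY", "enabled": True, "threshold": 30}],
                        tags={"owner": "platform-security"})
    anchor = create_trust_anchor(FakeRolesAnywhereClient(), req)
    print(anchor["trustAnchorArn"], describe_source(anchor)[0])
```

The PEM check is deliberately structural: it guards against uploading the wrong kind of object, not against a weak CA. Before enabling the anchor, inspect the decoded certificate with your usual tooling (for example openssl x509 -noout -text) to confirm it is the intended CA with basicConstraints CA:TRUE, and then restrict which certificates may assume which roles through the role trust policy rather than through the anchor alone.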
Exceptions
IAMRolesAnywhere.Client.exceptions.ValidationException
IAMRolesAnywhere.Client.exceptions.AccessDeniedException