IAMRolesAnywhere / Client / create_trust_anchor

create_trust_anchor#

IAMRolesAnywhere.Client.create_trust_anchor(**kwargs)#

Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA). You can define a trust anchor as a reference to an Private Certificate Authority (Private CA) or by uploading a CA certificate. Your Amazon Web Services workloads can authenticate with the trust anchor using certificates issued by the CA in exchange for temporary Amazon Web Services credentials.

Required permissions: rolesanywhere:CreateTrustAnchor.

See also: AWS API Documentation

Request Syntax

response = client.create_trust_anchor(
    enabled=True|False,
    name='string',
    notificationSettings=[
        {
            'channel': 'ALL',
            'enabled': True|False,
            'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY',
            'threshold': 123
        },
    ],
    source={
        'sourceData': {
            'acmPcaArn': 'string',
            'x509CertificateData': 'string'
        },
        'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
    },
    tags=[
        {
            'key': 'string',
            'value': 'string'
        },
    ]
)
Parameters:
  • enabled (boolean) – Specifies whether the trust anchor is enabled.

  • name (string) –

    [REQUIRED]

    The name of the trust anchor.

  • notificationSettings (list) –

    A list of notification settings to be associated to the trust anchor.

    • (dict) –

      Customizable notification settings that will be applied to notification events. IAM Roles Anywhere consumes these settings while notifying across multiple channels - CloudWatch metrics, EventBridge, and Health Dashboard.

      • channel (string) –

        The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.

        Note

        In the absence of a specific channel, IAM Roles Anywhere applies this setting to ‘ALL’ channels.

      • enabled (boolean) – [REQUIRED]

        Indicates whether the notification setting is enabled.

      • event (string) – [REQUIRED]

        The event to which this notification setting is applied.

      • threshold (integer) –

        The number of days before a notification event. This value is required for a notification setting that is enabled.

  • source (dict) –

    [REQUIRED]

    The trust anchor type and its related certificate data.

    • sourceData (dict) –

      The data field of the trust anchor depending on its type.

      Note

      This is a Tagged Union structure. Only one of the following top level keys can be set: acmPcaArn, x509CertificateData.

      • acmPcaArn (string) –

        The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type AWS_ACM_PCA.

      • x509CertificateData (string) –

        The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE.

    • sourceType (string) –

      The type of the trust anchor.

  • tags (list) –

    The tags to attach to the trust anchor.

    • (dict) –

      A label that consists of a key and value you define.

      • key (string) – [REQUIRED]

        The tag key.

      • value (string) – [REQUIRED]

        The tag value.

Return type:

dict

Returns:

Response Syntax

{
    'trustAnchor': {
        'createdAt': datetime(2015, 1, 1),
        'enabled': True|False,
        'name': 'string',
        'notificationSettings': [
            {
                'channel': 'ALL',
                'configuredBy': 'string',
                'enabled': True|False,
                'event': 'CA_CERTIFICATE_EXPIRY'|'END_ENTITY_CERTIFICATE_EXPIRY',
                'threshold': 123
            },
        ],
        'source': {
            'sourceData': {
                'acmPcaArn': 'string',
                'x509CertificateData': 'string'
            },
            'sourceType': 'AWS_ACM_PCA'|'CERTIFICATE_BUNDLE'|'SELF_SIGNED_REPOSITORY'
        },
        'trustAnchorArn': 'string',
        'trustAnchorId': 'string',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) –

    • trustAnchor (dict) –

      The state of the trust anchor after a read or write operation.

      • createdAt (datetime) –

        The ISO-8601 timestamp when the trust anchor was created.

      • enabled (boolean) –

        Indicates whether the trust anchor is enabled.

      • name (string) –

        The name of the trust anchor.

      • notificationSettings (list) –

        A list of notification settings to be associated to the trust anchor.

        • (dict) –

          The state of a notification setting.

          A notification setting includes information such as event name, threshold, status of the notification setting, and the channel to notify.

          • channel (string) –

            The specified channel of notification. IAM Roles Anywhere uses CloudWatch metrics, EventBridge, and Health Dashboard to notify for an event.

            Note

            In the absence of a specific channel, IAM Roles Anywhere applies this setting to ‘ALL’ channels.

          • configuredBy (string) –

            The principal that configured the notification setting. For default settings configured by IAM Roles Anywhere, the value is rolesanywhere.amazonaws.com, and for customized notifications settings, it is the respective account ID.

          • enabled (boolean) –

            Indicates whether the notification setting is enabled.

          • event (string) –

            The event to which this notification setting is applied.

          • threshold (integer) –

            The number of days before a notification event.

      • source (dict) –

        The trust anchor type and its related certificate data.

        • sourceData (dict) –

          The data field of the trust anchor depending on its type.

          Note

          This is a Tagged Union structure. Only one of the following top level keys will be set: acmPcaArn, x509CertificateData. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
          
          • acmPcaArn (string) –

            The root certificate of the Private Certificate Authority specified by this ARN is used in trust validation for temporary credential requests. Included for trust anchors of type AWS_ACM_PCA.

          • x509CertificateData (string) –

            The PEM-encoded data for the certificate anchor. Included for trust anchors of type CERTIFICATE_BUNDLE.

        • sourceType (string) –

          The type of the trust anchor.

      • trustAnchorArn (string) –

        The ARN of the trust anchor.

      • trustAnchorId (string) –

        The unique identifier of the trust anchor.

      • updatedAt (datetime) –

        The ISO-8601 timestamp when the trust anchor was last updated.

Exceptions

  • IAMRolesAnywhere.Client.exceptions.ValidationException

  • IAMRolesAnywhere.Client.exceptions.AccessDeniedException