/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with
* the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
package software.amazon.awssdk.services.acmpca;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;
import software.amazon.awssdk.annotations.Generated;
import software.amazon.awssdk.annotations.SdkInternalApi;
import software.amazon.awssdk.awscore.AwsRequestOverrideConfiguration;
import software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.core.ApiName;
import software.amazon.awssdk.core.RequestOverrideConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientConfiguration;
import software.amazon.awssdk.core.client.config.SdkClientOption;
import software.amazon.awssdk.core.client.handler.ClientExecutionParams;
import software.amazon.awssdk.core.client.handler.SyncClientHandler;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.core.http.HttpResponseHandler;
import software.amazon.awssdk.core.metrics.CoreMetric;
import software.amazon.awssdk.core.util.VersionInfo;
import software.amazon.awssdk.metrics.MetricCollector;
import software.amazon.awssdk.metrics.MetricPublisher;
import software.amazon.awssdk.metrics.NoOpMetricCollector;
import software.amazon.awssdk.protocols.core.ExceptionMetadata;
import software.amazon.awssdk.protocols.json.AwsJsonProtocol;
import software.amazon.awssdk.protocols.json.AwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.BaseAwsJsonProtocolFactory;
import software.amazon.awssdk.protocols.json.JsonOperationMetadata;
import software.amazon.awssdk.services.acmpca.model.AcmPcaException;
import software.amazon.awssdk.services.acmpca.model.AcmPcaRequest;
import software.amazon.awssdk.services.acmpca.model.CertificateMismatchException;
import software.amazon.awssdk.services.acmpca.model.ConcurrentModificationException;
import software.amazon.awssdk.services.acmpca.model.CreateCertificateAuthorityAuditReportRequest;
import software.amazon.awssdk.services.acmpca.model.CreateCertificateAuthorityAuditReportResponse;
import software.amazon.awssdk.services.acmpca.model.CreateCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.CreateCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.CreatePermissionRequest;
import software.amazon.awssdk.services.acmpca.model.CreatePermissionResponse;
import software.amazon.awssdk.services.acmpca.model.DeleteCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.DeleteCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.DeletePermissionRequest;
import software.amazon.awssdk.services.acmpca.model.DeletePermissionResponse;
import software.amazon.awssdk.services.acmpca.model.DeletePolicyRequest;
import software.amazon.awssdk.services.acmpca.model.DeletePolicyResponse;
import software.amazon.awssdk.services.acmpca.model.DescribeCertificateAuthorityAuditReportRequest;
import software.amazon.awssdk.services.acmpca.model.DescribeCertificateAuthorityAuditReportResponse;
import software.amazon.awssdk.services.acmpca.model.DescribeCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.DescribeCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.GetCertificateAuthorityCertificateRequest;
import software.amazon.awssdk.services.acmpca.model.GetCertificateAuthorityCertificateResponse;
import software.amazon.awssdk.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import software.amazon.awssdk.services.acmpca.model.GetCertificateAuthorityCsrResponse;
import software.amazon.awssdk.services.acmpca.model.GetCertificateRequest;
import software.amazon.awssdk.services.acmpca.model.GetCertificateResponse;
import software.amazon.awssdk.services.acmpca.model.GetPolicyRequest;
import software.amazon.awssdk.services.acmpca.model.GetPolicyResponse;
import software.amazon.awssdk.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import software.amazon.awssdk.services.acmpca.model.ImportCertificateAuthorityCertificateResponse;
import software.amazon.awssdk.services.acmpca.model.InvalidArgsException;
import software.amazon.awssdk.services.acmpca.model.InvalidArnException;
import software.amazon.awssdk.services.acmpca.model.InvalidNextTokenException;
import software.amazon.awssdk.services.acmpca.model.InvalidPolicyException;
import software.amazon.awssdk.services.acmpca.model.InvalidRequestException;
import software.amazon.awssdk.services.acmpca.model.InvalidStateException;
import software.amazon.awssdk.services.acmpca.model.InvalidTagException;
import software.amazon.awssdk.services.acmpca.model.IssueCertificateRequest;
import software.amazon.awssdk.services.acmpca.model.IssueCertificateResponse;
import software.amazon.awssdk.services.acmpca.model.LimitExceededException;
import software.amazon.awssdk.services.acmpca.model.ListCertificateAuthoritiesRequest;
import software.amazon.awssdk.services.acmpca.model.ListCertificateAuthoritiesResponse;
import software.amazon.awssdk.services.acmpca.model.ListPermissionsRequest;
import software.amazon.awssdk.services.acmpca.model.ListPermissionsResponse;
import software.amazon.awssdk.services.acmpca.model.ListTagsRequest;
import software.amazon.awssdk.services.acmpca.model.ListTagsResponse;
import software.amazon.awssdk.services.acmpca.model.LockoutPreventedException;
import software.amazon.awssdk.services.acmpca.model.MalformedCertificateException;
import software.amazon.awssdk.services.acmpca.model.MalformedCsrException;
import software.amazon.awssdk.services.acmpca.model.PermissionAlreadyExistsException;
import software.amazon.awssdk.services.acmpca.model.PutPolicyRequest;
import software.amazon.awssdk.services.acmpca.model.PutPolicyResponse;
import software.amazon.awssdk.services.acmpca.model.RequestAlreadyProcessedException;
import software.amazon.awssdk.services.acmpca.model.RequestFailedException;
import software.amazon.awssdk.services.acmpca.model.RequestInProgressException;
import software.amazon.awssdk.services.acmpca.model.ResourceNotFoundException;
import software.amazon.awssdk.services.acmpca.model.RestoreCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.RestoreCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.RevokeCertificateRequest;
import software.amazon.awssdk.services.acmpca.model.RevokeCertificateResponse;
import software.amazon.awssdk.services.acmpca.model.TagCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.TagCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.TooManyTagsException;
import software.amazon.awssdk.services.acmpca.model.UntagCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.UntagCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.model.UpdateCertificateAuthorityRequest;
import software.amazon.awssdk.services.acmpca.model.UpdateCertificateAuthorityResponse;
import software.amazon.awssdk.services.acmpca.paginators.ListCertificateAuthoritiesIterable;
import software.amazon.awssdk.services.acmpca.paginators.ListPermissionsIterable;
import software.amazon.awssdk.services.acmpca.paginators.ListTagsIterable;
import software.amazon.awssdk.services.acmpca.transform.CreateCertificateAuthorityAuditReportRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.CreateCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.CreatePermissionRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.DeleteCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.DeletePermissionRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.DeletePolicyRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.DescribeCertificateAuthorityAuditReportRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.DescribeCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.GetCertificateAuthorityCertificateRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.GetCertificateAuthorityCsrRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.GetCertificateRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.GetPolicyRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.ImportCertificateAuthorityCertificateRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.IssueCertificateRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.ListCertificateAuthoritiesRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.ListPermissionsRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.ListTagsRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.PutPolicyRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.RestoreCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.RevokeCertificateRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.TagCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.UntagCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.transform.UpdateCertificateAuthorityRequestMarshaller;
import software.amazon.awssdk.services.acmpca.waiters.AcmPcaWaiter;
import software.amazon.awssdk.utils.Logger;
/**
* Internal implementation of {@link AcmPcaClient}.
*
* @see AcmPcaClient#builder()
*/
@Generated("software.amazon.awssdk:codegen")
@SdkInternalApi
final class DefaultAcmPcaClient implements AcmPcaClient {
private static final Logger log = Logger.loggerFor(DefaultAcmPcaClient.class);
// Executes marshalled requests synchronously; built from the client configuration in the constructor.
private final SyncClientHandler clientHandler;
// AWS-JSON protocol factory that every operation uses to build its request marshaller and its
// success / error response handlers.
private final AwsJsonProtocolFactory protocolFactory;
// Kept so each operation can resolve metric publishers against the client-level configuration.
private final SdkClientConfiguration clientConfiguration;
/**
 * Builds the client from an already resolved {@link SdkClientConfiguration}.
 * <p>
 * The protocol factory is obtained through {@code init(...)}, which is defined elsewhere in this class and
 * whose body is not part of this excerpt; presumably it registers service-specific protocol settings
 * (the {@link ExceptionMetadata} import suggests error-code mappings) — TODO confirm against the full file.
 *
 * @param clientConfiguration
 *        resolved client configuration shared by every operation of this client
 */
protected DefaultAcmPcaClient(SdkClientConfiguration clientConfiguration) {
    this.clientHandler = new AwsSyncClientHandler(clientConfiguration);
    this.clientConfiguration = clientConfiguration;
    // init(...) customises the builder before it is built; see the note above.
    this.protocolFactory = init(AwsJsonProtocolFactory.builder()).build();
}
/**
 * Returns the name of the service this client talks to.
 *
 * @return the {@code SERVICE_NAME} constant in scope for this class (not declared in this excerpt; in the
 *         SDK's generated clients it lives on the {@link AcmPcaClient} interface — confirm there)
 */
@Override
public final String serviceName() {
    final String resolvedName = SERVICE_NAME;
    return resolvedName;
}
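/**
 * Creates a root or subordinate private certificate authority (CA). You must specify the CA configuration, an
 * optional configuration for Online Certificate Status Protocol (OCSP) and/or a certificate revocation list (CRL),
 * the CA type, and an optional idempotency token to avoid accidental creation of multiple CAs. The CA configuration
 * specifies the name of the algorithm and key size to be used to create the CA private key, the type of signing
 * algorithm that the CA uses, and X.500 subject information. The OCSP configuration can optionally specify a custom
 * URL for the OCSP responder. The CRL configuration specifies the CRL expiration period in days (the validity
 * period of the CRL), the Amazon S3 bucket that will contain the CRL, and a CNAME alias for the S3 bucket that is
 * included in certificates issued by the CA. If successful, this action returns the Amazon Resource Name (ARN) of
 * the CA.
 * <p>
 * ACM Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see
 * <i>Encrypting Your CRLs</i> in the ACM Private CA documentation.
 * <p>
 * Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM
 * principal making the call does not have permission to write to the bucket, then an exception is thrown. For more
 * information, see <i>Access policies for CRLs in Amazon S3</i>.
 *
 * @param createCertificateAuthorityRequest
 *        the CA configuration, the optional OCSP/CRL revocation configuration, the CA type and the optional
 *        idempotency token
 * @return Result of the CreateCertificateAuthority operation returned by the service.
 * @throws InvalidArgsException
 *         One or more of the specified arguments was not valid.
 * @throws InvalidPolicyException
 *         The resource policy is invalid or is missing a required statement. For general information about IAM
 *         policy and statement structure, see <i>Overview of JSON Policies</i>.
 * @throws InvalidTagException
 *         The tag associated with the CA is not valid. The invalid argument is contained in the message field.
 * @throws LimitExceededException
 *         An ACM Private CA quota has been exceeded. See the exception message returned to determine the quota that
 *         was exceeded.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws AcmPcaException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample AcmPcaClient.CreateCertificateAuthority
 * @see AcmPcaClient#createCertificateAuthority(CreateCertificateAuthorityRequest)
 */
@Override
public CreateCertificateAuthorityResponse createCertificateAuthority(
        CreateCertificateAuthorityRequest createCertificateAuthorityRequest) throws InvalidArgsException,
        InvalidPolicyException, InvalidTagException, LimitExceededException, AwsServiceException, SdkClientException,
        AcmPcaException {
    // Non-streaming, JSON-bodied response: the protocol factory unmarshals the body into the typed response.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler<CreateCertificateAuthorityResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, CreateCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);
    // Publishers come from the client configuration plus any per-request override; the resolution itself lives
    // in resolveMetricPublishers, which is defined elsewhere in this class.
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration,
            createCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    // No publishers means nobody consumes the metrics, so skip the bookkeeping entirely.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create()
            : MetricCollector.create("ApiCall");
    try {
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateCertificateAuthority");
        return clientHandler
                .execute(new ClientExecutionParams<CreateCertificateAuthorityRequest, CreateCertificateAuthorityResponse>()
                        .withOperationName("CreateCertificateAuthority").withResponseHandler(responseHandler)
                        .withErrorResponseHandler(errorResponseHandler).withInput(createCertificateAuthorityRequest)
                        .withMetricCollector(apiCallMetricCollector)
                        .withMarshaller(new CreateCertificateAuthorityRequestMarshaller(protocolFactory)));
    } finally {
        // Publish in finally so a failed call (service error or client-side exception) is still recorded.
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}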
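/**
 * Creates an audit report that lists every time that your CA private key is used. The report is saved in the Amazon
 * S3 bucket that you specify on input. The IssueCertificate and RevokeCertificate actions use the private key.
 * <p>
 * Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM
 * principal making the call does not have permission to write to the bucket, then an exception is thrown. For more
 * information, see <i>Access policies for CRLs in Amazon S3</i>.
 * <p>
 * ACM Private CA assets that are stored in Amazon S3 can be protected with encryption. For more information, see
 * <i>Encrypting Your Audit Reports</i>.
 * <p>
 * You can generate a maximum of one report every 30 minutes.
 *
 * @param createCertificateAuthorityAuditReportRequest
 *        identifies the CA whose private-key usage is reported and the S3 bucket that receives the report
 * @return Result of the CreateCertificateAuthorityAuditReport operation returned by the service.
 * @throws RequestInProgressException
 *         Your request is already in progress.
 * @throws RequestFailedException
 *         The request has failed for an unspecified reason.
 * @throws ResourceNotFoundException
 *         A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
 * @throws InvalidArnException
 *         The requested Amazon Resource Name (ARN) does not refer to an existing resource.
 * @throws InvalidArgsException
 *         One or more of the specified arguments was not valid.
 * @throws InvalidStateException
 *         The state of the private CA does not allow this action to occur.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws AcmPcaException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample AcmPcaClient.CreateCertificateAuthorityAuditReport
 * @see AcmPcaClient#createCertificateAuthorityAuditReport(CreateCertificateAuthorityAuditReportRequest)
 */
@Override
public CreateCertificateAuthorityAuditReportResponse createCertificateAuthorityAuditReport(
        CreateCertificateAuthorityAuditReportRequest createCertificateAuthorityAuditReportRequest)
        throws RequestInProgressException, RequestFailedException, ResourceNotFoundException, InvalidArnException,
        InvalidArgsException, InvalidStateException, AwsServiceException, SdkClientException, AcmPcaException {
    // Non-streaming, JSON-bodied response: the protocol factory unmarshals the body into the typed response.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler<CreateCertificateAuthorityAuditReportResponse> responseHandler = protocolFactory
            .createResponseHandler(operationMetadata, CreateCertificateAuthorityAuditReportResponse::builder);
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);
    // Publishers come from the client configuration plus any per-request override; the resolution itself lives
    // in resolveMetricPublishers, which is defined elsewhere in this class.
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration,
            createCertificateAuthorityAuditReportRequest.overrideConfiguration().orElse(null));
    // No publishers means nobody consumes the metrics, so skip the bookkeeping entirely.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create()
            : MetricCollector.create("ApiCall");
    try {
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreateCertificateAuthorityAuditReport");
        return clientHandler
                .execute(new ClientExecutionParams<CreateCertificateAuthorityAuditReportRequest, CreateCertificateAuthorityAuditReportResponse>()
                        .withOperationName("CreateCertificateAuthorityAuditReport").withResponseHandler(responseHandler)
                        .withErrorResponseHandler(errorResponseHandler)
                        .withInput(createCertificateAuthorityAuditReportRequest).withMetricCollector(apiCallMetricCollector)
                        .withMarshaller(new CreateCertificateAuthorityAuditReportRequestMarshaller(protocolFactory)));
    } finally {
        // Publish in finally so a failed call (service error or client-side exception) is still recorded.
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}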
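/**
 * Grants one or more permissions on a private CA to the Certificate Manager (ACM) service principal
 * ({@code acm.amazonaws.com}). These permissions allow ACM to issue and renew ACM certificates that reside in
 * the same Amazon Web Services account as the CA.
 * <p>
 * You can list current permissions with the ListPermissions action and revoke them with the DeletePermission
 * action.
 * <p>
 * <b>About Permissions</b>
 * <ul>
 * <li>If the private CA and the certificates it issues reside in the same account, you can use CreatePermission
 * to grant permissions for ACM to carry out automatic certificate renewals.</li>
 * <li>For automatic certificate renewal to succeed, the ACM service principal needs permissions to create,
 * retrieve, and list certificates.</li>
 * <li>If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to
 * enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable
 * cross-account issuance and renewals. For more information, see <i>Using a Resource Based Policy with ACM
 * Private CA</i>.</li>
 * </ul>
 *
 * @param createPermissionRequest
 *        identifies the private CA and the permissions being granted to the ACM service principal
 * @return Result of the CreatePermission operation returned by the service.
 * @throws ResourceNotFoundException
 *         A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
 * @throws InvalidArnException
 *         The requested Amazon Resource Name (ARN) does not refer to an existing resource.
 * @throws PermissionAlreadyExistsException
 *         The designated permission has already been given to the user.
 * @throws LimitExceededException
 *         An ACM Private CA quota has been exceeded. See the exception message returned to determine the quota that
 *         was exceeded.
 * @throws InvalidStateException
 *         The state of the private CA does not allow this action to occur.
 * @throws RequestFailedException
 *         The request has failed for an unspecified reason.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws AcmPcaException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample AcmPcaClient.CreatePermission
 * @see AcmPcaClient#createPermission(CreatePermissionRequest)
 */
@Override
public CreatePermissionResponse createPermission(CreatePermissionRequest createPermissionRequest)
        throws ResourceNotFoundException, InvalidArnException, PermissionAlreadyExistsException, LimitExceededException,
        InvalidStateException, RequestFailedException, AwsServiceException, SdkClientException, AcmPcaException {
    // Non-streaming, JSON-bodied response: the protocol factory unmarshals the body into the typed response.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler<CreatePermissionResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, CreatePermissionResponse::builder);
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);
    // Publishers come from the client configuration plus any per-request override; the resolution itself lives
    // in resolveMetricPublishers, which is defined elsewhere in this class.
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration,
            createPermissionRequest.overrideConfiguration().orElse(null));
    // No publishers means nobody consumes the metrics, so skip the bookkeeping entirely.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create()
            : MetricCollector.create("ApiCall");
    try {
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "CreatePermission");
        return clientHandler.execute(new ClientExecutionParams<CreatePermissionRequest, CreatePermissionResponse>()
                .withOperationName("CreatePermission").withResponseHandler(responseHandler)
                .withErrorResponseHandler(errorResponseHandler).withInput(createPermissionRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new CreatePermissionRequestMarshaller(protocolFactory)));
    } finally {
        // Publish in finally so a failed call (service error or client-side exception) is still recorded.
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}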
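/**
 * Deletes a private certificate authority (CA). You must provide the Amazon Resource Name (ARN) of the private CA
 * that you want to delete. You can find the ARN by calling the ListCertificateAuthorities action.
 * <p>
 * Deleting a CA will invalidate other CAs and certificates below it in your CA hierarchy.
 * <p>
 * Before you can delete a CA that you have created and activated, you must disable it. To do this, call the
 * UpdateCertificateAuthority action and set the {@code CertificateAuthorityStatus} parameter to
 * {@code DISABLED}.
 * <p>
 * Additionally, you can delete a CA if you are waiting for it to be created (that is, the status of the CA is
 * {@code CREATING}). You can also delete it if the CA has been created but you haven't yet imported the signed
 * certificate into ACM Private CA (that is, the status of the CA is {@code PENDING_CERTIFICATE}).
 * <p>
 * When you successfully call DeleteCertificateAuthority, the CA's status changes to {@code DELETED}. However, the
 * CA won't be permanently deleted until the restoration period has passed. By default, if you do not set the
 * {@code PermanentDeletionTimeInDays} parameter, the CA remains restorable for 30 days. You can set the parameter
 * from 7 to 30 days. The DescribeCertificateAuthority action returns the time remaining in the restoration window
 * of a private CA in the {@code DELETED} state. To restore an eligible CA, call the RestoreCertificateAuthority
 * action.
 *
 * @param deleteCertificateAuthorityRequest
 *        the ARN of the private CA to delete and, optionally, {@code PermanentDeletionTimeInDays}
 * @return Result of the DeleteCertificateAuthority operation returned by the service.
 * @throws ConcurrentModificationException
 *         A previous update to your private CA is still ongoing.
 * @throws ResourceNotFoundException
 *         A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
 * @throws InvalidArnException
 *         The requested Amazon Resource Name (ARN) does not refer to an existing resource.
 * @throws InvalidStateException
 *         The state of the private CA does not allow this action to occur.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws AcmPcaException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample AcmPcaClient.DeleteCertificateAuthority
 * @see AcmPcaClient#deleteCertificateAuthority(DeleteCertificateAuthorityRequest)
 */
@Override
public DeleteCertificateAuthorityResponse deleteCertificateAuthority(
        DeleteCertificateAuthorityRequest deleteCertificateAuthorityRequest) throws ConcurrentModificationException,
        ResourceNotFoundException, InvalidArnException, InvalidStateException, AwsServiceException, SdkClientException,
        AcmPcaException {
    // Non-streaming, JSON-bodied response: the protocol factory unmarshals the body into the typed response.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler<DeleteCertificateAuthorityResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, DeleteCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);
    // Publishers come from the client configuration plus any per-request override; the resolution itself lives
    // in resolveMetricPublishers, which is defined elsewhere in this class.
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration,
            deleteCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    // No publishers means nobody consumes the metrics, so skip the bookkeeping entirely.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create()
            : MetricCollector.create("ApiCall");
    try {
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeleteCertificateAuthority");
        return clientHandler
                .execute(new ClientExecutionParams<DeleteCertificateAuthorityRequest, DeleteCertificateAuthorityResponse>()
                        .withOperationName("DeleteCertificateAuthority").withResponseHandler(responseHandler)
                        .withErrorResponseHandler(errorResponseHandler).withInput(deleteCertificateAuthorityRequest)
                        .withMetricCollector(apiCallMetricCollector)
                        .withMarshaller(new DeleteCertificateAuthorityRequestMarshaller(protocolFactory)));
    } finally {
        // Publish in finally so a failed call (service error or client-side exception) is still recorded.
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}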
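/**
 * Revokes permissions on a private CA granted to the Certificate Manager (ACM) service principal
 * ({@code acm.amazonaws.com}).
 * <p>
 * These permissions allow ACM to issue and renew ACM certificates that reside in the same Amazon Web Services
 * account as the CA. If you revoke these permissions, ACM will no longer renew the affected certificates
 * automatically.
 * <p>
 * Permissions can be granted with the CreatePermission action and listed with the ListPermissions action.
 * <p>
 * <b>About Permissions</b>
 * <ul>
 * <li>If the private CA and the certificates it issues reside in the same account, you can use CreatePermission
 * to grant permissions for ACM to carry out automatic certificate renewals.</li>
 * <li>For automatic certificate renewal to succeed, the ACM service principal needs permissions to create,
 * retrieve, and list certificates.</li>
 * <li>If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to
 * enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable
 * cross-account issuance and renewals. For more information, see <i>Using a Resource Based Policy with ACM
 * Private CA</i>.</li>
 * </ul>
 *
 * @param deletePermissionRequest
 *        identifies the private CA whose permissions for the ACM service principal are revoked
 * @return Result of the DeletePermission operation returned by the service.
 * @throws ResourceNotFoundException
 *         A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
 * @throws InvalidArnException
 *         The requested Amazon Resource Name (ARN) does not refer to an existing resource.
 * @throws InvalidStateException
 *         The state of the private CA does not allow this action to occur.
 * @throws RequestFailedException
 *         The request has failed for an unspecified reason.
 * @throws SdkException
 *         Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
 *         catch all scenarios.
 * @throws SdkClientException
 *         If any client side error occurs such as an IO related failure, failure to get credentials, etc.
 * @throws AcmPcaException
 *         Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
 * @sample AcmPcaClient.DeletePermission
 * @see AcmPcaClient#deletePermission(DeletePermissionRequest)
 */
@Override
public DeletePermissionResponse deletePermission(DeletePermissionRequest deletePermissionRequest)
        throws ResourceNotFoundException, InvalidArnException, InvalidStateException, RequestFailedException,
        AwsServiceException, SdkClientException, AcmPcaException {
    // Non-streaming, JSON-bodied response: the protocol factory unmarshals the body into the typed response.
    JsonOperationMetadata operationMetadata = JsonOperationMetadata.builder().hasStreamingSuccessResponse(false)
            .isPayloadJson(true).build();
    HttpResponseHandler<DeletePermissionResponse> responseHandler = protocolFactory.createResponseHandler(
            operationMetadata, DeletePermissionResponse::builder);
    HttpResponseHandler<AwsServiceException> errorResponseHandler = createErrorResponseHandler(protocolFactory,
            operationMetadata);
    // Publishers come from the client configuration plus any per-request override; the resolution itself lives
    // in resolveMetricPublishers, which is defined elsewhere in this class.
    List<MetricPublisher> metricPublishers = resolveMetricPublishers(clientConfiguration,
            deletePermissionRequest.overrideConfiguration().orElse(null));
    // No publishers means nobody consumes the metrics, so skip the bookkeeping entirely.
    MetricCollector apiCallMetricCollector = metricPublishers.isEmpty() ? NoOpMetricCollector.create()
            : MetricCollector.create("ApiCall");
    try {
        apiCallMetricCollector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        apiCallMetricCollector.reportMetric(CoreMetric.OPERATION_NAME, "DeletePermission");
        return clientHandler.execute(new ClientExecutionParams<DeletePermissionRequest, DeletePermissionResponse>()
                .withOperationName("DeletePermission").withResponseHandler(responseHandler)
                .withErrorResponseHandler(errorResponseHandler).withInput(deletePermissionRequest)
                .withMetricCollector(apiCallMetricCollector)
                .withMarshaller(new DeletePermissionRequestMarshaller(protocolFactory)));
    } finally {
        // Publish in finally so a failed call (service error or client-side exception) is still recorded.
        metricPublishers.forEach(p -> p.publish(apiCallMetricCollector.collect()));
    }
}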
/**
*
* Deletes the resource-based policy attached to a private CA. Deletion will remove any access that the policy has
* granted. If there is no policy attached to the private CA, this action will return successful.
*
*
* If you delete a policy that was applied through Amazon Web Services Resource Access Manager (RAM), the CA will be
* removed from all shares in which it was included.
*
*
* The Certificate Manager Service Linked Role that the policy supports is not affected when you delete the policy.
*
*
* The current policy can be shown with GetPolicy and updated with
* PutPolicy.
*
*
* About Policies
*
*
* -
*
* A policy grants access on a private CA to an Amazon Web Services customer account, to Amazon Web Services
* Organizations, or to an Amazon Web Services Organizations unit. Policies are under the control of a CA
* administrator. For more information, see Using a Resource Based Policy with ACM
* Private CA.
*
*
* -
*
* A policy permits a user of Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
*
*
* -
*
* For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role
* (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM
* Private CA policy. For more information, see Using a Service Linked Role with ACM.
*
*
* -
*
* Updates made in Amazon Web Services Resource Manager (RAM) are reflected in policies. For more information, see
* Attach a Policy for Cross-Account
* Access.
*
*
*
*
* @param deletePolicyRequest
* @return Result of the DeletePolicy operation returned by the service.
* @throws ConcurrentModificationException
* A previous update to your private CA is still ongoing.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws LockoutPreventedException
* The current action was prevented because it would lock the caller out from performing subsequent actions.
* Verify that the specified parameters would not result in the caller being denied access to the resource.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.DeletePolicy
* @see AWS API
* Documentation
*/
@Override
public DeletePolicyResponse deletePolicy(DeletePolicyRequest deletePolicyRequest) throws ConcurrentModificationException,
        InvalidArnException, InvalidStateException, LockoutPreventedException, RequestFailedException,
        ResourceNotFoundException, AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<DeletePolicyResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, DeletePolicyResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            deletePolicyRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "DeletePolicy");
        ClientExecutionParams<DeletePolicyRequest, DeletePolicyResponse> execParams =
                new ClientExecutionParams<DeletePolicyRequest, DeletePolicyResponse>()
                        .withOperationName("DeletePolicy")
                        .withInput(deletePolicyRequest)
                        .withMarshaller(new DeletePolicyRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Lists information about your private certificate authority (CA) or one that has been shared with you. You specify
* the private CA on input by its ARN (Amazon Resource Name). The output contains the status of your CA. This can be
* any of the following:
*
*
* -
*
* {@code CREATING} - ACM Private CA is creating your private certificate authority.
*
*
* -
*
* {@code PENDING_CERTIFICATE} - The certificate is pending. You must use your ACM Private CA-hosted or
* on-premises root or subordinate CA to sign your private CA CSR and then import it into PCA.
*
*
* -
*
* {@code ACTIVE} - Your private CA is active.
*
*
* -
*
* {@code DISABLED} - Your private CA has been disabled.
*
*
* -
*
* {@code EXPIRED} - Your private CA certificate has expired.
*
*
* -
*
* {@code FAILED} - Your private CA has failed. Your CA can fail because of problems such as a network outage or
* back-end Amazon Web Services failure or other errors. A failed CA can never return to the pending state. You must
* create a new CA.
*
*
* -
*
* {@code DELETED} - Your private CA is within the restoration period, after which it is permanently deleted.
* The length of time remaining in the CA's restoration period is also included in this action's output.
*
*
*
*
* @param describeCertificateAuthorityRequest
* @return Result of the DescribeCertificateAuthority operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.DescribeCertificateAuthority
* @see AWS API Documentation
*/
@Override
public DescribeCertificateAuthorityResponse describeCertificateAuthority(
        DescribeCertificateAuthorityRequest describeCertificateAuthorityRequest) throws ResourceNotFoundException,
        InvalidArnException, AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<DescribeCertificateAuthorityResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, DescribeCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            describeCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "DescribeCertificateAuthority");
        ClientExecutionParams<DescribeCertificateAuthorityRequest, DescribeCertificateAuthorityResponse> execParams =
                new ClientExecutionParams<DescribeCertificateAuthorityRequest, DescribeCertificateAuthorityResponse>()
                        .withOperationName("DescribeCertificateAuthority")
                        .withInput(describeCertificateAuthorityRequest)
                        .withMarshaller(new DescribeCertificateAuthorityRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Lists information about a specific audit report created by calling the CreateCertificateAuthorityAuditReport action. Audit information is created every time the certificate
* authority (CA) private key is used. The private key is used when you call the IssueCertificate
* action or the RevokeCertificate
* action.
*
*
* @param describeCertificateAuthorityAuditReportRequest
* @return Result of the DescribeCertificateAuthorityAuditReport operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidArgsException
* One or more of the specified arguments was not valid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.DescribeCertificateAuthorityAuditReport
* @see AWS API Documentation
*/
@Override
public DescribeCertificateAuthorityAuditReportResponse describeCertificateAuthorityAuditReport(
        DescribeCertificateAuthorityAuditReportRequest describeCertificateAuthorityAuditReportRequest)
        throws ResourceNotFoundException, InvalidArnException, InvalidArgsException, AwsServiceException, SdkClientException,
        AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<DescribeCertificateAuthorityAuditReportResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, DescribeCertificateAuthorityAuditReportResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            describeCertificateAuthorityAuditReportRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "DescribeCertificateAuthorityAuditReport");
        ClientExecutionParams<DescribeCertificateAuthorityAuditReportRequest, DescribeCertificateAuthorityAuditReportResponse> execParams =
                new ClientExecutionParams<DescribeCertificateAuthorityAuditReportRequest, DescribeCertificateAuthorityAuditReportResponse>()
                        .withOperationName("DescribeCertificateAuthorityAuditReport")
                        .withInput(describeCertificateAuthorityAuditReportRequest)
                        .withMarshaller(new DescribeCertificateAuthorityAuditReportRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Retrieves a certificate from your private CA or one that has been shared with you. The ARN of the certificate is
* returned when you call the IssueCertificate
* action. You must specify both the ARN of your private CA and the ARN of the issued certificate when calling the
* GetCertificate action. You can retrieve the certificate if it is in the ISSUED state. You can call
* the CreateCertificateAuthorityAuditReport action to create a report that contains information about all of the
* certificates issued and revoked by your private CA.
*
*
* @param getCertificateRequest
* @return Result of the GetCertificate operation returned by the service.
* @throws RequestInProgressException
* Your request is already in progress.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.GetCertificate
* @see AWS API
* Documentation
*/
@Override
public GetCertificateResponse getCertificate(GetCertificateRequest getCertificateRequest) throws RequestInProgressException,
        RequestFailedException, ResourceNotFoundException, InvalidArnException, InvalidStateException, AwsServiceException,
        SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<GetCertificateResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, GetCertificateResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            getCertificateRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "GetCertificate");
        ClientExecutionParams<GetCertificateRequest, GetCertificateResponse> execParams =
                new ClientExecutionParams<GetCertificateRequest, GetCertificateResponse>()
                        .withOperationName("GetCertificate")
                        .withInput(getCertificateRequest)
                        .withMarshaller(new GetCertificateRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Retrieves the certificate and certificate chain for your private certificate authority (CA) or one that has been
* shared with you. Both the certificate and the chain are base64 PEM-encoded. The chain does not include the CA
* certificate. Each certificate in the chain signs the one before it.
*
*
* @param getCertificateAuthorityCertificateRequest
* @return Result of the GetCertificateAuthorityCertificate operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.GetCertificateAuthorityCertificate
* @see AWS API Documentation
*/
@Override
public GetCertificateAuthorityCertificateResponse getCertificateAuthorityCertificate(
        GetCertificateAuthorityCertificateRequest getCertificateAuthorityCertificateRequest)
        throws ResourceNotFoundException, InvalidStateException, InvalidArnException, AwsServiceException,
        SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document; the PEM-encoded
    // certificate and chain travel inside that JSON payload.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<GetCertificateAuthorityCertificateResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, GetCertificateAuthorityCertificateResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            getCertificateAuthorityCertificateRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "GetCertificateAuthorityCertificate");
        ClientExecutionParams<GetCertificateAuthorityCertificateRequest, GetCertificateAuthorityCertificateResponse> execParams =
                new ClientExecutionParams<GetCertificateAuthorityCertificateRequest, GetCertificateAuthorityCertificateResponse>()
                        .withOperationName("GetCertificateAuthorityCertificate")
                        .withInput(getCertificateAuthorityCertificateRequest)
                        .withMarshaller(new GetCertificateAuthorityCertificateRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Retrieves the certificate signing request (CSR) for your private certificate authority (CA). The CSR is created
* when you call the CreateCertificateAuthority action. Sign the CSR with your ACM Private CA-hosted or on-premises root or
* subordinate CA. Then import the signed certificate back into ACM Private CA by calling the ImportCertificateAuthorityCertificate action. The CSR is returned as a base64 PEM-encoded string.
*
*
* @param getCertificateAuthorityCsrRequest
* @return Result of the GetCertificateAuthorityCsr operation returned by the service.
* @throws RequestInProgressException
* Your request is already in progress.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.GetCertificateAuthorityCsr
* @see AWS API Documentation
*/
@Override
public GetCertificateAuthorityCsrResponse getCertificateAuthorityCsr(
        GetCertificateAuthorityCsrRequest getCertificateAuthorityCsrRequest) throws RequestInProgressException,
        RequestFailedException, ResourceNotFoundException, InvalidArnException, InvalidStateException, AwsServiceException,
        SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<GetCertificateAuthorityCsrResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, GetCertificateAuthorityCsrResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            getCertificateAuthorityCsrRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "GetCertificateAuthorityCsr");
        ClientExecutionParams<GetCertificateAuthorityCsrRequest, GetCertificateAuthorityCsrResponse> execParams =
                new ClientExecutionParams<GetCertificateAuthorityCsrRequest, GetCertificateAuthorityCsrResponse>()
                        .withOperationName("GetCertificateAuthorityCsr")
                        .withInput(getCertificateAuthorityCsrRequest)
                        .withMarshaller(new GetCertificateAuthorityCsrRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Retrieves the resource-based policy attached to a private CA. If either the private CA resource or the policy
* cannot be found, this action returns a {@code ResourceNotFoundException}.
*
*
* The policy can be attached or updated with PutPolicy and removed with
* DeletePolicy.
*
*
* About Policies
*
*
* -
*
* A policy grants access on a private CA to an Amazon Web Services customer account, to Amazon Web Services
* Organizations, or to an Amazon Web Services Organizations unit. Policies are under the control of a CA
* administrator. For more information, see Using a Resource Based Policy with ACM
* Private CA.
*
*
* -
*
* A policy permits a user of Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
*
*
* -
*
* For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role
* (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM
* Private CA policy. For more information, see Using a Service Linked Role with ACM.
*
*
* -
*
* Updates made in Amazon Web Services Resource Manager (RAM) are reflected in policies. For more information, see
* Attach a Policy for Cross-Account
* Access.
*
*
*
*
* @param getPolicyRequest
* @return Result of the GetPolicy operation returned by the service.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.GetPolicy
* @see AWS API
* Documentation
*/
@Override
public GetPolicyResponse getPolicy(GetPolicyRequest getPolicyRequest) throws InvalidArnException, InvalidStateException,
        RequestFailedException, ResourceNotFoundException, AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<GetPolicyResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, GetPolicyResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            getPolicyRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "GetPolicy");
        ClientExecutionParams<GetPolicyRequest, GetPolicyResponse> execParams =
                new ClientExecutionParams<GetPolicyRequest, GetPolicyResponse>()
                        .withOperationName("GetPolicy")
                        .withInput(getPolicyRequest)
                        .withMarshaller(new GetPolicyRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Imports a signed private CA certificate into ACM Private CA. This action is used when you are using a chain of
* trust whose root is located outside ACM Private CA. Before you can call this action, the following preparations
* must be in place:
*
*
* -
*
* In ACM Private CA, call the CreateCertificateAuthority action to create the private CA that you plan to back with the imported
* certificate.
*
*
* -
*
* Call the
* GetCertificateAuthorityCsr action to generate a certificate signing request (CSR).
*
*
* -
*
* Sign the CSR using a root or intermediate CA hosted by either an on-premises PKI hierarchy or by a commercial CA.
*
*
* -
*
* Create a certificate chain and copy the signed certificate and the certificate chain to your working directory.
*
*
*
*
* ACM Private CA supports three scenarios for installing a CA certificate:
*
*
* -
*
* Installing a certificate for a root CA hosted by ACM Private CA.
*
*
* -
*
* Installing a subordinate CA certificate whose parent authority is hosted by ACM Private CA.
*
*
* -
*
* Installing a subordinate CA certificate whose parent authority is externally hosted.
*
*
*
*
* The following additional requirements apply when you import a CA certificate.
*
*
* -
*
* Only a self-signed certificate can be imported as a root CA.
*
*
* -
*
* A self-signed certificate cannot be imported as a subordinate CA.
*
*
* -
*
* Your certificate chain must not include the private CA certificate that you are importing.
*
*
* -
*
* Your root CA must be the last certificate in your chain. The subordinate certificate, if any, that your root CA
* signed must be next to last. The subordinate certificate signed by the preceding subordinate CA must come next,
* and so on until your chain is built.
*
*
* -
*
* The chain must be PEM-encoded.
*
*
* -
*
* The maximum allowed size of a certificate is 32 KB.
*
*
* -
*
* The maximum allowed size of a certificate chain is 2 MB.
*
*
*
*
* Enforcement of Critical Constraints
*
*
* ACM Private CA allows the following extensions to be marked critical in the imported CA certificate or chain.
*
*
* -
*
* Basic constraints (must be marked critical)
*
*
* -
*
* Subject alternative names
*
*
* -
*
* Key usage
*
*
* -
*
* Extended key usage
*
*
* -
*
* Authority key identifier
*
*
* -
*
* Subject key identifier
*
*
* -
*
* Issuer alternative name
*
*
* -
*
* Subject directory attributes
*
*
* -
*
* Subject information access
*
*
* -
*
* Certificate policies
*
*
* -
*
* Policy mappings
*
*
* -
*
* Inhibit anyPolicy
*
*
*
*
* ACM Private CA rejects the following extensions when they are marked critical in an imported CA certificate or
* chain.
*
*
* -
*
* Name constraints
*
*
* -
*
* Policy constraints
*
*
* -
*
* CRL distribution points
*
*
* -
*
* Authority information access
*
*
* -
*
* Freshest CRL
*
*
* -
*
* Any other extension
*
*
*
*
* @param importCertificateAuthorityCertificateRequest
* @return Result of the ImportCertificateAuthorityCertificate operation returned by the service.
* @throws ConcurrentModificationException
* A previous update to your private CA is still ongoing.
* @throws RequestInProgressException
* Your request is already in progress.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidRequestException
* The request action cannot be performed or is prohibited.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws MalformedCertificateException
* One or more fields in the certificate are invalid.
* @throws CertificateMismatchException
* The certificate authority certificate you are importing does not comply with conditions specified in the
* certificate that signed it.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ImportCertificateAuthorityCertificate
* @see AWS API Documentation
*/
@Override
public ImportCertificateAuthorityCertificateResponse importCertificateAuthorityCertificate(
        ImportCertificateAuthorityCertificateRequest importCertificateAuthorityCertificateRequest)
        throws ConcurrentModificationException, RequestInProgressException, RequestFailedException,
        ResourceNotFoundException, InvalidArnException, InvalidRequestException, InvalidStateException,
        MalformedCertificateException, CertificateMismatchException, AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document. Validation of the imported
    // certificate and chain (including the critical-extension rules described in the Javadoc) is
    // performed service-side; this client method applies no checks of its own and surfaces the
    // outcome as MalformedCertificateException / CertificateMismatchException.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<ImportCertificateAuthorityCertificateResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, ImportCertificateAuthorityCertificateResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            importCertificateAuthorityCertificateRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "ImportCertificateAuthorityCertificate");
        ClientExecutionParams<ImportCertificateAuthorityCertificateRequest, ImportCertificateAuthorityCertificateResponse> execParams =
                new ClientExecutionParams<ImportCertificateAuthorityCertificateRequest, ImportCertificateAuthorityCertificateResponse>()
                        .withOperationName("ImportCertificateAuthorityCertificate")
                        .withInput(importCertificateAuthorityCertificateRequest)
                        .withMarshaller(new ImportCertificateAuthorityCertificateRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Uses your private certificate authority (CA), or one that has been shared with you, to issue a client
* certificate. This action returns the Amazon Resource Name (ARN) of the certificate. You can retrieve the
* certificate by calling the GetCertificate action
* and specifying the ARN.
*
*
*
* You cannot use the ACM ListCertificateAuthorities action to retrieve the ARNs of the certificates that you
* issue by using ACM Private CA.
*
*
*
* @param issueCertificateRequest
* @return Result of the IssueCertificate operation returned by the service.
* @throws LimitExceededException
* An ACM Private CA quota has been exceeded. See the exception message returned to determine the quota that
* was exceeded.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidArgsException
* One or more of the specified arguments was not valid.
* @throws MalformedCsrException
* The certificate signing request is invalid.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.IssueCertificate
* @see AWS API
* Documentation
*/
@Override
public IssueCertificateResponse issueCertificate(IssueCertificateRequest issueCertificateRequest)
        throws LimitExceededException, ResourceNotFoundException, InvalidStateException, InvalidArnException,
        InvalidArgsException, MalformedCsrException, AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document carrying the certificate ARN.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<IssueCertificateResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, IssueCertificateResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            issueCertificateRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "IssueCertificate");
        ClientExecutionParams<IssueCertificateRequest, IssueCertificateResponse> execParams =
                new ClientExecutionParams<IssueCertificateRequest, IssueCertificateResponse>()
                        .withOperationName("IssueCertificate")
                        .withInput(issueCertificateRequest)
                        .withMarshaller(new IssueCertificateRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Lists the private certificate authorities that you created by using the CreateCertificateAuthority action.
*
*
* @param listCertificateAuthoritiesRequest
* @return Result of the ListCertificateAuthorities operation returned by the service.
* @throws InvalidNextTokenException
* The token specified in the {@code NextToken} argument is not valid. Use the token returned from your
* previous call to ListCertificateAuthorities.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListCertificateAuthorities
* @see AWS API Documentation
*/
@Override
public ListCertificateAuthoritiesResponse listCertificateAuthorities(
        ListCertificateAuthoritiesRequest listCertificateAuthoritiesRequest) throws InvalidNextTokenException,
        AwsServiceException, SdkClientException, AcmPcaException {
    // The service answers with a plain (non-streaming) JSON document (one page of results).
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<ListCertificateAuthoritiesResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, ListCertificateAuthoritiesResponse::builder);
    HttpResponseHandler<AwsServiceException> errorHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);
    // A per-request override configuration, when present, takes part in publisher resolution.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            listCertificateAuthoritiesRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        collector = NoOpMetricCollector.create(); // nobody will consume the metrics
    } else {
        collector = MetricCollector.create("ApiCall");
    }
    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "ListCertificateAuthorities");
        ClientExecutionParams<ListCertificateAuthoritiesRequest, ListCertificateAuthoritiesResponse> execParams =
                new ClientExecutionParams<ListCertificateAuthoritiesRequest, ListCertificateAuthoritiesResponse>()
                        .withOperationName("ListCertificateAuthorities")
                        .withInput(listCertificateAuthoritiesRequest)
                        .withMarshaller(new ListCertificateAuthoritiesRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(errorHandler)
                        .withMetricCollector(collector);
        return clientHandler.execute(execParams);
    } finally {
        // Publish on both success and failure so failed calls are recorded as well.
        publishers.forEach(p -> p.publish(collector.collect()));
    }
}
/**
*
* Lists the private certificate authorities that you created by using the CreateCertificateAuthority action.
*
*
*
* This is a variant of
* {@link #listCertificateAuthorities(software.amazon.awssdk.services.acmpca.model.ListCertificateAuthoritiesRequest)}
* operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will
* internally handle making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are a few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListCertificateAuthoritiesIterable responses = client.listCertificateAuthoritiesPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListCertificateAuthoritiesIterable responses = client
* .listCertificateAuthoritiesPaginator(request);
* for (software.amazon.awssdk.services.acmpca.model.ListCertificateAuthoritiesResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListCertificateAuthoritiesIterable responses = client.listCertificateAuthoritiesPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of MaxResults won't limit the number of results you get with the
* paginator. It only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listCertificateAuthorities(software.amazon.awssdk.services.acmpca.model.ListCertificateAuthoritiesRequest)}
* operation.
*
*
* @param listCertificateAuthoritiesRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws InvalidNextTokenException
* The token specified in the {@code NextToken} argument is not valid. Use the token returned from your
* previous call to ListCertificateAuthorities.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListCertificateAuthorities
* @see AWS API Documentation
*/
@Override
public ListCertificateAuthoritiesIterable listCertificateAuthoritiesPaginator(
        ListCertificateAuthoritiesRequest listCertificateAuthoritiesRequest) throws InvalidNextTokenException,
        AwsServiceException, SdkClientException, AcmPcaException {
    // The iterable captures the decorated request; no service call is made until it is iterated,
    // so request validation failures surface on iteration rather than here.
    ListCertificateAuthoritiesRequest decoratedRequest = applyPaginatorUserAgent(listCertificateAuthoritiesRequest);
    return new ListCertificateAuthoritiesIterable(this, decoratedRequest);
}
/**
*
* List all permissions on a private CA, if any, granted to the Certificate Manager (ACM) service principal
* (acm.amazonaws.com).
*
*
* These permissions allow ACM to issue and renew ACM certificates that reside in the same Amazon Web Services
* account as the CA.
*
*
* Permissions can be granted with the CreatePermission
* action and revoked with the DeletePermission
* action.
*
*
* About Permissions
*
*
* -
*
* If the private CA and the certificates it issues reside in the same account, you can use
* CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
*
*
* -
*
* For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve,
* and list certificates.
*
*
* -
*
* If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to
* enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable
* cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM
* Private CA.
*
*
*
*
* @param listPermissionsRequest
* @return Result of the ListPermissions operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidNextTokenException
* The token specified in the {@code NextToken} argument is not valid. Use the token returned from your
* previous call to ListCertificateAuthorities.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListPermissions
* @see AWS API
* Documentation
*/
@Override
public ListPermissionsResponse listPermissions(ListPermissionsRequest listPermissionsRequest)
        throws ResourceNotFoundException, InvalidArnException, InvalidNextTokenException, InvalidStateException,
        RequestFailedException, AwsServiceException, SdkClientException, AcmPcaException {
    // Plain JSON request/response operation: no streaming body on the success path.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<ListPermissionsResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, ListPermissionsResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);

    // Publishers are resolved from the client configuration plus this request's override
    // configuration (null when the request carries none).
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            listPermissionsRequest.overrideConfiguration().orElse(null));
    // Without publishers a no-op collector avoids recording metrics nothing will consume.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "ListPermissions");
        ClientExecutionParams<ListPermissionsRequest, ListPermissionsResponse> params =
                new ClientExecutionParams<ListPermissionsRequest, ListPermissionsResponse>()
                        .withOperationName("ListPermissions")
                        .withInput(listPermissionsRequest)
                        .withMarshaller(new ListPermissionsRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withMetricCollector(callMetrics);
        return clientHandler.execute(params);
    } finally {
        // Runs on both the return and the exception path, so failed calls are published as well.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(callMetrics.collect());
        }
    }
}
/**
*
* List all permissions on a private CA, if any, granted to the Certificate Manager (ACM) service principal
* (acm.amazonaws.com).
*
*
* These permissions allow ACM to issue and renew ACM certificates that reside in the same Amazon Web Services
* account as the CA.
*
*
* Permissions can be granted with the CreatePermission
* action and revoked with the DeletePermission
* action.
*
*
* About Permissions
*
*
* -
*
* If the private CA and the certificates it issues reside in the same account, you can use
* CreatePermission to grant permissions for ACM to carry out automatic certificate renewals.
*
*
* -
*
* For automatic certificate renewal to succeed, the ACM service principal needs permissions to create, retrieve,
* and list certificates.
*
*
* -
*
* If the private CA and the ACM certificates reside in different accounts, then permissions cannot be used to
* enable automatic renewals. Instead, the ACM certificate owner must set up a resource-based policy to enable
* cross-account issuance and renewals. For more information, see Using a Resource Based Policy with ACM
* Private CA.
*
*
*
*
*
* This is a variant of
* {@link #listPermissions(software.amazon.awssdk.services.acmpca.model.ListPermissionsRequest)} operation. The
* return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle
* making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are a few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListPermissionsIterable responses = client.listPermissionsPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListPermissionsIterable responses = client
* .listPermissionsPaginator(request);
* for (software.amazon.awssdk.services.acmpca.model.ListPermissionsResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListPermissionsIterable responses = client.listPermissionsPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of MaxResults won't limit the number of results you get with the
* paginator. It only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listPermissions(software.amazon.awssdk.services.acmpca.model.ListPermissionsRequest)} operation.
*
*
* @param listPermissionsRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidNextTokenException
* The token specified in the {@code NextToken} argument is not valid. Use the token returned from your
* previous call to ListCertificateAuthorities.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListPermissions
* @see AWS API
* Documentation
*/
@Override
public ListPermissionsIterable listPermissionsPaginator(ListPermissionsRequest listPermissionsRequest)
        throws ResourceNotFoundException, InvalidArnException, InvalidNextTokenException, InvalidStateException,
        RequestFailedException, AwsServiceException, SdkClientException, AcmPcaException {
    // The iterable captures the decorated request; no service call is made until it is iterated,
    // so request validation failures surface on iteration rather than here.
    ListPermissionsRequest decoratedRequest = applyPaginatorUserAgent(listPermissionsRequest);
    return new ListPermissionsIterable(this, decoratedRequest);
}
/**
*
* Lists the tags, if any, that are associated with your private CA or one that has been shared with you. Tags are
* labels that you can use to identify and organize your CAs. Each tag consists of a key and an optional value. Call
* the TagCertificateAuthority action to add one or more tags to your CA. Call the UntagCertificateAuthority
* action to remove tags.
*
*
* @param listTagsRequest
* @return Result of the ListTags operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListTags
* @see AWS API
* Documentation
*/
@Override
public ListTagsResponse listTags(ListTagsRequest listTagsRequest) throws ResourceNotFoundException, InvalidArnException,
        InvalidStateException, AwsServiceException, SdkClientException, AcmPcaException {
    // Plain JSON request/response operation: no streaming body on the success path.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<ListTagsResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, ListTagsResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);

    // Publishers are resolved from the client configuration plus this request's override
    // configuration (null when the request carries none).
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            listTagsRequest.overrideConfiguration().orElse(null));
    // Without publishers a no-op collector avoids recording metrics nothing will consume.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "ListTags");
        ClientExecutionParams<ListTagsRequest, ListTagsResponse> params =
                new ClientExecutionParams<ListTagsRequest, ListTagsResponse>()
                        .withOperationName("ListTags")
                        .withInput(listTagsRequest)
                        .withMarshaller(new ListTagsRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withMetricCollector(callMetrics);
        return clientHandler.execute(params);
    } finally {
        // Runs on both the return and the exception path, so failed calls are published as well.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(callMetrics.collect());
        }
    }
}
/**
*
* Lists the tags, if any, that are associated with your private CA or one that has been shared with you. Tags are
* labels that you can use to identify and organize your CAs. Each tag consists of a key and an optional value. Call
* the TagCertificateAuthority action to add one or more tags to your CA. Call the UntagCertificateAuthority
* action to remove tags.
*
*
*
* This is a variant of {@link #listTags(software.amazon.awssdk.services.acmpca.model.ListTagsRequest)} operation.
* The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally
* handle making service calls for you.
*
*
* When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no
* guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response
* pages by making service calls until there are no pages left or your iteration stops. If there are errors in your
* request, you will see the failures only after you start iterating through the iterable.
*
*
*
* The following are a few ways to iterate through the response pages:
*
* 1) Using a Stream
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListTagsIterable responses = client.listTagsPaginator(request);
* responses.stream().forEach(....);
* }
*
*
* 2) Using For loop
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListTagsIterable responses = client.listTagsPaginator(request);
* for (software.amazon.awssdk.services.acmpca.model.ListTagsResponse response : responses) {
* // do something;
* }
* }
*
*
* 3) Use iterator directly
*
*
* {@code
* software.amazon.awssdk.services.acmpca.paginators.ListTagsIterable responses = client.listTagsPaginator(request);
* responses.iterator().forEachRemaining(....);
* }
*
*
* Please notice that the configuration of MaxResults won't limit the number of results you get with the
* paginator. It only limits the number of results in each page.
*
*
* Note: If you prefer to have control on service calls, use the
* {@link #listTags(software.amazon.awssdk.services.acmpca.model.ListTagsRequest)} operation.
*
*
* @param listTagsRequest
* @return A custom iterable that can be used to iterate through all the response pages.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.ListTags
* @see AWS API
* Documentation
*/
@Override
public ListTagsIterable listTagsPaginator(ListTagsRequest listTagsRequest) throws ResourceNotFoundException,
        InvalidArnException, InvalidStateException, AwsServiceException, SdkClientException, AcmPcaException {
    // The iterable captures the decorated request; no service call is made until it is iterated,
    // so request validation failures surface on iteration rather than here.
    ListTagsRequest decoratedRequest = applyPaginatorUserAgent(listTagsRequest);
    return new ListTagsIterable(this, decoratedRequest);
}
/**
*
* Attaches a resource-based policy to a private CA.
*
*
* A policy can also be applied by sharing a private CA through Amazon Web Services Resource Access Manager (RAM).
* For more information, see Attach a
* Policy for Cross-Account Access.
*
*
* The policy can be displayed with GetPolicy and removed with
* DeletePolicy.
*
*
* About Policies
*
*
* -
*
* A policy grants access on a private CA to an Amazon Web Services customer account, to Amazon Web Services
* Organizations, or to an Amazon Web Services Organizations unit. Policies are under the control of a CA
* administrator. For more information, see Using a Resource Based Policy with ACM
* Private CA.
*
*
* -
*
* A policy permits a user of Certificate Manager (ACM) to issue ACM certificates signed by a CA in another account.
*
*
* -
*
* For ACM to manage automatic renewal of these certificates, the ACM user must configure a Service Linked Role
* (SLR). The SLR allows the ACM service to assume the identity of the user, subject to confirmation against the ACM
* Private CA policy. For more information, see Using a Service Linked Role with ACM.
*
*
* -
*
* Updates made in Amazon Web Services Resource Manager (RAM) are reflected in policies. For more information, see
* Attach a Policy for Cross-Account
* Access.
*
*
*
*
* @param putPolicyRequest
* @return Result of the PutPolicy operation returned by the service.
* @throws ConcurrentModificationException
* A previous update to your private CA is still ongoing.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidPolicyException
* The resource policy is invalid or is missing a required statement. For general information about IAM
* policy and statement structure, see Overview of JSON Policies.
* @throws LockoutPreventedException
* The current action was prevented because it would lock the caller out from performing subsequent actions.
* Verify that the specified parameters would not result in the caller being denied access to the resource.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.PutPolicy
* @see AWS API
* Documentation
*/
@Override
public PutPolicyResponse putPolicy(PutPolicyRequest putPolicyRequest) throws ConcurrentModificationException,
        InvalidArnException, InvalidStateException, InvalidPolicyException, LockoutPreventedException,
        RequestFailedException, ResourceNotFoundException, AwsServiceException, SdkClientException, AcmPcaException {
    // Plain JSON request/response operation: no streaming body on the success path.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<PutPolicyResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, PutPolicyResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);

    // Publishers are resolved from the client configuration plus this request's override
    // configuration (null when the request carries none).
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            putPolicyRequest.overrideConfiguration().orElse(null));
    // Without publishers a no-op collector avoids recording metrics nothing will consume.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "PutPolicy");
        // The resource policy is marshalled as supplied; nothing here inspects it. Policy problems
        // are reported back as InvalidPolicyException / LockoutPreventedException (see throws clause).
        ClientExecutionParams<PutPolicyRequest, PutPolicyResponse> params =
                new ClientExecutionParams<PutPolicyRequest, PutPolicyResponse>()
                        .withOperationName("PutPolicy")
                        .withInput(putPolicyRequest)
                        .withMarshaller(new PutPolicyRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withMetricCollector(callMetrics);
        return clientHandler.execute(params);
    } finally {
        // Runs on both the return and the exception path, so failed calls are published as well.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(callMetrics.collect());
        }
    }
}
/**
*
* Restores a certificate authority (CA) that is in the {@code DELETED} state. You can restore a CA during the
* period that you defined in the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthority action. Currently, you can specify 7 to 30 days. If you did not specify a
* PermanentDeletionTimeInDays value, by default you can restore the CA at any time in a 30 day period. You
* can check the time remaining in the restoration period of a private CA in the {@code DELETED} state by
* calling the DescribeCertificateAuthority or ListCertificateAuthorities actions. The status of a restored CA is set to its pre-deletion status when the
* RestoreCertificateAuthority action returns. To change its status to {@code ACTIVE}, call the
* UpdateCertificateAuthority action. If the private CA was in the {@code PENDING_CERTIFICATE} state at
* deletion, you must use the ImportCertificateAuthorityCertificate action to import a certificate authority into the private CA before it
* can be activated. You cannot restore a CA after the restoration period has ended.
*
*
* @param restoreCertificateAuthorityRequest
* @return Result of the RestoreCertificateAuthority operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.RestoreCertificateAuthority
* @see AWS API Documentation
*/
@Override
public RestoreCertificateAuthorityResponse restoreCertificateAuthority(
        RestoreCertificateAuthorityRequest restoreCertificateAuthorityRequest) throws ResourceNotFoundException,
        InvalidStateException, InvalidArnException, AwsServiceException, SdkClientException, AcmPcaException {
    // Plain JSON request/response operation: no streaming body on the success path.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<RestoreCertificateAuthorityResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, RestoreCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);

    // Publishers are resolved from the client configuration plus this request's override
    // configuration (null when the request carries none).
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            restoreCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    // Without publishers a no-op collector avoids recording metrics nothing will consume.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "RestoreCertificateAuthority");
        ClientExecutionParams<RestoreCertificateAuthorityRequest, RestoreCertificateAuthorityResponse> params =
                new ClientExecutionParams<RestoreCertificateAuthorityRequest, RestoreCertificateAuthorityResponse>()
                        .withOperationName("RestoreCertificateAuthority")
                        .withInput(restoreCertificateAuthorityRequest)
                        .withMarshaller(new RestoreCertificateAuthorityRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withMetricCollector(callMetrics);
        return clientHandler.execute(params);
    } finally {
        // Runs on both the return and the exception path, so failed calls are published as well.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(callMetrics.collect());
        }
    }
}
/**
*
* Revokes a certificate that was issued inside ACM Private CA. If you enable a certificate revocation list (CRL)
* when you create or update your private CA, information about the revoked certificates will be included in the
* CRL. ACM Private CA writes the CRL to an S3 bucket that you specify. A CRL is typically updated approximately 30
* minutes after a certificate is revoked. If for any reason the CRL update fails, ACM Private CA makes
* further attempts every 15 minutes. With Amazon CloudWatch, you can create alarms for the metrics
* {@code CRLGenerated} and {@code MisconfiguredCRLBucket}. For more information, see Supported CloudWatch Metrics.
*
*
*
* Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM
* principal making the call does not have permission to write to the bucket, then an exception is thrown. For more
* information, see Access policies for
* CRLs in Amazon S3.
*
*
*
* ACM Private CA also writes revocation information to the audit report. For more information, see CreateCertificateAuthorityAuditReport.
*
*
*
* You cannot revoke a root CA self-signed certificate.
*
*
*
* @param revokeCertificateRequest
* @return Result of the RevokeCertificate operation returned by the service.
* @throws ConcurrentModificationException
* A previous update to your private CA is still ongoing.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidRequestException
* The request action cannot be performed or is prohibited.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws LimitExceededException
* An ACM Private CA quota has been exceeded. See the exception message returned to determine the quota that
* was exceeded.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws RequestAlreadyProcessedException
* Your request has already been completed.
* @throws RequestInProgressException
* Your request is already in progress.
* @throws RequestFailedException
* The request has failed for an unspecified reason.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.RevokeCertificate
* @see AWS API
* Documentation
*/
@Override
public RevokeCertificateResponse revokeCertificate(RevokeCertificateRequest revokeCertificateRequest)
        throws ConcurrentModificationException, InvalidArnException, InvalidRequestException, InvalidStateException,
        LimitExceededException, ResourceNotFoundException, RequestAlreadyProcessedException, RequestInProgressException,
        RequestFailedException, AwsServiceException, SdkClientException, AcmPcaException {
    // Plain JSON request/response operation: no streaming body on the success path.
    JsonOperationMetadata opMetadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<RevokeCertificateResponse> successHandler =
            protocolFactory.createResponseHandler(opMetadata, RevokeCertificateResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler =
            createErrorResponseHandler(protocolFactory, opMetadata);

    // Publishers are resolved from the client configuration plus this request's override
    // configuration (null when the request carries none).
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            revokeCertificateRequest.overrideConfiguration().orElse(null));
    // Without publishers a no-op collector avoids recording metrics nothing will consume.
    MetricCollector callMetrics;
    if (publishers.isEmpty()) {
        callMetrics = NoOpMetricCollector.create();
    } else {
        callMetrics = MetricCollector.create("ApiCall");
    }

    try {
        callMetrics.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        callMetrics.reportMetric(CoreMetric.OPERATION_NAME, "RevokeCertificate");
        // A successful return only means the revocation request was accepted; per the operation's
        // documentation the CRL is regenerated asynchronously, with retries if the update fails.
        ClientExecutionParams<RevokeCertificateRequest, RevokeCertificateResponse> params =
                new ClientExecutionParams<RevokeCertificateRequest, RevokeCertificateResponse>()
                        .withOperationName("RevokeCertificate")
                        .withInput(revokeCertificateRequest)
                        .withMarshaller(new RevokeCertificateRequestMarshaller(protocolFactory))
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withMetricCollector(callMetrics);
        return clientHandler.execute(params);
    } finally {
        // Runs on both the return and the exception path, so failed calls are published as well.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(callMetrics.collect());
        }
    }
}
/**
*
* Adds one or more tags to your private CA. Tags are labels that you can use to identify and organize your Amazon
* Web Services resources. Each tag consists of a key and an optional value. You specify the private CA on input by
* its Amazon Resource Name (ARN). You specify the tag by using a key-value pair. You can apply a tag to just one
* private CA if you want to identify a specific characteristic of that CA, or you can apply the same tag to
* multiple private CAs if you want to filter for a common relationship among those CAs. To remove one or more tags,
* use the UntagCertificateAuthority action. Call the ListTags action to see what
* tags are associated with your CA.
*
*
* @param tagCertificateAuthorityRequest
* @return Result of the TagCertificateAuthority operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidTagException
* The tag associated with the CA is not valid. The invalid argument is contained in the message field.
* @throws TooManyTagsException
* You can associate up to 50 tags with a private CA. Exception information is contained in the exception
* message field.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.TagCertificateAuthority
* @see AWS API Documentation
*/
@Override
public TagCertificateAuthorityResponse tagCertificateAuthority(TagCertificateAuthorityRequest tagCertificateAuthorityRequest)
        throws ResourceNotFoundException, InvalidArnException, InvalidStateException, InvalidTagException,
        TooManyTagsException, AwsServiceException, SdkClientException, AcmPcaException {
    // TagCertificateAuthority is a plain (non-streaming) JSON request/response operation.
    JsonOperationMetadata metadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<TagCertificateAuthorityResponse> successHandler =
            protocolFactory.createResponseHandler(metadata, TagCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler = createErrorResponseHandler(protocolFactory, metadata);

    // Per-request override publishers are preferred; the client-level list is the fallback.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            tagCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        // Nobody will read the metrics, so skip collecting them altogether.
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }

    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "TagCertificateAuthority");
        ClientExecutionParams<TagCertificateAuthorityRequest, TagCertificateAuthorityResponse> params =
                new ClientExecutionParams<TagCertificateAuthorityRequest, TagCertificateAuthorityResponse>()
                        .withOperationName("TagCertificateAuthority")
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withInput(tagCertificateAuthorityRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new TagCertificateAuthorityRequestMarshaller(protocolFactory));
        return clientHandler.execute(params);
    } finally {
        // Runs on both success and failure so that failed calls are still reported to the publishers.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(collector.collect());
        }
    }
}
/**
*
* Remove one or more tags from your private CA. A tag consists of a key-value pair. If you do not specify the value
* portion of the tag when calling this action, the tag will be removed regardless of value. If you specify a value,
* the tag is removed only if it is associated with the specified value. To add tags to a private CA, use the
* TagCertificateAuthority action. Call the ListTags action to see what tags are associated with your CA.
*
*
* @param untagCertificateAuthorityRequest
* @return Result of the UntagCertificateAuthority operation returned by the service.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidTagException
* The tag associated with the CA is not valid. The invalid argument is contained in the message field.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.UntagCertificateAuthority
* @see AWS API Documentation
*/
@Override
public UntagCertificateAuthorityResponse untagCertificateAuthority(
        UntagCertificateAuthorityRequest untagCertificateAuthorityRequest) throws ResourceNotFoundException,
        InvalidArnException, InvalidStateException, InvalidTagException, AwsServiceException, SdkClientException,
        AcmPcaException {
    // UntagCertificateAuthority is a plain (non-streaming) JSON request/response operation.
    JsonOperationMetadata metadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<UntagCertificateAuthorityResponse> successHandler =
            protocolFactory.createResponseHandler(metadata, UntagCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler = createErrorResponseHandler(protocolFactory, metadata);

    // Per-request override publishers are preferred; the client-level list is the fallback.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            untagCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        // Nobody will read the metrics, so skip collecting them altogether.
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }

    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "UntagCertificateAuthority");
        ClientExecutionParams<UntagCertificateAuthorityRequest, UntagCertificateAuthorityResponse> params =
                new ClientExecutionParams<UntagCertificateAuthorityRequest, UntagCertificateAuthorityResponse>()
                        .withOperationName("UntagCertificateAuthority")
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withInput(untagCertificateAuthorityRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new UntagCertificateAuthorityRequestMarshaller(protocolFactory));
        return clientHandler.execute(params);
    } finally {
        // Runs on both success and failure so that failed calls are still reported to the publishers.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(collector.collect());
        }
    }
}
/**
*
* Updates the status or configuration of a private certificate authority (CA). Your private CA must be in the
* {@code ACTIVE} or {@code DISABLED} state before you can update it. You can disable a private CA that is in the
* {@code ACTIVE} state or make a CA that is in the {@code DISABLED} state active again.
*
*
*
* Both PCA and the IAM principal must have permission to write to the S3 bucket that you specify. If the IAM
* principal making the call does not have permission to write to the bucket, then an exception is thrown. For more
* information, see Access policies for
* CRLs in Amazon S3.
*
*
*
* @param updateCertificateAuthorityRequest
* @return Result of the UpdateCertificateAuthority operation returned by the service.
* @throws ConcurrentModificationException
* A previous update to your private CA is still ongoing.
* @throws ResourceNotFoundException
* A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.
* @throws InvalidArgsException
* One or more of the specified arguments was not valid.
* @throws InvalidArnException
* The requested Amazon Resource Name (ARN) does not refer to an existing resource.
* @throws InvalidStateException
* The state of the private CA does not allow this action to occur.
* @throws InvalidPolicyException
* The resource policy is invalid or is missing a required statement. For general information about IAM
* policy and statement structure, see Overview of JSON Policies.
* @throws SdkException
* Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for
* catch all scenarios.
* @throws SdkClientException
* If any client side error occurs such as an IO related failure, failure to get credentials, etc.
* @throws AcmPcaException
* Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
* @sample AcmPcaClient.UpdateCertificateAuthority
* @see AWS API Documentation
*/
@Override
public UpdateCertificateAuthorityResponse updateCertificateAuthority(
        UpdateCertificateAuthorityRequest updateCertificateAuthorityRequest) throws ConcurrentModificationException,
        ResourceNotFoundException, InvalidArgsException, InvalidArnException, InvalidStateException, InvalidPolicyException,
        AwsServiceException, SdkClientException, AcmPcaException {
    // UpdateCertificateAuthority is a plain (non-streaming) JSON request/response operation.
    JsonOperationMetadata metadata = JsonOperationMetadata.builder()
            .hasStreamingSuccessResponse(false)
            .isPayloadJson(true)
            .build();
    HttpResponseHandler<UpdateCertificateAuthorityResponse> successHandler =
            protocolFactory.createResponseHandler(metadata, UpdateCertificateAuthorityResponse::builder);
    HttpResponseHandler<AwsServiceException> failureHandler = createErrorResponseHandler(protocolFactory, metadata);

    // Per-request override publishers are preferred; the client-level list is the fallback.
    List<MetricPublisher> publishers = resolveMetricPublishers(clientConfiguration,
            updateCertificateAuthorityRequest.overrideConfiguration().orElse(null));
    MetricCollector collector;
    if (publishers.isEmpty()) {
        // Nobody will read the metrics, so skip collecting them altogether.
        collector = NoOpMetricCollector.create();
    } else {
        collector = MetricCollector.create("ApiCall");
    }

    try {
        collector.reportMetric(CoreMetric.SERVICE_ID, "ACM PCA");
        collector.reportMetric(CoreMetric.OPERATION_NAME, "UpdateCertificateAuthority");
        ClientExecutionParams<UpdateCertificateAuthorityRequest, UpdateCertificateAuthorityResponse> params =
                new ClientExecutionParams<UpdateCertificateAuthorityRequest, UpdateCertificateAuthorityResponse>()
                        .withOperationName("UpdateCertificateAuthority")
                        .withResponseHandler(successHandler)
                        .withErrorResponseHandler(failureHandler)
                        .withInput(updateCertificateAuthorityRequest)
                        .withMetricCollector(collector)
                        .withMarshaller(new UpdateCertificateAuthorityRequestMarshaller(protocolFactory));
        return clientHandler.execute(params);
    } finally {
        // Runs on both success and failure so that failed calls are still reported to the publishers.
        for (MetricPublisher publisher : publishers) {
            publisher.publish(collector.collect());
        }
    }
}
/**
 * Picks the metric publishers for one API call.
 *
 * <p>A non-empty list on the request override configuration wins; otherwise the client-level
 * {@link SdkClientOption#METRIC_PUBLISHERS} option is used. The result is never {@code null}.
 *
 * @param clientConfiguration the client configuration consulted as the fallback
 * @param requestOverrideConfiguration the per-request override, or {@code null} when the request has none
 * @return the publishers to report this call to, possibly an empty list
 */
private static List<MetricPublisher> resolveMetricPublishers(SdkClientConfiguration clientConfiguration,
        RequestOverrideConfiguration requestOverrideConfiguration) {
    if (requestOverrideConfiguration != null) {
        List<MetricPublisher> fromRequest = requestOverrideConfiguration.metricPublishers();
        // An empty per-request list does not override the client-level configuration.
        if (fromRequest != null && !fromRequest.isEmpty()) {
            return fromRequest;
        }
    }
    List<MetricPublisher> fromClient = clientConfiguration.option(SdkClientOption.METRIC_PUBLISHERS);
    if (fromClient == null) {
        return Collections.emptyList();
    }
    return fromClient;
}
/**
 * Builds the handler that turns a service error response into the matching {@link AwsServiceException}
 * subtype registered on the protocol factory.
 *
 * @param protocolFactory the factory that knows the modeled exception mapping
 * @param operationMetadata the operation's payload metadata
 * @return the error response handler for that operation
 */
private HttpResponseHandler<AwsServiceException> createErrorResponseHandler(BaseAwsJsonProtocolFactory protocolFactory,
        JsonOperationMetadata operationMetadata) {
    HttpResponseHandler<AwsServiceException> handler = protocolFactory.createErrorResponseHandler(operationMetadata);
    return handler;
}
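/**
 * Configures a protocol-factory builder for the ACM PCA service: AWS JSON 1.1 wire protocol, this client's
 * configuration, the default exception supplier, and one modeled exception per service error code so that the
 * typed exception (rather than a bare {@link AcmPcaException}) is raised for known errors.
 *
 * <p>All modeled errors here are registered with HTTP status 400. Note that the service's error code
 * {@code MalformedCSRException} maps to the SDK class {@link MalformedCsrException} (different casing).
 *
 * @param <T> the concrete builder type, returned unchanged so that callers can keep chaining
 * @param builder the protocol-factory builder to configure
 * @return the same {@code builder} instance, fully configured
 */
private <T extends BaseAwsJsonProtocolFactory.Builder<T>> T init(T builder) {
    return builder
            .clientConfiguration(clientConfiguration)
            .defaultServiceExceptionSupplier(AcmPcaException::builder)
            .protocol(AwsJsonProtocol.AWS_JSON)
            .protocolVersion("1.1")
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("ConcurrentModificationException")
                            .exceptionBuilderSupplier(ConcurrentModificationException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("MalformedCSRException")
                            .exceptionBuilderSupplier(MalformedCsrException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidRequestException")
                            .exceptionBuilderSupplier(InvalidRequestException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidArgsException")
                            .exceptionBuilderSupplier(InvalidArgsException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidArnException")
                            .exceptionBuilderSupplier(InvalidArnException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("RequestInProgressException")
                            .exceptionBuilderSupplier(RequestInProgressException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("LockoutPreventedException")
                            .exceptionBuilderSupplier(LockoutPreventedException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidStateException")
                            .exceptionBuilderSupplier(InvalidStateException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("PermissionAlreadyExistsException")
                            .exceptionBuilderSupplier(PermissionAlreadyExistsException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("RequestAlreadyProcessedException")
                            .exceptionBuilderSupplier(RequestAlreadyProcessedException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidNextTokenException")
                            .exceptionBuilderSupplier(InvalidNextTokenException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("LimitExceededException")
                            .exceptionBuilderSupplier(LimitExceededException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidTagException")
                            .exceptionBuilderSupplier(InvalidTagException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("CertificateMismatchException")
                            .exceptionBuilderSupplier(CertificateMismatchException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("TooManyTagsException")
                            .exceptionBuilderSupplier(TooManyTagsException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("InvalidPolicyException")
                            .exceptionBuilderSupplier(InvalidPolicyException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("ResourceNotFoundException")
                            .exceptionBuilderSupplier(ResourceNotFoundException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("MalformedCertificateException")
                            .exceptionBuilderSupplier(MalformedCertificateException::builder).httpStatusCode(400).build())
            .registerModeledException(
                    ExceptionMetadata.builder().errorCode("RequestFailedException")
                            .exceptionBuilderSupplier(RequestFailedException::builder).httpStatusCode(400).build());
}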
/**
 * Closes the underlying client handler, releasing whatever resources it holds.
 * After this call the client should not be used for further requests.
 */
@Override
public void close() {
    clientHandler.close();
}
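/**
 * Returns a copy of {@code request} whose override configuration carries an additional API name entry
 * {@code PAGINATED} at the current SDK version (by the method's name, this is what marks paginator-driven
 * calls in the user agent). An existing override configuration is kept and extended; a fresh one is created
 * when the request has none. The input request itself is left untouched: the copy is produced via
 * {@code toBuilder()}.
 *
 * @param <T> the concrete request type, which is also the type of the returned copy
 * @param request the request to annotate
 * @return a new request equal to {@code request} plus the paginator API name
 */
@SuppressWarnings("unchecked")
private <T extends AcmPcaRequest> T applyPaginatorUserAgent(T request) {
    Consumer<AwsRequestOverrideConfiguration.Builder> userAgentApplier = b -> b.addApiName(ApiName.builder()
            .version(VersionInfo.SDK_VERSION).name("PAGINATED").build());
    AwsRequestOverrideConfiguration overrideConfiguration = request.overrideConfiguration()
            .map(c -> c.toBuilder().applyMutation(userAgentApplier).build())
            .orElse(AwsRequestOverrideConfiguration.builder().applyMutation(userAgentApplier).build());
    // toBuilder().build() is only known statically as the base request type, hence the unchecked cast back to T.
    return (T) request.toBuilder().overrideConfiguration(overrideConfiguration).build();
}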
/**
 * Creates a waiter backed by this client.
 *
 * @return a new {@link AcmPcaWaiter} whose service calls go through this client
 */
@Override
public AcmPcaWaiter waiter() {
    AcmPcaWaiter.Builder waiterBuilder = AcmPcaWaiter.builder();
    return waiterBuilder.client(this).build();
}
}