|
| 1 | +--- |
| 2 | +title: "AWS Private CA" |
| 3 | +--- |
| 4 | + |
| 5 | +To allow Golioth to use your AWS Private Certificate Authority service as a PKI |
| 6 | +provider for your project, you need to go through a few steps in the AWS Console |
| 7 | +before you can configure a connection from Golioth. |
| 8 | + |
| 9 | +For information about how you can establish a CA in AWS Private CA and issue |
| 10 | +end-entity certificates, please refer to [the official AWS |
| 11 | +documentation](https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html). |
| 12 | + |
| 13 | +## Configuring AWS |
| 14 | + |
| 15 | +To allow Golioth to securely connect directly to your AWS Private CA service, |
| 16 | +you'll need to create an IAM user with the required permissions. |
| 17 | + |
| 18 | +### 1. Create an IAM user |
| 19 | + |
| 20 | +Golioth connects to your AWS Private CA service as an IAM user. Although it's |
| 21 | +possible for Golioth to authenticate as an existing user, we strongly recommend |
| 22 | +establishing a dedicated user with a narrow set of permissions. |
| 23 | + |
| 24 | +As an admin or an IAM user with the required permissions, navigate to the [IAM |
| 25 | +User Management Dashboard](https://console.aws.amazon.com/iamv2/home#/users) in |
| 26 | +the AWS Console, and click **Create User**. |
| 27 | + |
| 28 | + |
| 29 | + |
| 30 | +Pick a recognizable user name, and click **Next** to go to the permissions |
| 31 | +screen. |
| 32 | + |
| 33 | +### 2. Set Permissions |
| 34 | + |
| 35 | +The Golioth user requires read access to the Private CA service to be able to |
| 36 | +authenticate device certificates. This can be enabled by attaching the |
| 37 | +**AWSPrivateCAReadOnly** policy to the user. |
| 38 | + |
| 39 | +To enable certificate rotation for your devices, you additionally need write |
| 40 | +permission for the AWS Private CA service. This can be enabled by attaching the |
| 41 | +**AWSPrivateCAUser** policy to the user. |
| 42 | + |
| 43 | +:::note |
| 44 | +Other, more permissive policies, such as **AWSPrivateCAFullAccess** and |
| 45 | +**AWSPrivateCAPrivilegedUser** also grant the required permissions to verify and |
| 46 | +issue device certificates, but these policies additionally grant the user the |
| 47 | +ability to manage the CA certificates themselves, which is not necessary, and |
| 48 | +thus not recommended. |
| 49 | +::: |
| 50 | + |
| 51 | + |
| 52 | + |
| 53 | +Policies can either be attached to the user directly when you create it, or by |
| 54 | +assigning the user to a user group with the required permissions. |
| 55 | + |
| 56 | +:::note |
| 57 | +In AWS, the standard IAM policies grant sets of permissions that are commonly |
| 58 | +used together. If you wish to create your own policy for the Golioth integration, |
| 59 | +it'll need to be granted the following permissions: |
| 60 | + |
| 61 | +- Verify device certificates (required): |
| 62 | + - `acm-pca:ListCertificateAuthorities` |
| 63 | + - `acm-pca:GetCertificateAuthorityCertificate` |
| 64 | +- Performing certificate rotation (optional): |
| 65 | + - `acm-pca:IssueCertificate` |
| 66 | + - `acm-pca:GetCertificate` |
| 67 | +::: |
| 68 | + |
| 69 | +### 3. Create an access key |
| 70 | + |
| 71 | +Once the user is created with the required permissions, you'll need to create an |
| 72 | +access key that Golioth can use to authenticate as that user. |
| 73 | + |
| 74 | +Follow [the AWS |
| 75 | +documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html) |
| 76 | +for instructions on how to create an access key for an IAM user. Note that the |
| 77 | +secret access key is only available during the creation process, and must be |
| 78 | +saved before leaving the page. |
| 79 | + |
| 80 | +## Connecting to AWS from the Golioth Console |
| 81 | + |
| 82 | +Once you have an AWS IAM user with the required permissions, you can configure |
| 83 | +Golioth's connection to the AWS Private CA from the Golioth Console. Navigate to |
| 84 | +the PKI Providers section in the sidebar, and click **Add Provider**. In the |
| 85 | +modal window, select _AWS Private Certificate Authority_, and the correct region |
| 86 | +for your AWS instance. Add the Access Key ID and Secret Access Key that you |
| 87 | +created in the AWS Console, and click **Connect**. The provider will be added to |
| 88 | +the list of known providers, and a provider status check will run. |
| 89 | + |
| 90 | +If everything is configured correctly, the provider status should change to |
| 91 | +"Connected", and list the number of available certificate authorities. |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +## Issuing Device Certificates |
| 96 | + |
| 97 | +Device certificates are [End Entity |
| 98 | +Certificates](https://docs.aws.amazon.com/privateca/latest/userguide/PcaIssueCert.html) |
| 99 | +in AWS. |
| 100 | + |
| 101 | +As outlined in the [Certificate ID section](./README.md#certificate-ids), |
| 102 | +the device certificate subject needs to include the following attributes: |
| 103 | + |
| 104 | +- `Organization`: the device's project ID |
| 105 | +- `CommonName`: a unique device certificate ID |
| 106 | + |
| 107 | +Other subject attributes are ignored. |
| 108 | + |
| 109 | +When performing certificate rotation, Golioth will submit certificate signing |
| 110 | +requests to the AWS Private CA with the |
| 111 | +[`EndEntityClientAuthCertificate_APIPassthrough/V1` |
| 112 | +template](https://docs.aws.amazon.com/privateca/latest/userguide/template-definitions.html#EndEntityClientAuthCertificate_APIPassthrough). |
| 113 | +The request will be submitted with an API passthrough value containing the |
| 114 | +subject attributes above. |
0 commit comments