
Using AWS CLI for ACM's 'import-certificate' to re-import a renewed cert, chain and private key for a LetsEncrypt certificate that gets dropped off in an S3 bucket. It seems the usual file parameter syntax notation. I am using [aws-cli/1.18.69 Python/3.8.10 Linux/5.14.0-1056-oem botocore/1.16.19]

Here is what is not working:

aws acm import-certificate --certificate fileb://s3://foo-bucket-001/bar.com/cert.pem --certificate-chain fileb://s3://foo-bucket-001/bar.com/chain.pem --private-key fileb://s3://foo-bucket-001/bar.com/privkey.pem --certificate-arn arn:aws:acm:us-east-1:000000000000:certificate/d3bbe6f3-c479-4bbe-ad16-cc97745501a5

Error Message: Error parsing parameter '--certificate': Unable to load paramfile fileb://s3://foo-bucket-001/townsquareignite.com/cert.pem: [Errno 2] No such file or directory: 's3://foo-bucket-001/townsquareignite.com/cert.pem' I've tried s3://, file://, and fileb://, using the ARN for the S3 objects. Having no joy.

Using fileb://path/to-local/cert.pem does work, so obviously it's just the command binary file syntax to the files in the S3 bucket that is not correct. But I cannot find any documentation nor a previous answer.

Any AWS CLI ACM via S3 guidance here?

1 Answer


I believe you cannot use this cli command with s3. If you type aws acm import-certificate help there is nothing about s3 at all. A private certificate usually is very sensitive information and I think AWS doesn't encourage uploading it to s3. Or maybe it was an original idea when they developed this CLI sub-command.

Unfortunately, you'll have to import it once from your local machine and then refer to its ARN in your automation/infrastructure code.

– morkot
  • Also looking on boto3 docs https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/acm.html#ACM.Client.import_certificate it doesn't look like they support s3 urls – morkot Feb 01 '23 at 17:20
  • Thank you, @morkot. I saw this in the documentation _If you are making an HTTP or HTTPS Query request, include these arguments as BLOBs._ and thought it was perhaps either an omission or contained in a seemingly unrelated section of AWS CLI documentation. To clarify, I am using this to automate the process of importing third party certs to ACM for use as Alternate Domain Name for CloudFront distros as part of CloudFormation stacks. I will simply adjust the script(s) to pull the file "local" before the import-certificate sub-command. – Tom Harrison Feb 01 '23 at 18:12
  • I asked AWS Support if it is possible to add this to the API sub-commands. Many thanks for your help and clarity. – Tom Harrison Feb 03 '23 at 18:10
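The procedure the answer and the follow-up comment settle on (copy the three PEM objects out of S3 to the local machine, then call `import-certificate` with the `fileb://` syntax the CLI does resolve) as an added, self-contained script. It is not code from the question, the answer, or AWS; the bucket prefix and certificate ARN are constructed placeholders, and it assumes a configured AWS CLI, GNU coreutils `shred` and `openssl` on the staging host. Because the private key briefly lands on local disk, the script stages it under a `umask 077` temp directory, overwrites it before deleting, and refuses to import a key that does not match the leaf certificate.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Stages a renewed Let's Encrypt cert, chain and private key from S3 into a
# private temp directory, sanity-checks them, and re-imports them into ACM
# with the local fileb:// syntax that the CLI actually accepts.
# Assumptions (constructed for this example): the S3 prefix and ARN in the
# usage block, a configured AWS CLI, GNU coreutils `shred`, and `openssl`.
set -eu

AWS="${AWS:-aws}"          # override with AWS=echo for a dry run
STAGE_DIR=""

# Overwrite the staged key material before unlinking, whatever happens.
cleanup_stage() {
  if [ -n "$STAGE_DIR" ] && [ -d "$STAGE_DIR" ]; then
    shred -u "$STAGE_DIR"/*.pem 2>/dev/null || true
    rm -rf "$STAGE_DIR"
  fi
}

# check_pem_files DIR: every expected file exists, is non-empty and is PEM.
check_pem_files() {
  dir="$1"
  for f in cert.pem chain.pem privkey.pem; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $dir/$f" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN' "$dir/$f"; then
      echo "not PEM: $dir/$f" >&2; return 1
    fi
  done
  return 0
}

# key_matches_cert DIR: the private key must belong to the leaf certificate;
# compare the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  dir="$1"
  cert_pub="$(openssl x509 -in "$dir/cert.pem" -pubkey -noout)"
  key_pub="$(openssl pkey -in "$dir/privkey.pem" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# run_acm_import DIR [ARN]: import (or, with ARN, re-import in place) from
# local files. Arguments are built with `set --` so nothing is word-split.
run_acm_import() {
  dir="$1"; arn="${2:-}"
  set -- acm import-certificate \
    --certificate "fileb://$dir/cert.pem" \
    --certificate-chain "fileb://$dir/chain.pem" \
    --private-key "fileb://$dir/privkey.pem"
  if [ -n "$arn" ]; then
    set -- "$@" --certificate-arn "$arn"
  fi
  "$AWS" "$@"
}

# import_from_s3 S3_PREFIX [ARN]: the full stage-check-import procedure.
import_from_s3() {
  prefix="$1"; arn="${2:-}"
  umask 077                             # staged files are owner-readable only
  STAGE_DIR="$(mktemp -d)"
  trap cleanup_stage EXIT
  for f in cert.pem chain.pem privkey.pem; do
    "$AWS" s3 cp "$prefix/$f" "$STAGE_DIR/$f" --quiet
  done
  check_pem_files "$STAGE_DIR"
  key_matches_cert "$STAGE_DIR"
  run_acm_import "$STAGE_DIR" "$arn"
}

# Usage (constructed placeholder values):
#   ACM_S3_PREFIX=s3://foo-bucket-001/bar.com \
#   ACM_CERT_ARN=arn:aws:acm:us-east-1:000000000000:certificate/PLACEHOLDER \
#   sh import-cert.sh
if [ -n "${ACM_S3_PREFIX:-}" ]; then
  import_from_s3 "$ACM_S3_PREFIX" "${ACM_CERT_ARN:-}"
fi
```

Passing `--certificate-arn` replaces the certificate behind an existing ARN, so CloudFront distributions and CloudFormation stacks that reference that ARN keep working after renewal; omitting it creates a new certificate with a new ARN. Run with `AWS=echo` first to see the exact `aws` invocations without touching S3 or ACM.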