The AWS Certificate Manager plugin supports the following types of credentials: permanent IAM user credentials and temporary (STS) credentials.

Once the credentials are set, run the following AWS CLI commands to test each permission.

# Test list permission
aws acm list-certificates --region us-east-1
 
# Test describe permission
aws acm describe-certificate --certificate-arn "arn:aws:acm:..." --region us-east-1
 
# Test get certificate permission
aws acm get-certificate --certificate-arn "arn:aws:acm:..." --region us-east-1
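The three CLI commands above each probe one permission against a placeholder ARN. The following added example (not part of the plugin or this page) does the same check programmatically: it lists the first certificate in the region, then uses that real ARN for the describe and get checks, and classifies an access-denied error separately from other failures so the report names exactly which action the policy lacks. The ACM client is injected, so the function works with a real boto3 client or with the constructed offline stand-in included below; the ARN and error code in that stand-in are constructed sample values.

```python
"""Probe the three ACM permissions the plugin needs and report which is missing.

The ACM client is passed in, so the same function runs against a real boto3
client (boto3.client("acm", region_name="us-east-1")) or the offline stand-in
below. Only the first certificate returned is used for the describe/get checks.
"""

REQUIRED_ACTIONS = (
    "acm:ListCertificates",
    "acm:DescribeCertificate",
    "acm:GetCertificate",
)

# Error codes AWS uses for an IAM denial. ACM returns "AccessDeniedException";
# the other two are accepted defensively.
DENIED_CODES = {"AccessDeniedException", "AccessDenied", "UnauthorizedAccess"}


def is_access_denied(exc):
    # botocore's ClientError keeps the service error in exc.response; reading it
    # with getattr avoids importing botocore just to classify the error.
    code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
    return code in DENIED_CODES


def probe_acm_permissions(acm):
    """Return {action: True | False | None}.

    True  - the call succeeded, so the permission is granted
    False - AWS returned an access-denied error
    None  - the check could not run (an earlier required call was denied, or
            there is no certificate in the region to describe/fetch)
    Any error other than an IAM denial is re-raised: it means the permission is
    present but the request itself failed (e.g. GetCertificate on a certificate
    that is still pending validation).
    """
    result = {action: None for action in REQUIRED_ACTIONS}
    try:
        page = acm.list_certificates(MaxItems=1)
    except Exception as exc:
        if is_access_denied(exc):
            result["acm:ListCertificates"] = False
            return result
        raise
    result["acm:ListCertificates"] = True

    summaries = page.get("CertificateSummaryList", [])
    if not summaries:
        return result
    arn = summaries[0]["CertificateArn"]

    for action, call in (
        ("acm:DescribeCertificate", acm.describe_certificate),
        ("acm:GetCertificate", acm.get_certificate),
    ):
        try:
            call(CertificateArn=arn)
            result[action] = True
        except Exception as exc:
            if not is_access_denied(exc):
                raise
            result[action] = False
    return result


def missing_permissions(result):
    """Actions that were explicitly denied (None entries are not reported)."""
    return [a for a in REQUIRED_ACTIONS if result.get(a) is False]


# --- constructed offline stand-in (not a real AWS response) -----------------
class DeniedError(Exception):
    """Mimics the shape of botocore.exceptions.ClientError for a denial."""

    def __init__(self, code="AccessDeniedException"):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class OfflineAcmClient:
    """Behaves like a policy that grants List and Describe but not Get."""

    ARN = "arn:aws:acm:us-east-1:111122223333:certificate/example-id"  # constructed

    def list_certificates(self, MaxItems=1):
        return {"CertificateSummaryList": [{"CertificateArn": self.ARN}]}

    def describe_certificate(self, CertificateArn):
        return {"Certificate": {"CertificateArn": CertificateArn}}

    def get_certificate(self, CertificateArn):
        raise DeniedError()


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # real client; uses credentials from the environment
        client = boto3.client("acm", region_name="us-east-1")
    else:
        client = OfflineAcmClient()
    outcome = probe_acm_permissions(client)
    for action, ok in outcome.items():
        print(f"{action:28s} {ok}")
    print("missing:", missing_permissions(outcome) or "none")
```

Run with `--live` to probe the real account; without it the offline stand-in shows the report shape for a policy that is missing acm:GetCertificate.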

Creating permanent IAM user credentials

The IAM user or role must have the following ACM permissions:

acm:ListCertificates

Required to discover all certificates in the specified region. Without this permission, the plugin cannot enumerate certificates, and the scan will fail immediately.

acm:DescribeCertificate

Required to retrieve detailed metadata for each certificate, including domain names, validity periods, in-use status, and certificate authority. Without this permission, the plugin can list certificates but cannot retrieve their details.

acm:GetCertificate

Required to retrieve the actual PEM-encoded certificate body. Without this permission, the plugin can list and describe certificates, but cannot extract the certificate data itself.

To create permanent IAM user credentials

  1. Log in to the AWS IAM Console at https://console.aws.amazon.com/iam/
  2. Navigate to Users > Add user
  3. Enter a username - for example: "acm-discovery-plugin".
  4. Select Programmatic access as the access type
  5. Click Next: Permissions
  6. Attach the required permissions policy. For example:
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": [
             "acm:ListCertificates",
             "acm:DescribeCertificate",
             "acm:GetCertificate"
           ],
           "Resource": "*"
         }
       ]
     }
  7. Complete the wizard and click Create user
  8. Save the Access Key ID and Secret Access Key displayed on the final screen. 

    Note: You won't be able to retrieve the secret key again.

  9. Use these credentials in the plugin configuration and leave sessionToken empty.
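The policy in step 6 grants only the three actions the plugin needs. The following added example (not part of the plugin or this page) audits a policy document against that required set, matching action names the way IAM does (case-insensitively, with `*` as a wildcard), and flags anything broader: wildcard actions such as `acm:*`, actions outside the required set, and `NotAction` statements. The second policy below is a constructed counter-example, not one the page recommends.

```python
"""Audit an IAM policy against the three ACM actions the plugin requires."""
import json
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = {
    "acm:ListCertificates",
    "acm:DescribeCertificate",
    "acm:GetCertificate",
}


def _as_list(value):
    # IAM accepts "Action": "x" as well as "Action": ["x", "y"]
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement. A NotAction
    statement grants everything not listed, so it is recorded as '*'."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            granted.add("*")
            continue
        granted.update(_as_list(stmt.get("Action", [])))
    return granted


def _matches(pattern, action):
    # IAM action matching is case-insensitive and '*' is a wildcard
    return fnmatchcase(action.lower(), pattern.lower())


def audit_policy(policy):
    granted = allowed_actions(policy)
    required_lower = {a.lower() for a in REQUIRED_ACTIONS}
    missing = sorted(
        a for a in REQUIRED_ACTIONS if not any(_matches(g, a) for g in granted)
    )
    wildcards = sorted(g for g in granted if "*" in g)
    extra = sorted(
        g for g in granted if "*" not in g and g.lower() not in required_lower
    )
    return {
        "missing": missing,        # required actions no statement covers
        "wildcards": wildcards,    # patterns that grant more than listed
        "extra": extra,            # literal actions the plugin does not need
        "least_privilege": not (missing or wildcards or extra),
    }


# The policy from step 6 of the procedure above.
PLUGIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed counter-example: covers the required actions but grants far more.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["acm:*", "iam:ListUsers"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    for name, policy in (("plugin policy", PLUGIN_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
```

`audit_policy` reads a policy that has already been parsed into a dict (for example via `json.load` on a file exported from the console or `aws iam get-policy-version`), so it can be dropped into a pre-deployment check for the plugin's IAM user.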

Creating temporary credentials

For temporary credentials (STS), you may need the following permission.

sts:GetSessionToken

Required only when using temporary credentials to generate or validate session tokens.

To create temporary credentials

  1. Ensure you have an IAM role configured with the required permissions.
  2. Use AWS CLI or SDK to assume the role: 
    aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/ACMReadRole \
    --role-session-name acm-plugin-session
  3. Extract the following fields from the response:
    • AccessKeyId
    • SecretAccessKey
    • SessionToken
  4. Use all three values in the plugin configuration. 

    Note: Temporary credentials typically expire within 1-12 hours and must be refreshed.
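The assume-role procedure above is usually automated, because the credentials it yields expire and must be replaced. The following added example (not part of the plugin or this page) calls AssumeRole, extracts the three fields the plugin needs, keeps the returned expiration time, and re-assumes the role only when the cached session is about to expire. The STS client is injected, so it runs against `boto3.client("sts")` or the constructed offline stand-in included below; the configuration key names `accessKeyId` and `secretAccessKey` are assumptions (the page names only `sessionToken`), and the role ARN and session name are the page's own examples. Note that the identity calling AssumeRole needs `sts:AssumeRole` on the role, and the role's trust policy must allow that caller.

```python
"""Assume a role, extract the fields the plugin needs, and refresh before expiry."""
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # re-assume this long before expiry

# Assumed plugin configuration keys; only sessionToken is named in the docs.
CONFIG_KEYS = ("accessKeyId", "secretAccessKey", "sessionToken")


def assume_role_credentials(sts, role_arn, session_name, duration_seconds=3600):
    """Call AssumeRole and keep the three credential fields plus expiration."""
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        # STS returns a timezone-aware datetime; it drives the refresh decision
        "expiration": creds["Expiration"],
    }


def needs_refresh(creds, now=None, margin=REFRESH_MARGIN):
    """True once the credentials are within `margin` of expiry or already expired."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - now <= margin


def plugin_config(creds):
    """Only the fields the plugin configuration takes (expiration stays internal)."""
    return {k: creds[k] for k in CONFIG_KEYS}


def credentials_for(sts, role_arn, session_name, cached=None, now=None):
    """Reuse cached credentials while valid; otherwise assume the role again."""
    now = now or datetime.now(timezone.utc)
    if cached is None or needs_refresh(cached, now):
        return assume_role_credentials(sts, role_arn, session_name)
    return cached


class OfflineStsClient:
    """Constructed stand-in returning placeholder values, not real AWS credentials."""

    def __init__(self, now):
        self.now = now
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        return {
            "Credentials": {
                "AccessKeyId": f"ASIAEXAMPLE{self.calls}",
                "SecretAccessKey": "example-secret",
                "SessionToken": "example-session-token",
                "Expiration": self.now + timedelta(seconds=DurationSeconds),
            }
        }


def demo():
    """Walk a one-hour session through reuse and refresh; returns what happened."""
    start = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    sts = OfflineStsClient(start)
    role = "arn:aws:iam::123456789012:role/ACMReadRole"
    first = credentials_for(sts, role, "acm-plugin-session", now=start)
    # 30 minutes in: still valid, the cached credentials are returned unchanged
    reused = credentials_for(sts, role, "acm-plugin-session", cached=first,
                             now=start + timedelta(minutes=30))
    # 56 minutes in: within the 5-minute margin, so the role is assumed again
    refreshed = credentials_for(sts, role, "acm-plugin-session", cached=first,
                                now=start + timedelta(minutes=56))
    return {
        "config_keys": tuple(plugin_config(first)),
        "reused_same_object": reused is first,
        "refreshed_new_key": refreshed["accessKeyId"] != first["accessKeyId"],
        "assume_role_calls": sts.calls,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real account, replace `OfflineStsClient` with `boto3.client("sts")`; the rest of the flow is unchanged, and `plugin_config` yields exactly the three values step 4 says to place in the plugin configuration.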