Saturday, January 21, 2017

Getting an AWS IAM Certificate ARN

I was recently working on a CloudFormation template that needed an ELB with an HTTPS listener. My company already has a wildcard cert uploaded to IAM for use in staging environments, so I wanted to use that cert rather than create a new one.

The classic load balancer and the newer Application Load Balancer look a little different for creating HTTPS listeners, but both require you to include the certificate ARN in your template.

I spent some time poking around in the console, looking for how to find the ARN of a certificate you've uploaded, with no success. As far as I can tell, there's nowhere in the console besides the certificate dropdown when editing an ELB listener to see the certificates you've uploaded.

Finally I turned to the AWS CLI and found "get-server-certificate", which returns the ARN of a certificate uploaded to IAM when you give it the certificate's name. (If you don't remember the name, "list-server-certificates" enumerates every certificate in the account along with its ARN.)

If you already have the AWS CLI set up with your access keys, it's pretty straightforward:

aws iam get-server-certificate --server-certificate-name wildcard-****
And it will kick back the certificate body, the certificate chain, and a ServerCertificateMetadata block that contains the ARN, the name, the upload date and the expiration date. The private key is never returned; IAM stores it but won't hand it back.

As it turns out, the ARN of a certificate is just the combination of your account number and the name you gave it, in the form arn:aws:iam::<account-id>:server-certificate/<name>. If you uploaded the certificate under an IAM path, that path sits between the slash and the name.
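Here is an added example (mine, not code from the original post) that puts that ARN shape into working code: it builds the ARN from an account id and certificate name, parses one back apart, and checks a get-server-certificate response for consistency and expiry before the ARN gets baked into a template. The account id, certificate name and dates in the sample response are made up, and the boto3 call at the end is an assumption about your environment (boto3 installed, credentials configured); everything else runs offline.

```python
"""Build, parse and sanity-check an IAM server-certificate ARN.

Added example for this post, not code from the original. Works offline on a
constructed GetServerCertificate-shaped response; fetch_live() is the only
part that assumes boto3 and AWS credentials.
"""
import re
from datetime import datetime, timezone
from typing import Optional

# ARN shape for certificates uploaded to IAM: 12-digit account id, an IAM path
# that always starts and ends with '/', then the name given at upload time.
ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):server-certificate"
    r"(?P<path>/(?:[A-Za-z0-9_+=,.@-]+/)*)(?P<name>[A-Za-z0-9_+=,.@-]+)$"
)

# Constructed sample shaped like `aws iam get-server-certificate` JSON output.
# Account id, name, id and dates are made up; the PEM bodies are placeholders.
# Note there is no PrivateKey field: IAM never returns it.
SAMPLE_RESPONSE = {
    "ServerCertificate": {
        "ServerCertificateMetadata": {
            "Path": "/",
            "ServerCertificateName": "wildcard-example",
            "ServerCertificateId": "ASCAEXAMPLEEXAMPLE",
            "Arn": "arn:aws:iam::123456789012:server-certificate/wildcard-example",
            "UploadDate": "2016-03-01T00:00:00Z",
            "Expiration": "2017-03-01T00:00:00Z",
        },
        "CertificateBody": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
        "CertificateChain": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----",
    }
}


def build_arn(account_id: str, name: str, path: str = "/") -> str:
    """Assemble the ARN the way IAM does: account id + IAM path + certificate name."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be exactly 12 digits")
    if not (path.startswith("/") and path.endswith("/")):
        raise ValueError("IAM path must start and end with '/'")
    arn = f"arn:aws:iam::{account_id}:server-certificate{path}{name}"
    if not ARN_RE.fullmatch(arn):
        raise ValueError(f"not a well-formed IAM server-certificate ARN: {arn}")
    return arn


def parse_arn(arn: str) -> dict:
    """Split an ARN back into account, path and name; rejects anything else (e.g. ACM ARNs)."""
    m = ARN_RE.fullmatch(arn)
    if not m:
        raise ValueError(f"not an IAM server-certificate ARN: {arn}")
    return m.groupdict()


def parse_time(value) -> datetime:
    """CLI JSON gives ISO-8601 strings (often with a trailing 'Z'); boto3 gives datetimes."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(response: dict, now: Optional[datetime] = None, warn_days: int = 30) -> dict:
    """Pull the ARN out of a GetServerCertificate response and check that it agrees
    with the reported path/name and that the certificate has not (nearly) expired."""
    meta = response["ServerCertificate"]["ServerCertificateMetadata"]
    parts = parse_arn(meta["Arn"])
    consistent = parts["path"] == meta["Path"] and parts["name"] == meta["ServerCertificateName"]
    now = now or datetime.now(timezone.utc)
    days_left = (parse_time(meta["Expiration"]) - now).days
    return {
        "arn": meta["Arn"],
        "account": parts["account"],
        "name": parts["name"],
        "consistent": consistent,
        "days_left": days_left,
        "expired": days_left < 0,
        "expiring_soon": 0 <= days_left < warn_days,
        # IAM returns body and chain only; a private key here would mean something is wrong.
        "leaks_private_key": "PrivateKey" in response["ServerCertificate"],
    }


def fetch_live(name: str) -> dict:
    """Run the same check against a real account. Assumes boto3 and credentials."""
    import boto3  # imported lazily so the rest of the module runs offline
    return summarize(boto3.client("iam").get_server_certificate(ServerCertificateName=name))


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_RESPONSE, now=parse_time("2017-01-21T00:00:00Z")), indent=2))
```

The expiry check is the part worth keeping around: a hard-coded certificate ARN in a template does not stop working when the certificate expires, the listener just starts serving an expired cert, so checking days_left before every deploy is cheap insurance.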

And lastly, because I insist on believing that lots of people use PowerShell for AWS management when maybe none of you do, here's the same command in good ol' PS.
(Get-IAMServerCertificate -servercertificatename wildcard-***********).ServerCertificateMetadata

Interestingly, the PowerShell tools return a richer object than the CLI's flat JSON: Get-IAMServerCertificate hands back a ServerCertificate object whose CertificateBody and CertificateChain properties hold the PEM data, so you have to select the ServerCertificateMetadata property to get at the ARN rather than seeing it by default.