{
  "id": 9507,
  "library": "aws-cdk-aws-acmpca",
  "title": "AWS CDK ACMPCA v1 Constructs",
  "description": "The `aws-cdk-aws-acmpca` library provides AWS Cloud Development Kit (CDK) constructs for provisioning AWS Certificate Manager Private Certificate Authority (ACM PCA) resources. It is part of the AWS CDK v1 ecosystem; `1.204.0` is the final v1 release, and CDK v1 reached end of support on 1 June 2023, so new development happens only in CDK v2 (`aws-cdk-lib`). The module contains the L1 (`Cfn*`) constructs generated from the `AWS::ACMPCA::*` CloudFormation resources plus a `CertificateAuthority` class whose only job is `from_certificate_authority_arn()`, used to hand an existing CA to constructs such as `aws_certificatemanager.PrivateCertificate`. There is no L2 construct that creates a CA.",
  "status": "active",
  "version": "1.204.0",
  "language": "en",
  "source_language": "en",
  "source_url": "https://github.com/aws/aws-cdk.git",
  "tags": ["aws", "cdk", "acmpca", "infrastructure-as-code", "cloud-security", "pki"],
  "install": [
    {"cmd": "pip install aws-cdk.core aws-cdk.aws-acmpca", "lang": "bash", "label": "Install for CDK v1 projects"},
    {"cmd": "npm install -g aws-cdk", "lang": "bash", "label": "Install AWS CDK CLI (recommended)"}
  ],
  "dependencies": [
    {"reason": "Required for CDK v1 core constructs like App, Stack and Construct.", "package": "aws-cdk.core", "optional": false}
  ],
  "imports": [
    {"note": "This package is for AWS CDK v1; `aws_cdk_lib` is not a Python module. For v2, install `aws-cdk-lib` and use `from aws_cdk import aws_acmpca as acmpca`.", "wrong": "from aws_cdk_lib import aws_acmpca", "symbol": "aws_acmpca", "correct": "from aws_cdk import aws_acmpca"},
    {"note": "Only exposes `from_certificate_authority_arn()` for referencing an existing CA; it cannot create one.", "symbol": "CertificateAuthority", "correct": "from aws_cdk.aws_acmpca import CertificateAuthority"},
    {"note": "The L1 construct for AWS::ACMPCA::CertificateAuthority. This is what actually creates a CA; its properties mirror the CloudFormation resource one to one.", "symbol": "CfnCertificateAuthority", "correct": "from aws_cdk.aws_acmpca import CfnCertificateAuthority"},
    {"note": "The L1 construct for AWS::ACMPCA::Certificate; issues a certificate from a CSR, including the CA's own certificate.", "symbol": "CfnCertificate", "correct": "from aws_cdk.aws_acmpca import CfnCertificate"},
    {"note": "The L1 construct for AWS::ACMPCA::CertificateAuthorityActivation; imports the CA certificate (and chain, for subordinates) to move the CA from PENDING_CERTIFICATE to ACTIVE.", "symbol": "CfnCertificateAuthorityActivation", "correct": "from aws_cdk.aws_acmpca import CfnCertificateAuthorityActivation"}
  ],
  "quickstart": {
    "code": "import os\nfrom aws_cdk import core as cdk\nfrom aws_cdk import aws_acmpca as acmpca\n\n\nclass MyAcmpcaStack(cdk.Stack):\n    def __init__(self, scope: cdk.Construct, id: str, **kwargs) -> None:\n        super().__init__(scope, id, **kwargs)\n\n        # aws-acmpca has no L2 that creates a CA (CertificateAuthority only wraps an\n        # existing ARN), so the CA is defined with the L1 CfnCertificateAuthority.\n        # type, key_algorithm and signing_algorithm take the CloudFormation string values.\n        ca = acmpca.CfnCertificateAuthority(self, \"MyRootCA\",\n            type=\"ROOT\",\n            key_algorithm=\"RSA_2048\",\n            signing_algorithm=\"SHA256WITHRSA\",\n            subject=acmpca.CfnCertificateAuthority.SubjectProperty(\n                country=\"US\",\n                state=\"WA\",\n                locality=\"Seattle\",\n                organization=\"MyOrg\",\n                organizational_unit=\"IT\",\n                common_name=\"MyRootCA\",\n            ),\n            # For production, publish a CRL to an S3 bucket whose bucket policy lets the\n            # acm-pca.amazonaws.com service principal write to it (see the IAM warning):\n            # revocation_configuration=acmpca.CfnCertificateAuthority.RevocationConfigurationProperty(\n            #     crl_configuration=acmpca.CfnCertificateAuthority.CrlConfigurationProperty(\n            #         enabled=True,\n            #         custom_cname=\"crl.myorg.com\",\n            #         expiration_in_days=7,\n            #         s3_bucket_name=\"my-crl-bucket\",\n            #     )\n            # ),\n        )\n\n        # CfnCertificateAuthority alone leaves the CA in PENDING_CERTIFICATE. For a\n        # root CA the stack can finish the job: sign the CA's own CSR with the\n        # RootCACertificate template, then import the result to make the CA ACTIVE.\n        ca_cert = acmpca.CfnCertificate(self, \"MyRootCACert\",\n            certificate_authority_arn=ca.attr_arn,\n            certificate_signing_request=ca.attr_certificate_signing_request,\n            signing_algorithm=\"SHA256WITHRSA\",\n            template_arn=\"arn:aws:acm-pca:::template/RootCACertificate/V1\",\n            validity=acmpca.CfnCertificate.ValidityProperty(type=\"YEARS\", value=10),\n        )\n        acmpca.CfnCertificateAuthorityActivation(self, \"MyRootCAActivation\",\n            certificate_authority_arn=ca.attr_arn,\n            certificate=ca_cert.attr_certificate,\n        )\n\n        # Uncomment to keep the CA when the stack is destroyed (see the deletion warning):\n        # ca.apply_removal_policy(cdk.RemovalPolicy.RETAIN)\n\n\napp = cdk.App()\nMyAcmpcaStack(app, \"MyAcmpcaStack\",\n    env=cdk.Environment(\n        account=os.environ.get(\"CDK_DEFAULT_ACCOUNT\", \"123456789012\"),  # replace with your account ID\n        region=os.environ.get(\"CDK_DEFAULT_REGION\", \"us-east-1\"),  # check ACM PCA availability in your region\n    )\n)\napp.synth()\n",
    "lang": "python",
    "description": "This quickstart defines a root CA with the L1 `CfnCertificateAuthority` construct (the module has no L2 that creates CAs), then activates it in the same stack by issuing the CA's own certificate from its CSR with the `RootCACertificate/V1` template and importing it through `CfnCertificateAuthorityActivation`. To deploy, install the CDK CLI (`npm install -g aws-cdk`), configure AWS credentials, bootstrap the target account and region if you have not already (`cdk bootstrap`), and run `cdk deploy`. Replace the placeholder subject and validity with your own PKI policy before using this for anything real."
  },
  "warnings": [
    {
      "fix": "For v2, uninstall `aws-cdk-aws-acmpca` and `aws-cdk.core`, install `aws-cdk-lib`, and change imports to `from aws_cdk import aws_acmpca as acmpca` and `import aws_cdk as cdk`. For v1, continue using the separate `aws-cdk.*` packages and `aws_cdk.core`, bearing in mind that v1 no longer receives fixes.",
      "message": "This package (`aws-cdk-aws-acmpca`) is specific to AWS CDK v1, which reached end of support on 1 June 2023. AWS CDK v2 consolidates all constructs into a single package, `aws-cdk-lib`, with the same module path (`aws_cdk.aws_acmpca`) but a different distribution and a different core import.",
      "severity": "breaking",
      "affected_versions": "All v1.x.x versions when attempting to use v2 patterns."
    },
    {
      "fix": "Activate the CA in the stack: create a `CfnCertificate` with `certificate_signing_request=ca.attr_certificate_signing_request` and the appropriate CA template (`arn:aws:acm-pca:::template/RootCACertificate/V1` for a root, `arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1` or another PathLen template for a subordinate signed by a parent in ACM PCA), then a `CfnCertificateAuthorityActivation` with `certificate=cert.attr_certificate` (plus `certificate_chain` for a subordinate). For a subordinate signed by an external CA, do it out of band: `aws acm-pca get-certificate-authority-csr`, sign the CSR with the external CA, then `aws acm-pca import-certificate-authority-certificate`.",
      "message": "A CA created with `CfnCertificateAuthority` is not automatically active. The resource comes up in PENDING_CERTIFICATE and cannot issue anything until a CA certificate (and, for a subordinate, its chain) has been imported. The CSR to sign is exposed as the `CertificateSigningRequest` attribute (`attr_certificate_signing_request` in CDK).",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "If the stack delete fails because the CA is still ACTIVE, disable it first (`aws acm-pca update-certificate-authority --certificate-authority-arn <arn> --status DISABLED`) and retry. To keep a CA that still has certificates in use, call `ca.apply_removal_policy(cdk.RemovalPolicy.RETAIN)` on the `CfnCertificateAuthority` so `cdk destroy` orphans it instead of deleting it. Do not leave failed test CAs behind: ACM PCA bills per CA per month until the CA is deleted.",
      "message": "ACM PCA only deletes a CA that is DISABLED, PENDING_CERTIFICATE, CREATING or EXPIRED; an ACTIVE CA must be disabled first. There is no deletion-protection flag and no `permanent_deletion_time_in_days` property on `CfnCertificateAuthority`; deletion is scheduled rather than immediate, and the CA stays restorable for the API's `PermanentDeletionTimeInDays` window (7 to 30 days, default 30). Deleting a CA does not revoke certificates it has issued: they remain valid until expiry, but nothing will publish its CRL or answer OCSP for them any more, so relying parties lose the ability to check revocation.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Give the deploying role the `acm-pca:*` actions the stack needs (at least CreateCertificateAuthority, DescribeCertificateAuthority, GetCertificateAuthorityCsr, IssueCertificate, GetCertificate, ImportCertificateAuthorityCertificate, UpdateCertificateAuthority, DeleteCertificateAuthority and TagCertificateAuthority). For a CRL or audit-report bucket, attach a bucket policy that grants the service principal `acm-pca.amazonaws.com` `s3:PutObject`, `s3:PutObjectAcl`, `s3:GetBucketAcl` and `s3:GetBucketLocation` on the bucket and its objects, restricted with `aws:SourceAccount` and `aws:SourceArn` conditions so only your CA can use it; also disable S3 Block Public Access for that bucket only if the CRL must be fetchable anonymously.",
      "message": "ACM PCA deployments fail for two distinct permission reasons. First, the deploying user or role needs the relevant `acm-pca:*` actions. Second, ACM PCA writes CRLs and audit reports to S3 as the service principal `acm-pca.amazonaws.com`, so the bucket policy (not the deploying role) must allow it; CA creation or update with a `crl_configuration` pointing at a bucket without that policy is rejected. No customer KMS key is involved in CA key material: private keys are generated and held in the service's own HSMs.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    },
    {
      "fix": "Check the ACM PCA region table in the AWS documentation and deploy the stack in a supported region (for example `us-east-1`, `us-west-2` or `eu-west-1`). Newer opt-in regions must also be enabled for the account first.",
      "message": "ACM PCA is not offered in every AWS region. Deploying an `AWS::ACMPCA::*` resource to a region without the service fails during CloudFormation provisioning.",
      "severity": "gotcha",
      "affected_versions": "All versions"
    }
  ],
  "env_vars": null,
  "last_verified": "2026-04-17T00:00:00.000Z",
  "next_check": "2026-07-16T00:00:00.000Z",
  "problems": [
    {
      "fix": "If staying with CDK v1, change the import to `from aws_cdk import aws_acmpca`. If migrating to v2, uninstall `aws-cdk-aws-acmpca` and `aws-cdk.core`, install `aws-cdk-lib`, and use the v2 import `from aws_cdk import aws_acmpca as acmpca`.",
      "cause": "Attempting to import a non-existent module name (`aws_cdk_lib`); both CDK v1 and v2 expose the Python package as `aws_cdk`.",
      "error": "ModuleNotFoundError: No module named 'aws_cdk_lib'"
    },
    {
      "fix": "Add a bucket policy on the CRL bucket that allows the `acm-pca.amazonaws.com` service principal `s3:PutObject`, `s3:PutObjectAcl`, `s3:GetBucketAcl` and `s3:GetBucketLocation` on `arn:aws:s3:::<bucket>` and `arn:aws:s3:::<bucket>/*`, scoped with `aws:SourceAccount` and `aws:SourceArn` conditions, and make sure the bucket is created (and its policy attached) before the CA resource by passing the bucket's name from the same stack or adding an explicit dependency.",
      "cause": "The CA's `crl_configuration` references an S3 bucket whose bucket policy does not grant the ACM PCA service principal the required actions, or the bucket does not exist yet when the CA is created.",
      "error": "The ACM Private CA Service Principal 'acm-pca.amazonaws.com' requires 's3:GetBucketAcl' permissions for your S3 bucket 'my-crl-bucket'. Check your S3 bucket permissions and try again."
    },
    {
      "fix": "Use `CfnCertificateAuthority` (not `CertificateAuthority`, which only wraps an existing ARN) and supply all four mandatory keyword arguments with CloudFormation string values: `key_algorithm` (for example `\"RSA_2048\"`), `signing_algorithm` (for example `\"SHA256WITHRSA\"`), `subject` (a `SubjectProperty`) and `type` (`\"ROOT\"` or `\"SUBORDINATE\"`), as shown in the quickstart.",
      "cause": "One or more required properties for `CfnCertificateAuthority` were omitted; jsii-generated constructors take their properties as keyword-only arguments and Python reports the missing ones.",
      "error": "TypeError: CfnCertificateAuthority.__init__() missing 4 required keyword-only arguments: 'key_algorithm', 'signing_algorithm', 'subject', and 'type'"
    }
  ]
}
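The IAM warning and the CRL bucket problem above both come down to one artifact: the bucket policy that lets the `acm-pca.amazonaws.com` service principal publish CRLs, pinned to a single CA so the shared principal cannot be used as a confused deputy by a CA in another account. The following is an added example, not code from the `aws-acmpca` module or from AWS. It uses only the Python standard library, so it runs anywhere; the bucket name, account ID and CA ARN are constructed placeholders, and the `WEAK_POLICY` dict is a constructed example of a policy that lists all four actions but grants them only on the `/*` object resource, which is the usual reason the bucket-level `s3:GetBucketAcl` check fails.

```python
"""Build and check the S3 bucket policy ACM Private CA needs for CRL publication.

Added example; not part of aws-cdk-aws-acmpca. Standard library only.
"""
import json

ACM_PCA_PRINCIPAL = "acm-pca.amazonaws.com"
# Object-level actions are evaluated against arn:aws:s3:::<bucket>/*, bucket-level
# ones against arn:aws:s3:::<bucket>. A policy that names all four actions but only
# the /* resource silently loses the bucket-level pair.
OBJECT_ACTIONS = frozenset({"s3:PutObject", "s3:PutObjectAcl"})
BUCKET_ACTIONS = frozenset({"s3:GetBucketAcl", "s3:GetBucketLocation"})
REQUIRED_ACTIONS = OBJECT_ACTIONS | BUCKET_ACTIONS

# Constructed placeholders (not real resources).
BUCKET = "my-crl-bucket"
ACCOUNT_ID = "123456789012"
CA_ARN = ("arn:aws:acm-pca:us-east-1:123456789012:"
          "certificate-authority/11111111-2222-3333-4444-555555555555")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def crl_bucket_policy(bucket_name: str, account_id: str, ca_arn: str) -> dict:
    """Return a bucket policy granting ACM PCA CRL access, pinned to one CA.

    aws:SourceAccount / aws:SourceArn stop another account's CA (or another CA in
    this account) from pointing its CRL configuration at this bucket and writing
    into it through the same service principal.
    """
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAcmPcaCrlPublication",
            "Effect": "Allow",
            "Principal": {"Service": ACM_PCA_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {"StringEquals": {
                "aws:SourceAccount": account_id,
                "aws:SourceArn": ca_arn,
            }},
        }],
    }


def missing_acm_pca_actions(policy: dict, bucket_name: str) -> set:
    """Return the REQUIRED_ACTIONS that no Allow statement grants to ACM PCA on this bucket.

    Each action is matched against the resource it is actually evaluated on
    (bucket ARN or bucket/* ARN). An empty set means a CfnCertificateAuthority
    crl_configuration naming this bucket will pass the service's permission check.
    """
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and ACM_PCA_PRINCIPAL not in services:
            continue
        resources = set(_as_list(stmt.get("Resource")))
        actions = set(_as_list(stmt.get("Action")))
        if actions & {"*", "s3:*"}:
            actions |= REQUIRED_ACTIONS
        for action in actions & REQUIRED_ACTIONS:
            needed = f"{bucket_arn}/*" if action in OBJECT_ACTIONS else bucket_arn
            if needed in resources or "*" in resources:
                granted.add(action)
    return set(REQUIRED_ACTIONS - granted)


def unpinned_statements(policy: dict) -> list:
    """Sids (or indexes) of Allow statements for ACM PCA that lack an aws:SourceArn condition."""
    out = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ACM_PCA_PRINCIPAL not in services:
            continue
        condition_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "aws:sourcearn" not in condition_keys:
            out.append(stmt.get("Sid", str(i)))
    return out


# Constructed example of a policy that looks complete but fails CA creation.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AcmPcaObjectsOnly",
        "Effect": "Allow",
        "Principal": {"Service": ACM_PCA_PRINCIPAL},
        "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::my-crl-bucket/*",
    }],
}

if __name__ == "__main__":
    print("weak policy, missing:", sorted(missing_acm_pca_actions(WEAK_POLICY, BUCKET)))
    print("weak policy, unpinned:", unpinned_statements(WEAK_POLICY))
    good = crl_bucket_policy(BUCKET, ACCOUNT_ID, CA_ARN)
    print("fixed policy, missing:", sorted(missing_acm_pca_actions(good, BUCKET)))
    print(json.dumps(good, indent=2))
```

In a CDK v1 stack the dict returned by `crl_bucket_policy()` can be attached with `aws_s3.CfnBucketPolicy(self, "CrlBucketPolicy", bucket=bucket.bucket_name, policy_document=crl_bucket_policy(...))`; add `ca.add_depends_on(policy)` so the CA is created only after the policy exists, because ACM PCA checks the bucket at CA creation time. `missing_acm_pca_actions()` is the check to run against an existing bucket's policy (for example the output of `aws s3api get-bucket-policy`) before pointing a `crl_configuration` at it.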