API Gateway + GovCloud + Custom Domain Name with SSL Cert - amazon-web-services

I am working in a GovCloud account for client work and CANNOT use us-east-1 as it does not exist in GovCloud.
In the API Gateway console -> Custom Domain Names page the following text appears:
"To use an ACM certificate with API Gateway, you must request or import the certificate in the US East (N. Virginia) region."
How would I go about importing or creating a cert in ACM in us-east-1 as GovCloud does not interact with that region?
How can I configure / script a custom domain name with API Gateway in GovCloud?

Actually, that message only applies to 'Edge Optimized' APIs, which are not available in GovCloud anyway. You can use a GovCloud ACM cert with a Regional endpoint type.
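The answer above in scripted form, as an added CloudFormation example that is not part of the original question or answer. It assumes a REST API already deployed in the GovCloud region where the stack runs (passed in as `RestApiId` and `StageName`) and uses `api.example.com` as a placeholder hostname. It deliberately creates no Route 53 records: the ACM validation CNAME and the alias record belong in whichever account hosts the public zone for `example.com`, so the stack emits the regional alias target as outputs instead.

```yaml
# Added example (not from the original answer): a regional API Gateway custom
# domain scripted with CloudFormation, deployed in a GovCloud region such as
# us-gov-west-1. Nothing here references us-east-1.
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional API Gateway custom domain backed by a GovCloud ACM certificate

Parameters:
  DomainName:
    Type: String
    Default: api.example.com            # placeholder hostname
  RestApiId:
    Type: String                        # an existing REST API in this region (assumed)
  StageName:
    Type: String
    Default: prod

Resources:
  # Requested in the stack's own region. With DNS validation and no HostedZoneId,
  # the stack stays in CREATE_IN_PROGRESS until the validation CNAME that ACM
  # reports for this certificate (stack events, or `aws acm describe-certificate`)
  # exists in the public zone for example.com, wherever that zone is hosted.
  ApiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS

  # REGIONAL is the only endpoint type that accepts a certificate from the API's
  # own region, so it is the one that works in GovCloud.
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref DomainName
      RegionalCertificateArn: !Ref ApiCertificate
      EndpointConfiguration:
        Types:
          - REGIONAL
      SecurityPolicy: TLS_1_2           # refuse TLS 1.0 / 1.1 handshakes

  # Map the whole hostname (empty base path) to one deployed stage.
  ApiMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref ApiDomain
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName

Outputs:
  # Alias target for the A record of api.example.com. Use the Regional*
  # attributes, not the Distribution* attributes an edge-optimized domain
  # would expose.
  AliasTargetDnsName:
    Value: !GetAtt ApiDomain.RegionalDomainName
  AliasTargetHostedZoneId:
    Value: !GetAtt ApiDomain.RegionalHostedZoneId
```

Once the alias record is in place, `openssl s_client -connect api.example.com:443 -servername api.example.com` should present the GovCloud-issued certificate. Two caveats: the custom domain adds a hostname but does not remove the default `execute-api` one, so set `DisableExecuteApiEndpoint: true` on the `AWS::ApiGateway::RestApi` if the custom domain (with whatever WAF or mutual TLS is attached to it) is meant to be the only entry point; and an alias pointed at the Distribution* names, or a certificate from any other region, simply fails, which is the symptom the console message in the question is warning about.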

Related

AWS Using CloudFront and HTTPS outside us-east-1

I made an application in an AWS region different from us-east-1. I already applied for and received an SSL certificate for a custom domain, and it is stored as an ACM certificate in a region different from us-east-1.
To my surprise, when I tried to use this certificate on CloudFront, I was met with this:
"Associate a certificate from AWS Certificate Manager. The certificate must be in the US East (N. Virginia) Region (us-east-1)."
A quick search informed me that:
"You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account.
Resolution: You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. "
How do I solve this, can I just request a new ACM certificate for a new region (ie. us-east-1)? Will this impact my certificate that is already in use for the original region?
Yes, you need to provision the same certificate (for a given domain) in the US-EAST-1 region and use it for your global CloudFront distribution. Your regional certificate (outside the global region) will not be impacted. Usually, regional certificates are attached to your ALB and the CloudFront distribution utilizes a certificate from the North Virginia region (global region).

Import certificate from one aws account to another

I'm trying to import the certificate of a domain from AWS Certificate Manager (ACM) on one account to another ... How can I do that?
You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account. For more information, see ACM private key security.
You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. You can then use these certificates with services that run on AWS Certificate Manager.
useful link: https://aws.amazon.com/premiumsupport/knowledge-center/acm-export-certificate/

Adding SSL certificates to Amazon AWS - S3 and AppSync

I am using Amazon AWS as a back-end for my application development. I am mainly using two AWS resources:
S3 bucket storage
AppSync (with DynamoDB as data source)
I want to use or 'apply' SSL certificates for security on the above two resources. I know I can create a certificate from AWS Certificate Manager.
The problem is the documentation mentions that certificates can only be applied to the below 6 resources:
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
Load Balancer
CloudFront
Elastic Beanstalk
API Gateway
CloudFormation
Nitro Enclaves
I have already mentioned that I am using S3 and AppSync. These 2 resources are not in the above list. How do I apply certificates on the 2 resources - S3 and AppSync ?
Do I need to do some kind of workaround ?
You can create an AppSync API with the GraphQL endpoint (something like: https://abc.appsync.us-east-1.amazonaws.com/graphql) and set that API endpoint as the origin in a CloudFront distribution.
Please check this blog from AWS, which explains it in more detail for AWS AppSync:
https://aws.amazon.com/blogs/mobile/use-a-custom-domain-with-aws-appsync-amazon-cloudfront-and-amazon-route-53/
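The CloudFront-in-front-of-AppSync arrangement from the answer above, written out as an added CloudFormation example that is not from the answer or the linked blog. It assumes an existing AppSync GraphQL endpoint whose hostname is passed in as a parameter (the default is a placeholder), a Route 53 public zone for `example.com` in the same account, and `graphql.example.com` as the placeholder custom hostname. It also shows the two settings that matter for a GraphQL origin: allowing POST, and not caching responses that depend on the caller's authorization header.

```yaml
# Added example (not from the original answer or the linked blog): a custom
# domain for an AppSync GraphQL endpoint using CloudFront as the TLS front end.
# Deploy in us-east-1: the distribution is global and its ACM certificate must
# live in us-east-1, while the AppSync API itself can sit in any region.
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFront distribution with a custom domain in front of AWS AppSync

Parameters:
  DomainName:
    Type: String
    Default: graphql.example.com        # placeholder hostname
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id  # public zone for example.com, same account (assumed)
  AppSyncEndpointHost:
    Type: String
    Description: Hostname of an existing AppSync GraphQL endpoint (placeholder default)
    Default: abcdefghij.appsync-api.us-east-1.amazonaws.com

Resources:
  # Validated automatically because the zone is in this account and region
  # us-east-1 is where CloudFront looks for its certificate.
  CloudFrontCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Custom domain for AppSync
        HttpVersion: http2
        Aliases:
          - !Ref DomainName
        Origins:
          - Id: appsync
            DomainName: !Ref AppSyncEndpointHost
            CustomOriginConfig:
              OriginProtocolPolicy: https-only   # never downgrade to HTTP towards AppSync
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: appsync
          ViewerProtocolPolicy: https-only
          # GraphQL clients POST; the default allowed set is GET/HEAD only.
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachedMethods: [GET, HEAD]
          # Responses depend on the caller's Authorization / x-api-key header,
          # so caching is off (AWS managed cache policy "CachingDisabled").
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          # Forward every viewer header, cookie and query string to AppSync
          # except Host, which must remain the AppSync hostname
          # (AWS managed origin request policy "AllViewerExceptHostHeader").
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
        ViewerCertificate:
          AcmCertificateArn: !Ref CloudFrontCertificate
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021

  # Alias A record; Z2FDTNDATAQYW2 is the fixed hosted zone ID shared by all
  # CloudFront distributions.
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2

Outputs:
  GraphQLUrl:
    Value: !Sub "https://${DomainName}/graphql"
```

Clients then call `https://graphql.example.com/graphql` with the same `Authorization` or `x-api-key` header they would send to AppSync directly. Note what this does and does not buy you: it is a naming and TLS layer, not an access control. The `*.appsync-api.*.amazonaws.com` hostname stays reachable, AppSync's own authorization mode (API key, Cognito, IAM or OIDC) still decides who gets data, and if you want request filtering at the edge, attach an AWS WAF web ACL to the distribution. The same shape, with an S3 origin instead of a custom origin, is how a custom domain with a certificate is put in front of an S3 bucket.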

Connect API Gateway custom domain to hostedZone in separate account

If I have three AWS accounts (A, B, and C), can I create a Route53 HostedZone (example.com) in account A, and route traffic to API Gateways in accounts B and C (equally or based on health check) from the HostedZone in account A?
I've tried the following:
Create child hosted zones in accounts B and C (b.example.com)
Create an ACM certificate and API Gateway custom domain in accounts B and C (apigw.b.example.com)
Add an alias RecordSet of type A to the account A HostedZone, pointing to the API Gateway's domain name and hosted zone ID.
Doing this results in example.com routing to the execute-api endpoint of API gateway, which is what I want, but access is restricted because example.com isn't included in the certificate's protected domains. I'm guessing this is because the ACM certificate is local to the child account and its hosted zone(b.example.com).
Changes made to get it working:
Get rid of child hosted zones in the API Gateway accounts
Create the same domain name for every API Gateway (this works because they're regional).
Do cross account validation of ACM certificates.
So in short, yes you can do this and split everything by account. It just requires some cross account wiring for the CNAME records that validate the ACM certificates and the Alias A records that connect the API gateways to the cross account hosted zone.
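The "cross account wiring" the answer refers to, as an added CloudFormation example for the account A side; it is not code from the question or answer. Account A holds the `example.com` zone. Accounts B and C are each assumed to have requested a DNS-validated ACM certificate for `api.example.com` and created a REGIONAL API Gateway custom domain with that name; the validation CNAME and the regional domain name / hosted zone ID of each are read from those accounts and passed in as parameters. All hostnames and the `account-b` / `account-c` identifiers are placeholders.

```yaml
# Added example (not from the original answer): the account-A half of the
# cross-account wiring. Account A owns the example.com hosted zone; accounts B
# and C each own a REGIONAL API Gateway custom domain for the same hostname,
# api.example.com, plus an ACM certificate still waiting for DNS validation.
# All names and IDs below are placeholders read from accounts B and C.
AWSTemplateFormatVersion: "2010-09-09"
Description: Route 53 records in account A for API Gateway custom domains in accounts B and C

Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id   # example.com zone in account A
  ApiDomainName:
    Type: String
    Default: api.example.com             # identical in B and C
  # ResourceRecord.Name / ResourceRecord.Value from
  # `aws acm describe-certificate` run in account B and in account C.
  ValidationNameB:
    Type: String
  ValidationValueB:
    Type: String
  ValidationNameC:
    Type: String
  ValidationValueC:
    Type: String
  # regionalDomainName / regionalHostedZoneId from
  # `aws apigateway get-domain-name --domain-name api.example.com` in B and C.
  ApiBRegionalDomainName:
    Type: String
  ApiBRegionalHostedZoneId:
    Type: String
  ApiCRegionalDomainName:
    Type: String
  ApiCRegionalHostedZoneId:
    Type: String

Resources:
  # Cross-account ACM validation: the CNAMEs that ACM asked for in B and C are
  # published from the zone in A. If both accounts report the same name and
  # value, keep only one of these two records.
  ValidationRecordB:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref ValidationNameB
      Type: CNAME
      TTL: "300"
      ResourceRecords:
        - !Ref ValidationValueB
  ValidationRecordC:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref ValidationNameC
      Type: CNAME
      TTL: "300"
      ResourceRecords:
        - !Ref ValidationValueC

  # Two weighted alias records under one name: equal weights split traffic
  # 50/50 between the accounts; 100/0 gives active/passive. EvaluateTargetHealth
  # lets Route 53 stop answering with a target it considers unhealthy; for a
  # probe you define yourself, add an AWS::Route53::HealthCheck and reference
  # it from the record via HealthCheckId.
  ApiRecordB:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref ApiDomainName
      Type: A
      SetIdentifier: account-b
      Weight: 50
      AliasTarget:
        DNSName: !Ref ApiBRegionalDomainName
        HostedZoneId: !Ref ApiBRegionalHostedZoneId
        EvaluateTargetHealth: true
  ApiRecordC:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref ApiDomainName
      Type: A
      SetIdentifier: account-c
      Weight: 50
      AliasTarget:
        DNSName: !Ref ApiCRegionalDomainName
        HostedZoneId: !Ref ApiCRegionalHostedZoneId
        EvaluateTargetHealth: true
```

Order matters: the certificates in B and C stay pending until the validation CNAMEs are live in A, and the custom domains in B and C cannot be created until their certificates are issued, so deploy the validation records first, then the B and C side, then add the alias records. `aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.DomainValidationOptions[0].ResourceRecord'` prints the name and value needed for the parameters. Afterwards `curl -sv https://api.example.com/` should show a certificate covering `api.example.com` whichever account answers, which is exactly what was missing in the first attempt, where the certificate only covered `apigw.b.example.com`.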

Can the AWS Cognito Id of one Region be used for the Application running at another Region

I have an AWS application running in the Singapore region (it includes EC2, RDS and S3 services).
However, the AWS Cognito service is available only in US East (N. Virginia) and EU (Ireland). So I configured Cognito at US East.
Now, can I use the Cognito "Identity Pool Id" of the US East region with the AWS web server in Singapore region?
Yes, that should be fine. The credentials provider will just get credentials to access the web server in Singapore.
Update from AWS: Cognito is now available in Singapore region