Enable Cross-account PCA Sharing - Amazon WorkSpaces

Enable Cross-account PCA Sharing

Private CA (PCA) cross-account sharing lets other AWS accounts use a centralized CA, with AWS Resource Access Manager (RAM) managing the permissions that grant that access. The shared CA issues the certificates; RAM only controls which accounts may request them and under which issuance template. This removes the need for a Private CA in every account. Private CA cross-account sharing can be used with WorkSpaces Pools certificate-based authentication (CBA) only when the CA and the WorkSpaces Pools directory are in the same AWS Region.

To use a shared Private CA resource with WorkSpaces Pools CBA, complete the following steps:

  1. Configure the Private CA for CBA in a centralized AWS account. For more information, see Certificate-based authentication and WorkSpaces Personal.

  2. Share the Private CA with the resource AWS accounts in which WorkSpaces Pools resources use CBA. To do this, follow the steps in How to use AWS RAM to share your ACM Private CA cross-account, skipping the step in that post that issues a certificate (its step 3); the WorkSpaces Pools service issues the CBA certificates itself. You can share the Private CA either with individual AWS accounts or through AWS Organizations. If you share with individual accounts, the share arrives as an invitation that you must accept in each resource account by using the AWS Resource Access Manager console or APIs; shares made through AWS Organizations need no acceptance.

    When configuring the share, confirm that the AWS Resource Access Manager resource share for the Private CA that is visible in the resource account uses the AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority managed permission. This permission limits the resource account to issuing end-entity certificates through the API CSR-passthrough template, which is the PCA template the WorkSpaces Pools service role uses when issuing CBA certificates. A share that uses a broader permission, such as the default PCA permission, would let the resource account issue certificates with any template.

  3. After the share is successful, view the shared Private CA by using the Private CA console in the resource account.

  4. Use the API or CLI to associate the Private CA ARN with CBA in your WorkSpaces Pools directory. At this time, the WorkSpaces Pools console does not support selection of shared Private CA ARNs. For more information, see the Amazon WorkSpaces Service API Reference.
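The four steps above, carried out with the AWS CLI, as an added example that is not part of the WorkSpaces documentation. It assumes two CLI profiles, `ca` for the central CA account and `pools` for the resource account, and takes the Private CA ARN, Region, resource account ID and WorkSpaces Pools directory ID as placeholder arguments. It uses the RAM `create-resource-share`, `get-resource-share-invitations`, `accept-resource-share-invitation` and `list-resource-share-permissions` commands, `acm-pca describe-certificate-authority`, and the WorkSpaces `modify-certificate-based-auth-properties` API that the API Reference documents for CBA; the exact invocation shown is the example's own. Before anything is shared it checks the same-Region requirement, and after sharing it confirms the share carries the required managed permission rather than a broader one.

```shell
#!/usr/bin/env bash
# Added example: share a Private CA cross-account with AWS RAM and attach it to a
# WorkSpaces Pools directory for CBA. Profiles "ca" and "pools" and all IDs are
# placeholders chosen for this example.
set -eu

# Managed permission the share must use (name from the documentation, ARN in the
# standard RAM managed-permission form).
RAM_PERMISSION_ARN="arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority"

# Field 4 of arn:partition:service:region:account:resource
arn_region() { printf '%s' "$1" | cut -d: -f4; }

# Field 5: the account that owns the CA, to confirm it is the central CA.
arn_account() { printf '%s' "$1" | cut -d: -f5; }

# CBA requires the shared CA and the directory to be in the same Region.
same_region() { [ "$(arn_region "$1")" = "$2" ]; }

# Given the whitespace-separated permission ARNs attached to a resource share
# (as printed by `aws ram list-resource-share-permissions ... --output text`),
# succeed only if the required managed permission is among them.
has_required_permission() {
  printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep -qxF "$RAM_PERMISSION_ARN"
}

# Step 2, CA account: create the share with the required permission; print its ARN.
share_ca() {
  aws ram create-resource-share --profile ca --region "$2" \
    --name workspaces-pools-cba-pca \
    --resource-arns "$1" --principals "$3" \
    --permission-arns "$RAM_PERMISSION_ARN" \
    --query 'resourceShare.resourceShareArn' --output text
}

# Step 2, resource account: accept the invitation. Shares made through
# AWS Organizations have no invitation, so a missing one is not an error.
accept_share() {
  invite=$(aws ram get-resource-share-invitations --profile pools --region "$2" \
    --resource-share-arns "$1" \
    --query 'resourceShareInvitations[?status==`PENDING`].resourceShareInvitationArn | [0]' \
    --output text)
  if [ -n "$invite" ] && [ "$invite" != "None" ]; then
    aws ram accept-resource-share-invitation --profile pools --region "$2" \
      --resource-share-invitation-arn "$invite" >/dev/null
  fi
}

# Step 3, resource account: the shared CA should now be visible and ACTIVE.
shared_ca_status() {
  aws acm-pca describe-certificate-authority --profile pools --region "$2" \
    --certificate-authority-arn "$1" --query 'CertificateAuthority.Status' --output text
}

# Step 4, resource account: associate the CA ARN with CBA on the Pools directory
# and read the setting back.
attach_to_directory() {
  aws workspaces modify-certificate-based-auth-properties --profile pools --region "$2" \
    --resource-id "$3" \
    --certificate-based-auth-properties "Status=ENABLED,CertificateAuthorityArn=$1"
  aws workspaces describe-workspace-directories --profile pools --region "$2" \
    --directory-ids "$3" --query 'Directories[0].CertificateBasedAuthProperties'
}

main() {
  pca_arn="$1"; region="$2"; resource_account="$3"; directory_id="$4"
  same_region "$pca_arn" "$region" || {
    echo "CA is in $(arn_region "$pca_arn") but the directory is in $region" >&2; return 1; }
  share_arn=$(share_ca "$pca_arn" "$region" "$resource_account")
  perms=$(aws ram list-resource-share-permissions --profile ca --region "$region" \
    --resource-share-arn "$share_arn" --query 'permissions[].arn' --output text)
  has_required_permission "$perms" || {
    echo "share $share_arn does not use the required managed permission" >&2; return 1; }
  accept_share "$share_arn" "$region"
  status=$(shared_ca_status "$pca_arn" "$region")
  [ "$status" = "ACTIVE" ] || { echo "shared CA status is $status" >&2; return 1; }
  attach_to_directory "$pca_arn" "$region" "$directory_id"
}

# Usage: ./share-pca.sh <pca-arn> <region> <resource-account-id> <directory-id>
if [ "$#" -eq 4 ]; then main "$@"; fi
```

The Region and permission checks are deliberately done before the share is accepted: a CA in another Region cannot be used by the directory at all, and a share carrying a broader permission would let the resource account issue certificates with templates other than the one the WorkSpaces Pools service role needs.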