In order to update the SSL certificate on AWS, CA is required for the CSR.
When I try to configure and create the CA, I get this message:
ValidationException The ACM Private CA Service Principal 'acm-pca.amazonaws.com' requires 's3:GetBucketLocation' permissions for your S3 bucket 'MyBucket'. Check your S3 bucket permissions and try again
To move forward with this, permission settings on Amazon S3 > MyBucket > Permissions > Bucket Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::MyBucket/*"
    }
  ]
}
According to the documentation, found here: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETlocation.html
LocationConstraint is required.
How do I solve the "s3:GetBucketLocation" issue and create the CA?
I once had the same issue and had to read through AWS docs.
Configure a CRL: Configure a certificate revocation list (CRL) if you want ACM PCA to maintain one for the certificates revoked by your private CA.
If you want to create a CRL, do the following:
If you choose Yes, ACM PCA creates the necessary bucket policy for you. If you choose No, make sure the following policy is attached to your bucket.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "acm-pca.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ]
    }
  ]
}
AWS doc
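An offline check that shows why the question's policy fails and the answer's policy works. This is an added example, not code from the post or from AWS: it evaluates a bucket policy document for the four actions the answer quotes, matching the bucket-level actions (s3:GetBucketAcl, s3:GetBucketLocation) against the bucket ARN and the object-level actions against the bucket's objects ARN, and it also lists any unconditional Allow statement open to everyone (the question's PublicReadGetObject rule is one). The wildcard matching via fnmatchcase is an approximation of IAM's "*" / "?" semantics; the sample policy is constructed from the question.

```python
import json
from fnmatch import fnmatchcase

PCA_PRINCIPAL = "acm-pca.amazonaws.com"
# The actions the answer above quotes from the AWS documentation for the CRL bucket.
REQUIRED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"}
# Object-level actions need a grant on arn:aws:s3:::bucket/*; the other two are
# bucket-level and need a grant on the bucket ARN itself.
OBJECT_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl"}


def _as_list(value):
    """IAM allows most policy fields to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for the anonymous/everyone principal: "*" or {"AWS": "*"}."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def _principal_covers_service(principal, service):
    """A public principal covers the service too; otherwise it must be named under "Service"."""
    if _is_public(principal):
        return True
    return isinstance(principal, dict) and service in _as_list(principal.get("Service"))


def _any_match(patterns, value):
    # Approximation of IAM wildcard matching ('*' and '?') for actions and resource ARNs.
    return any(fnmatchcase(value, p) for p in patterns)


def pca_missing_actions(policy, bucket):
    """Required actions that no Allow statement grants to acm-pca on `bucket` (sorted)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/*"
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_covers_service(stmt.get("Principal"), PCA_PRINCIPAL):
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in REQUIRED_ACTIONS:
            target = object_arn if action in OBJECT_ACTIONS else bucket_arn
            if _any_match(actions, action) and _any_match(resources, target):
                granted.add(action)
    return sorted(REQUIRED_ACTIONS - granted)


def public_statements(policy):
    """Sids of unconditional Allow statements open to everyone (worth reviewing on a CRL bucket)."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal")) and "Condition" not in stmt
    ]


def pca_crl_bucket_policy(bucket):
    """The bucket policy from the answer above, parameterised on the bucket name."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": PCA_PRINCIPAL},
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"],
            "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"],
        }],
    }


# Constructed sample input: the public-read policy from the question, as the JSON text
# one would copy out of the S3 console.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::MyBucket/*"}]
}""")

if __name__ == "__main__":
    print("missing for acm-pca:", pca_missing_actions(QUESTION_POLICY, "MyBucket"))
    print("public statements:", public_statements(QUESTION_POLICY))
    print(json.dumps(pca_crl_bucket_policy("MyBucket"), indent=2))
```

Run against the question's policy it reports all four actions missing (s3:GetObject grants nothing ACM PCA asks for) and flags PublicReadGetObject as a public grant; run against the answer's policy it reports nothing missing. A policy that lists all four actions but only the `/*` resource still fails the bucket-level checks, which is exactly the shape of the GetBucketLocation error in the question.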