Docs Home Pulumi IaC Pulumi ESC Pulumi Insights Pulumi Cloud Packages Tutorials
  1. Packages
  2. AWS
  3. API Docs
  4. acm
  5. getCertificate
AWS v6.77.0 published on Wednesday, Apr 9, 2025 by Pulumi
pulumi/pulumi-aws

aws.acm.getCertificate

Explore with Pulumi AI

AWS v6.77.0 published on Wednesday, Apr 9, 2025 by Pulumi
pulumi/pulumi-aws

Use this data source to get the ARN of a certificate in AWS Certificate Manager (ACM). You can reference the certificate by domain or tags without having to hard code the ARNs as input.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Find a certificate that is issued
const issued = aws.acm.getCertificate({
    domain: "tf.example.com",
    statuses: ["ISSUED"],
});
// Find a certificate issued by (not imported into) ACM
const amazonIssued = aws.acm.getCertificate({
    domain: "tf.example.com",
    types: ["AMAZON_ISSUED"],
    mostRecent: true,
});
// Find a RSA 4096 bit certificate
const rsa4096 = aws.acm.getCertificate({
    domain: "tf.example.com",
    keyTypes: ["RSA_4096"],
});
Copy
import pulumi
import pulumi_aws as aws

# Find a certificate that is issued
issued = aws.acm.get_certificate(domain="tf.example.com",
    statuses=["ISSUED"])
# Find a certificate issued by (not imported into) ACM
amazon_issued = aws.acm.get_certificate(domain="tf.example.com",
    types=["AMAZON_ISSUED"],
    most_recent=True)
# Find a RSA 4096 bit certificate
rsa4096 = aws.acm.get_certificate(domain="tf.example.com",
    key_types=["RSA_4096"])
Copy
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/acm"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Find a certificate that is issued
		_, err := acm.LookupCertificate(ctx, &acm.LookupCertificateArgs{
			Domain: pulumi.StringRef("tf.example.com"),
			Statuses: []string{
				"ISSUED",
			},
		}, nil)
		if err != nil {
			return err
		}
		// Find a certificate issued by (not imported into) ACM
		_, err = acm.LookupCertificate(ctx, &acm.LookupCertificateArgs{
			Domain: pulumi.StringRef("tf.example.com"),
			Types: []string{
				"AMAZON_ISSUED",
			},
			MostRecent: pulumi.BoolRef(true),
		}, nil)
		if err != nil {
			return err
		}
		// Find a RSA 4096 bit certificate
		_, err = acm.LookupCertificate(ctx, &acm.LookupCertificateArgs{
			Domain: pulumi.StringRef("tf.example.com"),
			KeyTypes: []string{
				"RSA_4096",
			},
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}
Copy
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // Find a certificate that is issued
    var issued = Aws.Acm.GetCertificate.Invoke(new()
    {
        Domain = "tf.example.com",
        Statuses = new[]
        {
            "ISSUED",
        },
    });

    // Find a certificate issued by (not imported into) ACM
    var amazonIssued = Aws.Acm.GetCertificate.Invoke(new()
    {
        Domain = "tf.example.com",
        Types = new[]
        {
            "AMAZON_ISSUED",
        },
        MostRecent = true,
    });

    // Find a RSA 4096 bit certificate
    var rsa4096 = Aws.Acm.GetCertificate.Invoke(new()
    {
        Domain = "tf.example.com",
        KeyTypes = new[]
        {
            "RSA_4096",
        },
    });

});
Copy
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.acm.AcmFunctions;
import com.pulumi.aws.acm.inputs.GetCertificateArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Find a certificate that is issued
        final var issued = AcmFunctions.getCertificate(GetCertificateArgs.builder()
            .domain("tf.example.com")
            .statuses("ISSUED")
            .build());

        // Find a certificate issued by (not imported into) ACM
        final var amazonIssued = AcmFunctions.getCertificate(GetCertificateArgs.builder()
            .domain("tf.example.com")
            .types("AMAZON_ISSUED")
            .mostRecent(true)
            .build());

        // Find a RSA 4096 bit certificate
        final var rsa4096 = AcmFunctions.getCertificate(GetCertificateArgs.builder()
            .domain("tf.example.com")
            .keyTypes("RSA_4096")
            .build());

    }
}
Copy
variables:
  # Find a certificate that is issued
  issued:
    fn::invoke:
      function: aws:acm:getCertificate
      arguments:
        domain: tf.example.com
        statuses:
          - ISSUED
  # Find a certificate issued by (not imported into) ACM
  amazonIssued:
    fn::invoke:
      function: aws:acm:getCertificate
      arguments:
        domain: tf.example.com
        types:
          - AMAZON_ISSUED
        mostRecent: true
  # Find a RSA 4096 bit certificate
  rsa4096:
    fn::invoke:
      function: aws:acm:getCertificate
      arguments:
        domain: tf.example.com
        keyTypes:
          - RSA_4096
Copy

Using getCertificate

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getCertificate(args: GetCertificateArgs, opts?: InvokeOptions): Promise<GetCertificateResult>
function getCertificateOutput(args: GetCertificateOutputArgs, opts?: InvokeOptions): Output<GetCertificateResult>
Copy
def get_certificate(domain: Optional[str] = None,
                    key_types: Optional[Sequence[str]] = None,
                    most_recent: Optional[bool] = None,
                    statuses: Optional[Sequence[str]] = None,
                    tags: Optional[Mapping[str, str]] = None,
                    types: Optional[Sequence[str]] = None,
                    opts: Optional[InvokeOptions] = None) -> GetCertificateResult
def get_certificate_output(domain: Optional[pulumi.Input[str]] = None,
                    key_types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                    most_recent: Optional[pulumi.Input[bool]] = None,
                    statuses: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                    tags: Optional[pulumi.Input[Mapping[str, pulumi.Input[str]]]] = None,
                    types: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                    opts: Optional[InvokeOptions] = None) -> Output[GetCertificateResult]
Copy
func LookupCertificate(ctx *Context, args *LookupCertificateArgs, opts ...InvokeOption) (*LookupCertificateResult, error)
func LookupCertificateOutput(ctx *Context, args *LookupCertificateOutputArgs, opts ...InvokeOption) LookupCertificateResultOutput
Copy

> Note: This function is named LookupCertificate in the Go SDK.

public static class GetCertificate 
{
    public static Task<GetCertificateResult> InvokeAsync(GetCertificateArgs args, InvokeOptions? opts = null)
    public static Output<GetCertificateResult> Invoke(GetCertificateInvokeArgs args, InvokeOptions? opts = null)
}
Copy
public static CompletableFuture<GetCertificateResult> getCertificate(GetCertificateArgs args, InvokeOptions options)
public static Output<GetCertificateResult> getCertificate(GetCertificateArgs args, InvokeOptions options)
Copy
fn::invoke:
  function: aws:acm/getCertificate:getCertificate
  arguments:
    # arguments dictionary
Copy

The following arguments are supported:

Domain string
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
KeyTypes List<string>
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
MostRecent bool
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
Statuses List<string>
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
Tags Dictionary<string, string>
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
Types List<string>
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.
Domain string
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
KeyTypes []string
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
MostRecent bool
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
Statuses []string
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
Tags map[string]string
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
Types []string
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.
domain String
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
keyTypes List<String>
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
mostRecent Boolean
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
statuses List<String>
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
tags Map<String,String>
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
types List<String>
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.
domain string
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
keyTypes string[]
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
mostRecent boolean
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
statuses string[]
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
tags {[key: string]: string}
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
types string[]
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.
domain str
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
key_types Sequence[str]
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
most_recent bool
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
statuses Sequence[str]
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
tags Mapping[str, str]
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
types Sequence[str]
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.
domain String
Domain of the certificate to look up. If set and no certificate is found with this name, an error will be returned.
keyTypes List<String>
List of key algorithms to filter certificates. By default, ACM does not return all certificate types when searching. See the ACM API Reference for supported key algorithms.
mostRecent Boolean
If set to true, it sorts the certificates matched by previous criteria by the NotBefore field, returning only the most recent one. If set to false, it returns an error if more than one certificate is found. Defaults to false.
statuses List<String>
List of statuses on which to filter the returned list. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED. If no value is specified, only certificates in the ISSUED state are returned.
tags Map<String>
A mapping of tags, each pair of which must exactly match a pair on the desired certificates.
types List<String>
List of types on which to filter the returned list. Valid values are AMAZON_ISSUED, PRIVATE, and IMPORTED.

getCertificate Result

The following output properties are available:

Arn string
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
Certificate string
ACM-issued certificate.
CertificateChain string
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
Domain string
Id string
The provider-assigned unique ID for this managed resource.
Status string
Status of the found certificate.
Tags Dictionary<string, string>
Mapping of tags for the resource.
KeyTypes List<string>
MostRecent bool
Statuses List<string>
Types List<string>
Arn string
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
Certificate string
ACM-issued certificate.
CertificateChain string
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
Domain string
Id string
The provider-assigned unique ID for this managed resource.
Status string
Status of the found certificate.
Tags map[string]string
Mapping of tags for the resource.
KeyTypes []string
MostRecent bool
Statuses []string
Types []string
arn String
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
certificate String
ACM-issued certificate.
certificateChain String
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
domain String
id String
The provider-assigned unique ID for this managed resource.
status String
Status of the found certificate.
tags Map<String,String>
Mapping of tags for the resource.
keyTypes List<String>
mostRecent Boolean
statuses List<String>
types List<String>
arn string
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
certificate string
ACM-issued certificate.
certificateChain string
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
domain string
id string
The provider-assigned unique ID for this managed resource.
status string
Status of the found certificate.
tags {[key: string]: string}
Mapping of tags for the resource.
keyTypes string[]
mostRecent boolean
statuses string[]
types string[]
arn str
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
certificate str
ACM-issued certificate.
certificate_chain str
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
domain str
id str
The provider-assigned unique ID for this managed resource.
status str
Status of the found certificate.
tags Mapping[str, str]
Mapping of tags for the resource.
key_types Sequence[str]
most_recent bool
statuses Sequence[str]
types Sequence[str]
arn String
ARN of the found certificate, suitable for referencing in other resources that support ACM certificates.
certificate String
ACM-issued certificate.
certificateChain String
Certificates forming the requested ACM-issued certificate's chain of trust. The chain consists of the certificate of the issuing CA and the intermediate certificates of any other subordinate CAs.
domain String
id String
The provider-assigned unique ID for this managed resource.
status String
Status of the found certificate.
tags Map<String>
Mapping of tags for the resource.
keyTypes List<String>
mostRecent Boolean
statuses List<String>
types List<String>

Package Details

Repository
AWS Classic pulumi/pulumi-aws
License
Apache-2.0
Notes
This Pulumi package is based on the aws Terraform Provider.
AWS v6.77.0 published on Wednesday, Apr 9, 2025 by Pulumi
pulumi/pulumi-aws