If you’re using the AWS ACM console to create a certificate and, at the final stage, you get this annoying and useless com.amazon.coral.service.InternalFailure error, I’ve got the solution for you.
You’re probably working in an AWS Organization with a Service Control Policy (SCP), or as a restricted IAM user, where you’ve been given the acm:* permissions thinking this is enough. Sadly not: you additionally need to add kms:CreateGrant to your IAM or SCP policy in order to successfully create the certificate request. Given that certificates need to be accessed by Key Management Service (KMS), it makes sense that a new certificate needs the permission to create a grant for it.
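To check a policy for this gap before hitting the console error, here is an added example (not from the original post) that tests whether an identity policy and an optional SCP both allow the needed actions. The sample policies are constructed, acm:RequestCertificate is assumed to be the ACM call involved, and Resource, Condition and NotAction are not evaluated.

```python
import fnmatch

# Constructed sample policies (not from the original post).
ACM_ONLY = {"Statement": [{"Effect": "Allow", "Action": "acm:*", "Resource": "*"}]}
WITH_GRANT = {"Statement": [{"Effect": "Allow",
                             "Action": ["acm:*", "kms:CreateGrant"], "Resource": "*"}]}
SCP_DENY_KMS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                              {"Effect": "Deny", "Action": "kms:Create*", "Resource": "*"}]}

# Assumption: acm:RequestCertificate is the API call behind the certificate request.
REQUIRED = ["acm:RequestCertificate", "kms:CreateGrant"]


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def policy_verdict(policy, action):
    """Return 'deny', 'allow' or 'none' for one policy document."""
    verdict = "none"
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are not modelled
            continue
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        # Action names are case-insensitive and may contain * and ? wildcards.
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            verdict = "allow"
    return verdict


def missing_actions(identity_policy, scp=None, required=REQUIRED):
    """Actions that are not allowed by every supplied policy."""
    policies = [p for p in (identity_policy, scp) if p is not None]
    return [a for a in required
            if any(policy_verdict(p, a) != "allow" for p in policies)]


if __name__ == "__main__":
    print("acm:* only       ->", missing_actions(ACM_ONLY))
    print("with CreateGrant ->", missing_actions(WITH_GRANT))
    print("SCP denies kms   ->", missing_actions(WITH_GRANT, SCP_DENY_KMS))
```
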
That’s it, hope this saved you from fruitless googling!