Configuring IAM policies for Lambda code signing configurations - AWS Lambda

Configuring IAM policies for Lambda code signing configurations

To grant permission for a user to access the code signing API operations, attach one or more policy statements to the user policy. For more information about user policies, see Identity-based IAM policies for Lambda.

The following example policy statement grants permission to create, update, and retrieve code signing configurations.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateCodeSigningConfig",
        "lambda:UpdateCodeSigningConfig",
        "lambda:GetCodeSigningConfig"
      ],
      "Resource": "*"
    }
  ]
}

Administrators can use the CodeSigningConfigArn condition key to specify the code signing configurations that developers must use to create or update your functions.

The following example policy statement grants permission to create a function. The policy statement includes a lambda:CodeSigningConfigArn condition to specify the allowed code signing configuration. Lambda blocks any CreateFunction API request if its CodeSigningConfigArn parameter is missing or does not match the value in the condition.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReferencingCodeSigningConfig",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:CodeSigningConfigArn": "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"
        }
      }
    }
  ]
}
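An administrator can audit identity policies for statements that allow lambda:CreateFunction without this condition. The following static check is an added example, not AWS code; the function name unpinned_statements, the APPROVED set, and the WILDCARD policy are assumptions made for illustration, and the check inspects only Action and StringEquals in a single policy document.

```python
import fnmatch

# Approved configuration: the ARN used in the example policy above.
APPROVED = {"arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"}
CONDITION_KEY = "lambda:codesigningconfigarn"  # condition key names are case-insensitive


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unpinned_statements(policy, approved=APPROVED, action="lambda:CreateFunction"):
    """Return (label, reason) for each Allow statement that grants `action`
    without a StringEquals pin to an approved code signing configuration.
    Assumption: only Action/StringEquals are inspected; NotAction, Deny
    statements and other condition operators are out of scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # Action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        label = stmt.get("Sid", f"Statement[{i}]")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        pinned = [arn for key, val in equals.items()
                  if key.lower() == CONDITION_KEY for arn in _as_list(val)]
        if not pinned:
            findings.append((label, "no lambda:CodeSigningConfigArn condition"))
        elif set(pinned) - set(approved):
            findings.append((label, "unapproved code signing configuration"))
    return findings


# PINNED mirrors the example policy above; WILDCARD is a constructed sample.
PINNED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowReferencingCodeSigningConfig", "Effect": "Allow",
    "Action": ["lambda:CreateFunction"], "Resource": "*",
    "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn": next(iter(APPROVED))}}}]}
WILDCARD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "lambda:*", "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("PINNED", PINNED), ("WILDCARD", WILDCARD)):
        print(name, unpinned_statements(doc) or "ok")
```

A statement that allows lambda:* is flagged because the wildcard covers lambda:CreateFunction and carries no code signing condition.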