Configuring IAM policies for Lambda code signing configurations
To grant permission for a user to access the code signing API operations, attach one or more policy statements to the user policy. For more information about user policies, see Identity-based IAM policies for Lambda.
The following example policy statement grants permission to create, update, and retrieve code signing configurations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:CreateCodeSigningConfig",
        "lambda:UpdateCodeSigningConfig",
        "lambda:GetCodeSigningConfig"
      ],
      "Resource": "*"
    }
  ]
}
Administrators can use the CodeSigningConfigArn condition key to specify the code signing configurations that developers must use to create or update your functions.
The following example policy statement grants permission to create a function. The policy statement includes a lambda:CodeSigningConfigArn condition to specify the allowed code signing configuration. Lambda blocks any CreateFunction API request if its CodeSigningConfigArn parameter is missing or does not match the value in the condition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReferencingCodeSigningConfig",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:CodeSigningConfigArn": "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"
        }
      }
    }
  ]
}
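An administrator can audit identity policies for statements that allow CreateFunction without the condition shown above. The following Python check is an added example, not code from this documentation or from AWS; the function names and the second and third sample statements are hypothetical. It assumes only Allow statements with an Action element and the StringEquals operator, and does not model Deny statements, NotAction, or other condition operators.

```python
import fnmatch

GUARDED_ACTION = "lambda:createfunction"       # compared lowercased; action names are case-insensitive
CONDITION_KEY = "lambda:codesigningconfigarn"  # condition key names are case-insensitive
# ARN taken from the example policy on this page.
APPROVED = ["arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"]

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def _grants_create_function(statement):
    """True if an Allow statement's Action patterns cover lambda:CreateFunction."""
    if statement.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(GUARDED_ACTION, pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def _pinned_arns(statement):
    """ARNs listed under StringEquals for lambda:CodeSigningConfigArn."""
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    return [arn for key, value in string_equals.items()
            if key.lower() == CONDITION_KEY for arn in _as_list(value)]

def unpinned_create_function_statements(policy, approved_arns):
    """Labels of Allow statements that permit CreateFunction without an approved config."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if not _grants_create_function(statement):
            continue
        arns = _pinned_arns(statement)
        if not arns or not set(arns) <= set(approved_arns):
            findings.append(statement.get("Sid", f"Statement[{index}]"))
    return findings

# Constructed sample policy; the second and third statements are hypothetical.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowReferencingCodeSigningConfig", "Effect": "Allow",
     "Action": ["lambda:CreateFunction"], "Resource": "*",
     "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn": APPROVED[0]}}},
    {"Sid": "BroadLambdaAccess", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Sid": "PinnedToUnapprovedConfig", "Effect": "Allow",
     "Action": ["lambda:Create*"], "Resource": "*",
     "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn":
         "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-EXAMPLE-PLACEHOLDER"}}},
]}

if __name__ == "__main__":
    print(unpinned_create_function_statements(SAMPLE_POLICY, APPROVED))
```

The wildcard statement is flagged because it grants CreateFunction with no condition at all, and the third because its condition names a configuration outside the approved list.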