Use Signer actions in IAM - AWS Signer

Use Signer actions in IAM

Administrators who set up access control and write permissions policies that they attach to an IAM identity (identity-based policies) can use the following table as a reference. The first column in the table lists each AWS Signer API operation. You specify actions in a policy's Action element. You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see IAM JSON policy element reference in the IAM User Guide.

Note

To specify an action, use the signer prefix followed by the API operation name (for example, signer:StartSigningJob).

AWS Signer API Operations and Permissions

| API Operation | Required Permissions (API Actions) |
| --- | --- |
| AddProfilePermission | signer:AddProfilePermission |
| CancelSigningProfile | signer:CancelSigningProfile |
| DescribeSigningJob | signer:DescribeSigningJob |
| GetRevocationStatus | signer:GetRevocationStatus |
| GetSigningPlatform | signer:GetSigningPlatform |
| GetSigningProfile | signer:GetSigningProfile |
| ListProfilePermissions | signer:ListProfilePermissions |
| ListSigningJobs | signer:ListSigningJobs |
| ListSigningPlatforms | signer:ListSigningPlatforms |
| ListSigningProfiles | signer:ListSigningProfiles |
| ListTagsForResource | signer:ListTagsForResource |
| PutSigningProfile | signer:PutSigningProfile |
| RemoveProfilePermission | signer:RemoveProfilePermission |
| RevokeSignature | signer:RevokeSignature |
| RevokeSigningProfile | signer:RevokeSigningProfile |
| SignPayload | signer:SignPayload |
| StartSigningJob | signer:StartSigningJob |
| TagResource | signer:TagResource |
| UntagResource | signer:UntagResource |

For the actions StartSigningJob, GetSigningProfile, CancelSigningProfile, RevokeSigningProfile, and SignPayload, use the signer:ProfileVersion condition key to limit which version of a signing profile a principal has access to.

AWS Signer API Condition Keys

| Condition Key | Description | APIs |
| --- | --- | --- |
| signer:ProfileVersion | Limit access to a specific version of a Signing Profile | StartSigningJob, GetSigningProfile, CancelSigningProfile, RevokeSigningProfile, SignPayload |
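The following added example (not part of the AWS documentation) is a small policy check that flags Allow statements granting any of the five version-aware actions above, directly or through a wildcard, without a signer:ProfileVersion condition. The function names, the sample policy, and its account ID, profile name and version string are constructed for illustration; treating only `StringEquals` as a pin is an assumption of this check.

```python
import fnmatch
import json

# The five actions the page lists as supporting signer:ProfileVersion.
VERSIONED = ["signer:StartSigningJob", "signer:GetSigningProfile",
             "signer:CancelSigningProfile", "signer:RevokeSigningProfile",
             "signer:SignPayload"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _pins_version(stmt):
    # Strict heuristic (assumption): only an exact StringEquals test counts.
    return any(op.lower() == "stringequals" and
               any(k.lower() == "signer:profileversion" for k in keys)
               for op, keys in stmt.get("Condition", {}).items())

def unpinned_signer_grants(policy):
    """Return (Sid, action) for each version-aware Signer action that an
    Allow statement grants without a signer:ProfileVersion condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        # Deny and NotAction statements are out of scope for this check.
        in_scope = stmt.get("Effect") == "Allow" and "Action" in stmt
        if not in_scope or _pins_version(stmt):
            continue
        # IAM action names are case-insensitive and may use * and ? wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        for action in VERSIONED:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", f"statement[{i}]"), action))
    return findings

# Constructed sample policy: account ID, profile name and version are made up.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PinnedSigning", "Effect": "Allow",
     "Action": ["signer:StartSigningJob", "signer:GetSigningProfile"],
     "Resource": "arn:aws:signer:us-west-2:111122223333:/signing-profiles/ExampleProfile",
     "Condition": {"StringEquals": {"signer:ProfileVersion": "EXAMPLEVER1"}}},
    {"Sid": "BroadRevoke", "Effect": "Allow", "Action": "signer:Revoke*", "Resource": "*"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
     "Action": ["signer:ListSigningJobs", "signer:DescribeSigningJob"]}
  ]}""")

if __name__ == "__main__":
    for sid, action in unpinned_signer_grants(SAMPLE_POLICY):
        print(f"{sid}: {action} allowed for every profile version")
```

On the sample policy only the `BroadRevoke` statement is reported, because `signer:Revoke*` expands to RevokeSigningProfile with no version condition attached.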