Inline policies for Signer - AWS Signer

Inline policies for Signer

Inline policies are standalone identity-based policies that an administrator creates and embeds directly into a single principal (user, group, or role). Administrators can create and manage policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API.

To manage policies in the AWS Management Console

To provide access, add permissions to your users, groups, or roles:

Limit Access for Signing to All Signing Profiles Within an Account

The following policies allow a principal to discover every SigningProfile within an account and to use any of them to submit, describe, and list signing jobs.

Policy for Lambda

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "signer:GetSigningProfile",
                "signer:ListSigningProfiles",
                "signer:StartSigningJob",
                "signer:DescribeSigningJob",
                "signer:ListSigningJobs"
            ],
            "Resource":"*"
        }
    ]
}

Policy for containers

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "signer:GetSigningProfile",
                "signer:ListSigningProfiles",
                "signer:SignPayload",
                "signer:GetRevocationStatus",
                "signer:DescribeSigningJob",
                "signer:ListSigningJobs"
            ],
            "Resource":"*"
        }
    ]
}

Limit Access for Signing to a Specific Signing Profile

The following policies allow a principal to call GetSigningProfile and StartSigningJob (GetSigningProfile and SignPayload in the container policy) only on profile MySigningProfile. Listing and describing signing jobs and profiles remains allowed on any resource.

Policy for Lambda

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "signer:GetSigningProfile",
                "signer:StartSigningJob"
            ],
            "Resource":"arn:aws:signer:Region:444455556666:/signing-profiles/MySigningProfile"
        },
        {
            "Effect":"Allow",
            "Action":[
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource":"*"
        }
    ]
}

Policy for containers

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "signer:GetSigningProfile",
                "signer:SignPayload"
            ],
            "Resource":"arn:aws:signer:Region:444455556666:/signing-profiles/MySigningProfile"
        },
        {
            "Effect":"Allow",
            "Action":[
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource":"*"
        }
    ]
}

Limit Access for Signing to a Specific Signing Profile Version

The following policy allows a principal to call GetSigningProfile and StartSigningJob only on version abcde12345 of profile MySigningProfile. The policy shown uses the container action SignPayload; the signer:ProfileVersion condition key is what restricts the first statement to that single profile version.

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "signer:GetSigningProfile",
                "signer:SignPayload"
            ],
            "Resource":"arn:aws:signer:Region:444455556666:/signing-profiles/MySigningProfile",
            "Condition":{
                "StringEquals":{
                    "signer:ProfileVersion":"abcde12345"
                }
            }
        },
        {
            "Effect":"Allow",
            "Action":[
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource":"*"
        }
    ]
}

Allow Full Access

The following policy allows a principal to perform any AWS Signer action.

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":"signer:*",
            "Resource":"*"
        }
    ]
}
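To see how the profile-scoped and version-scoped statements above differ from the full-access policy, the following added example (not part of the AWS documentation) evaluates requests against a constructed copy of the version-scoped policy and flags statements that grant a signing action on Resource "*". It assumes the Region placeholder is us-east-1 and the profile version is abcde12345; the evaluator handles only Allow statements and StringEquals conditions, which is all these policies use.

```python
import fnmatch

# Constructed copy of the page's "specific signing profile version" policy: the Region
# placeholder is set to us-east-1 and the condition value to abcde12345 (assumed values).
VERSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["signer:GetSigningProfile", "signer:SignPayload"],
         "Resource": "arn:aws:signer:us-east-1:444455556666:/signing-profiles/MySigningProfile",
         "Condition": {"StringEquals": {"signer:ProfileVersion": "abcde12345"}}},
        {"Effect": "Allow", "Resource": "*", "Action": ["signer:ListSigningJobs",
         "signer:ListSigningProfiles", "signer:DescribeSigningJob"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM pattern semantics used here: '*' matches any run of characters, '?' one.
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource, context=None):
    """Simplified evaluation for Allow-only policies like those on this page: allowed when
    a statement matches action, resource ARN and every StringEquals key (a key missing
    from the request context fails the condition). Deny statements are ignored."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) in _as_list(v) for k, v in conditions.items()):
            return True
    return False

def unscoped_signing_actions(policy):
    """Least-privilege audit: action patterns of each statement that grants a signing
    action (StartSigningJob or SignPayload) on Resource "*" with no Condition."""
    signing = ("signer:StartSigningJob", "signer:SignPayload")
    findings = []
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        if ("*" in _as_list(stmt["Resource"]) and "Condition" not in stmt
                and any(_matches(p, a) for p in patterns for a in signing)):
            findings.append(patterns)
    return findings
```

Running `unscoped_signing_actions` over the "Allow Full Access" policy reports its `signer:*` statement, while the profile- and version-scoped policies report nothing.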