Creating profiles using the AWS CLI (all platforms)
This section describes the procedures and options for creating and managing signing profiles using the AWS CLI. A signing profile is a template that defines the following settings for associated signing jobs:
-
The signing platform that designates the file type to be signed. The following platforms are available in the AWS CLI.
API name Display name AWSIoTDeviceManagement-SHA256-ECDSA
AWS IoT Device Management SHA256-ECDSA
AmazonFreeRTOS-Default
Amazon FreeRTOS SHA256-ECDSA
AmazonFreeRTOS-TI-CC3220SF
Amazon FreeRTOS SHA1-RSA CC3220SF-Format
AWSLambda-SHA384-ECDSA
AWS Lambda
Notation-OCI-SHA384-ECDSA
Notation for container registries
For more information about the configurations and parameters that are contained in signing platforms, see SigningPlatform in the AWS Signer API Reference.
-
The signature format.
-
The signature algorithms.
-
The validity period of signatures. By default, signature validity is set to 135 months (11 years and 3 months), which is the maximum validity supported. The signature validity period is only applicable for
AWSLambda-SHA384-ECDSA
andNotation-OCI-SHA384-ECDSA
signing platforms.
After you create the signing profile, you can delegate control of it using AWS Identity and Access Management (IAM). For more information about managing user permissions in AWS Signer, see Accessing Signer resources with security policies.
Signing profiles can be created, inspected, listed, and canceled as shown in the following examples.
-
This command creates and saves an AWS Signer signing profile.
Signatures generated using this platform will expire after the time specified by
--signature-validity-period
. This value may be specified usingDAYS
,MONTHS
, orYEARS
. If no validity period is specified, the default value is 135 months.In this example, the specified signing platform is
AWSLambda-SHA384-ECDSA
.$
aws signer put-signing-profile \ --profile-name
my_lambda_signing_profile
\ --platform-id AWSLambda-SHA384-ECDSA \ --signature-validity-period value=10
, type='MONTHS
' -
This command retrieves a signing profile for inspection.
$
aws signer get-signing-profile
--profile-namemy_lambda_signing_profile
-
This command lists the signing profiles that you own or control.
$
aws signer list-signing-profiles
-
This command deletes a signing profile.
$
aws signer cancel-signing-profile
\ --profile-namemy_lambda_signing_profile
\ --profile-versionprofile_version
\ --reason "e2e notation testing
" \ --effective-time1111111111