API permissions for Signer - AWS Signer

API permissions for Signer

Administrators who set up access control and write permissions policies that they attach to an IAM identity (identity-based policies) can use the following table as a reference. The first column in the table lists each AWS Signer API operation. You specify actions in a policy's Action element. You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the signer prefix followed by the API operation name (for example, signer:StartSigningJob).

AWS Signer API Operations and Permissions

| API Operation | Required Permissions (API Actions) |
|---|---|
| AddProfilePermission | signer:AddProfilePermission |
| CancelSigningProfile | signer:CancelSigningProfile |
| DescribeSigningJob | signer:DescribeSigningJob |
| GetRevocationStatus | signer:GetRevocationStatus |
| GetSigningPlatform | signer:GetSigningPlatform |
| GetSigningProfile | signer:GetSigningProfile |
| ListProfilePermissions | signer:ListProfilePermissions |
| ListSigningJobs | signer:ListSigningJobs |
| ListSigningPlatforms | signer:ListSigningPlatforms |
| ListSigningProfiles | signer:ListSigningProfiles |
| ListTagsForResource | signer:ListTagsForResource |
| PutSigningProfile | signer:PutSigningProfile |
| RemoveProfilePermission | signer:RemoveProfilePermission |
| RevokeSignature | signer:RevokeSignature |
| RevokeSigningProfile | signer:RevokeSigningProfile |
| SignPayload | signer:SignPayload |
| StartSigningJob | signer:StartSigningJob |
| TagResource | signer:TagResource |
| UntagResource | signer:UntagResource |

For the actions StartSigningJob, GetSigningProfile, CancelSigningProfile, RevokeSigningProfile, and SignPayload, use the signer:ProfileVersion condition key to limit which version of a signing profile a principal has access to.

AWS Signer API Condition Keys

| Condition Key | Description | APIs |
|---|---|---|
| signer:ProfileVersion | Limit access to a specific version of a Signing Profile | StartSigningJob, GetSigningProfile, CancelSigningProfile, RevokeSigningProfile, SignPayload |
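
The following Python check is an added example, not code from AWS or from this guide. It flags Allow statements in an identity-based policy that grant any of the five actions listed above, directly or through a wildcard, without a signer:ProfileVersion condition. The sample policy is constructed; the account ID, Region, profile name, and version value are placeholders, and the helper names are hypothetical.

```python
import fnmatch

# Actions the page lists as supporting the signer:ProfileVersion condition key.
VERSION_SCOPED = ["StartSigningJob", "GetSigningProfile", "CancelSigningProfile",
                  "RevokeSigningProfile", "SignPayload"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _pins_version(statement):
    """True if any condition operator in the statement tests signer:ProfileVersion."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() == "signer:profileversion" for k in keys):
            return True
    return False

def unpinned_actions(policy):
    """Return (Sid, action) pairs for Allow statements that grant a version-scoped
    Signer action, directly or by wildcard, without a signer:ProfileVersion condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or _pins_version(stmt):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for name in VERSION_SCOPED:
                # IAM matches action names case-insensitively and expands * and ?.
                if fnmatch.fnmatchcase(f"signer:{name}".lower(), pattern.lower()):
                    findings.append((stmt.get("Sid", "<no Sid>"), f"signer:{name}"))
    return findings

# Constructed sample policy: account ID, Region, profile name and version are placeholders.
PROFILE_ARN = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/ExampleProfile"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SignWithPinnedVersion", "Effect": "Allow",
         "Action": ["signer:StartSigningJob", "signer:SignPayload"],
         "Resource": PROFILE_ARN,
         "Condition": {"StringEquals": {"signer:ProfileVersion": "EXAMPLEVER"}}},
        {"Sid": "BroadProfileAccess", "Effect": "Allow",
         "Action": ["signer:Get*", "signer:RevokeSigningProfile"],
         "Resource": PROFILE_ARN},
    ],
}

if __name__ == "__main__":
    for sid, action in unpinned_actions(SAMPLE_POLICY):
        print(f"{sid}: {action} is granted without a signer:ProfileVersion condition")
```

The check covers Allow statements with an Action element only; statements that use NotAction, and the effect of any Deny statements, are outside what it evaluates.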