Code Signing for AWS IoT
Developer Guide

Define an IAM Policy

To allow user access to code signing commands, you can attach a policy to an IAM group that grants permission to sign code. For example, you can manually create the following policy or edit it to create a more restrictive policy. For more information, see Overview of IAM Policies.

To manually create an IAM policy:

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane, choose Policies.

  3. Choose Create Policy.

  4. Choose the JSON tab.

  5. Select the existing text and press Delete.

  6. Copy and paste the following policy. It grants the user to whom it is attached access to every operation in the code signing API; you can edit it to make it more restrictive. When you're done, choose Review Policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "signer:*"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

    To use the StartSigningJob API operation, you must specify an Amazon S3 bucket in which the signing job output is saved. To grant that access, attach the following policy to the designated user.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "signer:StartSigningJob",
                    "s3:GetObjectVersion",
                    "s3:PutObject"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }

  7. Enter a policy name and description. Then choose Create Policy.

  8. After you create the policy, choose Users in the navigation pane of the IAM console.

    1. Choose the name of a user.

    2. Make sure that the Permissions tab is active. Choose Add permissions.

    3. Choose Attach existing policies directly.

    4. Select the check box for the policy that you created in the preceding step. Choose Next: Review.

    5. If everything looks correct, choose Add permissions.
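The guide says the two policies above can be edited to be more restrictive but does not show what that looks like. The following script is an added example, not part of the AWS guide: it embeds the guide's two policies as constructed sample input, flags the grants a reviewer would question (a service-wide wildcard action, and S3 object actions that are not scoped to a bucket), and builds a tightened StartSigningJob policy whose S3 actions are limited to one bucket. The bucket name "example-signing-output" and the function names are assumptions for the example; the action names and the S3 ARN format are standard AWS values.

```python
import json

# Constructed sample input: the two policies shown in the guide.
BROAD_SIGNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["signer:*"], "Resource": ["*"]}
    ],
}

GUIDE_SIGNING_JOB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["signer:StartSigningJob", "s3:GetObjectVersion", "s3:PutObject"],
            "Resource": ["*"],
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def find_broad_grants(policy):
    """Return (action, resource, reason) triples for grants a reviewer should tighten.

    Two patterns are flagged:
      - a wildcard action ("*" or "service:*") in an Allow statement, and
      - an S3 action allowed on Resource "*" instead of a specific bucket ARN.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append((action, resource, "wildcard action"))
                elif action.startswith("s3:") and resource == "*":
                    findings.append((action, resource, "s3 action not scoped to a bucket"))
    return findings


def signing_job_policy(bucket_name):
    """Build a StartSigningJob policy whose S3 actions are limited to one bucket.

    The signer action keeps Resource "*" exactly as the guide shows it; only the
    S3 object actions are narrowed to objects inside `bucket_name` (a placeholder
    the caller supplies).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["signer:StartSigningJob"],
                "Resource": ["*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObjectVersion", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket_name}/*"],
            },
        ],
    }


if __name__ == "__main__":
    for name, policy in [("broad signer policy", BROAD_SIGNER_POLICY),
                         ("guide signing-job policy", GUIDE_SIGNING_JOB_POLICY)]:
        for action, resource, reason in find_broad_grants(policy):
            print(f"{name}: {action} on {resource}: {reason}")
    # Placeholder bucket name; replace with the real output bucket before pasting into the console.
    print(json.dumps(signing_job_policy("example-signing-output"), indent=4))
```

Paste the printed JSON into the JSON tab at step 6 in place of the second policy; the tightened policy still satisfies the bucket requirement for StartSigningJob while denying the user write access to every other bucket in the account.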