Using the AWS Signer Console - AWS Signer

Using the AWS Signer Console

You can create signing profiles for Lambda applications using the AWS Signer Console instead of the CLI or SDK.

Note

You cannot create signing profiles for other signing platforms using the console.

To create a signing profile (console)

  1. Log in to the AWS Signer console.

  2. Choose Create Signing Profile.

  3. Enter a unique name for your signing profile. Valid characters include uppercase A-Z, lowercase a-z, numbers 0-9, and underscore (_).

  4. Specify the Signature Validity Period in months, days, or years. The default value is 135 months (11 years and 6 months).

  5. Next, assign a Tag key and a Tag value. When you assign tags to your signing profile, you can manage access using tag-based resource policies.

    You can assign up to 50 tags to a profile.

  6. Choose Create Profile.

The console displays a message that you have successfully created a signing profile and displays the following information:

  • Profile name - Your profile name

  • Profile version - The version of the created profile

  • Platform - The signing platform, in this case, AWS Lambda.

  • Status - Active

  • Profile ARN - The ARN associated with the profile

  • Versioned profile ARN - The profile ARN plus the profile version

  • Signature validity period - The length of time that AWS Signer signs code with this profile

You can also choose Cancel profile to cancel the profile, or choose Revoke Profile.

If you choose Cancel profile, AWS Signer displays a confirmation prompt. Once you cancel the profile, you cannot use it again.

A canceled profile remains in the CANCELED state for two years, and is then automatically deleted.

If you choose Revoke Profile, select a date and the reason for the revocation. You cannot undo this action.

In the Tags section, you can manage the tags assigned to the profile.

You can begin signing code by choosing Start Signing Job.

Using the AWS Signer Console for Signing Jobs

Before you begin signing Lambda code, make sure your IAM policy includes permissions for Amazon S3. See "Define an IAM Policy" for an example.

  1. Log in to the AWS Signer console.

  2. Choose Start signing jobs.

  3. From the list of profiles, choose a signing profile to perform code signing for your Lambda application.

  4. Do either of the following:

    • For Code asset source location, enter the URL for the Amazon S3 bucket that contains your code.

    • Choose Browse, and locate the S3 bucket that contains your code.

    Note

    Be sure your file has the *.zip format. The AWS Signer console does not accept other file formats.

  5. Do one of the following:

    • In the Signature Destination path with Prefix, enter the URL for the S3 bucket where you store your signed code.

    • Choose Browse and locate the S3 bucket that stores your signed code.

  6. Choose Start.

    AWS Signer updates the Manage signing jobs page with your new profile, and displays the following information:

    • Job ID - The generated ID number

    • Profile name - The name of the profile

    • Signing status - The signing status of the job

    • Revocation status - The status of the revocation if any

  7. If Signing status shows Failed, return to the list of signing jobs and choose Failed to see the details of the signing job.

The Signing job details page lists the following information:

  • Job ID - The identifier of the signing job

  • Signing profile used - The signing profile used for the job

  • Version of signing profiles used - The version of the signing profile used for the job

  • Requested by - Identity of the requestor of the job

  • Signing platform - The signing platform used for the job (Lambda only)

  • Signing status - The status of the job as either Successful or Failed

  • Status reason - Explanation for the failure if the signing job failed

  • Started at - The time and date that the signing job started

  • Completed at - The time and date that the job ended

The Code assets details displays additional information:

  • Code asset source bucket - The S3 source bucket of the code file used

  • Code asset source key - The name of the code file used for signing code

  • Code asset source version - The version of the code file
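The same profile and signing job can be requested through the SDK. The following is an added example, not code from the AWS documentation: it builds the boto3 `put_signing_profile` and `start_signing_job` arguments and applies the checks the console steps above describe before anything is sent. The function names are hypothetical, the sample bucket, key and version values in the usage note are constructed, and the platform ID and the requirement for an S3 object version come from the Signer API rather than from this page.

```python
import re

# Constraints stated on this page for console-created (Lambda) profiles.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
MAX_TAGS = 50
LAMBDA_PLATFORM = "AWSLambda-SHA384-ECDSA"  # Signer platform ID for Lambda (not from this page)


def profile_request(name, validity=135, unit="MONTHS", tags=None):
    """Build put_signing_profile kwargs, enforcing the console's rules."""
    tags = dict(tags or {})
    if not NAME_RE.fullmatch(name):
        raise ValueError("profile name: only A-Z, a-z, 0-9 and underscore")
    if unit not in ("DAYS", "MONTHS", "YEARS") or validity < 1:
        raise ValueError("validity must be a positive count of days, months or years")
    if len(tags) > MAX_TAGS:
        raise ValueError("a profile can carry at most 50 tags")
    request = {
        "profileName": name,
        "platformId": LAMBDA_PLATFORM,
        "signatureValidityPeriod": {"value": validity, "type": unit},
    }
    if tags:  # send the tags map only when there is something in it
        request["tags"] = tags
    return request


def job_request(profile, src_bucket, src_key, src_version, dst_bucket, dst_prefix):
    """Build start_signing_job kwargs for a .zip code asset stored in S3."""
    if not src_key.lower().endswith(".zip"):
        raise ValueError("code asset must be a .zip file")
    if not src_version:
        # The API identifies the source by object version, so the source
        # bucket needs versioning enabled (API requirement, not from this page).
        raise ValueError("source object version is required")
    return {
        "profileName": profile,
        "source": {"s3": {"bucketName": src_bucket, "key": src_key, "version": src_version}},
        "destination": {"s3": {"bucketName": dst_bucket, "prefix": dst_prefix}},
    }


def run(profile_kwargs, job_kwargs):
    """Send both requests and return the job ID; needs boto3 and AWS credentials."""
    import boto3
    signer = boto3.client("signer")
    signer.put_signing_profile(**profile_kwargs)
    return signer.start_signing_job(**job_kwargs)["jobId"]
```

For instance, `job_request("lambda_release_1", "example-src-bucket", "build/app.zip", "EXAMPLE_VERSION_ID", "example-dst-bucket", "signed/")` returns the arguments for a signing job, while a key such as `build/app.tar.gz` is rejected locally before any call to AWS.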

Managing Signing Profiles with AWS Signer Console

You can manage your signing profiles from the Manage signing profiles page by choosing the profile name from the Profile name column.

After selecting a profile name, the AWS Signer console displays the signing profile details. You can perform the following actions:

  • Start signing job - Start a new signing job using this profile

  • Cancel profile - Permanently delete the profile

  • Revoke profile - Revoke the signing profile and add a reason for the revocation

  • Manage tags - Add or remove tags from the signing profile