Set up cross-account signing for Signer
Note
Cross-account signing is only available for AWS Lambda and container registries signing platforms, which are referred to as platformId in the AWS CLI and API.
Cross-account signing enables accounts other than the signing profile's owning account to sign code artifacts, and optionally revoke signatures generated by the shared signing profile. For example, an organization's security administrator can create a signing profile, and then grant a group of developers the permission to sign code artifacts using the shared signing profile. The developers could also revoke the signatures generated by the signing profile. This enables accounts other than the owning account to use signing profiles in an organization.
The following procedure illustrates how a security administrator can enable cross-account signing using the AWS CLI. To begin, you'll create a signing profile. Then, you'll grant developer accounts access to the profile for code signing.
To set up cross-account signing using the CLI
The following example uses the AWS Lambda platform. If you want to use the container registry platform instead, use "Notation-OCI-SHA384-ECDSA" as the value for the platform-id. The example commands in this procedure are pre-populated with values for things like profile names, IDs, and descriptions. Change those as appropriate for your application.
The following command creates a signing profile for the AWS Lambda platform type, with a profile name of profile_for_application_ABC.

aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name profile_for_application_ABC
Signer will respond with a signing profile version Amazon Resource Name (ARN) such as the following, where the last path segment is the profile version identifier:

arn:aws:signer:region:111122223333:/signing-profiles/profile_for_application_ABC/E1WG1ZNPRXT0D4
Now that you've created a signing profile, you can grant the developers' accounts access to use the profile for signing. You do that by using the add-profile-permission command. The following example grants permission only for the signer:StartSigningJob action that's used with the AWS Lambda workflow. If it were a container image signing platform, you'd set the --action value to signer:SignPayload. You might want to grant permissions for other actions, such as signer:GetSigningProfile or signer:RevokeSignature, by making additional calls to add-profile-permission.

The following command grants permission to another account. Replace 555555555555 with the principal to which you want to grant cross-account access. The principal can be an IAM role or another AWS account ID.

aws signer add-profile-permission \
    --profile-name profile_for_application_ABC \
    --action signer:StartSigningJob \
    --principal 555555555555 \
    --statement-id OptionalStatementId
Note
The signatures generated when using cross-account signing are embedded with the signing profile ARN of the owner account. The owner account is the account that created the signing profile. For verifying signed Lambda .zip archives, you must configure your Lambda code signing configuration to use the signing profile version ARN of the owner account. For verifying signed container images, you must configure the Notation trust policy to use the signing profile ARN of the owner account.
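As an added example, not part of the AWS documentation, the POSIX shell script below turns the grant step above into a small least-privilege helper: it picks the signing action from the platform-id (signer:StartSigningJob for AWSLambda-SHA384-ECDSA, signer:SignPayload for Notation-OCI-SHA384-ECDSA), refuses platforms that don't support cross-account signing, and emits one add-profile-permission call per action with its own statement-id. It goes beyond the page in two ways that are this example's own assumptions: it validates the principal as either a 12-digit account ID or an IAM role ARN, and it accepts extra actions (such as signer:GetSigningProfile or signer:RevokeSignature) as trailing arguments. The commands are only printed unless RUN=1 is set, in which case the AWS CLI is assumed to be installed and configured with the owner account's credentials.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: build least-privilege
# add-profile-permission calls for a shared signing profile.
# Assumption: when RUN=1 the AWS CLI is installed and credentials for the
# profile's owner account are configured; otherwise the commands are only
# printed, so the script can be reviewed or tested offline.

# Map a platform-id to the signing action its workflow actually uses.
# Cross-account signing is only supported for these two platforms.
signing_action_for_platform() {
    case "$1" in
        AWSLambda-SHA384-ECDSA)    echo "signer:StartSigningJob" ;;
        Notation-OCI-SHA384-ECDSA) echo "signer:SignPayload" ;;
        *) echo "unsupported platform-id for cross-account signing: $1" >&2
           return 1 ;;
    esac
}

# Accept a 12-digit AWS account ID or an IAM role ARN as the principal.
# (This check is the example's own assumption, not an AWS-documented rule.)
is_valid_principal() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one add-profile-permission call per action for PRINCIPAL on PROFILE.
# The first action is derived from the platform; any extra actions
# (e.g. signer:GetSigningProfile, signer:RevokeSignature) are passed through.
# Each grant gets its own statement-id so it can later be removed on its own.
grant_profile_permissions() {
    profile="$1"; platform="$2"; principal="$3"; shift 3
    is_valid_principal "$principal" || {
        echo "principal must be a 12-digit account ID or an IAM role ARN: $principal" >&2
        return 1
    }
    sign_action=$(signing_action_for_platform "$platform") || return 1
    n=0
    for action in "$sign_action" "$@"; do
        n=$((n + 1))
        sid="${action#signer:}-$n"
        cmd="aws signer add-profile-permission --profile-name $profile --action $action --principal $principal --statement-id $sid"
        if [ "${RUN:-0}" = "1" ]; then
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Stand-alone usage: print the grants for a Lambda profile shared with
# account 555555555555, adding read and revoke rights (constructed values).
grant_profile_permissions profile_for_application_ABC AWSLambda-SHA384-ECDSA \
    555555555555 signer:GetSigningProfile signer:RevokeSignature
```

Keeping one statement per action is deliberate: the owner account can later drop a single grant with remove-profile-permission by statement-id (for example, withdrawing signer:RevokeSignature from a team) without re-creating the signing grant that production pipelines depend on.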