Using cross-account signing with signing profiles - AWS Signer

Using cross-account signing with signing profiles


Cross-account signing is only available for AWS Lambda and container registries signing platforms, which are referred to as platformId in the AWS CLI and API.

Cross-account signing enables accounts other than the signing profile's owning account to sign code artifacts, and optionally revoke signatures generated by the shared signing profile. For example, an organization's security administrator can create a signing profile, and then grant a group of developers the permission to sign code artifacts using the shared signing profile. The developers could also revoke the signatures generated by the signing profile. This enables accounts other than the owning account to use signing profiles in an organization.

The following procedure illustrates how a security administrator can enable cross-account signing using the AWS CLI. To begin, you'll create a signing profile. Then, you'll grant developer accounts access to the profile for code signing.

To set up cross-account signing using the CLI

The following example uses the AWS Lambda platform. If you want to use the container registry platform instead, use Notation-OCI-SHA384-ECDSA as the value for --platform-id. The example commands in this procedure are pre-populated with values for things like profile names, IDs, and descriptions. Change those as appropriate for your application.

  1. The following command creates a signing profile for the AWS Lambda platform type, with a profile name of profile_for_application_ABC.

    aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name profile_for_application_ABC

    Signer will respond with a signing profile version Amazon Resource Name (ARN) such as:

  2. Now that you've created a signing profile, you can grant the developers' accounts access to use the profile for signing. You do that with the add-profile-permission command. The following example grants permission only for the signer:StartSigningJob action, which is the action used in the AWS Lambda workflow. For a container image signing platform, you'd set the --action value to signer:SignPayload instead. To grant permissions for other actions, such as signer:GetSigningProfile or signer:RevokeSignature, make additional calls to add-profile-permission, one per action.

    The following command grants permission to another account. Replace 555555555555 with the principal you wish to grant cross-account access to. The principal can be an IAM role ARN or another AWS account ID.

    aws signer add-profile-permission \
        --profile-name profile_for_application_ABC \
        --action signer:StartSigningJob \
        --principal 555555555555 \
        --statement-id OptionalStatementId

The signatures generated when using cross-account signing are embedded with the signing profile ARN of the owner account. The owner account is the account that created the signing profile. For verifying signed Lambda .zip archives, you must configure your Lambda code signing configuration to use the signing profile version ARN of the owner account. For verifying signed container images, you must configure the Notation trust policy to use the signing profile ARN of the owner account.
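As an added example that is not part of the AWS documentation above, the following POSIX shell script wraps the two-step procedure (create the profile, then grant each developer principal only the signing action its platform needs) and adds a pre-check for the verification caveat in the last paragraph (the ARN configured on the Lambda code signing configuration must be a signing profile version ARN of the owner account). It assumes the AWS CLI is installed and configured with credentials for the owner account. The function names, the DRY_RUN and ALLOW_REVOKE switches, and the constructed statement IDs (sign-1, revoke-1, ...) are my own, and the ARN layout it checks (arn:aws:signer:REGION:ACCOUNT:/signing-profiles/NAME/VERSION) is assumed from Signer's ARN format rather than taken from this page.

```shell
#!/bin/sh
# Added example, not from the AWS Signer documentation.
# Assumes: AWS CLI installed, owner-account credentials configured.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

# Map the signing platform to the action a developer needs in order to sign:
# StartSigningJob for the Lambda platform, SignPayload for Notation/OCI.
signing_action_for_platform() {
  case "$1" in
    AWSLambda-SHA384-ECDSA)    echo "signer:StartSigningJob" ;;
    Notation-OCI-SHA384-ECDSA) echo "signer:SignPayload" ;;
    *) echo "platform does not support cross-account signing: $1" >&2; return 1 ;;
  esac
}

# Accept the two principal forms the page names (a 12-digit account ID or an
# IAM role ARN) and reject anything else before it reaches the API.
validate_principal() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/*) return 0 ;;
    *) echo "principal must be a 12-digit account ID or an IAM role ARN: $1" >&2; return 1 ;;
  esac
}

# Execute a command, or print it when DRY_RUN=1 (assumed switch).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# usage: setup_cross_account_signing PLATFORM_ID PROFILE_NAME PRINCIPAL...
# Creates the profile, then grants each principal only the signing action.
# With ALLOW_REVOKE=1 (assumed switch) each principal may also revoke the
# signatures the shared profile produced, as the page describes.
# Statement IDs (sign-N, revoke-N) are constructed values.
setup_cross_account_signing() {
  platform="$1"; profile="$2"; shift 2
  sign_action="$(signing_action_for_platform "$platform")"
  run aws signer put-signing-profile \
    --platform-id "$platform" --profile-name "$profile"
  n=0
  for principal in "$@"; do
    validate_principal "$principal"
    n=$((n + 1))
    run aws signer add-profile-permission \
      --profile-name "$profile" \
      --action "$sign_action" \
      --principal "$principal" \
      --statement-id "sign-$n"
    if [ "${ALLOW_REVOKE:-0}" = "1" ]; then
      run aws signer add-profile-permission \
        --profile-name "$profile" \
        --action signer:RevokeSignature \
        --principal "$principal" \
        --statement-id "revoke-$n"
    fi
  done
}

# usage: profile_version_arn_for_owner OWNER_ACCOUNT_ID ARN
# Returns 0 only if ARN is a signing profile *version* ARN (NAME/VERSION
# suffix) that belongs to the owner account; a bare profile ARN or a
# developer account's ARN is rejected. ARN layout is an assumption.
profile_version_arn_for_owner() {
  case "$2" in
    arn:aws:signer:*:"$1":/signing-profiles/*/*) return 0 ;;
    arn:aws:signer:*:"$1":/signing-profiles/*)
      echo "not a signing profile version ARN (version suffix missing): $2" >&2
      return 1 ;;
    *)
      echo "ARN is not a signing profile of owner account $1: $2" >&2
      return 1 ;;
  esac
}
```

Typical use from the owner account: `DRY_RUN=1 sh script.sh` to review, then `setup_cross_account_signing AWSLambda-SHA384-ECDSA profile_for_application_ABC 555555555555` for real, and `profile_version_arn_for_owner <owner-account-id> <arn>` on the ARN you are about to place in the Lambda code signing configuration. Granting one statement per action keeps the profile's resource policy at least privilege and makes revoking a single developer's access a matter of removing one statement.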