Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

support code signing of assets #305

Closed
2 tasks done
dontirun opened this issue Feb 25, 2021 · 8 comments
Closed
2 tasks done

support code signing of assets #305

dontirun opened this issue Feb 25, 2021 · 8 comments
Labels
status/stale The RFC did not get any significant enough progress or tracking and has become stale.

Comments

@dontirun
Copy link

Related to aws/aws-cdk#12656 , aws/aws-cdk#12216

Created a Lambda SignedCode.fromAsset option that takes local code uploads it to S3 and signs it using a specified AWS signer profile

Use Case

With PR aws/aws-cdk#12656 Lambda now supports a code signing configuration. However if the signing config is set to Enforce and local code (inline or from asset path) is provided the deployment will fail as the code has not been signed

      const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', {
        platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
      });

      const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', {
        signingProfiles: [signingProfile],
        untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE,
      });

      new lambda.Function(stack, 'MyLambda', {
        code: new lambda.Code.fromAsset(...),
        handler: 'index.handler',
        runtime: lambda.Runtime.NODEJS_10_X,
        codeSigningConfig,
      });

this feature would enable usage of local code and signing of the the code given permissions to the signing profile

Proposed Solution

Having an option like

     new lambda.Function(stack, 'MyLambda', {
        code: new lambda.SignedCode.fromAsset(...),
        handler: 'index.handler',
        runtime: lambda.Runtime.NODEJS_10_X,
        codeSigningConfig,
      });

would solve this issue

Other

  1. This is how the SAM CLI does it
  2. The bootstrap bucket would need to have versioning enabled
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@hedrall
Copy link

hedrall commented Feb 28, 2021

I read the code around aws-lmabda.code, and I thought the following part is a good way to extend it.

https://github.com/aws/aws-cdk/blob/1fcdb6daf931147b8f33facb8ab9c9f80e5c9eee/packages/%40aws-cdk/core/lib/asset-staging.ts#L161-L169

In the case of aws-lambda-nodejs, the following values can be passed to the constructor of aws-lambda.Function to build the code with esbuild.

code: Code.fromAsset(path.dirname(options.depsLockFilePath), {
  assetHashType: cdk.AssetHashType.OUTPUT,
  Bundling: new Bundling(options),
})

Building process is executed locally by default, but if esbuild command not available in the environment, executed in compatible docker container.

As for signatures, is it possible to rely on the local environment?
Also, which tool should I rely on, AWS CLI, AWS SDK, etc.?

(Once we have a policy for implementation, I would like to start implementing it.)

@jogold
Copy link

jogold commented Feb 28, 2021

Looks like something for cdk-assets?

@dontirun
Copy link
Author

I read the code around aws-lmabda.code, and I thought the following part is a good way to extend it.

https://github.com/aws/aws-cdk/blob/1fcdb6daf931147b8f33facb8ab9c9f80e5c9eee/packages/%40aws-cdk/core/lib/asset-staging.ts#L161-L169

In the case of aws-lambda-nodejs, the following values can be passed to the constructor of aws-lambda.Function to build the code with esbuild.

code: Code.fromAsset(path.dirname(options.depsLockFilePath), {
  assetHashType: cdk.AssetHashType.OUTPUT,
  Bundling: new Bundling(options),
})

Building process is executed locally by default, but if esbuild command not available in the environment, executed in compatible docker container.

As for signatures, is it possible to rely on the local environment?
Also, which tool should I rely on, AWS CLI, AWS SDK, etc.?

(Once we have a policy for implementation, I would like to start implementing it.)

I don't think we need to touch the local bundling. The signing need to occur after the object has been uploaded to the S3 bucket (I believe the upload is done here. ) I believe an optimal approach is to follow what the SAM CLI does with their python code

  1. Add an optional parameter with the profile name(without the version)
  2. Start the signing job
  3. Use the built in waiter for the signing job to complete.

In addition, the CDK bootstrap bucket would need to be changed to have versioning enabled ( since Signer requires a versioned object in S3 to start a signing job)

@hedrall
Copy link

hedrall commented Mar 1, 2021

Thank you. I misunderstood it as something to be signed locally.

I understand that we should start signing job after s3.upload.
https://github.com/aws/aws-cdk/blob/05a998065b3333854715c456b20b7cc5d5daac67/packages/cdk-assets/lib/private/handlers/files.ts#L51-L56

To specify asset that need to be singed, should we path profile name of signer here?,,

https://github.com/aws/aws-cdk/blob/05a998065b3333854715c456b20b7cc5d5daac67/packages/%40aws-cdk/aws-s3-assets/lib/asset.ts#L147-L151

If we set up the signing profile name when synth and start signing job in the middle of publishAsset when deploying, we may need to change cloud-assembly.scheme, but in that case, we'll need to upgrade a major version of schema.

Is there any good way to do this?

@hedrall
Copy link

hedrall commented Mar 10, 2021

@nija-at
Copy link
Contributor

nija-at commented Mar 16, 2021

We currently don't have the ability in the CDK to run an asynchronous job (i.e., the signing job) and use the result as an asset.

This requires additional design into the AWS CDK lifecycle. I'm moving this to the CDK RFC repo to manage the design work.

Unfortunately, we don't have the bandwidth to work on this in the near future.
However, if anyone is interested in writing the design, we'll be happy to review and provide feedback.

@nija-at nija-at transferred this issue from aws/aws-cdk Mar 16, 2021
@nija-at nija-at changed the title (Lambda): Add SignedCode.fromAsset option support code signing of assets Mar 16, 2021
@nija-at nija-at removed their assignment Mar 16, 2021
@nija-at nija-at added the status/proposed Newly proposed RFC label Mar 16, 2021
@derekmurawsky
Copy link

Just curious if there have been any thoughts on this since the original posts. We're actively using CDK now and would like to have our code signed for compliance purposes. Are there any clever approaches we can leverage here, or do we need to build our own process from scratch?

@awsmjs
Copy link
Contributor

awsmjs commented Dec 15, 2023

Closing as we unfortunately do not have the bandwidth to work on this in the near future. We suggest to pursue experimentation in a separate package or a fork if needed. If a successful implementation emerges, reopen the proposal with details on the functionality and how it can be implemented in the core library.

@awsmjs awsmjs closed this as completed Dec 15, 2023
@mrgrain mrgrain added status/stale The RFC did not get any significant enough progress or tracking and has become stale. and removed status/proposed Newly proposed RFC labels Dec 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/stale The RFC did not get any significant enough progress or tracking and has become stale.
Projects
None yet
Development

No branches or pull requests

7 participants