Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(lambda): Add ability to sign code using a code signing profile #12216

Closed
dontirun opened this issue Dec 23, 2020 · 6 comments · Fixed by #12656, aws-iot-builder-tools/iot-reference-architectures#1801, aws-samples/keycloak-on-aws#44, aws-samples/keycloak-on-aws#46 or aws-samples/amazon-emr-with-juicefs#80
Closed

(lambda): Add ability to sign code using a code signing profile #12216

dontirun opened this issue Dec 23, 2020 · 6 comments · Fixed by #12656, aws-iot-builder-tools/iot-reference-architectures#1801, aws-samples/keycloak-on-aws#44, aws-samples/keycloak-on-aws#46 or aws-samples/amazon-emr-with-juicefs#80
Assignees
@nija-at
Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@dontirun
Copy link
Contributor

Lambda supports now code signing . I suggest the CDK should add the ability to take a signer profile and sign unbundled/bundled assets after they are uploaded to S3. (This will require versioning to be enabled on the Bootstrap bucket)

I can currently do this with CloudFormation deployments utilizing the SAM CLI but not with the CDK

Use Case

I would like to verify the Lambda functions that I deploy as part of a Pipeline have been created by a trusted entity and unmodified.

This is a 🚀 Feature Request
@dontirun dontirun added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 23, 2020
@github-actions github-actions bot added the @aws-cdk/aws-lambda Related to AWS Lambda label Dec 23, 2020
@nija-at
Copy link
Contributor

nija-at commented Jan 7, 2021

This feature is not yet available in CloudFormation.

@nija-at nija-at added effort/small Small work item – less than a day of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jan 7, 2021
@dontirun
Copy link
Contributor Author

dontirun commented Jan 7, 2021

Although the CloudFormation documentation says it's unsupported, the SAM documentation for the CodeSigningConfigArn says that it is supported and passes it directly to that property for CloudFormation

@dontirun
Copy link
Contributor Author

dontirun commented Jan 7, 2021

Additionally the ability to use signed code is independent from the CodeSigning config on the lambda function. The code needs to be signed via AWS Signer using a valid profile. If the Lambda then has the proper configuration the signing profile then the function will properly deploy.

This ask is to implement both parts (with lambda bundling/assets)

This is the code used in the SAM CLI to upload the code to and S3 bucket, start the signing job, and then returned the S3 location to the signed artifact.

@nija-at
Copy link
Contributor

nija-at commented Jan 8, 2021

Thanks for letting me know that this is available in CloudFormation.

@nija-at nija-at removed the needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. label Jan 8, 2021
@hedrall hedrall mentioned this issue Jan 22, 2021
Merged
@dontirun
Copy link
Contributor Author

I really appreciate the work that has gone into PR #12656 , but I do not believe the PR will fully address this issue. If the code signing profile is set to Enforce, and I specify local code the deployment will fail due to code not being signed. The PR will resolve all the CloudFormation related aspects of this request, but there is an additional component to sign the code after it is uploaded to S3 (which I believe the CDK can handle)

@mergify mergify bot closed this as completed in #12656 Feb 25, 2021
mergify bot pushed a commit that referenced this issue Feb 25, 2021
feat(lambda): code signing config (#12656)
778ea27 
closes #12216 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

This was referenced Mar 6, 2021
Closed
Closed
Merged
Merged
Merged
Closed
Closed
Closed
Closed
Merged
Closed
Merged
This was referenced Mar 8, 2021
Merged
Closed
Closed
Closed
Merged
Merged
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Merged
Merged
Closed
Closed
Closed
@dontirun dontirun mentioned this issue Mar 16, 2021
Closed
2 tasks
@pahud pahud mentioned this issue Sep 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nija-at nija-at

Labels
@aws-cdk/aws-lambda Related to AWS Lambda effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(lambda): code signing config hedrall/aws-cdk
Bump awsCdkVersion from 1.90.1 to 1.92.0 in /master-cdk aws-iot-builder-tools/iot-reference-architectures
Bump @aws-cdk/core from 1.91.0 to 1.92.0 in /source aws-samples/keycloak-on-aws
Bump aws-cdk from 1.91.0 to 1.92.0 in /source aws-samples/keycloak-on-aws
Bump aws-cdk from 1.91.0 to 1.92.0 in /source aws-samples/amazon-emr-with-juicefs
Bump @aws-cdk/aws-ec2 from 1.91.0 to 1.92.0 in /source aws-samples/amazon-emr-with-juicefs
Bump awsCdkVersion from 1.90.1 to 1.92.0 aws-samples/aws-cdk-constructs-for-java
Bump @aws-cdk/aws-s3 from 1.91.0 to 1.92.0 in /source aws-samples/amazon-emr-with-juicefs
Bump aws-cdk from 1.91.0 to 1.92.0 peavers-archive/cdk-api-gateway-example
Bump @aws-cdk/assert from 1.91.0 to 1.92.0 in /source aws-samples/keycloak-on-aws
2 participants
@dontirun @nija-at