Code Signing via CloudFormation? #2424
Comments
Hi @jplock, Code signing is supported with both Please let us know if this works for you. Thanks
Right so that’s happening and I see the signed packages in S3 and the template is updated to point to them. But then if I upload the template directly into CloudFormation I get that “not configured to accept” message. Do I have to grant access to cloudformation.amazonaws.com to be able to read the signing profile somehow?
The error seems to be coming from the Lambda service based on the actual exception visible in the CloudFormation event when it starts rolling back the stack.
I talked with the Lambda team and they said this might be caused if you have signed code using a signing profile that is not included in the code signing config in your template. Can you confirm that you are using same signing profile in your template and when packaging your code? They also sent this main documentation page for code signer; https://docs.aws.amazon.com/lambda/latest/dg/configuration-codesigning.html
Oh interesting. So in this case, I created the code signing config outside of the template and just referenced the ARN in the Is that supported or should each CloudFormation stack create its own code signing configuration (which reference the same underlying signing profile)? Thanks for looking into this.
Yes this should work fine. One thing I can suggest to look at is the property that you assigned in I will create and test it by creating 2 stacks,
And if you can provide us the example template that you used which reproduces the issue, I can test that one as well.
That was it! Is there a way to get the signing profile version ARN via CloudFormation? My template looks like this:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-signer-signingprofile.html doesn't mention any other return values.
Glad that it worked, I pinged Lambda team that they will mention this in their documentation. And for your last question, you can use Here is the template;
Please let me know if you need more information by reopening this ticket.
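The mismatch resolved in this thread, as an added example (not code from the issue or from the SAM or Lambda teams): a static check over a CloudFormation template, loaded as a dict, that flags code signing configs whose allowed publishers are not signing profile version ARNs. The sample template is constructed, and the ARN shape and the `ProfileVersionArn` attribute name are assumptions taken from AWS documentation, not from this page.

```python
import re

# Assumed ARN shape, per AWS documentation (not taken from this thread):
#   profile:          arn:aws:signer:<region>:<account>:/signing-profiles/<name>
#   profile version:  ...:/signing-profiles/<name>/<version>
VERSION_ARN = re.compile(r"^arn:aws[\w-]*:signer:[\w-]+:\d{12}:/signing-profiles/[^/]+/[^/]+$")
PROFILE, CSC = "AWS::Signer::SigningProfile", "AWS::Lambda::CodeSigningConfig"

def classify(value, resources):
    """Return None when value yields a profile version ARN, else the reason it may not."""
    if isinstance(value, str):
        return None if VERSION_ARN.match(value) else "literal is not a profile version ARN"
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref" and isinstance(arg, str) and resources.get(arg, {}).get("Type") == PROFILE:
            return "Ref on a signing profile is not its version ARN"
        if fn == "Fn::GetAtt":
            parts = arg.split(".", 1) if isinstance(arg, str) else list(arg)
            if len(parts) == 2 and resources.get(parts[0], {}).get("Type") == PROFILE:
                if parts[1] == "ProfileVersionArn":
                    return None
                return f"GetAtt {parts[1]} is not the version ARN"
    return "cannot be checked statically"  # parameters, imports, Fn::Sub, ...

def lint(template):
    """List (logical id, index, reason) for every suspect allowed-publisher entry."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != CSC:
            continue
        publishers = res.get("Properties", {}).get("AllowedPublishers", {})
        for i, value in enumerate(publishers.get("SigningProfileVersionArns", [])):
            reason = classify(value, resources)
            if reason:
                findings.append((name, i, reason))
    return findings

def csc(arns):  # helper for the constructed sample below
    return {"Type": CSC, "Properties": {"AllowedPublishers": {"SigningProfileVersionArns": arns}}}

TEMPLATE = {"Resources": {  # constructed sample, not the template from the issue
    "Profile": {"Type": PROFILE, "Properties": {"PlatformId": "AWSLambda-SHA384-ECDSA"}},
    "GoodCsc": csc([{"Fn::GetAtt": ["Profile", "ProfileVersionArn"]}]),
    "BadCsc": csc([{"Ref": "Profile"},
                   "arn:aws:signer:us-east-1:123456789012:/signing-profiles/MyProfile"]),
}}

if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print(finding)
```

Entries reported as "cannot be checked statically" (parameters, imports) need the resolved value compared against the profile version that signed the package.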
Thank you for the help!
Adding the Return values section as it was not available. I don't know the other available values, please complete this section. Found this one thanks to @mndeveci on aws/aws-sam-cli#2424
Hmm, is there a reason why forgetting to use Took me a while to figure out my mistake.
Describe your idea/feature/enhancement
Related to #2407, is it possible to deploy a code signed Lambda function using CloudFormation or do you have to use sam deploy? We have CodePipelines configured that run sam package from CodeBuild, but then use CodePipeline's CloudFormation integration to provision the packaged YAML file template (so we don't run sam deploy in our pipeline). CloudFormation returns an error message:

Reading https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/authoring-codesigning.html and https://aws.amazon.com/blogs/aws/new-code-signing-a-trust-and-integrity-control-for-aws-lambda/, it's not clear whether this is supported or not.
Thanks.