

# Get started with AWS Signer
<a name="getting-started"></a>

Before you can begin signing code and binaries with AWS Signer, you need to set up an AWS account, create administrative and root users, apply security policies using AWS Identity and Access Management (IAM), and create a signing profile that contains the configuration for your signing tasks. 

**Topics**
+ [Set up to use Signer](iam-setup.md)
+ [Create a Signer signing profile](signing-profiles.md)
+ [Set up cross-account signing for Signer](signing-profile-cross-account.md)

# Set up to use Signer
<a name="iam-setup"></a>

Access to AWS Signer requires credentials that AWS can use to authenticate your requests. The credentials must have permissions to access AWS resources. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) to help secure your resources by controlling who can access them. 

## Sign up for an AWS account
<a name="sign-up-for-aws"></a>

If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

## Create a user with administrative access
<a name="create-an-admin"></a>

After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1.  Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [ Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [ Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [ Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

# Create a Signer signing profile
<a name="signing-profiles"></a>

Before you can perform signing jobs, you must create a *signing profile*. A signing profile is a unique AWS Signer resource that you use to perform signing jobs. Signing profiles enable you to sign and verify code artifacts, such as container images and AWS Lambda deployment bundles. Each signing profile designates the signing platform to sign for, a platform ID, and other platform-specific information.

You can create, list, and cancel signing profiles using the Signer console, AWS CLI, or API. Signer manages the code signing certificate and keys only for the [AWS Lambda](lambda-workflow.md) and [Container images](container-workflow.md) workflows. For [Internet of Things (IoT)](iot-workflow.md) workflows, you import your own code signing certificate into AWS Certificate Manager.

------
#### [ Console ]

This section describes the procedures and options for creating a signing profile from the AWS console.

**To create a signing profile**

1. Log into the AWS Signer [console](https://console.aws.amazon.com/signer).

1. Choose **Create signing profile**. 

1. On the **Create signing profile** page, provide a unique **Profile name** for your signing profile. Valid characters are uppercase A-Z, lowercase a-z, numbers 0-9, and underscore (_).

1. For **Signing platform**, choose one of the listed platforms.

   [See the AWS documentation website for the table of available platforms](http://docs.aws.amazon.com/signer/latest/developerguide/signing-profiles.html).

1. Specify the **Signature validity period** in months, days, or years. The default value is 135 months (11 years and 3 months).

1. In the **Tags - optional** section, you can create a **Tag key** and a **Tag value**, then save it with the **Add tag** button. When you assign tags to your signing profile, you can use tag-based resource policies to manage access to the profile.

   You can assign up to 50 tags to a profile.

1. Choose **Create profile**.

------
#### [ CLI ]

This section describes the procedures and options for creating and managing signing profiles using the AWS CLI. A signing profile is a template that defines the following settings for associated signing jobs:
+ The *signing platform* that designates the file type to be signed. For the table of platforms available in the AWS CLI, [see the AWS documentation website](http://docs.aws.amazon.com/signer/latest/developerguide/signing-profiles.html).

  For more information about the configurations and parameters that are contained in signing platforms, see [SigningPlatform](https://docs.aws.amazon.com/signer/latest/api/API_SigningPlatform.html) in the *AWS Signer API Reference*.
+ The signature format.
+ The signature algorithms.
+ The validity period of signatures. By default, signature validity is set to 135 months (11 years and 3 months), which is the maximum validity supported. The signature validity period is only applicable for `AWSLambda-SHA384-ECDSA` and `Notation-OCI-SHA384-ECDSA` signing platforms.

After you create the signing profile, you can delegate control of it using [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html). For more information about managing user permissions in AWS Signer, see [Identity and Access Management for AWS Signer](authen-overview.md).

Signing profiles can be created, inspected, listed, and canceled as shown in the following examples.
+ [https://docs.aws.amazon.com/cli/latest/reference/signer/put-signing-profile.html](https://docs.aws.amazon.com/cli/latest/reference/signer/put-signing-profile.html)

  This command creates and saves an AWS Signer signing profile. 

  Signatures generated with this profile expire after the period given by `--signature-validity-period`. The period may be specified in `DAYS`, `MONTHS`, or `YEARS`. If no validity period is specified, the default value is 135 months.

  In this example, the specified signing platform is `AWSLambda-SHA384-ECDSA`.

  ```
  $ aws signer put-signing-profile \
       --profile-name my_lambda_signing_profile \
       --platform-id AWSLambda-SHA384-ECDSA \
       --signature-validity-period value=10,type=MONTHS
  ```
+ [https://docs.aws.amazon.com/cli/latest/reference/signer/get-signing-profile.html](https://docs.aws.amazon.com/cli/latest/reference/signer/get-signing-profile.html)

  This command retrieves a signing profile for inspection.

  ```
  $ aws signer get-signing-profile --profile-name my_lambda_signing_profile
  ```
+ [https://docs.aws.amazon.com/cli/latest/reference/signer/list-signing-profiles.html](https://docs.aws.amazon.com/cli/latest/reference/signer/list-signing-profiles.html)

  This command lists the signing profiles that you own or control.

  ```
  $ aws signer list-signing-profiles
  ```
+ [https://docs.aws.amazon.com/cli/latest/reference/signer/cancel-signing-profile.html](https://docs.aws.amazon.com/cli/latest/reference/signer/cancel-signing-profile.html)

  This command cancels a signing profile. A canceled profile can no longer be used for new signing jobs, although it still appears in `list-signing-profiles` output.

  ```
  $ aws signer cancel-signing-profile --profile-name my_lambda_signing_profile
  ```
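The constraints above (profile name characters, the 135-month maximum validity, the 50-tag limit, and which platforms honor a validity period) are easy to get wrong in a script before the CLI ever reports an error. The following pre-flight checker is an added example, not AWS's own code: it validates a profile definition against those stated limits and renders both the `aws signer put-signing-profile` command line (with correct shorthand syntax) and the equivalent boto3 keyword arguments, without calling AWS. The 2..64 name length bound and the 30-day month used to check `DAYS` values are assumptions, not taken from this guide.

```python
"""Pre-flight checks for a Signer signing profile definition.

Added example (not AWS's own code). It encodes the constraints this guide
states (profile name characters, the 135-month maximum signature validity,
the 50-tag limit, and which platforms honor a validity period) and renders
the equivalent `aws signer put-signing-profile` command and boto3 keyword
arguments without calling AWS. The name length limits and the 30-day month
used to check DAYS values are assumptions, not taken from this guide.
"""
import re
import shlex

# Platform IDs named in this guide; only these honor --signature-validity-period.
VALIDITY_AWARE_PLATFORMS = {"AWSLambda-SHA384-ECDSA", "Notation-OCI-SHA384-ECDSA"}
# Assumption: extend this set with any other platform ID you use.
KNOWN_PLATFORMS = set(VALIDITY_AWARE_PLATFORMS)

MAX_VALIDITY_MONTHS = 135   # stated maximum (and default) validity
MAX_TAGS = 50               # stated per-profile tag limit
# Characters stated in this guide; the 2..64 length bound is an assumption.
PROFILE_NAME_RE = re.compile(r"^[A-Za-z0-9_]{2,64}$")


def validity_in_months(value, unit):
    """Normalize a (value, unit) validity period to whole months.

    DAYS are rounded up at 30 days per month (assumption) so that a period
    slightly over the cap is rejected rather than waved through.
    """
    unit = unit.upper()
    if value <= 0:
        raise ValueError("validity value must be positive")
    if unit == "YEARS":
        return value * 12
    if unit == "MONTHS":
        return value
    if unit == "DAYS":
        return -(-value // 30)   # ceiling division
    raise ValueError(f"unit must be DAYS, MONTHS or YEARS, got {unit!r}")


def validate_profile(name, platform_id, validity=None, tags=None):
    """Return a list of problems with the definition; empty means it passes."""
    problems = []
    if not PROFILE_NAME_RE.match(name):
        problems.append("profile name may contain only A-Z, a-z, 0-9 and underscore")
    if platform_id not in KNOWN_PLATFORMS:
        problems.append(f"unknown platform id {platform_id!r}")
    if validity is not None:
        value, unit = validity
        try:
            months = validity_in_months(value, unit)
        except ValueError as exc:
            problems.append(str(exc))
        else:
            if months > MAX_VALIDITY_MONTHS:
                problems.append(
                    f"validity {value} {unit} exceeds the {MAX_VALIDITY_MONTHS}-month maximum")
            if platform_id not in VALIDITY_AWARE_PLATFORMS:
                problems.append(f"platform {platform_id} ignores the signature validity period")
    if tags and len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    return problems


def build_cli_command(name, platform_id, validity=None, tags=None):
    """Render the validated definition as an `aws signer put-signing-profile` line."""
    problems = validate_profile(name, platform_id, validity, tags)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["aws", "signer", "put-signing-profile",
            "--profile-name", name, "--platform-id", platform_id]
    if validity is not None:
        value, unit = validity
        # CLI shorthand syntax: key=value pairs joined by commas, no spaces
        argv += ["--signature-validity-period", f"value={value},type={unit.upper()}"]
    if tags:
        argv += ["--tags", ",".join(f"{k}={v}" for k, v in tags.items())]
    return shlex.join(argv)


def build_api_request(name, platform_id, validity=None, tags=None):
    """Render the same definition as keyword arguments for boto3's put_signing_profile."""
    problems = validate_profile(name, platform_id, validity, tags)
    if problems:
        raise ValueError("; ".join(problems))
    request = {"profileName": name, "platformId": platform_id}
    if validity is not None:
        value, unit = validity
        request["signatureValidityPeriod"] = {"value": value, "type": unit.upper()}
    if tags:
        request["tags"] = dict(tags)
    return request


if __name__ == "__main__":
    print(build_cli_command("my_lambda_signing_profile", "AWSLambda-SHA384-ECDSA", (10, "MONTHS")))
```

Run it to see the rendered command for the `put-signing-profile` example above; passing a hyphenated name or a 12-year validity raises `ValueError` with the reason, which is the point of checking before you call the service.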

------
#### [ API ]

Signing profiles can be created, inspected, listed, and canceled using the following Signer API actions.
+ [https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html)
+ [https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html)
+ [https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html)
+ [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html)

------

# Set up cross-account signing for Signer
<a name="signing-profile-cross-account"></a>

**Note**  
Cross-account signing is only available for the AWS Lambda and container registry signing platforms, which are identified by [platformId](https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html#signer-PutSigningProfile-request-platformId) in the AWS CLI and API.

Cross-account signing enables accounts other than the signing profile's owning account to sign code artifacts, and optionally revoke signatures generated by the shared signing profile. For example, an organization's security administrator can create a signing profile, and then grant a group of developers the permission to sign code artifacts using the shared signing profile. The developers could also revoke the signatures generated by the signing profile. This enables accounts other than the owning account to use signing profiles in an organization.

The following procedure illustrates how a security administrator can enable cross-account signing using the AWS CLI. To begin, you'll create a signing profile. Then, you'll grant developer accounts access to the profile for code signing.

**To set up cross-account signing using the CLI**

The following example uses the AWS Lambda platform. To use the container registry platform instead, specify `Notation-OCI-SHA384-ECDSA` as the value of `platform-id`. The example commands in this procedure are pre-populated with values for things like profile names, IDs, and descriptions. Change those as appropriate for your application.

1. The following command creates a signing profile for the AWS Lambda platform type, with a profile name of `profile_for_application_ABC`.

   ```
   aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name profile_for_application_ABC
   ```

   Signer will respond with a signing profile version Amazon Resource Name (ARN) such as:

   ```
   arn:aws:signer:region:111122223333:/signing-profiles/profile_for_application_ABC/resource-identifierE1WG1ZNPRXT0D4
   ```

1. Now that you've created a signing profile, you can grant the developers' accounts access to use it for signing. You do that with the `add-profile-permission` command. The following example grants permission only for the `signer:StartSigningJob` action, which is used with the AWS Lambda workflow. For a container image signing platform, you'd set the `--action` value to `signer:SignPayload` instead. You can grant permissions for other actions, such as `signer:GetSigningProfile` or `signer:RevokeSignature`, by making additional calls to `add-profile-permission`.

   The following command grants permission to another account. Replace *555555555555* with the principal to which you wish to grant cross-account access. The principal can be an IAM role or another AWS account ID.

   ```
   aws signer add-profile-permission \
    --profile-name profile_for_application_ABC \
    --action signer:StartSigningJob \
    --principal 555555555555 \
    --statement-id OptionalStatementId
   ```

**Note**  
The signatures generated when using cross-account signing are embedded with the signing profile ARN of the owner account. The owner account is the account that created the signing profile. For verifying signed Lambda .zip archives, you must configure your Lambda code signing configuration to use the signing profile version ARN of the owner account. For verifying signed container images, you must configure the Notation trust policy to use the signing profile ARN of the owner account. 
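Because each `add-profile-permission` call adds one grant, the owner account's view of who can sign with or revoke against a shared profile is the permission list the profile accumulates. The following audit routine is an added example, not AWS's own code: it takes a list of permissions in the shape returned by `aws signer list-profile-permissions` (a constructed sample is embedded) and flags what the security administrator in the scenario above would want to review: a signing action that does not match the profile's platform (`signer:SignPayload` on a Lambda profile), `signer:RevokeSignature` held by a principal not on an approved list, and principals whose account is outside the organization's trusted set. The account IDs, statement IDs and role name are constructed; the `profileVersion` values are placeholders.

```python
"""Review the cross-account grants on a Signer signing profile.

Added example (not AWS's own code). It takes a list of permissions in the
shape `aws signer list-profile-permissions` returns (a constructed sample
is embedded below) and flags what a security administrator would want to
look at: a signing action that does not match the profile's platform, the
revocation right held by a principal not on an approved list, and
principals outside the accounts the organization trusts. The account IDs,
statement IDs and role name below are constructed.
"""

# Signing action per platform, as this guide describes.
SIGN_ACTION_FOR_PLATFORM = {
    "AWSLambda-SHA384-ECDSA": "signer:StartSigningJob",
    "Notation-OCI-SHA384-ECDSA": "signer:SignPayload",
}
SIGN_ACTIONS = set(SIGN_ACTION_FOR_PLATFORM.values())
READ_ACTIONS = {"signer:GetSigningProfile"}
REVOKE_ACTIONS = {"signer:RevokeSignature"}
KNOWN_ACTIONS = SIGN_ACTIONS | READ_ACTIONS | REVOKE_ACTIONS


def principal_account(principal):
    """Return the 12-digit account ID behind a principal, or None if unparseable.

    A principal is either a bare account ID or an IAM ARN
    (arn:partition:iam::ACCOUNT:role/Name); the account sits in field 4.
    """
    if principal.startswith("arn:"):
        parts = principal.split(":")
        if len(parts) >= 6 and parts[4].isdigit() and len(parts[4]) == 12:
            return parts[4]
        return None
    if principal.isdigit() and len(principal) == 12:
        return principal
    return None


def audit_permissions(platform_id, permissions, trusted_accounts, approved_revokers=()):
    """Return (statementId, message) findings for grants that need review."""
    findings = []
    expected_sign_action = SIGN_ACTION_FOR_PLATFORM.get(platform_id)
    for perm in permissions:
        action = perm["action"]
        principal = perm["principal"]
        sid = perm.get("statementId", "<no statement id>")
        account = principal_account(principal)
        if account is None:
            findings.append((sid, f"principal {principal!r} is not an account ID or IAM ARN"))
            continue
        if account not in trusted_accounts:
            findings.append((sid, f"principal account {account} is outside the trusted set"))
        if action not in KNOWN_ACTIONS:
            findings.append((sid, f"unexpected action {action}"))
        elif action in SIGN_ACTIONS and action != expected_sign_action:
            findings.append((sid, f"{action} is not the signing action for {platform_id}"))
        elif action in REVOKE_ACTIONS and principal not in approved_revokers:
            findings.append((sid, f"{action} granted to {principal}, which is not an approved revoker"))
    return findings


# Constructed sample in the shape of list-profile-permissions output.
SAMPLE_PERMISSIONS = [
    {"action": "signer:StartSigningJob", "principal": "555555555555",
     "statementId": "dev-team-sign", "profileVersion": "PROFILE_VERSION_PLACEHOLDER"},
    {"action": "signer:GetSigningProfile", "principal": "arn:aws:iam::555555555555:role/ci-runner",
     "statementId": "dev-team-read", "profileVersion": "PROFILE_VERSION_PLACEHOLDER"},
    {"action": "signer:SignPayload", "principal": "666666666666",
     "statementId": "wrong-platform-action", "profileVersion": "PROFILE_VERSION_PLACEHOLDER"},
    {"action": "signer:RevokeSignature", "principal": "777777777777",
     "statementId": "unreviewed-revoke", "profileVersion": "PROFILE_VERSION_PLACEHOLDER"},
]
TRUSTED_ACCOUNTS = {"555555555555", "666666666666"}   # constructed


def audit_sample():
    """Run the audit over the constructed sample for a Lambda profile."""
    return audit_permissions("AWSLambda-SHA384-ECDSA", SAMPLE_PERMISSIONS, TRUSTED_ACCOUNTS)


if __name__ == "__main__":
    for sid, message in audit_sample():
        print(f"{sid}: {message}")
```

In practice you would feed `audit_permissions` the `permissions` array from the CLI's JSON output for the profile's platform and run it whenever a grant is added, so that a `RevokeSignature` grant or an unfamiliar account shows up at review time rather than after a signature has been revoked.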