Configuring IAM policies for Lambda code signing configurations - Amazon Lambda

Configuring IAM policies for Lambda code signing configurations

To grant permission for a user to access the code signing API operations, attach one or more policy statements to the user policy. For more information about user policies, see Working with identity-based IAM policies in Lambda.

The following example policy statement grants permission to create, update, and retrieve code signing configurations.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateCodeSigningConfig",
                "lambda:UpdateCodeSigningConfig",
                "lambda:GetCodeSigningConfig"
            ],
            "Resource": "*"
        }
    ]
}

Administrators can use the lambda:CodeSigningConfigArn condition key to specify the code signing configurations that developers must use when they create or update functions.

The following example policy statement grants permission to create a function. The policy statement includes a lambda:CodeSigningConfigArn condition to specify the allowed code signing configuration. Lambda blocks any CreateFunction API request if its CodeSigningConfigArn parameter is missing or does not match the value in the condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReferencingCodeSigningConfig",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "lambda:CodeSigningConfigArn": "arn:aws-cn:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"
                }
            }
        }
    ]
}
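
The condition in the policy above only enforces code signing if no other Allow statement attached to the same identity grants lambda:CreateFunction without it, because IAM allows a request when any one statement allows it. The following check is an added example, not part of the original documentation: it scans a policy document for Allow statements that reach lambda:CreateFunction (wildcards and NotAction included) without pinning an approved configuration. It assumes the policy is already loaded as a Python dict, ignores Deny statements, and accepts only StringEquals as a valid pin; the `csc-PLACEHOLDER` ARN and the sample policy are constructed.

```python
import fnmatch

ACTION = "lambda:createfunction"      # IAM action names are case-insensitive
KEY = "lambda:codesigningconfigarn"   # condition key names are case-insensitive
# ARN taken from the policy on this page; treated here as the approved configuration.
APPROVED = "arn:aws-cn:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns):
    return any(fnmatch.fnmatchcase(ACTION, str(p).lower()) for p in _as_list(patterns))

def allows_create(stmt):
    """True if an Allow statement covers lambda:CreateFunction, wildcards included."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"])
    return _matches(stmt.get("Action", []))

def pinned_arns(stmt):
    """ARNs required by a StringEquals condition on the key, or None if absent."""
    block = stmt.get("Condition", {}).get("StringEquals", {})
    for key, value in block.items():
        if key.lower() == KEY:
            return set(_as_list(value))
    return None

def audit(policy, approved):
    """Return (statement label, problem) for each statement that weakens the pin."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if not allows_create(stmt):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        pinned = pinned_arns(stmt)
        if pinned is None:
            findings.append((label, "no StringEquals condition on lambda:CodeSigningConfigArn"))
        elif not pinned <= set(approved):
            findings.append((label, "condition admits an unapproved configuration"))
    return findings

# Constructed sample policy: one statement as on this page, two that weaken it.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Pinned", "Effect": "Allow", "Action": ["lambda:CreateFunction"], "Resource": "*",
     "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn": APPROVED}}},
    {"Sid": "WildcardNoCondition", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Sid": "OtherConfig", "Effect": "Allow", "Action": "lambda:Create*", "Resource": "*",
     "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn":
         "arn:aws-cn:lambda:us-west-2:123456789012:code-signing-config:csc-PLACEHOLDER"}}},
]}

if __name__ == "__main__":
    for label, problem in audit(SAMPLE, {APPROVED}):
        print(f"{label}: {problem}")
```
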