View a markdown version of this page

Actions, resources, and condition keys for Amazon Signer - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Signer

Amazon Signer (service prefix: signer) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Signer

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation SDK client IAM action Condition key Possible value(s) Access level

AddProfilePermission

signer

signer:AddProfilePermission

Permissions management, Write

CancelSigningProfile

signer

signer:CancelSigningProfile

Write

DescribeSigningJob

signer

signer:DescribeSigningJob

Read

GetRevocationStatus

signer

signer:GetRevocationStatus

Read

GetSigningPlatform

signer

signer:GetSigningPlatform

Read

GetSigningProfile

signer

signer:GetSigningProfile

Read

ListProfilePermissions

signer

signer:ListProfilePermissions

Read

ListSigningJobs

signer

signer:ListSigningJobs

List

ListSigningPlatforms

signer

signer:ListSigningPlatforms

List

ListSigningProfiles

signer

signer:ListSigningProfiles

List

ListTagsForResource

signer

signer:ListTagsForResource

Read

PutSigningProfile

signer

signer:PutSigningProfile

Write

signer:TagResource

Tagging, Write

RemoveProfilePermission

signer

signer:RemoveProfilePermission

Permissions management, Write

RevokeSignature

signer

signer:RevokeSignature

Write

RevokeSigningProfile

signer

signer:RevokeSigningProfile

Write

SignPayload

signer

signer:SignPayload

Write

StartSigningJob

signer

signer:StartSigningJob

Write

TagResource

signer

signer:TagResource

Tagging, Write

UntagResource

signer

signer:UntagResource

Tagging, Write

GetRevocationStatus

signer-data

signer:GetRevocationStatus

Read

Actions defined by Amazon Signer

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AddProfilePermission

Grants permission to add cross-account permissions to a Signing Profile

signing-profile*

aws:ResourceTag/${TagKey}

Permissions management, Write

CancelSigningProfile

Grants permission to change the state of a Signing Profile to CANCELED

signing-profile*

aws:ResourceTag/${TagKey}

signer:ProfileVersion

Write

DescribeSigningJob

Grants permission to return information about a specific Signing Job

signing-job*

Read

GetRevocationStatus

Grants permission to query revocation info of signing resources

signing-job*

Read

signing-profile*

aws:ResourceTag/${TagKey}

GetSigningPlatform

Grants permission to return information about a specific Signing Platform

Read

GetSigningProfile

Grants permission to return information about a specific Signing Profile

signing-profile*

aws:ResourceTag/${TagKey}

signer:ProfileVersion

Read

ListProfilePermissions

Grants permission to list the cross-account permissions associated with a Signing Profile

signing-profile*

aws:ResourceTag/${TagKey}

Read

ListSigningJobs

Grants permission to list all Signing Jobs in your account

List

ListSigningPlatforms

Grants permission to list all available Signing Platforms

List

ListSigningProfiles

Grants permission to list all Signing Profiles in your account

List

ListTagsForResource

Grants permission to list the tags associated with a Signing Profile

signing-profile*

aws:ResourceTag/${TagKey}

Read

PutSigningProfile

Grants permission to create a new Signing Profile

aws:RequestTag/${TagKey}

aws:TagKeys

Write

RemoveProfilePermission

Grants permission to remove cross-account permissions from a Signing Profile

signing-profile*

aws:ResourceTag/${TagKey}

Permissions management, Write

RevokeSignature

Grants permission to change the state of a Signing Job to REVOKED

signing-job*

signer:ProfileVersion

Write

RevokeSigningProfile

Grants permission to change the state of a Signing Profile to REVOKED

signing-profile*

aws:ResourceTag/${TagKey}

signer:ProfileVersion

Write

SignPayload

Grants permission to initiate a Signing Job on the provided payload

signing-profile*

aws:ResourceTag/${TagKey}

signer:ProfileVersion

Write

StartSigningJob

Grants permission to initiate a Signing Job on the provided code

signing-profile*

aws:ResourceTag/${TagKey}

signer:ProfileVersion

Write

TagResource

Grants permission to add one or more tags to a Signing Profile

signing-profile*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove one or more tags from a Signing Profile

signing-profile*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

Resource types defined by Amazon Signer

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

signing-job

arn:${Partition}:signer:${Region}:${Account}:/signing-jobs/${JobId}

signing-profile

arn:${Partition}:signer:${Region}:${Account}:/signing-profiles/${ProfileName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Signer

Amazon Signer defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by allowed set of values for each of the tags

String

aws:ResourceTag/${TagKey}

Filters access by tag-value associated with the resource

String

aws:TagKeys

Filters access by presence of mandatory tags in the request

ArrayOfString

signer:ProfileVersion

Filters access by version of the Signing Profile

String