AWS Signer — Cross Account pt. 1

Cross Account Signed Packages — Diagram

Sign your Lambda packages and send them to your desired account

In a previous post, I wrote about AWS Signer and how to sign your AWS Lambda packages. It is best if you read and implement the steps there before starting this one.

In this post, I will show you how to sign an AWS Lambda package stored in an Amazon S3 bucket in Account A and send the signed package to an Amazon S3 bucket in Account B.

This is useful when you want to sign your AWS Lambda packages between environment accounts (Dev to Cert, Cert to Prod, etc.).


Prerequisites

  1. The IAM user in Account A must have permissions for AWS Signer, AWS IAM roles, and Amazon S3. The IAM user in Account B must have permissions for AWS IAM roles and Amazon S3.
  2. Install AWS CLI v2 on your machine. https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
  3. Create a profile on your machine with AWS CLI v2 using your credentials from Account A (credentials for Account B are not necessary). https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config
  4. Create Amazon S3 buckets in Account A and Account B; both must have versioning enabled. https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html


AWS Signer Profile: Account A

At the beginning of this post, you’ll see a link to a previous post that shows you how to create an AWS Signer profile. Implement it in AWS in the account you’ve designated as Account A.


AWS IAM Role: Account B

Now that you have created an AWS Signer profile, you will create an AWS IAM Role with a policy attached. This role will allow the signed packages to be sent from Account A to Account B.

Access your Account B, then Go to AWS IAM:

Account B — AWS IAM search result

Access the left-hand menu, click on Roles, and click the Create role button:

Account B — AWS IAM Role menu

Now you must select the trusted entity; in this case, choose S3.

Account B — IAM Role Trusted entity

The important part of this section is the permissions. Click the Create policy button:

Account B — IAM Role Add permissions menu

It will open another tab in your browser, which prompts you to create an AWS IAM policy.

To make it easy, click the JSON tab and you will see the following:

Account B — IAM Policy JSON permissions

Delete the default content and paste the following JSON.

You must replace the values enclosed in <> with the values mentioned in their description. Note that each Sid must be unique within a policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::<Account B - Bucket Name>",
                "arn:aws:s3:::<Account B - Bucket Name>/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "signer:StartSigningJob"
            ],
            "Resource": [
                "arn:aws:signer:<region>:<Account A Number>:/signing-profiles/<Account A - Signer Profile Name>"
            ]
        }
    ]
}

Click Next, add a name and description to the AWS IAM Policy, then click Create Policy.

Account B — Review AWS IAM Policy

Perfect. Now go back to the tab where you were creating the AWS IAM Role.

Click the small refresh button.

Account B — IAM Role Add permissions refresh button

You should now see the recently created AWS IAM Policy. Search for it, select it, and click Next.

Enter the desired AWS IAM Role name and description, then click the Create role button.

Account B — AWS IAM Role review

Keep the AWS IAM Role ARN at hand for the next steps (I removed much of the information in the picture for security reasons):

Account B — AWS IAM Role ARN


Bucket Policy — Account B

One step closer. Now you must configure a bucket policy on the Amazon S3 bucket in Account B that allows Account A to access it and deposit the signed packages.

Two things to check before you save it. The policy below names the Account A root principal, which delegates the decision to Account A's own IAM: every identity in Account A that also holds the matching s3 permissions can then write to this bucket, so if only one user or role should be able to deposit packages, put that IAM user or role ARN in Principal instead. Also confirm that the bucket's Object Ownership setting is Bucket owner enforced (ACLs disabled); otherwise objects written from Account A stay owned by Account A, and Account B may not be able to read the signed package from its own bucket.

Go to Amazon S3 (Account B):

Account B — Amazon S3 search result

Open your Amazon S3 bucket and click the Permissions tab.

Account B — Amazon S3 permissions tab

Scroll down to the Bucket policy section and click the Edit button:

Account B — Amazon S3 Bucket policy

Again, delete the default content and paste the following JSON.

You must replace the values enclosed in <> with the values mentioned in their description:

{
    "Version": "2012-10-17",
    "Id": "Policy1643415248620",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account A - Account number>:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:GetObjectVersion",
                "s3:ListBucketVersions",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<Account B - S3 bucket name>",
                "arn:aws:s3:::<Account B - S3 bucket name>/*"
            ]
        }
    ]
}

Then click the Save changes button.


Amazon S3 Object Version ID from Package — Account A

You need to obtain the version ID of the package object in the Amazon S3 bucket in Account A.

Go to Amazon S3 (Account A):

Account A — Amazon S3 search result

Open your Amazon S3 bucket and click the Objects tab.

Account A — Amazon S3 Objects tab

Open the package you are going to sign later, then click the Versions tab and save the Version ID value.

Account A — Amazon S3 Object version tab


Attach Role to AWS Signer — Account A

For this section we will use the CLI, since attaching an AWS IAM Role to an AWS Signer profile can only be done programmatically for the time being.

Open your terminal and run the following command:

aws signer list-profile-permissions --profile-name <Account A - AWS Signer profile name> --profile <AWS CLI profile name>

The command lists all the permissions assigned to your AWS Signer profile; for now, it will be empty.

Now run the following command to grant the AWS IAM Role created in Account B access to the AWS Signer profile in Account A (I know it is long, but once you replace the placeholders with your values it gets a bit shorter):

aws signer add-profile-permission --profile-name <Account A - Signer Profile Name> --action signer:StartSigningJob --principal <Account B - AWS IAM Role ARN> --statement-id <Statement ID (Any text)> --profile <AWS CLI profile name>

Run the list command once more and you should see the permission assigned.

aws signer list-profile-permissions --profile-name <Account A - AWS Signer profile name> --profile <AWS CLI profile name>

If you see the permission assigned, then great.

Now, with the following command, you sign the package from the Amazon S3 bucket in Account A and write the signed package to the Amazon S3 bucket in Account B.

aws signer start-signing-job --source 's3={bucketName=<Account A - Amazon S3 Bucket name>,key=<Account A - Amazon S3 Object name>,version=<Account A - Amazon S3 Object Version ID>}' --destination 's3={bucketName=<Account B - Amazon S3 Bucket name>,prefix=<Account B - Amazon S3 Bucket prefix or path>}' --profile-name <Account A - AWS Signer profile name> --profile <AWS CLI profile name>

The following response should be displayed:

{
    "jobId": "83fa1fe2-4c7c-4621-8a7a-33cb40175229",
    "jobOwner": "<Account A - Account number>"
}

We will use the jobId to find the signed package in Account B.
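The CLI steps above, put together in one script as an added example (this is not code from the original post). Every profile, account, bucket, role, key and prefix name in it is a hypothetical placeholder set at the top and meant to be overridden. Beyond what the post shows, it reads the object's version ID with s3api head-object instead of the console, makes the add-profile-permission call idempotent by checking list-profile-permissions first, and uses the Signer waiter and describe-signing-job to get the exact key of the signed object in Account B rather than searching for the jobId by hand.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Every value below is a
# placeholder assumption; override them through the environment before use.
set -eu

AWS_PROFILE_A="${AWS_PROFILE_A:-account-a}"                 # CLI profile with Account A credentials
REGION="${REGION:-us-east-1}"
ACCOUNT_A="${ACCOUNT_A:-111111111111}"
SIGNER_PROFILE="${SIGNER_PROFILE:-lambda_signing_profile}"  # Signer profile in Account A
ROLE_B_ARN="${ROLE_B_ARN:-arn:aws:iam::222222222222:role/signer-cross-account}"
BUCKET_A="${BUCKET_A:-account-a-unsigned-packages}"
BUCKET_B="${BUCKET_B:-account-b-signed-packages}"
KEY="${KEY:-function.zip}"                                  # unsigned package in Account A
PREFIX="${PREFIX:-signed/}"                                 # destination prefix in Account B

# Signer profile ARN. The "/" before signing-profiles is part of the real ARN format.
signer_profile_arn() {
  printf 'arn:aws:signer:%s:%s:/signing-profiles/%s' "$1" "$2" "$3"
}

# Deterministic statement id derived from the role name, so re-running is idempotent.
statement_id_for() {
  printf 'allow-%s' "${1##*/}"
}

# Shorthand structures accepted by start-signing-job --source / --destination.
source_spec()      { printf 's3={bucketName=%s,key=%s,version=%s}' "$1" "$2" "$3"; }
destination_spec() { printf 's3={bucketName=%s,prefix=%s}' "$1" "$2"; }

# Grant the Account B role signer:StartSigningJob on the profile unless already granted.
grant_profile_permission() {
  sid="$(statement_id_for "$ROLE_B_ARN")"
  existing="$(aws signer list-profile-permissions --profile-name "$SIGNER_PROFILE" \
    --profile "$AWS_PROFILE_A" \
    --query "permissions[?statementId=='${sid}'].statementId" --output text)"
  if [ -n "$existing" ] && [ "$existing" != "None" ]; then
    echo "permission ${sid} already present on $(signer_profile_arn "$REGION" "$ACCOUNT_A" "$SIGNER_PROFILE")"
    return 0
  fi
  aws signer add-profile-permission --profile-name "$SIGNER_PROFILE" \
    --action signer:StartSigningJob --principal "$ROLE_B_ARN" \
    --statement-id "$sid" --profile "$AWS_PROFILE_A" >/dev/null
  echo "granted ${sid}"
}

# Sign the current version of KEY in Account A and write the result to Account B.
sign_cross_account() {
  # Version ID of the current object, instead of copying it from the console.
  version="$(aws s3api head-object --bucket "$BUCKET_A" --key "$KEY" \
    --profile "$AWS_PROFILE_A" --query VersionId --output text)"
  job_id="$(aws signer start-signing-job \
    --source "$(source_spec "$BUCKET_A" "$KEY" "$version")" \
    --destination "$(destination_spec "$BUCKET_B" "$PREFIX")" \
    --profile-name "$SIGNER_PROFILE" --profile "$AWS_PROFILE_A" \
    --query jobId --output text)"
  echo "started signing job ${job_id}"
  # Block until the job succeeds; the waiter exits non-zero if the job fails.
  aws signer wait successful-signing-job --job-id "$job_id" --profile "$AWS_PROFILE_A"
  # The exact bucket and key Signer wrote; this is what you look for in Account B.
  aws signer describe-signing-job --job-id "$job_id" --profile "$AWS_PROFILE_A" \
    --query '{status:status,bucket:signedObject.s3.bucketName,key:signedObject.s3.key}' \
    --output json
}

# Only talk to AWS when explicitly asked; sourcing the file just defines the functions.
if [ "${RUN_SIGNING:-0}" = "1" ]; then
  grant_profile_permission
  sign_cross_account
fi
```

Run it with `RUN_SIGNING=1 ./sign-cross-account.sh` after exporting your own values. The script runs entirely with Account A credentials, exactly like the manual steps: the bucket policy in Account B is what authorizes the write, and the profile permission is what lets the Account B role start jobs against the profile.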

More information about the AWS Signer CLI: https://docs.aws.amazon.com/cli/latest/reference/signer/


Get Signed package — Account B (S3 round 2)

Go to Amazon S3 (Account B):

Account B — Amazon S3 search result pt.2

Open your Amazon S3 bucket and click the Objects tab.

Account B — Amazon S3 Objects tab

You should see the signed package:

Account B — Amazon S3 signed package


Conclusion

Those are the steps to sign your AWS Lambda packages cross-account. This kind of implementation is also a good fit for a CI/CD pipeline whenever the AWS Lambda functions you build are deployed to different accounts.

Later I will continue with pt. 2, which shows how AWS Lambda functions in Account B can reference the AWS Signer profile in Account A to confirm that the signature on the package is valid.

Any questions or comments, please let me know.

Hope you have a nice day, Thank you and Gracias!!!


Jean Velez Torres

Cloud Solutions Architect, Evertec, Inc.

@jeanvelez2
Hello Everyone! I'm Jean Velez, Cloud Solutions architect from Puerto Rico who wants to start out blogging. Always loved to teach others (not the best teacher, but still enjoy it). Works with AWS and Azure, and also a python enthusiast.