ebot-7 fork
This is a fork of the serverless-aws-signer to work with version 3 of the framework and support cross-account signing procedure. Please find the original repo here: https://github.com/jradikk/serverless-aws-signer
Serverless plugin for Lambda functions signing using AWS Signer service
Installation
npm install serverless-aws-signer-ebot7
Configuration
# add to your serverless.yml
plugins:
- serverless-aws-signer-ebot7
custom:
signer:
retain: false # Whether to retain signing Profile and S3 buckets during the project termination (`sls remove` command), if they were created by the plugin
source:
s3:
bucketName: source-bucket-for-signer # [REQUIRED] Source bucket for AWS Signer where zip archive with lambda code will be uploaded
key: lambda-object-name # Filename of the lambda zip archive at S3 (copied by the plugin). Is ignored in case of individually packaged functions
destination:
s3:
bucketName: source-bucket-for-signer # Destination bucket for AWS Signer where signed zip archive with lambda will appear after signing. Can be the same as source bucket
prefix: signed- # Prefix to be added to the name of the signed archive
profileName: signing-profile # AWS Signing Profle name. Currently needs to be created separately
signingPolicy: Enforce # Whether to disallow code updated signed improperly or just fire a warning
description: signing-description # Description of the signing profile displayed in AWS
profileOwner: "AWS-ACCOUNT-ID" # Account-ID of the Signing profile for cross-account signing
package:
indvidually: true # Plugin works with both individually and commonly packaged functions
functions:
signee:
handler: index.lambda_handler
signer: # Any global parameter can be overridden by lambda individual configuration. package.individually.true needs to be enabled for the plugin to parse function configs
profileName: signing-profile
signingPolicy: Enforce
Default Configuration
All parameters except for source S3 bucket and Signing profile can be ommitted. In this case they are taken from default values:
-
signer.source.s3.key- defaults tofunction_name+unix_timestamp -
signer.destination.s3.bucketName- defaults to the source bucketName value -
signer.destination.s3.prefix- defaults tosigned- -
signingPolicy- defaults toEnforce -
retain- defaults totrue -
description- defaults toNot set -
profileOwner- Must be set to the origin account
Default behavior
If an S3 bucket or a Signing profile are specified in configuration but couldn't be found in target AWS account, plugin will attempt to create them using AWS SDK (Not CloudFormation template).
When project gets terminated, plugin attempts to delete signingProfiles and S3buckets specified in corresponding configuration, unless retain option is set to true. Default value is true
In case one needs to change a signing provider of a lambda function, he'll need to recreate the lambda function, otherwise, AWS will reject the zip code with Lambda code, since it will be signed by a different signing Provider than the one specified in serverless configuration. It happens because signing is done before the CloudFormation template gets deployed