

# Identity and Access Management for AWS Signer
<a name="authen-overview"></a>

An AWS account owner or an authorized administrator can attach permissions policies to IAM identities (users, groups, and roles) that were created in the account. When managing permissions, an account owner or administrator decides who gets the permissions and what specific actions are allowed. 

A *permissions policy* describes which actions a principal may perform on which resources. Administrators can use IAM to create policies that apply permissions to IAM users, groups, and roles. The following types of *identity-based policies* can grant permission for AWS Signer resources:
+  **Customer managed policies** – Policies that an administrator creates and manages in an AWS account and which can be attached to multiple users, groups, and roles.
+  **Inline policies** – Policies that an administrator creates and manages for a single IAM entity and which can be embedded directly into a single user, group, or role.

For more information, see: 
+ [Customer managed policies for Signer](authen-custmanagedpolicies.md)
+ [Inline policies for Signer](authen-inlinepolicies.md)
+ [Use Signer actions in IAM](authen-apipermissions.md)
+ [Managed policies and inline policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html) in the IAM documentation.

# Customer managed policies for Signer
<a name="authen-custmanagedpolicies"></a>

Customer managed policies are standalone identity-based policies that an administrator creates and can attach to multiple users, groups, or roles in your AWS account. Administrators can manage and create policies using the [AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html), the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-cli.html), or the [IAM API](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-api.html). 

**To manage policies in the AWS Management Console**

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# Inline policies for Signer
<a name="authen-inlinepolicies"></a>

Inline policies are identity-based policies that an administrator creates and embeds directly into a single principal (user, group, or role). Unlike a customer managed policy, an inline policy is not a standalone object: it belongs to that one principal and is deleted when the principal is deleted. Administrators can create and manage policies using the [AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html), the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-cli.html), or the [IAM API](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-api.html). 

**Topics**
+ [Limit Access for Signing to All Signing Profiles Within an Account](#all_profiles)
+ [Limit Access for Signing to a Specific Signing Profile](#particular_profile)
+ [Limit Access for Signing to a Specific Signing Profile Version](#particular_version)
+ [Allow Full Access](#policy-full-access)

## Limit Access for Signing to All Signing Profiles Within an Account
<a name="all_profiles"></a>

The following policies allow a principal to discover every `SigningProfile` within an account and to use any of them to submit, describe, and list signing jobs. Because `Resource` is `"*"`, the grant covers every profile in the account, including profiles created after the policy is attached; the sections that follow narrow it to one profile or one profile version.

**Policy for Lambda**

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "signer:GetSigningProfile",
            "signer:ListSigningProfiles",
            "signer:StartSigningJob",
            "signer:DescribeSigningJob",
            "signer:ListSigningJobs"
         ],
         "Resource":"*"
      }
   ]
}
```

**Policy for containers**

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "signer:GetSigningProfile",
            "signer:ListSigningProfiles",
            "signer:SignPayload",
            "signer:GetRevocationStatus",
            "signer:DescribeSigningJob",
            "signer:ListSigningJobs"
         ],
         "Resource":"*"
      }
   ]
}
```

## Limit Access for Signing to a Specific Signing Profile
<a name="particular_profile"></a>

The following policies allow a principal to call `GetSigningProfile` and `StartSigningJob` (or, for container images, `SignPayload`) only on profile `MySigningProfile`. The list and describe actions in the second statement are still granted on `"*"`, so the principal can list every profile and job in the account but can sign only with `MySigningProfile`. Replace the Region and account ID in the ARN with your own.

**Policy for Lambda**

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "signer:GetSigningProfile",
                "signer:StartSigningJob"
            ],
            "Resource": "arn:aws:signer:us-east-1:444455556666:/signing-profiles/MySigningProfile"
        },
        {
            "Effect": "Allow",
            "Action": [
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource": "*"
        }
    ]
}
```

**Policy for containers**

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "signer:GetSigningProfile",
                "signer:SignPayload"
            ],
            "Resource": "arn:aws:signer:us-east-1:444455556666:/signing-profiles/MySigningProfile"
        },
        {
            "Effect": "Allow",
            "Action": [
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource": "*"
        }
    ]
}
```

## Limit Access for Signing to a Specific Signing Profile Version
<a name="particular_version"></a>

The following policy allows a principal to call `GetSigningProfile`, `StartSigningJob`, and `SignPayload` only on version `abcde12345` of profile `MySigningProfile`; drop whichever signing action (`StartSigningJob` for code, `SignPayload` for container images) the principal does not need. Because `StringEquals` does not match when the condition key is absent from the request context, the first statement never applies to a request for which Signer supplies no profile version, and a newer version of the profile cannot be used for signing until the policy is updated.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "signer:GetSigningProfile",
                "signer:StartSigningJob",
                "signer:SignPayload"
            ],
            "Resource": "arn:aws:signer:us-east-1:444455556666:/signing-profiles/MySigningProfile",
            "Condition": {
                "StringEquals": {
                    "signer:ProfileVersion": "abcde12345"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "signer:ListSigningJobs",
                "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"
            ],
            "Resource": "*"
        }
    ]
}
```
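To check what the profile-scoped policies in the previous section and the version-pinned policy above actually permit before attaching them, the following added example evaluates them with a small model of IAM's Allow/Deny, wildcard, and `StringEquals` semantics. It is not AWS code and not a substitute for IAM's own evaluation: it models identity-based statements only, not resource policies, permissions boundaries, or SCPs. The Region, account ID, profile name, and version string are the page's; `OtherProfile` and the `zzzzz00000` version are constructed inputs.

```python
"""Offline check of the profile- and version-scoped Signer policies above.

Added example, not AWS code. It models only the IAM semantics these policies
rely on: Allow/Deny statements, '*' wildcards in Action and Resource,
StringEquals conditions, and the implicit deny. Use it to reason about a
policy before attaching it; real requests are authorized by IAM.
"""
import fnmatch
import json

REGION = "us-east-1"          # Region and account ID taken from the page's ARNs
ACCOUNT = "444455556666"

LIST_ACTIONS = ["signer:ListSigningJobs", "signer:ListSigningProfiles",
                "signer:DescribeSigningJob"]


def profile_arn(name):
    """Signing profile ARN in the form the policies above use."""
    return f"arn:aws:signer:{REGION}:{ACCOUNT}:/signing-profiles/{name}"


def scoped_policy(profile, sign_action, version=None):
    """Build the page's profile-scoped policy, optionally pinned to a version.

    sign_action is "signer:StartSigningJob" for code-signing jobs (Lambda) or
    "signer:SignPayload" for container images.
    """
    grant = {"Effect": "Allow",
             "Action": ["signer:GetSigningProfile", sign_action],
             "Resource": profile_arn(profile)}
    if version is not None:
        grant["Condition"] = {"StringEquals": {"signer:ProfileVersion": version}}
    return {"Version": "2012-10-17",
            "Statement": [grant,
                          {"Effect": "Allow", "Action": LIST_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled.

    A key missing from the request context never matches, so a statement
    pinned to signer:ProfileVersion cannot apply when Signer supplies no
    version for the request.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement matches and no Deny statement does."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; ARNs are matched case-sensitively.
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed


if __name__ == "__main__":
    arn = profile_arn("MySigningProfile")
    by_profile = scoped_policy("MySigningProfile", "signer:StartSigningJob")
    by_version = scoped_policy("MySigningProfile", "signer:SignPayload", "abcde12345")
    print(json.dumps(by_version, indent=2))
    checks = [   # (policy, action, resource, request context); OtherProfile is constructed
        (by_profile, "signer:StartSigningJob", arn, {}),
        (by_profile, "signer:StartSigningJob", profile_arn("OtherProfile"), {}),
        (by_profile, "signer:PutSigningProfile", arn, {}),
        (by_version, "signer:SignPayload", arn, {"signer:ProfileVersion": "abcde12345"}),
        (by_version, "signer:SignPayload", arn, {"signer:ProfileVersion": "zzzzz00000"}),
        (by_version, "signer:SignPayload", arn, {}),   # no version in the request context
    ]
    for policy, action, res, ctx in checks:
        verdict = "ALLOW" if is_allowed(policy, action, res, ctx) else "DENY"
        print(f"{verdict:5} {action} on {res.rsplit('/', 1)[-1]} with {ctx}")
```

The last check is the one to notice: with no `signer:ProfileVersion` in the request context the version-pinned statement does not match, the list/describe statement does not cover `SignPayload`, and the request falls through to the implicit deny.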

## Allow Full Access
<a name="policy-full-access"></a>

The following policy allows a principal to perform any AWS Signer action on any resource, including creating and changing profiles (`PutSigningProfile`), managing profile permissions (`AddProfilePermission`, `RemoveProfilePermission`), and revoking profiles and signatures (`RevokeSigningProfile`, `RevokeSignature`). Reserve it for administrators; build and CI roles that only need to sign should get one of the scoped policies above.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"signer:*",
         "Resource":"*"
      }
   ]
}
```

# Use Signer actions in IAM
<a name="authen-apipermissions"></a>

Administrators who set up access control and write permissions policies that they attach to an IAM identity (identity-based policies) can use the following table as a reference. The first column lists each AWS Signer API operation; the second column gives the action to specify in a policy's `Action` element. You can use the IAM policy elements in your Signer policies to express conditions. For a complete list, see [IAM JSON policy element reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*. 

**Note**  
To specify an action, use the `signer` prefix followed by the API operation name (for example, `signer:StartSigningJob`). 


**AWS Signer API Operations and Permissions**  

|  API Operation  |  Required Permissions (API Actions)  | 
| --- | --- | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_AddProfilePermission.html](https://docs.aws.amazon.com/signer/latest/api/API_AddProfilePermission.html)  |  `signer:AddProfilePermission`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html)  |  `signer:CancelSigningProfile`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_DescribeSigningJob.html](https://docs.aws.amazon.com/signer/latest/api/API_DescribeSigningJob.html)  |  `signer:DescribeSigningJob`  | 
| [https://docs.aws.amazon.com/signer/latest/api/API_GetRevocationStatus.html](https://docs.aws.amazon.com/signer/latest/api/API_GetRevocationStatus.html) |  `signer:GetRevocationStatus`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_GetSigningPlatform.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningPlatform.html)  |  `signer:GetSigningPlatform`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html)  |  `signer:GetSigningProfile`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_ListProfilePermissions.html](https://docs.aws.amazon.com/signer/latest/api/API_ListProfilePermissions.html)  |  `signer:ListProfilePermissions`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningJobs.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningJobs.html)  |  `signer:ListSigningJobs`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningPlatforms.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningPlatforms.html)  |  `signer:ListSigningPlatforms`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html](https://docs.aws.amazon.com/signer/latest/api/API_ListSigningProfiles.html)  |  `signer:ListSigningProfiles`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_ListTagsForResource.html](https://docs.aws.amazon.com/signer/latest/api/API_ListTagsForResource.html)  |  `signer:ListTagsForResource`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_PutSigningProfile.html)  |  `signer:PutSigningProfile`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_RemoveProfilePermission.html](https://docs.aws.amazon.com/signer/latest/api/API_RemoveProfilePermission.html)  |  `signer:RemoveProfilePermission`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_RevokeSignature.html](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSignature.html)  |  `signer:RevokeSignature`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html)  |  `signer:RevokeSigningProfile`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html](https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html)  | `signer:SignPayload` | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html](https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html)  |  `signer:StartSigningJob`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_TagResource.html](https://docs.aws.amazon.com/signer/latest/api/API_TagResource.html)  |  `signer:TagResource`  | 
|  [https://docs.aws.amazon.com/signer/latest/api/API_UntagResource.html](https://docs.aws.amazon.com/signer/latest/api/API_UntagResource.html)  |  `signer:UntagResource`  | 

For the actions `StartSigningJob`, `GetSigningProfile`, `CancelSigningProfile`, `RevokeSigningProfile`, and `SignPayload`, use the `signer:ProfileVersion` condition key to limit which version of a signing profile a principal has access to.


**AWS Signer API Condition Keys**  

|  Condition Key  |  Description  |  APIs  | 
| --- | --- | --- | 
|  `signer:ProfileVersion`  |  Limit access to a specific version of a signing profile  |  [StartSigningJob](https://docs.aws.amazon.com/signer/latest/api/API_StartSigningJob.html), [GetSigningProfile](https://docs.aws.amazon.com/signer/latest/api/API_GetSigningProfile.html), [CancelSigningProfile](https://docs.aws.amazon.com/signer/latest/api/API_CancelSigningProfile.html), [RevokeSigningProfile](https://docs.aws.amazon.com/signer/latest/api/API_RevokeSigningProfile.html), [SignPayload](https://docs.aws.amazon.com/signer/latest/api/API_SignPayload.html)  | 
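The table gives the complete set of `signer:` actions, which makes it practical to lint a policy before it is attached: an action name that is not in the table grants nothing (a mistyped name fails silently rather than loudly), a wildcard such as `signer:*` covers every action in the table and any added later, and a signing or profile-management action granted on `Resource: "*"` with no `Condition` reaches every profile in the account. The following added example (not an AWS tool) performs those three checks over constructed copies of the page's own policies plus a mistyped variant; which actions it treats as sensitive is the example's own assumption.

```python
"""Lint Signer identity-based policies against the action table above.

Added example, not an AWS tool. The action names are the ones listed in the
table on this page; which of them count as sensitive is this example's own
assumption. Findings are (statement index, code, message) tuples.
"""
import fnmatch

SIGNER_ACTIONS = {
    "AddProfilePermission", "CancelSigningProfile", "DescribeSigningJob",
    "GetRevocationStatus", "GetSigningPlatform", "GetSigningProfile",
    "ListProfilePermissions", "ListSigningJobs", "ListSigningPlatforms",
    "ListSigningProfiles", "ListTagsForResource", "PutSigningProfile",
    "RemoveProfilePermission", "RevokeSignature", "RevokeSigningProfile",
    "SignPayload", "StartSigningJob", "TagResource", "UntagResource",
}

# Actions that produce a signature or change what a profile can sign and who
# may use it. On Resource "*" with no Condition they reach every profile in
# the account. This grouping is the example's assumption, not AWS's.
SENSITIVE_ACTIONS = {
    "StartSigningJob", "SignPayload", "PutSigningProfile", "CancelSigningProfile",
    "AddProfilePermission", "RemoveProfilePermission",
    "RevokeSignature", "RevokeSigningProfile",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_action(entry):
    """Signer actions matched by one Action entry; None if it names another service."""
    service, sep, name = entry.partition(":")
    if not sep:
        if entry != "*":
            return set()            # no service prefix: not a valid action name
        service, name = "*", "*"
    if service.lower() not in ("signer", "*"):
        return None
    # IAM matches action names case-insensitively, with '*' and '?' wildcards.
    return {a for a in SIGNER_ACTIONS if fnmatch.fnmatchcase(a.lower(), name.lower())}


def lint_policy(policy):
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt["Resource"]) and "Condition" not in stmt
        for entry in _as_list(stmt["Action"]):
            matched = expand_action(entry)
            if matched is None:
                continue                # other services are out of scope here
            if not matched:
                findings.append((i, "UNKNOWN_ACTION",
                                 f"{entry!r} matches no Signer action and grants nothing"))
                continue
            if any(c in entry for c in "*?"):
                findings.append((i, "WILDCARD_ACTION",
                                 f"{entry!r} covers {len(matched)} Signer actions plus any added later"))
            hits = sorted(matched & SENSITIVE_ACTIONS)
            if unscoped and hits:
                findings.append((i, "UNSCOPED_SENSITIVE",
                                 f"{', '.join(hits)} allowed on Resource \"*\" with no Condition"))
    return findings


# Constructed samples: the page's all-profiles and one-profile Lambda policies,
# its full-access policy, and a mistyped variant.
PROFILE_ARN = "arn:aws:signer:us-east-1:444455556666:/signing-profiles/MySigningProfile"
LIST_ACTIONS = ["signer:ListSigningJobs", "signer:ListSigningProfiles", "signer:DescribeSigningJob"]
ALL_PROFILES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["signer:GetSigningProfile", "signer:StartSigningJob"] + LIST_ACTIONS}]}
ONE_PROFILE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": PROFILE_ARN,
     "Action": ["signer:GetSigningProfile", "signer:StartSigningJob"]},
    {"Effect": "Allow", "Resource": "*", "Action": LIST_ACTIONS}]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "signer:*", "Resource": "*"}]}
TYPO = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": PROFILE_ARN, "Action": "signer:StartSigningJobs"}]}

if __name__ == "__main__":
    for name, policy in [("all profiles", ALL_PROFILES), ("one profile", ONE_PROFILE),
                         ("full access", FULL_ACCESS), ("typo", TYPO)]:
        print(f"== {name}")
        for idx, code, msg in lint_policy(policy) or [(None, "OK", "no findings")]:
            print(f"  [{code}] statement {idx}: {msg}")
```

The all-profiles policy is flagged because it grants `StartSigningJob` on `"*"`, which is exactly what that policy intends; the finding is there so a reviewer confirms the intent rather than discovering it after a stray profile has been used to sign. The one-profile policy produces no findings.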