support code signing of assets


Related to https://github.com/aws/aws-cdk/pull/12656 , https://github.com/aws/aws-cdk/issues/12216

Create a Lambda SignedCode.fromAsset option that takes local code, uploads it to S3 and signs it using a specified AWS Signer profile.

Use Case

With PR https://github.com/aws/aws-cdk/pull/12656 Lambda now supports a code signing configuration. However, if the signing config is set to Enforce and local code (inline or from an asset path) is provided, the deployment will fail, as the code has not been signed:

      // v1 packages referenced by the linked PR
      import * as signer from '@aws-cdk/aws-signer';
      import * as lambda from '@aws-cdk/aws-lambda';

      const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', {
        platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
      });

      const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', {
        signingProfiles: [signingProfile],
        // ENFORCE rejects any deployment whose code was not signed by a listed profile
        untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE,
      });

      new lambda.Function(stack, 'MyLambda', {
        // fromAsset is a static factory method, not a constructor: no `new`
        code: lambda.Code.fromAsset(...),
        handler: 'index.handler',
        runtime: lambda.Runtime.NODEJS_10_X,
        codeSigningConfig,
      });

This feature would enable usage of local code and signing of the code, given permissions to the signing profile.

Proposed Solution

Having an option like

      new lambda.Function(stack, 'MyLambda', {
        // proposed static factory, used like Code.fromAsset (no `new`)
        code: lambda.SignedCode.fromAsset(...),
        handler: 'index.handler',
        runtime: lambda.Runtime.NODEJS_10_X,
        codeSigningConfig,
      });

would solve this issue.

Other

  1. This is how the SAM CLI does it
  2. The bootstrap bucket would need to have versioning enabled
  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

2 reactions
dontirun commented, Feb 28, 2021

I read the code around aws-lambda.Code, and I thought the following part is a good way to extend it.

https://github.com/aws/aws-cdk/blob/1fcdb6daf931147b8f33facb8ab9c9f80e5c9eee/packages/%40aws-cdk/core/lib/asset-staging.ts#L161-L169

In the case of aws-lambda-nodejs, the following values can be passed to the constructor of aws-lambda.Function to build the code with esbuild.

// One property of the aws-lambda.Function props that aws-lambda-nodejs builds
code: Code.fromAsset(path.dirname(options.depsLockFilePath), {
  assetHashType: cdk.AssetHashType.OUTPUT,
  bundling: new Bundling(options),  // the prop key is `bundling`, not `Bundling`
})

The build process is executed locally by default, but if the esbuild command is not available in the environment, it is executed in a compatible Docker container.

As for signatures, is it possible to rely on the local environment? Also, which tool should I rely on, AWS CLI, AWS SDK, etc.?

(Once we have a policy for implementation, I would like to start implementing it.)

I don’t think we need to touch the local bundling. The signing needs to occur after the object has been uploaded to the S3 bucket (I believe the upload is done here.) I believe an optimal approach is to follow what the SAM CLI does with their Python code:

  1. Add an optional parameter with the profile name (without the version)
  2. Start the signing job
  3. Use the built-in waiter for the signing job to complete.

In addition, the CDK bootstrap bucket would need to be changed to have versioning enabled (since Signer requires a versioned object in S3 to start a signing job).
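The three steps listed above (profile name, start the signing job, wait on the built-in waiter) together with the versioned-source requirement, as an added Python example that is not aws-cdk or SAM CLI code; the boto3 Signer call shapes are the real ones, while `FakeSignerClient`, the bucket and key names and the `dest_prefix` default are constructed here so the example runs offline.

```python
import uuid


def sign_s3_asset(client, bucket, key, version, profile_name, dest_prefix="signed/"):
    """Sign s3://bucket/key@version with AWS Signer and return (bucket, key)
    of the signed artifact Signer writes back. `client` is a boto3 Signer
    client (or any object with the same methods). Signer only accepts a
    versioned S3 object as the source, so an unversioned upload is rejected."""
    if not version:
        raise ValueError(f"s3://{bucket}/{key} has no version id; enable bucket versioning")
    resp = client.start_signing_job(
        source={"s3": {"bucketName": bucket, "key": key, "version": version}},
        destination={"s3": {"bucketName": bucket, "prefix": dest_prefix}},
        profileName=profile_name,  # profile name without its version, as above
        clientRequestToken=str(uuid.uuid4()),  # idempotency token
    )
    job_id = resp["jobId"]
    # Built-in waiter: polls describe_signing_job until the job leaves InProgress.
    client.get_waiter("successful_signing_job").wait(jobId=job_id)
    job = client.describe_signing_job(jobId=job_id)
    if job["status"] != "Succeeded":
        raise RuntimeError(f"signing job {job_id} ended in state {job['status']}")
    signed = job["signedObject"]["s3"]
    return signed["bucketName"], signed["key"]


class FakeSignerClient:
    """Constructed stand-in for boto3.client('signer'); records started jobs as Succeeded."""

    def __init__(self):
        self.jobs = {}

    def start_signing_job(self, source, destination, profileName, clientRequestToken):
        job_id = f"job-{len(self.jobs) + 1}"
        dest = destination["s3"]
        self.jobs[job_id] = {
            "jobId": job_id, "status": "Succeeded", "profileName": profileName,
            "source": source,
            "signedObject": {"s3": {"bucketName": dest["bucketName"],
                                     "key": f"{dest['prefix']}{job_id}.zip"}},
        }
        return {"jobId": job_id}

    def get_waiter(self, name):
        assert name == "successful_signing_job"
        return type("Waiter", (), {"wait": lambda self, **kwargs: None})()

    def describe_signing_job(self, jobId):
        return self.jobs[jobId]
```

In a real run, pass `boto3.client("signer")` as `client` and the version id returned by the S3 upload; the returned key is what a SignedCode asset would hand to the Function.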

0 reactions
nija-at commented, Mar 16, 2021

We currently don’t have the ability in the CDK to run an asynchronous job (i.e., the signing job) and use the result as an asset.

This requires additional design into the AWS CDK lifecycle. I’m moving this to the CDK RFC repo to manage the design work.

Unfortunately, we don’t have the bandwidth to work on this in the near future. However, if anyone is interested in writing the design, we’ll be happy to review and provide feedback.

