AWS CDK Signer Construct Library
The `aws-cdk-aws-signer` library provides AWS Cloud Development Kit (CDK) constructs for defining AWS Signer resources. It simplifies the creation and management of signing profiles, allowing you to sign code and artifacts with robust cryptographic integrity. This entry reflects version 1.204.0, part of the CDK v1 series, which typically follows a rapid release cadence with new features and bug fixes.
Common errors
- `ModuleNotFoundError: No module named 'aws_cdk.aws_signer'`
  - cause: The `aws-cdk-aws-signer` package is not installed, or you are working in a CDK v2 project, where `aws_signer` ships inside the `aws-cdk-lib` package instead of a separate distribution.
  - fix: Ensure the package is installed: `pip install aws-cdk-aws-signer`. If using CDK v2, install `aws-cdk-lib` instead and import with `from aws_cdk import aws_signer`.
- `jsii.errors.JSIIError: SigningProfile: platform is required`
  - cause: The `platform` property was not provided when instantiating a `SigningProfile` construct, which is a mandatory parameter.
  - fix: Add the `platform` argument with a valid `signer.Platform` enum value, e.g., `platform=signer.Platform.AWS_LAMBDA_SHA384_ECDSA`.
- `Failed to create change set for the stack SignerStack: The security token included in the request is invalid.`
  - cause: The AWS credentials configured for CDK deployment lack sufficient permissions to create AWS Signer resources or associated IAM roles.
  - fix: Ensure the IAM user or role used for CDK deployment has permissions for `signer:*` actions, especially `signer:PutSigningProfile`, `signer:GetSigningProfile`, and `iam:*` for role creation. Review CloudFormation event logs for specific permission failures.
Warnings
- breaking This library (`aws-cdk-aws-signer`) is part of AWS CDK v1. It is not compatible with AWS CDK v2 (`aws-cdk-lib`) out-of-the-box. Attempting to use v1 constructs directly in a v2 application will lead to `ModuleNotFoundError` or `jsii` compatibility issues.
- gotcha AWS Signer is not available in all AWS Regions. Attempting to deploy Signer resources in an unsupported region will result in deployment failures (e.g., 'ResourceNotFoundException' or 'InvalidRegionException').
- gotcha The `platform` property is mandatory for `signer.SigningProfile` and determines the type of code/artifact that can be signed. Using an incorrect platform or omitting it will lead to deployment errors or functional issues.
- gotcha The `signature_validity` property defines how long a signature created by the profile remains valid. If this duration is too short, signed artifacts might expire prematurely; if too long, it might pose a security risk. The default validity is often not suitable for all use cases.
Install
- `pip install aws-cdk-aws-signer`
Imports
- aws_signer: `from aws_cdk import aws_signer`
- Platform: `from aws_cdk.aws_signer import Platform`
- SigningProfile: `from aws_cdk.aws_signer import SigningProfile`
Quickstart
```python
from aws_cdk import core as cdk  # CDK v1 core module (App, Stack, Duration)
from aws_cdk import aws_signer as signer

app = cdk.App()
stack = cdk.Stack(app, "MySignerStack")

# Create an AWS Signer Signing Profile
signing_profile = signer.SigningProfile(
    stack, "MySigningProfile",
    platform=signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
    signature_validity=cdk.Duration.days(30),
)

# Expose the profile ARN as a stack output
cdk.CfnOutput(stack, "SigningProfileArn", value=signing_profile.signing_profile_arn)

app.synth()
```
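The `platform` and `signature_validity` gotchas listed under Warnings can be checked before deployment by linting the CloudFormation template that `cdk synth` produces. The following is an added example, not part of the library or its documentation; the 7 to 400 day bounds, the month/year conversion factors and the sample template are assumptions constructed for illustration.

```python
import json

# Policy bounds in days: assumptions for this example, not AWS or CDK defaults.
MIN_DAYS, MAX_DAYS = 7, 400
DAYS_PER_UNIT = {"DAYS": 1, "MONTHS": 30, "YEARS": 365}  # approximate conversion


def check_signing_profiles(template):
    """Return one finding per violation in AWS::Signer::SigningProfile resources."""
    findings = []
    for logical_id, res in sorted(template.get("Resources", {}).items()):
        if res.get("Type") != "AWS::Signer::SigningProfile":
            continue
        props = res.get("Properties", {})
        if not props.get("PlatformId"):
            findings.append(f"{logical_id}: PlatformId is missing")
        validity = props.get("SignatureValidityPeriod")
        if not isinstance(validity, dict):
            findings.append(f"{logical_id}: SignatureValidityPeriod is not set explicitly")
            continue
        unit, value = validity.get("Type"), validity.get("Value")
        # Value may be an intrinsic such as {"Ref": ...}; that cannot be judged offline.
        if unit not in DAYS_PER_UNIT or type(value) is not int or value <= 0:
            findings.append(f"{logical_id}: cannot evaluate validity {validity!r}")
            continue
        days = value * DAYS_PER_UNIT[unit]
        if not MIN_DAYS <= days <= MAX_DAYS:
            findings.append(f"{logical_id}: validity of ~{days} days is outside {MIN_DAYS}-{MAX_DAYS}")
    return findings


# Constructed sample shaped like a synthesized template (logical IDs are made up).
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "GoodProfile": {"Type": "AWS::Signer::SigningProfile", "Properties": {
    "PlatformId": "AWSLambda-SHA384-ECDSA",
    "SignatureValidityPeriod": {"Type": "DAYS", "Value": 30}}},
  "LongLivedProfile": {"Type": "AWS::Signer::SigningProfile", "Properties": {
    "PlatformId": "AWSLambda-SHA384-ECDSA",
    "SignatureValidityPeriod": {"Type": "MONTHS", "Value": 135}}},
  "NoPlatformProfile": {"Type": "AWS::Signer::SigningProfile", "Properties": {
    "SignatureValidityPeriod": {"Type": "DAYS", "Value": 1}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")

if __name__ == "__main__":
    for finding in check_signing_profiles(SAMPLE_TEMPLATE):
        print(finding)
```

In a pipeline, load the template JSON from the `cdk.out` directory and fail the build when the returned list is non-empty.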