Hello,
we have a created a signing profile in AWS Signer a while ago. The profile is associated to a private key/certificate in the AWS Certificate Manager Service. What we do is the following: We upload arbitrary files to an S3 bucket which will trigger a lambda function using an S3 rule. The python lambda function will call the "StartSigningJob" operation using boto3:
# Sign the uploaded file
signing_job_result = self.__signer_client.start_signing_job(
    source={
        "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
    },
    destination={
        # bucketName receives "<bucket>/<folder>" here
        "s3": {"bucketName": f"{bucket_name}/{SIGNATURES_FOLDER_NAME}"}
    },
    profileName=self.signing_profile,
)
The lambda role contains the following permissions (in accordance with https://docs.aws.amazon.com/signer/latest/developerguide/gs-iam.html):
# S3 Permissions
- Effect: Allow
  Action:
    - "s3:Get*"
    - "s3:HeadObject"
    - "s3:List*"
    - "s3:PutObject"
    - "s3:PutObjectTagging"
  Resource: "arn:aws:s3:::${self:custom.filesBucketName}*"
- Effect: Allow
  Action:
    - "signer:StartSigningJob"
  Resource: "*"
This was working until last Thursday (18th of May 2023). However, since today (22nd of May 2023) we get the following error message:
An error occurred (AccessDeniedException) when calling the StartSigningJob operation: S3 bucket filemanager-prod-cces-bucket/signatures not accessible. Please check your permissions
Do you have any advice what could be the problem?
Ok thanks for your answer. I think I found out what the problem was. The format string f"{bucket_name}/{SIGNATURES_FOLDER_NAME}" was resolved to "filemanager-prod-cces-bucket/signatures" in the following snippet:
However, if I just change to the name of the bucket like this (without the SIGNATURES_FOLDER_NAME):
it's working fine.
I have double checked that we did not make any change to this code after 18th of May and I also double checked that it worked before. To me it seems as if the behavior of the --destination flag of the start_signing_job function has changed. Can you maybe confirm that a change has happened recently to this function?
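The destination shape the second post arrives at, written out as an added example (not code from this thread, from AWS, or from the poster's project): the bucket goes in `destination.s3.bucketName` on its own, and a folder such as `signatures/` goes in the separate `prefix` field that Signer's `StartSigningJob` API provides. The bucket and key names below are constructed for illustration, and the `StandInSignerClient` is an assumed stand-in for the boto3 Signer client so the example runs offline; it reproduces only the one check that matters here (a `bucketName` containing `/` is not a bucket that exists).

```python
"""Build a well-formed AWS Signer StartSigningJob request.

Added example, not code from the original thread. Bucket, key and
profile names are constructed; StandInSignerClient is a stand-in for
boto3's Signer client, so nothing here talks to AWS.
"""
import re
from typing import Any, Dict, Optional, Tuple

# S3 bucket naming rules (subset): 3-63 characters, lowercase letters,
# digits, dots and hyphens, starting and ending with a letter or digit.
# A "/" is never legal, which is why "bucket/folder" cannot be a bucket.
_BUCKET_RE = re.compile(r"^(?=.{3,63}$)[a-z0-9][a-z0-9.-]*[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """True if 'name' is a plain S3 bucket name with no key or prefix attached."""
    return bool(_BUCKET_RE.match(name)) and ".." not in name


def split_destination(target: str) -> Tuple[str, Optional[str]]:
    """Split 'bucket' or 'bucket/some/prefix/' into (bucket, prefix).

    Everything after the first slash is kept verbatim as the prefix, so pass
    'bucket/signatures/' (trailing slash) to get folder-like signed keys.
    Raises ValueError when the bucket part is not a legal bucket name.
    """
    bucket, _, prefix = target.partition("/")
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"invalid S3 bucket name: {bucket!r}")
    return bucket, (prefix or None)


def build_signing_request(
    source_bucket: str, key: str, version: str, dest_target: str, profile_name: str
) -> Dict[str, Any]:
    """Return the keyword arguments for signer.start_signing_job(**request)."""
    dest_bucket, prefix = split_destination(dest_target)
    dest: Dict[str, str] = {"bucketName": dest_bucket}
    if prefix:
        # Signer prepends this prefix to the signed object's key.
        dest["prefix"] = prefix
    return {
        "source": {"s3": {"bucketName": source_bucket, "key": key, "version": version}},
        "destination": {"s3": dest},
        "profileName": profile_name,
    }


class StandInSignerClient:
    """Assumed stand-in for boto3's Signer client (offline only).

    It mimics the single behaviour relevant to the thread: a destination
    bucketName that is not a legal bucket name is rejected with the same
    wording the real service returned.
    """

    def start_signing_job(self, **kwargs: Any) -> Dict[str, str]:
        bucket = kwargs["destination"]["s3"]["bucketName"]
        if not is_valid_bucket_name(bucket):
            raise PermissionError(
                f"S3 bucket {bucket} not accessible. Please check your permissions"
            )
        # Constructed response values; the real API returns jobId and jobOwner.
        return {"jobId": "job-example-0001", "jobOwner": "123456789012"}


def submit_signing_job(
    client: Any, source_bucket: str, key: str, version: str, dest_target: str, profile_name: str
) -> Dict[str, str]:
    """Validate the destination locally, then submit the job."""
    request = build_signing_request(source_bucket, key, version, dest_target, profile_name)
    return client.start_signing_job(**request)


if __name__ == "__main__":
    client = StandInSignerClient()
    # Broken shape from the first post: folder glued onto the bucket name.
    try:
        client.start_signing_job(
            source={"s3": {"bucketName": "example-files-bucket", "key": "fw.bin", "version": "1"}},
            destination={"s3": {"bucketName": "example-files-bucket/signatures"}},
            profileName="example-profile",
        )
    except PermissionError as exc:
        print("rejected:", exc)
    # Corrected shape: bucket in bucketName, folder in prefix.
    print(submit_signing_job(client, "example-files-bucket", "fw.bin", "1",
                             "example-files-bucket/signatures/", "example-profile"))
```

Checking the bucket name before the call turns the service's generic "not accessible" message into a precise local error, and keeping the prefix in its own field means the IAM resource `arn:aws:s3:::<bucket>*` in the role above still matches both the bucket and the signed objects written under the prefix.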