Signing S3 objects using signing profile not working anymore


Hello,

we have created a signing profile in AWS Signer a while ago. The profile is associated with a private key/certificate in AWS Certificate Manager. What we do is the following: we upload arbitrary files to an S3 bucket, which triggers a Lambda function using an S3 rule. The Python Lambda function calls the "StartSigningJob" operation using boto3:

    # Sign the uploaded file
    signing_job_result = self.__signer_client.start_signing_job(
        source={
            "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
        },
        destination={
            "s3": {"bucketName": f"{bucket_name}/{SIGNATURES_FOLDER_NAME}"}
        },
        profileName=self.signing_profile,
    )

The Lambda role contains the following permissions (in accordance with https://docs.aws.amazon.com/signer/latest/developerguide/gs-iam.html):

    # S3 Permissions
    - Effect: Allow
      Action:
        - "s3:Get*"
        - "s3:HeadObject"
        - "s3:List*"
        - "s3:PutObject"
        - "s3:PutObjectTagging"
      Resource: "arn:aws:s3:::${self:custom.filesBucketName}*"
    - Effect: Allow
      Action:
        - "signer:StartSigningJob"
      Resource: "*"

This was working until last Thursday (18th of May 2023). However, since today (22nd of May 2023) we get the following error message:

An error occurred (AccessDeniedException) when calling the StartSigningJob operation: S3 bucket filemanager-prod-cces-bucket/signatures not accessible. Please check your permissions

Do you have any advice what could be the problem?

asked a year ago · 280 views
1 Answer

You must verify the following:

  • S3 Bucket Policies
  • Lambda Execution Role (If someone made changes)
  • Signer Profile Expiration.
AWS
vtjean
answered a year ago
  • OK, thanks for your answer. I think I found out what the problem was. The format string f"{bucket_name}/{SIGNATURES_FOLDER_NAME}" was resolved to "filemanager-prod-cces-bucket/signatures" in the following snippet:

        signing_job_result = self.__signer_client.start_signing_job(
            source={
                "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
            },
            destination={
                "s3": {"bucketName": f"{bucket_name}/{SIGNATURES_FOLDER_NAME}"}
            },
            profileName=self.signing_profile,
        )


    However, if I just change to the name of the bucket like this (without the SIGNATURES_FOLDER_NAME):

        signing_job_result = self.__signer_client.start_signing_job(
            source={
                "s3": {"bucketName": bucket_name, "key": object_key, "version": version}
            },
            destination={
                "s3": {"bucketName": f"{bucket_name}"}
            },
            profileName=self.signing_profile,
        )


    it's working fine.

    I have double-checked that we did not make any change to this code after the 18th of May, and I also double-checked that it worked before. To me it seems as if the behavior of the --destination flag of the start_signing_job function has changed. Can you maybe confirm that a change has happened recently to this function?
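The thread above ends with the destination written as the bare bucket name, which puts the signature objects at the root of the bucket rather than under the intended folder. The following is an added example (not the poster's code and not from the AWS documentation) of how the same call can keep the folder: `destination.s3.bucketName` stays the bucket name, and the folder goes in `destination.s3.prefix`, which is the other field of boto3's S3 destination structure for `start_signing_job`. A small validation function rejects a `"bucket/folder"` value before it reaches the API. The event payload, the bucket name, the `SIGNATURES_PREFIX` constant, the `SIGNING_PROFILE_NAME` environment variable and the `FakeSigner` stand-in are all constructed for the example.

```python
"""Added example, not the original poster's code: keep the destination bucket name
bare and put the "signatures" folder in destination.s3.prefix. The event payload,
bucket name, FakeSigner and the env var name are constructed for this demo."""
import os
from urllib.parse import unquote_plus

# Assumed folder name; the post's code calls it SIGNATURES_FOLDER_NAME.
SIGNATURES_PREFIX = "signatures/"


def validate_bucket_name(bucket_name: str) -> str:
    """Fail fast on a value that is really 'bucket/folder' instead of a bucket name."""
    if not bucket_name or "/" in bucket_name:
        raise ValueError(f"bucketName must be a bare bucket name, got {bucket_name!r}")
    return bucket_name


def build_signing_job_request(bucket_name, object_key, version_id, profile_name,
                              signatures_prefix=SIGNATURES_PREFIX):
    """Return the kwargs for signer.start_signing_job(**request).

    destination.s3.bucketName is the bucket only; the folder goes in destination.s3.prefix.
    """
    validate_bucket_name(bucket_name)
    if not version_id:
        # Signer reads a specific object version, so the source bucket must be versioned.
        raise ValueError(f"no versionId for s3://{bucket_name}/{object_key}")
    return {
        "source": {"s3": {"bucketName": bucket_name, "key": object_key, "version": version_id}},
        "destination": {"s3": {"bucketName": bucket_name, "prefix": signatures_prefix}},
        "profileName": profile_name,
    }


def handle_record(record, signer_client, profile_name, signatures_prefix=SIGNATURES_PREFIX):
    """Start a signing job for one S3 event record; return its jobId, or None if skipped."""
    s3 = record["s3"]
    bucket = s3["bucket"]["name"]
    key = unquote_plus(s3["object"]["key"])  # object keys in S3 events are URL-encoded
    if key.startswith(signatures_prefix):
        # Signatures land in the same bucket, so they fire the upload trigger too.
        # Skip them, otherwise the function keeps signing its own output.
        return None
    request = build_signing_job_request(bucket, key, s3["object"].get("versionId"),
                                        profile_name, signatures_prefix)
    return signer_client.start_signing_job(**request)["jobId"]


def lambda_handler(event, context, signer_client=None):
    """Lambda entry point: start one signing job per uploaded object in the event."""
    if signer_client is None:
        import boto3  # imported here so the module also loads without boto3 for local tests
        signer_client = boto3.client("signer")
    profile_name = os.environ["SIGNING_PROFILE_NAME"]  # assumed env var name
    jobs = [handle_record(r, signer_client, profile_name) for r in event["Records"]]
    return [job for job in jobs if job is not None]


class FakeSigner:
    """Stand-in for the boto3 signer client that records the requests it receives."""

    def __init__(self):
        self.requests = []

    def start_signing_job(self, **kwargs):
        self.requests.append(kwargs)
        return {"jobId": f"job-{len(self.requests):04d}"}


def sample_event(bucket="example-files-bucket", key="uploads/report.pdf", version="v1"):
    """Constructed S3 put-event record with just the fields handle_record reads."""
    return {"Records": [{"s3": {"bucket": {"name": bucket},
                                "object": {"key": key, "versionId": version}}}]}


if __name__ == "__main__":
    fake = FakeSigner()
    print(handle_record(sample_event()["Records"][0], fake, "my-profile"))
    print(fake.requests[0]["destination"])
```

`handle_record` also skips objects that already sit under the signatures prefix: with source and destination in the same bucket, every signature Signer writes is itself an upload that fires the S3 rule, so without that guard (or a prefix filter on the S3 event rule) the function would sign its own output indefinitely.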
