Description
Problem Statement
In updating our lambdas to use lambda code-signing I've run into the issue that the Sentry lambda layer is not signed and therefore cannot be used in a code-signed lambda.
Please release a code-signed lambda and with it the version_arn of the signing profile so that we can use the lambda layer in code-signed lambdas.
Solution Brainstorm
See here for reference: https://aws.amazon.com/blogs/security/best-practices-and-advanced-patterns-for-lambda-code-signing/
In particular, if you scroll down to the section about using lambda layers in code-signed lambdas, it is possible so long as the layer is signed and the code signing config includes the signing profile version arn of the publisher in the allowed publishers:

```bash
aws lambda create-code-signing-config \
    --description "Allow layers from publisher" \
    --allowed-publishers SigningProfileVersionArns="<publisher-signing-profile-version-arn>,<consumer-signing-profile-version-arn>" \
    --code-signing-policies "UntrustedArtifactOnDeployment"="Enforce"
```
In terraform we would have something like this:

```hcl
resource "aws_signer_signing_profile" "signing" {
  platform_id = "AWSLambda-SHA384-ECDSA"
}

resource "aws_lambda_code_signing_config" "signing" {
  allowed_publishers {
    signing_profile_version_arns = [
      aws_signer_signing_profile.signing.version_arn,
      <version_arn for the signing profile of the Sentry Lambda layer>
    ]
  }

  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }

  depends_on = [aws_signer_signing_profile.signing]
}
```
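As an added example (not code from the issue author, Sentry or AWS), here is a small pre-deployment check that applies the rule above offline: given data shaped like boto3's `get_code_signing_config()` and `get_layer_version()` responses, it lists which attached layer versions the `UntrustedArtifactOnDeployment` policy would reject or warn about. The ARNs and response contents are constructed samples and the `check_layers` helper is hypothetical.

```python
from typing import Dict, List, Tuple

# Constructed sample, shaped like boto3 lambda.get_code_signing_config():
# our own signing profile version is the only allowed publisher.
SAMPLE_CSC = {
    "CodeSigningConfig": {
        "AllowedPublishers": {"SigningProfileVersionArns": [
            "arn:aws:signer:eu-west-1:111111111111:/signing-profiles/consumer/AbCdEf1234"]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce"},
    }
}

# Constructed sample layer versions, shaped like boto3 lambda.get_layer_version().
# A layer published without a signing job has no Content.SigningProfileVersionArn,
# which is the situation the issue describes for the Sentry layer.
SAMPLE_LAYERS = {
    "arn:aws:lambda:eu-west-1:222222222222:layer:unsigned-layer:1": {
        "Content": {"CodeSha256": "<placeholder>"}},
    "arn:aws:lambda:eu-west-1:111111111111:layer:our-layer:3": {
        "Content": {"SigningProfileVersionArn":
                    "arn:aws:signer:eu-west-1:111111111111:/signing-profiles/consumer/AbCdEf1234"}},
    "arn:aws:lambda:eu-west-1:333333333333:layer:other-vendor:7": {
        "Content": {"SigningProfileVersionArn":
                    "arn:aws:signer:eu-west-1:333333333333:/signing-profiles/vendor/ZyXw9876"}},
}


def check_layers(csc: dict, layers: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """Return (rejected, warnings) for the layer versions a function attaches.

    Under Enforce an untrusted layer blocks the deployment, so it lands in
    `rejected`; under Warn the deployment proceeds and it lands in `warnings`.
    """
    cfg = csc["CodeSigningConfig"]
    allowed = set(cfg["AllowedPublishers"]["SigningProfileVersionArns"])
    enforce = cfg["CodeSigningPolicies"]["UntrustedArtifactOnDeployment"] == "Enforce"
    rejected, warnings = [], []
    for layer_arn, version in layers.items():
        profile = version.get("Content", {}).get("SigningProfileVersionArn")
        if profile is None:
            reason = f"{layer_arn}: layer version is not signed"
        elif profile not in allowed:
            reason = f"{layer_arn}: signed by {profile}, not in AllowedPublishers"
        else:
            continue  # signed by an allowed publisher: trusted
        (rejected if enforce else warnings).append(reason)
    return rejected, warnings
```

Running it against the samples shows why the issue matters: the unsigned layer and the layer signed by an unlisted profile are both rejected, while the layer signed by a listed profile is trusted.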
On this page where you share the arn of the lambda layer, it could also include the version_arn of the signing profile: https://docs.sentry.io/platforms/javascript/guides/aws-lambda/layer/