1. Packages
  2. AWS
  3. API Docs
  4. lambda
  5. CodeSigningConfig
AWS v7.4.0 published on Wednesday, Aug 13, 2025 by Pulumi

aws.lambda.CodeSigningConfig

Explore with Pulumi AI

aws logo
AWS v7.4.0 published on Wednesday, Aug 13, 2025 by Pulumi

    Manages an AWS Lambda Code Signing Config. Use this resource to define allowed signing profiles and code-signing validation policies for Lambda functions to ensure code integrity and authenticity.

    For information about Lambda code signing configurations and how to use them, see configuring code signing for Lambda functions.

    Example Usage

    Basic Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Create signing profiles for different environments
    const prod = new aws.signer.SigningProfile("prod", {
        platformId: "AWSLambda-SHA384-ECDSA",
        namePrefix: "prod_lambda_",
        tags: {
            Environment: "production",
        },
    });
    const dev = new aws.signer.SigningProfile("dev", {
        platformId: "AWSLambda-SHA384-ECDSA",
        namePrefix: "dev_lambda_",
        tags: {
            Environment: "development",
        },
    });
    // Code signing configuration with enforcement
    const example = new aws.lambda.CodeSigningConfig("example", {
        description: "Code signing configuration for Lambda functions",
        allowedPublishers: {
            signingProfileVersionArns: [
                prod.versionArn,
                dev.versionArn,
            ],
        },
        policies: {
            untrustedArtifactOnDeployment: "Enforce",
        },
        tags: {
            Environment: "production",
            Purpose: "code-signing",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Create signing profiles for different environments
    prod = aws.signer.SigningProfile("prod",
        platform_id="AWSLambda-SHA384-ECDSA",
        name_prefix="prod_lambda_",
        tags={
            "Environment": "production",
        })
    dev = aws.signer.SigningProfile("dev",
        platform_id="AWSLambda-SHA384-ECDSA",
        name_prefix="dev_lambda_",
        tags={
            "Environment": "development",
        })
    # Code signing configuration with enforcement
    example = aws.lambda_.CodeSigningConfig("example",
        description="Code signing configuration for Lambda functions",
        allowed_publishers={
            "signing_profile_version_arns": [
                prod.version_arn,
                dev.version_arn,
            ],
        },
        policies={
            "untrusted_artifact_on_deployment": "Enforce",
        },
        tags={
            "Environment": "production",
            "Purpose": "code-signing",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
    	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/signer"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Create signing profiles for different environments
    		prod, err := signer.NewSigningProfile(ctx, "prod", &signer.SigningProfileArgs{
    			PlatformId: pulumi.String("AWSLambda-SHA384-ECDSA"),
    			NamePrefix: pulumi.String("prod_lambda_"),
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("production"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		dev, err := signer.NewSigningProfile(ctx, "dev", &signer.SigningProfileArgs{
    			PlatformId: pulumi.String("AWSLambda-SHA384-ECDSA"),
    			NamePrefix: pulumi.String("dev_lambda_"),
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("development"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Code signing configuration with enforcement
    		_, err = lambda.NewCodeSigningConfig(ctx, "example", &lambda.CodeSigningConfigArgs{
    			Description: pulumi.String("Code signing configuration for Lambda functions"),
    			AllowedPublishers: &lambda.CodeSigningConfigAllowedPublishersArgs{
    				SigningProfileVersionArns: pulumi.StringArray{
    					prod.VersionArn,
    					dev.VersionArn,
    				},
    			},
    			Policies: &lambda.CodeSigningConfigPoliciesArgs{
    				UntrustedArtifactOnDeployment: pulumi.String("Enforce"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("production"),
    				"Purpose":     pulumi.String("code-signing"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Create signing profiles for different environments
        var prod = new Aws.Signer.SigningProfile("prod", new()
        {
            PlatformId = "AWSLambda-SHA384-ECDSA",
            NamePrefix = "prod_lambda_",
            Tags = 
            {
                { "Environment", "production" },
            },
        });
    
        var dev = new Aws.Signer.SigningProfile("dev", new()
        {
            PlatformId = "AWSLambda-SHA384-ECDSA",
            NamePrefix = "dev_lambda_",
            Tags = 
            {
                { "Environment", "development" },
            },
        });
    
        // Code signing configuration with enforcement
        var example = new Aws.Lambda.CodeSigningConfig("example", new()
        {
            Description = "Code signing configuration for Lambda functions",
            AllowedPublishers = new Aws.Lambda.Inputs.CodeSigningConfigAllowedPublishersArgs
            {
                SigningProfileVersionArns = new[]
                {
                    prod.VersionArn,
                    dev.VersionArn,
                },
            },
            Policies = new Aws.Lambda.Inputs.CodeSigningConfigPoliciesArgs
            {
                UntrustedArtifactOnDeployment = "Enforce",
            },
            Tags = 
            {
                { "Environment", "production" },
                { "Purpose", "code-signing" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.signer.SigningProfile;
    import com.pulumi.aws.signer.SigningProfileArgs;
    import com.pulumi.aws.lambda.CodeSigningConfig;
    import com.pulumi.aws.lambda.CodeSigningConfigArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigAllowedPublishersArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigPoliciesArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Create signing profiles for different environments
            var prod = new SigningProfile("prod", SigningProfileArgs.builder()
                .platformId("AWSLambda-SHA384-ECDSA")
                .namePrefix("prod_lambda_")
                .tags(Map.of("Environment", "production"))
                .build());
    
            var dev = new SigningProfile("dev", SigningProfileArgs.builder()
                .platformId("AWSLambda-SHA384-ECDSA")
                .namePrefix("dev_lambda_")
                .tags(Map.of("Environment", "development"))
                .build());
    
            // Code signing configuration with enforcement
            var example = new CodeSigningConfig("example", CodeSigningConfigArgs.builder()
                .description("Code signing configuration for Lambda functions")
                .allowedPublishers(CodeSigningConfigAllowedPublishersArgs.builder()
                    .signingProfileVersionArns(                
                        prod.versionArn(),
                        dev.versionArn())
                    .build())
                .policies(CodeSigningConfigPoliciesArgs.builder()
                    .untrustedArtifactOnDeployment("Enforce")
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Environment", "production"),
                    Map.entry("Purpose", "code-signing")
                ))
                .build());
    
        }
    }
    
    resources:
      # Create signing profiles for different environments
      prod:
        type: aws:signer:SigningProfile
        properties:
          platformId: AWSLambda-SHA384-ECDSA
          namePrefix: prod_lambda_
          tags:
            Environment: production
      dev:
        type: aws:signer:SigningProfile
        properties:
          platformId: AWSLambda-SHA384-ECDSA
          namePrefix: dev_lambda_
          tags:
            Environment: development
      # Code signing configuration with enforcement
      example:
        type: aws:lambda:CodeSigningConfig
        properties:
          description: Code signing configuration for Lambda functions
          allowedPublishers:
            signingProfileVersionArns:
              - ${prod.versionArn}
              - ${dev.versionArn}
          policies:
            untrustedArtifactOnDeployment: Enforce
          tags:
            Environment: production
            Purpose: code-signing
    

    Warning Only Configuration

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.lambda.CodeSigningConfig("example", {
        description: "Development code signing configuration",
        allowedPublishers: {
            signingProfileVersionArns: [dev.versionArn],
        },
        policies: {
            untrustedArtifactOnDeployment: "Warn",
        },
        tags: {
            Environment: "development",
            Purpose: "code-signing",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.lambda_.CodeSigningConfig("example",
        description="Development code signing configuration",
        allowed_publishers={
            "signing_profile_version_arns": [dev["versionArn"]],
        },
        policies={
            "untrusted_artifact_on_deployment": "Warn",
        },
        tags={
            "Environment": "development",
            "Purpose": "code-signing",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := lambda.NewCodeSigningConfig(ctx, "example", &lambda.CodeSigningConfigArgs{
    			Description: pulumi.String("Development code signing configuration"),
    			AllowedPublishers: &lambda.CodeSigningConfigAllowedPublishersArgs{
    				SigningProfileVersionArns: pulumi.StringArray{
    					dev.VersionArn,
    				},
    			},
    			Policies: &lambda.CodeSigningConfigPoliciesArgs{
    				UntrustedArtifactOnDeployment: pulumi.String("Warn"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("development"),
    				"Purpose":     pulumi.String("code-signing"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Lambda.CodeSigningConfig("example", new()
        {
            Description = "Development code signing configuration",
            AllowedPublishers = new Aws.Lambda.Inputs.CodeSigningConfigAllowedPublishersArgs
            {
                SigningProfileVersionArns = new[]
                {
                    dev.VersionArn,
                },
            },
            Policies = new Aws.Lambda.Inputs.CodeSigningConfigPoliciesArgs
            {
                UntrustedArtifactOnDeployment = "Warn",
            },
            Tags = 
            {
                { "Environment", "development" },
                { "Purpose", "code-signing" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lambda.CodeSigningConfig;
    import com.pulumi.aws.lambda.CodeSigningConfigArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigAllowedPublishersArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigPoliciesArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new CodeSigningConfig("example", CodeSigningConfigArgs.builder()
                .description("Development code signing configuration")
                .allowedPublishers(CodeSigningConfigAllowedPublishersArgs.builder()
                    .signingProfileVersionArns(dev.versionArn())
                    .build())
                .policies(CodeSigningConfigPoliciesArgs.builder()
                    .untrustedArtifactOnDeployment("Warn")
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Environment", "development"),
                    Map.entry("Purpose", "code-signing")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:lambda:CodeSigningConfig
        properties:
          description: Development code signing configuration
          allowedPublishers:
            signingProfileVersionArns:
              - ${dev.versionArn}
          policies:
            untrustedArtifactOnDeployment: Warn
          tags:
            Environment: development
            Purpose: code-signing
    

    Multiple Environment Configuration

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Production signing configuration
    const prod = new aws.lambda.CodeSigningConfig("prod", {
        description: "Production code signing configuration with strict enforcement",
        allowedPublishers: {
            signingProfileVersionArns: [prodAwsSignerSigningProfile.versionArn],
        },
        policies: {
            untrustedArtifactOnDeployment: "Enforce",
        },
        tags: {
            Environment: "production",
            Security: "strict",
        },
    });
    // Development signing configuration
    const dev = new aws.lambda.CodeSigningConfig("dev", {
        description: "Development code signing configuration with warnings",
        allowedPublishers: {
            signingProfileVersionArns: [
                devAwsSignerSigningProfile.versionArn,
                test.versionArn,
            ],
        },
        policies: {
            untrustedArtifactOnDeployment: "Warn",
        },
        tags: {
            Environment: "development",
            Security: "flexible",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Production signing configuration
    prod = aws.lambda_.CodeSigningConfig("prod",
        description="Production code signing configuration with strict enforcement",
        allowed_publishers={
            "signing_profile_version_arns": [prod_aws_signer_signing_profile["versionArn"]],
        },
        policies={
            "untrusted_artifact_on_deployment": "Enforce",
        },
        tags={
            "Environment": "production",
            "Security": "strict",
        })
    # Development signing configuration
    dev = aws.lambda_.CodeSigningConfig("dev",
        description="Development code signing configuration with warnings",
        allowed_publishers={
            "signing_profile_version_arns": [
                dev_aws_signer_signing_profile["versionArn"],
                test["versionArn"],
            ],
        },
        policies={
            "untrusted_artifact_on_deployment": "Warn",
        },
        tags={
            "Environment": "development",
            "Security": "flexible",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Production signing configuration
    		_, err := lambda.NewCodeSigningConfig(ctx, "prod", &lambda.CodeSigningConfigArgs{
    			Description: pulumi.String("Production code signing configuration with strict enforcement"),
    			AllowedPublishers: &lambda.CodeSigningConfigAllowedPublishersArgs{
    				SigningProfileVersionArns: pulumi.StringArray{
    					prodAwsSignerSigningProfile.VersionArn,
    				},
    			},
    			Policies: &lambda.CodeSigningConfigPoliciesArgs{
    				UntrustedArtifactOnDeployment: pulumi.String("Enforce"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("production"),
    				"Security":    pulumi.String("strict"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		// Development signing configuration
    		_, err = lambda.NewCodeSigningConfig(ctx, "dev", &lambda.CodeSigningConfigArgs{
    			Description: pulumi.String("Development code signing configuration with warnings"),
    			AllowedPublishers: &lambda.CodeSigningConfigAllowedPublishersArgs{
    				SigningProfileVersionArns: pulumi.StringArray{
    					devAwsSignerSigningProfile.VersionArn,
    					test.VersionArn,
    				},
    			},
    			Policies: &lambda.CodeSigningConfigPoliciesArgs{
    				UntrustedArtifactOnDeployment: pulumi.String("Warn"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("development"),
    				"Security":    pulumi.String("flexible"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Production signing configuration
        var prod = new Aws.Lambda.CodeSigningConfig("prod", new()
        {
            Description = "Production code signing configuration with strict enforcement",
            AllowedPublishers = new Aws.Lambda.Inputs.CodeSigningConfigAllowedPublishersArgs
            {
                SigningProfileVersionArns = new[]
                {
                    prodAwsSignerSigningProfile.VersionArn,
                },
            },
            Policies = new Aws.Lambda.Inputs.CodeSigningConfigPoliciesArgs
            {
                UntrustedArtifactOnDeployment = "Enforce",
            },
            Tags = 
            {
                { "Environment", "production" },
                { "Security", "strict" },
            },
        });
    
        // Development signing configuration
        var dev = new Aws.Lambda.CodeSigningConfig("dev", new()
        {
            Description = "Development code signing configuration with warnings",
            AllowedPublishers = new Aws.Lambda.Inputs.CodeSigningConfigAllowedPublishersArgs
            {
                SigningProfileVersionArns = new[]
                {
                    devAwsSignerSigningProfile.VersionArn,
                    test.VersionArn,
                },
            },
            Policies = new Aws.Lambda.Inputs.CodeSigningConfigPoliciesArgs
            {
                UntrustedArtifactOnDeployment = "Warn",
            },
            Tags = 
            {
                { "Environment", "development" },
                { "Security", "flexible" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lambda.CodeSigningConfig;
    import com.pulumi.aws.lambda.CodeSigningConfigArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigAllowedPublishersArgs;
    import com.pulumi.aws.lambda.inputs.CodeSigningConfigPoliciesArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            // Production signing configuration
            var prod = new CodeSigningConfig("prod", CodeSigningConfigArgs.builder()
                .description("Production code signing configuration with strict enforcement")
                .allowedPublishers(CodeSigningConfigAllowedPublishersArgs.builder()
                    .signingProfileVersionArns(prodAwsSignerSigningProfile.versionArn())
                    .build())
                .policies(CodeSigningConfigPoliciesArgs.builder()
                    .untrustedArtifactOnDeployment("Enforce")
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Environment", "production"),
                    Map.entry("Security", "strict")
                ))
                .build());
    
            // Development signing configuration
            var dev = new CodeSigningConfig("dev", CodeSigningConfigArgs.builder()
                .description("Development code signing configuration with warnings")
                .allowedPublishers(CodeSigningConfigAllowedPublishersArgs.builder()
                    .signingProfileVersionArns(                
                        devAwsSignerSigningProfile.versionArn(),
                        test.versionArn())
                    .build())
                .policies(CodeSigningConfigPoliciesArgs.builder()
                    .untrustedArtifactOnDeployment("Warn")
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Environment", "development"),
                    Map.entry("Security", "flexible")
                ))
                .build());
    
        }
    }
    
    resources:
      # Production signing configuration
      prod:
        type: aws:lambda:CodeSigningConfig
        properties:
          description: Production code signing configuration with strict enforcement
          allowedPublishers:
            signingProfileVersionArns:
              - ${prodAwsSignerSigningProfile.versionArn}
          policies:
            untrustedArtifactOnDeployment: Enforce
          tags:
            Environment: production
            Security: strict
      # Development signing configuration
      dev:
        type: aws:lambda:CodeSigningConfig
        properties:
          description: Development code signing configuration with warnings
          allowedPublishers:
            signingProfileVersionArns:
              - ${devAwsSignerSigningProfile.versionArn}
              - ${test.versionArn}
          policies:
            untrustedArtifactOnDeployment: Warn
          tags:
            Environment: development
            Security: flexible
    

    Create CodeSigningConfig Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new CodeSigningConfig(name: string, args: CodeSigningConfigArgs, opts?: CustomResourceOptions);
    @overload
    def CodeSigningConfig(resource_name: str,
                          args: CodeSigningConfigArgs,
                          opts: Optional[ResourceOptions] = None)
    
    @overload
    def CodeSigningConfig(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          allowed_publishers: Optional[CodeSigningConfigAllowedPublishersArgs] = None,
                          description: Optional[str] = None,
                          policies: Optional[CodeSigningConfigPoliciesArgs] = None,
                          region: Optional[str] = None,
                          tags: Optional[Mapping[str, str]] = None)
    func NewCodeSigningConfig(ctx *Context, name string, args CodeSigningConfigArgs, opts ...ResourceOption) (*CodeSigningConfig, error)
    public CodeSigningConfig(string name, CodeSigningConfigArgs args, CustomResourceOptions? opts = null)
    public CodeSigningConfig(String name, CodeSigningConfigArgs args)
    public CodeSigningConfig(String name, CodeSigningConfigArgs args, CustomResourceOptions options)
    
    type: aws:lambda:CodeSigningConfig
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args CodeSigningConfigArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args CodeSigningConfigArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args CodeSigningConfigArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args CodeSigningConfigArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args CodeSigningConfigArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var codeSigningConfigResource = new Aws.Lambda.CodeSigningConfig("codeSigningConfigResource", new()
    {
        AllowedPublishers = new Aws.Lambda.Inputs.CodeSigningConfigAllowedPublishersArgs
        {
            SigningProfileVersionArns = new[]
            {
                "string",
            },
        },
        Description = "string",
        Policies = new Aws.Lambda.Inputs.CodeSigningConfigPoliciesArgs
        {
            UntrustedArtifactOnDeployment = "string",
        },
        Region = "string",
        Tags = 
        {
            { "string", "string" },
        },
    });
    
    example, err := lambda.NewCodeSigningConfig(ctx, "codeSigningConfigResource", &lambda.CodeSigningConfigArgs{
    	AllowedPublishers: &lambda.CodeSigningConfigAllowedPublishersArgs{
    		SigningProfileVersionArns: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	Description: pulumi.String("string"),
    	Policies: &lambda.CodeSigningConfigPoliciesArgs{
    		UntrustedArtifactOnDeployment: pulumi.String("string"),
    	},
    	Region: pulumi.String("string"),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var codeSigningConfigResource = new CodeSigningConfig("codeSigningConfigResource", CodeSigningConfigArgs.builder()
        .allowedPublishers(CodeSigningConfigAllowedPublishersArgs.builder()
            .signingProfileVersionArns("string")
            .build())
        .description("string")
        .policies(CodeSigningConfigPoliciesArgs.builder()
            .untrustedArtifactOnDeployment("string")
            .build())
        .region("string")
        .tags(Map.of("string", "string"))
        .build());
    
    code_signing_config_resource = aws.lambda_.CodeSigningConfig("codeSigningConfigResource",
        allowed_publishers={
            "signing_profile_version_arns": ["string"],
        },
        description="string",
        policies={
            "untrusted_artifact_on_deployment": "string",
        },
        region="string",
        tags={
            "string": "string",
        })
    
    const codeSigningConfigResource = new aws.lambda.CodeSigningConfig("codeSigningConfigResource", {
        allowedPublishers: {
            signingProfileVersionArns: ["string"],
        },
        description: "string",
        policies: {
            untrustedArtifactOnDeployment: "string",
        },
        region: "string",
        tags: {
            string: "string",
        },
    });
    
    type: aws:lambda:CodeSigningConfig
    properties:
        allowedPublishers:
            signingProfileVersionArns:
                - string
        description: string
        policies:
            untrustedArtifactOnDeployment: string
        region: string
        tags:
            string: string
    

    CodeSigningConfig Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The CodeSigningConfig resource accepts the following input properties:

    AllowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    Description string
    Descriptive name for this code signing configuration.
    Policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    Region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    Tags Dictionary<string, string>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    AllowedPublishers CodeSigningConfigAllowedPublishersArgs

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    Description string
    Descriptive name for this code signing configuration.
    Policies CodeSigningConfigPoliciesArgs
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    Region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    Tags map[string]string
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    allowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    description String
    Descriptive name for this code signing configuration.
    policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region String
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Map<String,String>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    allowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    description string
    Descriptive name for this code signing configuration.
    policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags {[key: string]: string}
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    allowed_publishers CodeSigningConfigAllowedPublishersArgs

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    description str
    Descriptive name for this code signing configuration.
    policies CodeSigningConfigPoliciesArgs
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region str
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Mapping[str, str]
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    allowedPublishers Property Map

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    description String
    Descriptive name for this code signing configuration.
    policies Property Map
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region String
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Map<String>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the CodeSigningConfig resource produces the following output properties:

    Arn string
    ARN of the code signing configuration.
    ConfigId string
    Unique identifier for the code signing configuration.
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModified string
    Date and time that the code signing configuration was last modified.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    Arn string
    ARN of the code signing configuration.
    ConfigId string
    Unique identifier for the code signing configuration.
    Id string
    The provider-assigned unique ID for this managed resource.
    LastModified string
    Date and time that the code signing configuration was last modified.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    arn String
    ARN of the code signing configuration.
    configId String
    Unique identifier for the code signing configuration.
    id String
    The provider-assigned unique ID for this managed resource.
    lastModified String
    Date and time that the code signing configuration was last modified.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    arn string
    ARN of the code signing configuration.
    configId string
    Unique identifier for the code signing configuration.
    id string
    The provider-assigned unique ID for this managed resource.
    lastModified string
    Date and time that the code signing configuration was last modified.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    arn str
    ARN of the code signing configuration.
    config_id str
    Unique identifier for the code signing configuration.
    id str
    The provider-assigned unique ID for this managed resource.
    last_modified str
    Date and time that the code signing configuration was last modified.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    arn String
    ARN of the code signing configuration.
    configId String
    Unique identifier for the code signing configuration.
    id String
    The provider-assigned unique ID for this managed resource.
    lastModified String
    Date and time that the code signing configuration was last modified.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Look up Existing CodeSigningConfig Resource

    Get an existing CodeSigningConfig resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: CodeSigningConfigState, opts?: CustomResourceOptions): CodeSigningConfig
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allowed_publishers: Optional[CodeSigningConfigAllowedPublishersArgs] = None,
            arn: Optional[str] = None,
            config_id: Optional[str] = None,
            description: Optional[str] = None,
            last_modified: Optional[str] = None,
            policies: Optional[CodeSigningConfigPoliciesArgs] = None,
            region: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None) -> CodeSigningConfig
    func GetCodeSigningConfig(ctx *Context, name string, id IDInput, state *CodeSigningConfigState, opts ...ResourceOption) (*CodeSigningConfig, error)
    public static CodeSigningConfig Get(string name, Input<string> id, CodeSigningConfigState? state, CustomResourceOptions? opts = null)
    public static CodeSigningConfig get(String name, Output<String> id, CodeSigningConfigState state, CustomResourceOptions options)
    resources:  _:    type: aws:lambda:CodeSigningConfig    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    Arn string
    ARN of the code signing configuration.
    ConfigId string
    Unique identifier for the code signing configuration.
    Description string
    Descriptive name for this code signing configuration.
    LastModified string
    Date and time that the code signing configuration was last modified.
    Policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    Region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    Tags Dictionary<string, string>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    AllowedPublishers CodeSigningConfigAllowedPublishersArgs

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    Arn string
    ARN of the code signing configuration.
    ConfigId string
    Unique identifier for the code signing configuration.
    Description string
    Descriptive name for this code signing configuration.
    LastModified string
    Date and time that the code signing configuration was last modified.
    Policies CodeSigningConfigPoliciesArgs
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    Region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    Tags map[string]string
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    allowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    arn String
    ARN of the code signing configuration.
    configId String
    Unique identifier for the code signing configuration.
    description String
    Descriptive name for this code signing configuration.
    lastModified String
    Date and time that the code signing configuration was last modified.
    policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region String
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Map<String,String>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    allowedPublishers CodeSigningConfigAllowedPublishers

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    arn string
    ARN of the code signing configuration.
    configId string
    Unique identifier for the code signing configuration.
    description string
    Descriptive name for this code signing configuration.
    lastModified string
    Date and time that the code signing configuration was last modified.
    policies CodeSigningConfigPolicies
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region string
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags {[key: string]: string}
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    allowed_publishers CodeSigningConfigAllowedPublishersArgs

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    arn str
    ARN of the code signing configuration.
    config_id str
    Unique identifier for the code signing configuration.
    description str
    Descriptive name for this code signing configuration.
    last_modified str
    Date and time that the code signing configuration was last modified.
    policies CodeSigningConfigPoliciesArgs
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region str
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Mapping[str, str]
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
    allowedPublishers Property Map

    Configuration block of allowed publishers as signing profiles for this code signing configuration. See below.

    The following arguments are optional:

    arn String
    ARN of the code signing configuration.
    configId String
    Unique identifier for the code signing configuration.
    description String
    Descriptive name for this code signing configuration.
    lastModified String
    Date and time that the code signing configuration was last modified.
    policies Property Map
    Configuration block of code signing policies that define the actions to take if the validation checks fail. See below.
    region String
    Region where this resource will be managed. Defaults to the Region set in the provider configuration.
    tags Map<String>
    Map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Supporting Types

    CodeSigningConfigAllowedPublishers, CodeSigningConfigAllowedPublishersArgs

    SigningProfileVersionArns List<string>
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
    SigningProfileVersionArns []string
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
    signingProfileVersionArns List<String>
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
    signingProfileVersionArns string[]
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
    signing_profile_version_arns Sequence[str]
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.
    signingProfileVersionArns List<String>
    Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package. Maximum of 20 signing profiles.

    CodeSigningConfigPolicies, CodeSigningConfigPoliciesArgs

    UntrustedArtifactOnDeployment string
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
    UntrustedArtifactOnDeployment string
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
    untrustedArtifactOnDeployment String
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
    untrustedArtifactOnDeployment string
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
    untrusted_artifact_on_deployment str
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
    untrustedArtifactOnDeployment String
    Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.

    Import

    For backwards compatibility, the following legacy pulumi import command is also supported:

    $ pulumi import aws:lambda/codeSigningConfig:CodeSigningConfig example arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v7.4.0 published on Wednesday, Aug 13, 2025 by Pulumi