AWS v7.10.0 published on Friday, Oct 24, 2025 by Pulumi
aws.lambda.getCodeSigningConfig
Provides details about an AWS Lambda Code Signing Config. Use this data source to retrieve information about an existing code signing configuration for Lambda functions to ensure code integrity and authenticity.
For information about Lambda code signing configurations and how to use them, see configuring code signing for Lambda functions.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = aws.lambda.getCodeSigningConfig({
arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b",
});
export const configDetails = {
configId: example.then(example => example.configId),
description: example.then(example => example.description),
policy: example.then(example => example.policies?.[0]?.untrustedArtifactOnDeployment),
};
import pulumi
import pulumi_aws as aws
example = aws.lambda.get_code_signing_config(arn="arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b")
pulumi.export("configDetails", {
"configId": example.config_id,
"description": example.description,
"policy": example.policies[0].untrusted_artifact_on_deployment,
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
example, err := lambda.LookupCodeSigningConfig(ctx, &lambda.LookupCodeSigningConfigArgs{
Arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b",
}, nil)
if err != nil {
return err
}
ctx.Export("configDetails", pulumi.StringMap{
"configId": example.ConfigId,
"description": example.Description,
"policy": example.Policies[0].UntrustedArtifactOnDeployment,
})
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = Aws.Lambda.GetCodeSigningConfig.Invoke(new()
{
Arn = "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b",
});
return new Dictionary<string, object?>
{
["configDetails"] =
{
{ "configId", example.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.ConfigId) },
{ "description", example.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.Description) },
{ "policy", example.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.Policies[0]?.UntrustedArtifactOnDeployment) },
},
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LambdaFunctions;
import com.pulumi.aws.lambda.inputs.GetCodeSigningConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var example = LambdaFunctions.getCodeSigningConfig(GetCodeSigningConfigArgs.builder()
.arn("arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b")
.build());
ctx.export("configDetails", Map.ofEntries(
Map.entry("configId", example.configId()),
Map.entry("description", example.description()),
Map.entry("policy", example.policies()[0].untrustedArtifactOnDeployment())
));
}
}
variables:
example:
fn::invoke:
function: aws:lambda:getCodeSigningConfig
arguments:
arn: arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-0f6c334abcdea4d8b
outputs:
configDetails:
configId: ${example.configId}
description: ${example.description}
policy: ${example.policies[0].untrustedArtifactOnDeployment}
Use in Lambda Function
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Get existing code signing configuration
const securityConfig = aws.lambda.getCodeSigningConfig({
arn: codeSigningConfigArn,
});
// Create Lambda function with code signing
const example = new aws.lambda.Function("example", {
code: new pulumi.asset.FileArchive("function.zip"),
name: "secure-function",
role: lambdaRole.arn,
handler: "index.handler",
runtime: aws.lambda.Runtime.NodeJS20dX,
codeSigningConfigArn: securityConfig.then(securityConfig => securityConfig.arn),
tags: {
Environment: "production",
Security: "code-signed",
},
});
import pulumi
import pulumi_aws as aws
# Get existing code signing configuration
security_config = aws.lambda.get_code_signing_config(arn=code_signing_config_arn)
# Create Lambda function with code signing
example = aws.lambda_.Function("example",
code=pulumi.FileArchive("function.zip"),
name="secure-function",
role=lambda_role["arn"],
handler="index.handler",
runtime=aws.lambda_.Runtime.NODE_JS20D_X,
code_signing_config_arn=security_config.arn,
tags={
"Environment": "production",
"Security": "code-signed",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Get existing code signing configuration
securityConfig, err := lambda.LookupCodeSigningConfig(ctx, &lambda.LookupCodeSigningConfigArgs{
Arn: codeSigningConfigArn,
}, nil)
if err != nil {
return err
}
// Create Lambda function with code signing
_, err = lambda.NewFunction(ctx, "example", &lambda.FunctionArgs{
Code: pulumi.NewFileArchive("function.zip"),
Name: pulumi.String("secure-function"),
Role: pulumi.Any(lambdaRole.Arn),
Handler: pulumi.String("index.handler"),
Runtime: pulumi.String(lambda.RuntimeNodeJS20dX),
CodeSigningConfigArn: pulumi.String(securityConfig.Arn),
Tags: pulumi.StringMap{
"Environment": pulumi.String("production"),
"Security": pulumi.String("code-signed"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
// Get existing code signing configuration
var securityConfig = Aws.Lambda.GetCodeSigningConfig.Invoke(new()
{
Arn = codeSigningConfigArn,
});
// Create Lambda function with code signing
var example = new Aws.Lambda.Function("example", new()
{
Code = new FileArchive("function.zip"),
Name = "secure-function",
Role = lambdaRole.Arn,
Handler = "index.handler",
Runtime = Aws.Lambda.Runtime.NodeJS20dX,
CodeSigningConfigArn = securityConfig.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.Arn),
Tags =
{
{ "Environment", "production" },
{ "Security", "code-signed" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LambdaFunctions;
import com.pulumi.aws.lambda.inputs.GetCodeSigningConfigArgs;
import com.pulumi.aws.lambda.Function;
import com.pulumi.aws.lambda.FunctionArgs;
import com.pulumi.asset.FileArchive;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Get existing code signing configuration
final var securityConfig = LambdaFunctions.getCodeSigningConfig(GetCodeSigningConfigArgs.builder()
.arn(codeSigningConfigArn)
.build());
// Create Lambda function with code signing
var example = new Function("example", FunctionArgs.builder()
.code(new FileArchive("function.zip"))
.name("secure-function")
.role(lambdaRole.arn())
.handler("index.handler")
.runtime("nodejs20.x")
.codeSigningConfigArn(securityConfig.arn())
.tags(Map.ofEntries(
Map.entry("Environment", "production"),
Map.entry("Security", "code-signed")
))
.build());
}
}
resources:
# Create Lambda function with code signing
example:
type: aws:lambda:Function
properties:
code:
fn::FileArchive: function.zip
name: secure-function
role: ${lambdaRole.arn}
handler: index.handler
runtime: nodejs20.x
codeSigningConfigArn: ${securityConfig.arn}
tags:
Environment: production
Security: code-signed
variables:
# Get existing code signing configuration
securityConfig:
fn::invoke:
function: aws:lambda:getCodeSigningConfig
arguments:
arn: ${codeSigningConfigArn}
Multi-Environment Configuration
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Production code signing config
const prod = aws.lambda.getCodeSigningConfig({
arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-prod-123",
});
// Development code signing config
const dev = aws.lambda.getCodeSigningConfig({
arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-dev-456",
});
const prodPolicy = prod.then(prod => prod.policies?.[0]?.untrustedArtifactOnDeployment);
const devPolicy = dev.then(dev => dev.policies?.[0]?.untrustedArtifactOnDeployment);
const configComparison = {
prodEnforcement: prodPolicy,
devEnforcement: devPolicy,
policiesMatch: Promise.all([prodPolicy, devPolicy]).then(([prodPolicy, devPolicy]) => prodPolicy == devPolicy),
};
export const environmentComparison = configComparison;
import pulumi
import pulumi_aws as aws
# Production code signing config
prod = aws.lambda.get_code_signing_config(arn="arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-prod-123")
# Development code signing config
dev = aws.lambda.get_code_signing_config(arn="arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-dev-456")
prod_policy = prod.policies[0].untrusted_artifact_on_deployment
dev_policy = dev.policies[0].untrusted_artifact_on_deployment
config_comparison = {
"prodEnforcement": prod_policy,
"devEnforcement": dev_policy,
"policiesMatch": prod_policy == dev_policy,
}
pulumi.export("environmentComparison", config_comparison)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/lambda"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Production code signing config
prod, err := lambda.LookupCodeSigningConfig(ctx, &lambda.LookupCodeSigningConfigArgs{
Arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-prod-123",
}, nil)
if err != nil {
return err
}
// Development code signing config
dev, err := lambda.LookupCodeSigningConfig(ctx, &lambda.LookupCodeSigningConfigArgs{
Arn: "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-dev-456",
}, nil)
if err != nil {
return err
}
prodPolicy := prod.Policies[0].UntrustedArtifactOnDeployment
devPolicy := dev.Policies[0].UntrustedArtifactOnDeployment
configComparison := map[string]interface{}{
"prodEnforcement": prodPolicy,
"devEnforcement": devPolicy,
"policiesMatch": prodPolicy == devPolicy,
}
ctx.Export("environmentComparison", configComparison)
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
// Production code signing config
var prod = Aws.Lambda.GetCodeSigningConfig.Invoke(new()
{
Arn = "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-prod-123",
});
// Development code signing config
var dev = Aws.Lambda.GetCodeSigningConfig.Invoke(new()
{
Arn = "arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-dev-456",
});
var prodPolicy = prod.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.Policies[0]?.UntrustedArtifactOnDeployment);
var devPolicy = dev.Apply(getCodeSigningConfigResult => getCodeSigningConfigResult.Policies[0]?.UntrustedArtifactOnDeployment);
var configComparison =
{
{ "prodEnforcement", prodPolicy },
{ "devEnforcement", devPolicy },
{ "policiesMatch", Output.Tuple(prodPolicy, devPolicy).Apply(values =>
{
var prodPolicy = values.Item1;
var devPolicy = values.Item2;
return prodPolicy == devPolicy;
}) },
};
return new Dictionary<string, object?>
{
["environmentComparison"] = configComparison,
};
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lambda.LambdaFunctions;
import com.pulumi.aws.lambda.inputs.GetCodeSigningConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Production code signing config
final var prod = LambdaFunctions.getCodeSigningConfig(GetCodeSigningConfigArgs.builder()
.arn("arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-prod-123")
.build());
// Development code signing config
final var dev = LambdaFunctions.getCodeSigningConfig(GetCodeSigningConfigArgs.builder()
.arn("arn:aws:lambda:us-west-2:123456789012:code-signing-config:csc-dev-456")
.build());
final var prodPolicy = prod.policies()[0].untrustedArtifactOnDeployment();
final var devPolicy = dev.policies()[0].untrustedArtifactOnDeployment();
final var configComparison = Map.ofEntries(
Map.entry("prodEnforcement", prodPolicy),
Map.entry("devEnforcement", devPolicy),
Map.entry("policiesMatch", prodPolicy == devPolicy)
);
ctx.export("environmentComparison", configComparison);
}
}
Example coming soon!
Using getCodeSigningConfig
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getCodeSigningConfig(args: GetCodeSigningConfigArgs, opts?: InvokeOptions): Promise<GetCodeSigningConfigResult>
function getCodeSigningConfigOutput(args: GetCodeSigningConfigOutputArgs, opts?: InvokeOptions): Output<GetCodeSigningConfigResult>def get_code_signing_config(arn: Optional[str] = None,
region: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetCodeSigningConfigResult
def get_code_signing_config_output(arn: Optional[pulumi.Input[str]] = None,
region: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetCodeSigningConfigResult]func LookupCodeSigningConfig(ctx *Context, args *LookupCodeSigningConfigArgs, opts ...InvokeOption) (*LookupCodeSigningConfigResult, error)
func LookupCodeSigningConfigOutput(ctx *Context, args *LookupCodeSigningConfigOutputArgs, opts ...InvokeOption) LookupCodeSigningConfigResultOutput> Note: This function is named LookupCodeSigningConfig in the Go SDK.
public static class GetCodeSigningConfig
{
public static Task<GetCodeSigningConfigResult> InvokeAsync(GetCodeSigningConfigArgs args, InvokeOptions? opts = null)
public static Output<GetCodeSigningConfigResult> Invoke(GetCodeSigningConfigInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetCodeSigningConfigResult> getCodeSigningConfig(GetCodeSigningConfigArgs args, InvokeOptions options)
public static Output<GetCodeSigningConfigResult> getCodeSigningConfig(GetCodeSigningConfigArgs args, InvokeOptions options)
fn::invoke:
function: aws:lambda/getCodeSigningConfig:getCodeSigningConfig
arguments:
# arguments dictionaryThe following arguments are supported:
getCodeSigningConfig Result
The following output properties are available:
- Allowed
Publishers List<GetCode Signing Config Allowed Publisher> - List of allowed publishers as signing profiles for this code signing configuration. See below.
- Arn string
- Config
Id string - Unique identifier for the code signing configuration.
- Description string
- Code signing configuration description.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified string - Date and time that the code signing configuration was last modified.
- Policies
List<Get
Code Signing Config Policy> - List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- Region string
- Allowed
Publishers []GetCode Signing Config Allowed Publisher - List of allowed publishers as signing profiles for this code signing configuration. See below.
- Arn string
- Config
Id string - Unique identifier for the code signing configuration.
- Description string
- Code signing configuration description.
- Id string
- The provider-assigned unique ID for this managed resource.
- Last
Modified string - Date and time that the code signing configuration was last modified.
- Policies
[]Get
Code Signing Config Policy - List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- Region string
- allowed
Publishers List<GetCode Signing Config Allowed Publisher> - List of allowed publishers as signing profiles for this code signing configuration. See below.
- arn String
- config
Id String - Unique identifier for the code signing configuration.
- description String
- Code signing configuration description.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified String - Date and time that the code signing configuration was last modified.
- policies
List<Get
Code Signing Config Policy> - List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- region String
- allowed
Publishers GetCode Signing Config Allowed Publisher[] - List of allowed publishers as signing profiles for this code signing configuration. See below.
- arn string
- config
Id string - Unique identifier for the code signing configuration.
- description string
- Code signing configuration description.
- id string
- The provider-assigned unique ID for this managed resource.
- last
Modified string - Date and time that the code signing configuration was last modified.
- policies
Get
Code Signing Config Policy[] - List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- region string
- allowed_
publishers Sequence[GetCode Signing Config Allowed Publisher] - List of allowed publishers as signing profiles for this code signing configuration. See below.
- arn str
- config_
id str - Unique identifier for the code signing configuration.
- description str
- Code signing configuration description.
- id str
- The provider-assigned unique ID for this managed resource.
- last_
modified str - Date and time that the code signing configuration was last modified.
- policies
Sequence[Get
Code Signing Config Policy] - List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- region str
- allowed
Publishers List<Property Map> - List of allowed publishers as signing profiles for this code signing configuration. See below.
- arn String
- config
Id String - Unique identifier for the code signing configuration.
- description String
- Code signing configuration description.
- id String
- The provider-assigned unique ID for this managed resource.
- last
Modified String - Date and time that the code signing configuration was last modified.
- policies List<Property Map>
- List of code signing policies that control the validation failure action for signature mismatch or expiry. See below.
- region String
Supporting Types
GetCodeSigningConfigAllowedPublisher
- Signing
Profile List<string>Version Arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
- Signing
Profile []stringVersion Arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
- signing
Profile List<String>Version Arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
- signing
Profile string[]Version Arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
- signing_
profile_ Sequence[str]version_ arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
- signing
Profile List<String>Version Arns - Set of ARNs for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
GetCodeSigningConfigPolicy
- Untrusted
Artifact stringOn Deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
- Untrusted
Artifact stringOn Deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
- untrusted
Artifact StringOn Deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
- untrusted
Artifact stringOn Deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
- untrusted_
artifact_ stron_ deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
- untrusted
Artifact StringOn Deployment - Code signing configuration policy for deployment validation failure. Valid values:
Warn,Enforce.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
