put_signing_configuration

ECR.Client.put_signing_configuration(**kwargs)

Creates or updates the registry’s signing configuration, which defines rules for automatically signing images with Amazon Web Services Signer.

For more information, see Managed signing in the Amazon Elastic Container Registry User Guide.

Note

To successfully generate a signature, the IAM principal pushing images must have permission to sign payloads with the Amazon Web Services Signer signing profile referenced in the signing configuration.

See also: AWS API Documentation

Request Syntax

response = client.put_signing_configuration(
    signingConfiguration={
        'rules': [
            {
                'signingProfileArn': 'string',
                'repositoryFilters': [
                    {
                        'filter': 'string',
                        'filterType': 'WILDCARD_MATCH'
                    },
                ]
            },
        ]
    }
)

Parameters:

signingConfiguration (dict) –

[REQUIRED]

The signing configuration to assign to the registry.

  • rules (list) – [REQUIRED]

    A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.

    • (dict) –

      A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.

      • signingProfileArn (string) – [REQUIRED]

        The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.

      • repositoryFilters (list) –

        A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule’s signing profile. Maximum of 100 filters per rule.

        • (dict) –

          A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.

          • filter (string) – [REQUIRED]

            The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.

            Examples:

            • myapp/* - Matches all repositories starting with myapp/

            • */production - Matches all repositories ending with /production

            • *prod* - Matches all repositories containing prod

          • filterType (string) – [REQUIRED]

            The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.
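The following is an added example, not part of the boto3 documentation: a local pre-flight check that validates a signing configuration against the limits stated above and reports which repositories each rule would cover before the configuration is applied. The helper names, repository names and placeholder profile ARN are assumptions, and the matcher is a local approximation of WILDCARD_MATCH (whole-name, case-sensitive), not ECR's own implementation.

```python
import re

MAX_RULES, MAX_FILTERS = 10, 100  # limits documented for this operation

def wildcard_to_regex(pattern):
    # Only '*' is special in WILDCARD_MATCH; every other character is literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)

def validate(config):
    """Return problems found against the documented required fields and limits."""
    rules = config.get("rules")
    if not isinstance(rules, list):
        return ["rules is required and must be a list"]
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the maximum of {MAX_RULES}")
    for i, rule in enumerate(rules):
        if not rule.get("signingProfileArn"):
            problems.append(f"rule {i}: signingProfileArn is required")
        filters = rule.get("repositoryFilters") or []
        if len(filters) > MAX_FILTERS:
            problems.append(f"rule {i}: more than {MAX_FILTERS} filters")
        for f in filters:
            if f.get("filterType") != "WILDCARD_MATCH":
                problems.append(f"rule {i}: unsupported filterType {f.get('filterType')!r}")
            if not f.get("filter"):
                problems.append(f"rule {i}: filter value is required")
    return problems

def coverage(config, repos):
    """Map each repository name to the signing profiles whose rule matches it."""
    result = {repo: [] for repo in repos}
    for rule in config["rules"]:
        filters = rule.get("repositoryFilters") or []
        regexes = [wildcard_to_regex(f["filter"]) for f in filters]
        for repo in repos:
            # A rule with no filters applies to every repository in the registry.
            if not regexes or any(r.fullmatch(repo) for r in regexes):
                result[repo].append(rule["signingProfileArn"])
    return result

# Constructed sample data: placeholder ARN and made-up repository names.
PROFILE = "arn:aws:signer:us-east-1:111122223333:/signing-profiles/ExampleProfile"
CONFIG = {"rules": [{"signingProfileArn": PROFILE, "repositoryFilters": [
    {"filter": "myapp/*", "filterType": "WILDCARD_MATCH"},
    {"filter": "*prod*", "filterType": "WILDCARD_MATCH"}]}]}
REPOS = ["myapp/api", "team/production", "reproducer-tools", "internal/base"]

if __name__ == "__main__":
    assert validate(CONFIG) == []
    for repo, profiles in coverage(CONFIG, REPOS).items():
        print(repo, "->", profiles or "NOT SIGNED")
    # After review: boto3.client("ecr").put_signing_configuration(signingConfiguration=CONFIG)
```

With the sample data, `reproducer-tools` is covered because `*prod*` matches any name containing prod, while `internal/base` matches no rule and would be pushed unsigned.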

Return type:

dict

Returns:

Response Syntax

{
    'signingConfiguration': {
        'rules': [
            {
                'signingProfileArn': 'string',
                'repositoryFilters': [
                    {
                        'filter': 'string',
                        'filterType': 'WILDCARD_MATCH'
                    },
                ]
            },
        ]
    }
}

Response Structure

  • (dict) –

    • signingConfiguration (dict) –

      The registry’s updated signing configuration.

      • rules (list) –

        A list of signing rules. Each rule defines a signing profile and optional repository filters that determine which images are automatically signed. Maximum of 10 rules.

        • (dict) –

          A signing rule that specifies a signing profile and optional repository filters. When an image is pushed to a matching repository, a signing job is created using the specified profile.

          • signingProfileArn (string) –

            The ARN of the Amazon Web Services Signer signing profile to use for signing images that match this rule. For more information about signing profiles, see Signing profiles in the Amazon Web Services Signer Developer Guide.

          • repositoryFilters (list) –

            A list of repository filters that determine which repositories have their images signed on push. If no filters are specified, all images pushed to the registry are signed using the rule’s signing profile. Maximum of 100 filters per rule.

            • (dict) –

              A repository filter used to determine which repositories have their images automatically signed on push. Each filter consists of a filter type and filter value.

              • filter (string) –

                The filter value used to match repository names. When using WILDCARD_MATCH, the * character matches any sequence of characters.

                Examples:

                • myapp/* - Matches all repositories starting with myapp/

                • */production - Matches all repositories ending with /production

                • *prod* - Matches all repositories containing prod

              • filterType (string) –

                The type of filter to apply. Currently, only WILDCARD_MATCH is supported, which uses wildcard patterns to match repository names.

Exceptions

  • ECR.Client.exceptions.ServerException

  • ECR.Client.exceptions.InvalidParameterException

  • ECR.Client.exceptions.ValidationException