AWS, Cloud Computing, DevOps

4 Mins Read

Signing with AWS Signer Profile and Deployment to Amazon EKS Cluster

Voiced by Amazon Polly


Container image signing with AWS Signer Profile and deploying to the Amazon EKS cluster ensures the integrity and authenticity of container images before they are deployed to a Kubernetes cluster. This process involves creating an AWS Signer signing profile, signing the container image with the signing profile, and configuring the Kubernetes cluster to verify the signature of the image before it is deployed. This process helps to ensure that only trusted images are deployed to the cluster, which can help to improve security and compliance.


Customers may now sign and validate container images stored in container registries such as Amazon Elastic Container Registry (Amazon ECR) with native AWS support according to a new feature called AWS Signer Container Image Signing.

AWS Signer is a fully managed code signing solution that ensures your code is trustworthy and reliable. In addition to managing public and private keys and code signing certificates, AWS Signer offers several tools that streamline lifecycle management, allowing you to concentrate on signing and validating your code.

AWS Signer is a fully managed code signing service to help you ensure the trust and integrity of your container images. Organizations validate images against a digital signature to confirm that the image is unaltered and from a trusted publisher.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started


  • Amazon EC2 instance
  • Install eksctl
  • Install Kubectl
  • Install helm
  • Install Notation cli
  • Docker
  • Ratify
  • Jq

Steps to be performed on your Amazon EC2 instance

  • Attach a role that contains the Amazon ECR, AWS Signer Profile, Amazon EC2, Amazon EKS, and other required permissions to your Amazon EC2 instance.
  • Install aws cli, eksctl, helm from:
  • Install notation CLI
  • Create an Amazon ECR repo, push one sample image to Amazon ECR (ex: nginx image), and export REPO_URI as a global variable for further reference.

Ex: export REPO_URI=<Account_id>.<repo_name>

Create Amazon EKS Cluster

It will take approx. 15 minutes to create the Amazon EKS Cluster with oidc.

Meanwhile, you can sign off on Amazon ECR Image through the notation CLI.

Sign Container image

Create AWS Signer profile and export the ARN as a Global Variable

Sign the image with the Image tag

Now, you can verify the Amazon ECR image has been signed successfully, and the signature can be seen in the Console.


Deploy Gatekeeper

Although Gatekeeper serves as Kubernetes’ policy controller, the actual validation of images and their artifacts will be carried out by the Ratify container.

We first need to install Gatekeeper into the cluster. We will use the Gatekeeper helm chart with some customizations:

Next, we need to deploy a Gatekeeper policy and constraint.

Configure AWS IAM Permission

Before deploying Ratify, we need to configure Ratify permissions to request AWS Signer. We will use AWS IAM Roles for Service Accounts integration to do this. First, we need to create an AWS IAM policy that has AWS Signer permissions:

Then, we will use eksctl to create a service account and role and attach the policies to the role:

We can validate that the service account was created by using kubectl:

Deploy Ratify

Now we can deploy Ratify to our cluster with the AWS Signer root as the notation verification certificate:

After deploying Ratify, we will download the AWS Signer notation plugin to the Ratify pod:

Finally, we will create a verifier that specifies the trust policy to use when verifying signatures. In this guide, we will use a trust policy that only trusts images signed by the SigningProfile we created earlier:

Deploy Container Image:

Now that the signed container image is in the registry and Ratify is installed into the Amazon EKS cluster, we can deploy our container image:

We should see from the Ratify and Gatekeeper logs that the container signature was validated. The pod for the container should also be running.

We can also test that an image without a valid signature is not able to run:

The command should fail with an error, and we should be able to see from the Ratify and Gatekeeper logs that the signature validation failed.


This post provided an overview of AWS Signer Container Image Signing. This new feature allows you to sign and validate your container images using a fully managed solution. You may implement a straightforward client-based procedure for signing and validating your container images using the open-source Notation client with the carefully chosen AWS Signer plugin.

Drop a query if you have any questions regarding AWS Signer Container Image Signing and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. What is the benefit of using AWS Signer Container Image Signing?

ANS: – This new feature helps ensure the trust and integrity of your container images by adding a digital signature. This signature confirms that the image is unaltered and comes from a trusted publisher like you. This is especially important for sensitive workloads or when you must comply with strict security regulations.

2. How does the process of signing and validating container images work?

ANS: – You can sign your images using the open-source Notation client with the AWS Signer plugin. This creates a unique signature that’s stored with the image. Then, Ratify, a policy controller deployed in your EKS cluster, validates the signature against your trust policy. If the signature matches, the image is allowed to run. If not, it’s blocked. This helps prevent unauthorized or compromised images from running in your cluster.

WRITTEN BY Ravikumar Eranna Murali

Ravikumar works as a Research Intern at CloudThat. His expertise lies in AWS Services and pursuing DevOps technologies like Kubernetes, Docker, and Jenkins. Ravi enjoys learning and working on new challenges to give the best solution.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!