Jean-Baptiste Dusseaut edited this page Apr 23, 2021 · 10 revisions

AWS KMS

This guide covers how to use AWS KMS to sign minting and release operations.

It also assumes that you want to use AWS KMS but run the node in your own infrastructure.

1. Create one or more keys

Ethereum and Tezos can each use a different key, or share the same one. Create one or two keys, depending on what you decide.

Connect to your AWS management console, and go to Key Management Service.

ℹ️ AWS is available in many regions. Pick one that is close to your actual infrastructure location.

In Customer managed keys, create a new key according to this spec:

Key type: Asymmetric

Usage: Sign and verify

Key spec: ECC_SECG_P256K1 (this is the secp256k1 curve)

You can leave the other parts (administrators and roles) blank, but in step 3 uncheck Allow key administrators to delete this key.

Copy the generated ARN. We will use it below.

2. Create a security policy

Go to IAM → Policies, and create a new one.

Use the JSON below as a template, replacing the placeholders with your own values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Sign",
                "kms:Verify",
                "kms:GetPublicKey"
            ],
            "Resource": ["<your key ARNs>"]
        }
    ]
}

If your infrastructure has a fixed IP address, it's a good idea to restrict the policy above to it. Add a new statement to the policy above (an IAM statement must carry an Action, so the Deny covers all KMS actions on your keys):

{
    "Effect": "Deny",
    "Action": "kms:*",
    "Resource": ["<your key ARNs>"],
    "Condition": {
        "NotIpAddress": {
            "aws:SourceIp": ["<your IP addresses>"]
        }
    }
}
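As an added example (not part of this wiki page or the project's code), the Python below builds the step 2 policy from concrete key ARNs and addresses and lints a policy document for the mistakes that are easy to make when hand-editing the template: a Deny statement without an Action, placeholders left in, or an Allow that grants more than signing. The key ARN and IP range used in the checks are constructed sample values.

```python
"""Build and lint the least-privilege KMS signer policy from step 2 of this guide."""
import ipaddress
# The only actions the node needs on its signing key(s); nothing that manages the key.
SIGNER_ACTIONS = {"kms:Sign", "kms:Verify", "kms:GetPublicKey"}


def build_signer_policy(key_arns, allowed_cidrs=None):
    """Return the IAM policy for the node's programmatic user.

    key_arns: KMS key ARNs (one shared key, or one each for Ethereum and Tezos).
    allowed_cidrs: the node's fixed egress addresses; when given, a Deny statement
    makes leaked credentials useless from anywhere else.
    """
    statements = [{"Effect": "Allow", "Action": sorted(SIGNER_ACTIONS),
                   "Resource": list(key_arns)}]
    if allowed_cidrs:
        statements.append({
            "Effect": "Deny",
            "Action": "kms:*",  # IAM rejects a statement with no Action/NotAction
            "Resource": list(key_arns),
            # aws:SourceIp is the public address AWS sees; calls that reach KMS
            # through a VPC endpoint carry aws:VpcSourceIp instead.
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def lint_signer_policy(policy):
    """Return a list of findings; empty means the policy matches this guide."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action")
        actions = {actions} if isinstance(actions, str) else set(actions or [])
        if not actions:
            findings.append(f"statement {i}: missing Action (IAM rejects this)")
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any("<" in r or r == "*" for r in resources):
            findings.append(f"statement {i}: placeholder or wildcard Resource")
        if st.get("Effect") == "Allow" and actions - SIGNER_ACTIONS:
            findings.append(f"statement {i}: Allow grants more than signing: "
                            f"{sorted(actions - SIGNER_ACTIONS)}")
        cidrs = st.get("Condition", {}).get("NotIpAddress", {}).get("aws:SourceIp", [])
        for cidr in ([cidrs] if isinstance(cidrs, str) else cidrs):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {i}: unparseable IP/CIDR {cidr!r}")
    return findings
```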

3. Create a user

Back in IAM, go to Users and add a user:

  • Programmatic access

  • Attach existing policies → select the policy you just created

Copy the access key ID and the secret access key.

Securing these secrets is obviously very important. Rotating the secret, or even using something like HashiCorp Vault to do it for you, is a good idea.

4. Setup node to use AWS KMS

Change the env file defined in Setup:

Ethereum__Signer__Type=AWS
Ethereum__Signer__KeyId=<your aws kms key id>
Tezos__Signer__Type=AWS
Tezos__Signer__KeyId=<your aws kms key id>
AWS_ACCESS_KEY_ID=<aws access key id>
AWS_SECRET_ACCESS_KEY=<aws secret access key>
AWS_REGION=<the region where the kms key is>

5. OPS considerations

You don't need to back up the key, since the key material is managed by AWS itself and you don't have access to it.

What you have to pay attention to is not deleting the key accidentally. In practice this is difficult to do, because AWS enforces a deletion waiting period: you cannot delete a key without specifying this period, with a minimum of 7 days.
