AWS KMS keys
Generate a key using AWS KMS CloudHSM
Using AWS KMS keys in your agents is recommended for production environments.
For non-production environments, it may be faster to configure your agents with Hexadecimal keys
1. Create an IAM user
This IAM user will be given permission to sign with the KMS key that you will later configure. Your Hyperlane agent will use this identity when signing transactions.
Go to AWS's Identity and Access Management (IAM) in the AWS console.
On the left, under "Access management", click "Users".
Click the blue button "Add users".
Pick a friendly and informative username, like
hyperlane-validator-${chain_name}
orhyperlane-relayer-${chain_name}
. This username will be referenced in future steps, so if you choose a different username be sure to use your correct username in the future.Click "Next", you do not need to assign the user any permissions.
Click "Create user".
Click into the user that you just created
Click the "Security Credentials" tab
Scroll down to "Access Keys" and click "Create Access Key"
Select "Application running outside AWS" and click "Next"
Click "Next", no need to add a description tag
Click "Create access key"
Copy the "Access key ID" and "Secret access key" to a safe place. These will be passed to your Hyperlane relayer as environment variables.
2. Create a KMS key
This key will be used by your agent for signing.
Go to AWS's Key Management Service (KMS) in the AWS console.
Ensure you are in the region you want to create the key in. This can be confirmed by viewing the region at the top right of the console, or by finding the name in the URL's subdomain (e.g.
us-west-2.console.aws.amazon.com
means you're operating in the regionus-west-2
).On the left, click "Customer managed keys".
Click "Create key".
Select the "Asymmetric" key type.
Select the "Sign and verify" key usage.
Select the
ECC_SECG_P256K1
key spec.Click "Next".
Set the Alias to something friendly and informative, like
hyperlane-validator-signer-${chain_name}
orhyperlane-relayer-signer-${chain_name}
While not necessary, feel free to write a description and add any tags that you think will be useful.
Click "Next".
A key administrator is not required, but if you want, you can select one.
Click "Next".
Give usage permissions to the IAM user you created in section #1.-create-an-iam-user
Click "Next".
In the Review page, scroll to the "Key policy". The generated key policy is acceptable, but you can make the access even less permissive if you wish by:
Removing the
kms:DescribeKey
andkms:Verify
actions from the statement whose "Sid" is "Allow use of the key"Removing the entire statement whose "Sid" is "Allow attachment of persistent resources".
Click "Finish"
3. Query address
In some cases you may need to know the address associated with the KMS key you generated.
The script at the following repo will allow you to query this address: https://github.com/tkporter/get-aws-kms-address
Last updated