AWS KMS keys

Generate a key using AWS KMS CloudHSM

Last updated 2 years ago

Using AWS KMS keys in your agents is recommended for production environments.

For non-production environments, it may be faster to configure your agents with Hexadecimal keys.

1. Create an IAM user

This IAM user will be given permission to sign with the KMS key that you will later configure. Your Hyperlane agent will use this identity when signing transactions.

  1. Go to AWS's Identity and Access Management (IAM) in the AWS console.

  2. On the left, under "Access management", click "Users".

  3. Click the blue button "Add users".

  4. Pick a friendly and informative username, like hyperlane-validator-${chain_name} or hyperlane-relayer-${chain_name}. This username is referenced in later steps, so if you choose a different one, substitute it wherever these instructions mention the username.

  5. Click "Next"; you do not need to assign the user any permissions.

  6. Click "Create user".

  7. Click into the user that you just created.

  8. Click the "Security Credentials" tab.

  9. Scroll down to "Access Keys" and click "Create Access Key".

  10. Select "Application running outside AWS" and click "Next".

  11. Click "Next"; there is no need to add a description tag.

  12. Click "Create access key".

  13. Copy the "Access key ID" and "Secret access key" to a safe place. These will be passed to your Hyperlane agent (validator or relayer) as environment variables.

2. Create a KMS key

This key will be used by your agent for signing.

  1. Go to AWS's Key Management Service (KMS) in the AWS console.

  2. Ensure you are in the region you want to create the key in. This can be confirmed by viewing the region at the top right of the console, or by finding the name in the URL's subdomain (e.g. us-west-2.console.aws.amazon.com means you're operating in the region us-west-2).

  3. On the left, click "Customer managed keys".

  4. Click "Create key".

  5. Select the "Asymmetric" key type.

  6. Select the "Sign and verify" key usage.

  7. Select the ECC_SECG_P256K1 key spec.

  8. Click "Next".

  9. Set the Alias to something friendly and informative, like hyperlane-validator-signer-${chain_name} or hyperlane-relayer-signer-${chain_name}.

  10. While not necessary, feel free to write a description and add any tags that you think will be useful.

  11. Click "Next".

  12. A key administrator is not required, but if you want, you can select one.

  13. Click "Next".

  14. Give usage permissions to the IAM user you created in section 1 (Create an IAM user).

  15. Click "Next".

  16. In the Review page, scroll to the "Key policy". The generated key policy is acceptable, but you can make the access even less permissive if you wish by:

    1. Removing the kms:DescribeKey and kms:Verify actions from the statement whose "Sid" is "Allow use of the key".

    2. Removing the entire statement whose "Sid" is "Allow attachment of persistent resources".

  17. Click "Finish".
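As an added illustration (not taken from the Hyperlane docs or the AWS console), this is what the key policy from step 16 looks like after the two optional trims. The console's generated "Allow use of the key" statement for a sign-and-verify key lists kms:DescribeKey, kms:GetPublicKey, kms:Sign and kms:Verify; removing the two actions named above leaves GetPublicKey (the agent uses it to learn its own signing address) and Sign, and the "Allow attachment of persistent resources" statement is dropped entirely. The account id 111122223333 and the username are placeholders; the first statement is the one AWS always includes so that IAM policies in the account can still administer the key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/hyperlane-validator-mychain" },
      "Action": [ "kms:GetPublicKey", "kms:Sign" ],
      "Resource": "*"
    }
  ]
}
```

If you selected a key administrator in step 12, the console also emits an "Allow access for Key Administrators" statement for that principal; leave it in place, since it is what lets you rotate or disable the key later.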

3. Query address

In some cases you may need to know the address associated with the KMS key you generated.

The script at the following repo will allow you to query this address:

https://github.com/tkporter/get-aws-kms-address