
AWS setup

Configure your signing key and S3 bucket


Last updated 2 years ago

These instructions are for a production environment where validator keys exist in AWS's Key Management Service and validator signatures are posted publicly in an S3 bucket.

If you only intend to run a validator for testing or development purposes, consider the Local Setup instead.

1. Create an AWS IAM user and KMS key

Follow the instructions for AWS KMS keys to generate an AWS IAM user and KMS key. You will use this user and key in the following steps.

2. Create an S3 bucket

Your validator will post its signatures to this bucket.

  1. Go to AWS's S3 in the AWS console.

  2. On the right, click the orange "Create Bucket" button.

  3. Pick an informative bucket name, such as hyperlane-validator-signatures-${validator_name}-${chain_name}.

  4. Consider choosing the same region as the KMS key you created in the previous step.

  5. Keep the recommended "ACLs disabled" setting for object ownership.

  6. Configure public access settings so that relayers can read your signatures:

    1. Uncheck "Block all public access".

    2. Check the first two options that block access via access control lists.

    3. Leave the last two options unchecked. Public read access will be granted via a bucket policy.

    4. Acknowledge that these settings may result in public access to your bucket.

  7. The remaining default settings are fine. Click the orange "Create bucket" button at the bottom.

3. Configure S3 bucket permissions

Your validator IAM user will need write permissions on the bucket, and the bucket should be publicly readable by relayers.

  1. Navigate back to "Identity and Access Management (IAM)" in the AWS console.

  2. Under "IAM resources" you should see at least one "User". Click into that.

  3. Click on the name of the user that you provisioned earlier (e.g. hyperlane-validator-${chain_name}).

  4. Copy the "User ARN" to your clipboard. It should look something like arn:aws:iam::791444913613:user/hyperlane-validator-${chain_name}

  5. Navigate back to "S3" in the AWS console.

  6. Click on the name of the bucket you just created.

  7. Just under the name of the bucket, click "Permissions".

  8. Scroll down to "Bucket policy" and click "Edit".

  9. Enter the following policy, replacing ${BUCKET_ARN} and ${USER_ARN} with your own values. The Bucket ARN is shown just above where you enter the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "${BUCKET_ARN}",
                "${BUCKET_ARN}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "${USER_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject"
            ],
            "Resource": "${BUCKET_ARN}/*"
        }
    ]
}
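
The bucket is deliberately world-readable, so the property worth checking is that nothing beyond read is public and that write access belongs to the validator user alone. The following is an added example, not part of the original Hyperlane documentation: it fills the template above and audits any bucket policy against it. The sample ARNs and the function names are constructed for illustration.

```python
import json

PUBLIC_READ = {"s3:GetObject", "s3:ListBucket"}        # granted to "*" on the page
VALIDATOR_WRITE = {"s3:PutObject", "s3:DeleteObject"}  # granted to the validator user
# Constructed sample ARNs (placeholders, not real resources).
BUCKET_ARN = "arn:aws:s3:::hyperlane-validator-signatures-example-examplechain"
USER_ARN = "arn:aws:iam::111122223333:user/hyperlane-validator-examplechain"

def as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    return [value] if isinstance(value, str) else list(value)

def render_policy(bucket_arn, user_arn):
    """Fill the page's bucket policy template with concrete ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": sorted(PUBLIC_READ),
         "Resource": [bucket_arn, bucket_arn + "/*"]},
        {"Effect": "Allow", "Principal": {"AWS": user_arn},
         "Action": sorted(VALIDATOR_WRITE), "Resource": bucket_arn + "/*"}]}

def aws_principals(principal):
    """Normalise a Principal element to a set of AWS principal strings."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(as_list(principal.get("AWS", [])))
    return set()

def audit_policy(policy, bucket_arn, user_arn):
    """List every Allow grant that goes beyond the page's template."""
    findings = []
    stmts = policy.get("Statement", [])
    for i, stmt in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if any(key.startswith("Not") for key in stmt):
            findings.append(f"statement {i}: Not* element needs manual review")
            continue
        who = aws_principals(stmt.get("Principal"))
        actions = set(as_list(stmt.get("Action", [])))
        allowed = PUBLIC_READ if "*" in who else VALIDATOR_WRITE
        if "*" not in who and who != {user_arn}:
            findings.append(f"statement {i}: unexpected principal {sorted(who)}")
        if actions - allowed:
            findings.append(f"statement {i}: excess actions {sorted(actions - allowed)}")
        for res in as_list(stmt.get("Resource", [])):
            if res not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"statement {i}: resource {res} outside bucket")
    return findings

if __name__ == "__main__":
    print(json.dumps(render_policy(BUCKET_ARN, USER_ARN), indent=4))
```

An empty findings list means the policy grants exactly what the template does. A wildcard such as `s3:*` is reported as an excess action because it is not in either allowed set.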