# Use AWS KMS Signer

Use this guide to run ev-node with an AWS KMS-backed signer (`signer_type: kms`, `kms.provider: aws`) instead of a local key file.

## Prerequisites

- An AWS KMS asymmetric key with:
  - `KeyUsage: SIGN_VERIFY`
  - `KeySpec: ECC_NIST_EDWARDS25519`
- IAM permissions for initial key creation/management (example policy):

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowKeyCreation",
        "Effect": "Allow",
        "Action": [
          "kms:CreateKey",
          "kms:TagResource",
          "kms:EnableKey",
          "kms:PutKeyPolicy",
          "kms:GetPublicKey",
          "kms:Sign",
          "kms:ListKeys",
          "kms:ListAliases"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

- Runtime IAM permissions for `ev-node` (minimum): `kms:GetPublicKey`, `kms:Sign`
- AWS credentials available to the node process (IAM role, env vars, or shared profile).

## 1. Create an ED25519 KMS key (example)

```bash
aws kms create-key \
  --description "ev-node signer" \
  --key-usage SIGN_VERIFY \
  --key-spec ECC_NIST_EDWARDS25519
```

Copy the returned key ARN (or key ID). You can also create an alias and use that.

## 2. Configure evnode.yaml

```yaml
signer:
  signer_type: "kms"
  kms:
    provider: "aws"
    aws:
      key_id: "arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      region: "us-east-1"   # optional but recommended
      profile: "prod"       # optional; omit when using IAM role/env creds
      timeout: "1s"         # must be > 0
      max_retries: 3        # must be >= 0
```

## 3. Start as an aggregator

```bash
evnode start --evnode.node.aggregator
```

You should see a startup log line:

```
initialized AWS KMS signer via factory
```

## Troubleshooting

- `evnode.signer.kms.aws.key_id is required when signer.signer_type is kms and signer.kms.provider is aws`: Set `signer.kms.aws.key_id`.
- `unsupported key type from KMS: expected ed25519`: Recreate the key as `ECC_NIST_EDWARDS25519`.
- `KMS Sign failed ...`: Check IAM permissions, key policy, region/profile, and network access to AWS KMS.
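An added example, not code from ev-node or this guide: a small Python check that decodes the base64 `PublicKey` field returned by `aws kms get-public-key` and confirms the key spec behind the `unsupported key type` error, returning the raw 32-byte Ed25519 key on success. It assumes the standard DER SubjectPublicKeyInfo encoding from RFC 8410 and runs on constructed sample blobs; ev-node's own check may be implemented differently.

```python
import base64
import binascii

# DER SubjectPublicKeyInfo prefix for an Ed25519 key (RFC 8410):
# SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33) { 0x00 || key[32] } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

# Algorithm OIDs for the other asymmetric key specs KMS can hand back, so a
# wrong KeySpec is reported by name rather than as opaque DER bytes.
OTHER_KEY_OIDS = {
    bytes.fromhex("06092a864886f70d010101"): "RSA",                    # rsaEncryption
    bytes.fromhex("06072a8648ce3d0201"): "ECDSA (id-ecPublicKey)",     # NIST / secp256k1 curves
}

def extract_ed25519_public_key(spki_der: bytes) -> bytes:
    """Return the raw 32-byte Ed25519 key from a DER SubjectPublicKeyInfo,
    or raise ValueError mirroring the "expected ed25519" startup failure."""
    if len(spki_der) == 44 and spki_der.startswith(ED25519_SPKI_PREFIX):
        return spki_der[len(ED25519_SPKI_PREFIX):]
    for oid, name in OTHER_KEY_OIDS.items():
        if oid in spki_der:
            raise ValueError(f"unsupported key type from KMS: expected ed25519, got {name}")
    raise ValueError("unsupported key type from KMS: expected ed25519 (unrecognised SPKI)")

def check_kms_public_key(public_key_b64: str) -> str:
    """Decode the base64 PublicKey field printed by `aws kms get-public-key`
    and return the raw Ed25519 public key as hex."""
    try:
        der = base64.b64decode(public_key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PublicKey is not valid base64: {exc}") from exc
    return extract_ed25519_public_key(der).hex()

# Constructed samples (not real KMS output): an Ed25519 SPKI wrapping the key
# bytes 0x00..0x1f, and a P-256 SPKI standing in for a key with the wrong KeySpec.
SAMPLE_ED25519_RAW_KEY = bytes(range(32))
SAMPLE_ED25519_B64 = base64.b64encode(ED25519_SPKI_PREFIX + SAMPLE_ED25519_RAW_KEY).decode()
SAMPLE_P256_B64 = base64.b64encode(
    bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)
).decode()

if __name__ == "__main__":
    print("ed25519 key:", check_kms_public_key(SAMPLE_ED25519_B64))
    try:
        check_kms_public_key(SAMPLE_P256_B64)
    except ValueError as err:
        print("rejected:", err)
```

To run it against a real key, pass the string printed by `aws kms get-public-key --key-id <KEY_ID> --query PublicKey --output text` to `check_kms_public_key`.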
