diff --git a/docs/Privacy/Tessera/Configuration/Keys.md b/docs/Privacy/Tessera/Configuration/Keys.md index 2e2f69ad2..0bb1aa664 100644 --- a/docs/Privacy/Tessera/Configuration/Keys.md +++ b/docs/Privacy/Tessera/Configuration/Keys.md @@ -14,6 +14,9 @@ You can use existing private/public key pairs as well as use Tessera to generate "tlsKeyStorePath": "Path", "tlsTrustStorePath": "Path" }, + "awsKeyVaultConfig":{ + "endpoint": "Url" + } "keyData": [ { // The data for a private/public key pair @@ -159,30 +162,6 @@ Passwords must be provided so that Tessera can decrypt and use the private keys. | Direct | `"passwords": ["pwd1", "pwd2", ...]`
Empty strings should be used for unlocked keys. Passwords must be provided in the order that key pairs are defined in the config. Not recommended for production use. | | CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. | -### AWS Secrets Manager key pairs -The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): -```json -"keys": { - "awsKeyVaultConfig":{ - "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" - }, - "keyData": [ - { - "awsSecretsManagerPublicKeyId": "secretIdPub", - "awsSecretsManagerPrivateKeyId": "secretIdKey" - } - ] - } -``` - -This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. - -!!! info - A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`. - -!!! 
info - Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) - ### Azure Key Vault key pairs The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys: ```json 
@@ -238,6 +217,30 @@ Tessera requires TLS certificates and keys to be stored in `.jks` Java keystore !!! info If using a Hashicorp Vault additional environment variables must be set and a version 2 K/V secret engine must be enabled. For more information see [Setting up a Hashicorp Vault](../../Tessera%20Services/Keys/Setting%20up%20a%20Hashicorp%20Vault). +### AWS Secrets Manager key pairs +The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys. The endpoint is optional as the _AWS SDK_ can fallback to its inbuilt property retrieval chain (e.g. using the environment variable `AWS_REGION` or `~/.aws/config` file - see [the AWS docs](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html) for similar behaviour explained in the context of credentials): +```json +"keys": { + "awsKeyVaultConfig":{ + "endpoint": "https://secretsmanager.us-west-2.amazonaws.com" + }, + "keyData": [ + { + "awsSecretsManagerPublicKeyId": "secretIdPub", + "awsSecretsManagerPrivateKeyId": "secretIdKey" + } + ] + } +``` + +This example configuration will retrieve the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`. + +!!! info + A `Credential should be scoped to a valid region` error when starting means that the region specified in the `endpoint` differs from the region the AWS SDK has retrieved from its [property retrieval chain](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/credentials.html). This can be resolved by setting the `AWS_REGION` environment variable to the same region as defined in the `endpoint`. + +!!! 
info + Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager) + ## Multiple Keys If wished, multiple key pairs can be specified for a Tessera node. In this case, any one of the public keys can be used to address a private transaction to that node. Tessera will sequentially try each key to find one that can decrypt the payload. This can be used, for example, to simplify key rotation. diff --git a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md index 0ab8adc67..bd434c0b2 100644 --- a/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md +++ b/docs/Privacy/Tessera/Tessera Services/Keys/Setting up an AWS Secrets Manager.md @@ -8,6 +8,10 @@ The _AWS Secrets Manager_ documentation provides much of the information needed * [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) * [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html) +## Creating the AWS Secrets Manager + +Once you have set up your AWS profile, you will be able to use AWS Secrets Manager. + ## Enabling Tessera to use the _AWS Secrets Manager_ ### Environment Variables
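Review bot: the skeleton config in the first Keys.md hunk (`@@ -14,6 +14,9 @@`) is no longer valid JSON: the inserted `"awsKeyVaultConfig":{ "endpoint": "Url" }` block is followed directly by `"keyData": [` with no separating comma, so anyone copying the template gets a parse error at startup. Change the closing line to `},` and, since the moved section further down states that the endpoint is optional, consider annotating the block as optional in the template as well.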
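Review bot: in the Keys.md hunk at `@@ -238,6 +217,30 @@`, the moved AWS section links to the SDK for Java v2 credentials guide (`sdk-for-java/v2/developer-guide/credentials.html`) for the property retrieval chain and the `AWS_REGION` remedy in the info box, while the "Setting up an AWS Secrets Manager" page touched in the same patch links to the v1 developer guide (`sdk-for-java/v1/developer-guide/welcome.html`). Credential and region resolution differ between the two major versions, so both pages should point at the SDK version Tessera actually uses; please pick one and make the links consistent.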
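Review bot: the new `## Creating the AWS Secrets Manager` section in the Setting-up page is a one-sentence stub that gives the reader nothing to act on: it does not say that two secrets must be created (the ones Keys.md later references as `awsSecretsManagerPublicKeyId` and `awsSecretsManagerPrivateKeyId`) or that they hold the public and private key values, and the heading reads as though the service itself is being created rather than secrets within it. Either write the steps out (or link to the User Guide already listed just above) and rename the heading to something like "Creating the secrets", or leave the stub out until it is written.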