mirror of https://github.com/poanetwork/quorum.git
added documentation for Tessera AWS Secrets Manager integration
This commit is contained in:
parent
877f85208e
commit
1b6eeb9588
@ -159,6 +159,27 @@ Passwords must be provided so that Tessera can decrypt and use the private keys.
| Direct | `"passwords": ["pwd1", "pwd2", ...]`<br/>Empty strings should be used for unlocked keys. Passwords must be provided in the order that key pairs are defined in the config. Not recommended for production use. |
| CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. |
### AWS Secrets Manager key pairs
The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys, while the endpoint is optional as the _AWS SDK_ can choose the right one based on _AWS_REGION_ environment variable value:
```json
"keys": {
"awsKeyVaultConfig":{
"endpoint": "https://secretsmanager.us-west-2.amazonaws.com"
},
"keyData": [
{
"awsSecretsManagerPublicKeyId": "secretIdPub",
"awsSecretsManagerPrivateKeyId": "secretIdKey"
}
]
}
```
This example configuration will retrieve the specified versions of the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`.
!!! info
Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager.md)
### Azure Key Vault key pairs
The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys:
```json
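Review bot: the sentence after the JSON example says the configuration "will retrieve the specified versions of the secrets", but the example specifies no version at all, only `awsSecretsManagerPublicKeyId` and `awsSecretsManagerPrivateKeyId`; either drop "specified versions" or document how a secret version is selected when none is given. Two smaller points in the same hunk: `"awsKeyVaultConfig":{` is missing the space after the colon that the rest of the block uses, and the `!!! info` admonition is a comma splice ("...Secrets Manager, for more information see..."), which should be split into two sentences. Since `endpoint` is described as optional, it would also help readers to state explicitly that when it is omitted the SDK derives the endpoint from `AWS_REGION`, which the sentence before the example only implies.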
@ -0,0 +1,24 @@
The private/public key pairs used by Tessera can be [stored](../Keys) in and [retrieved](../../../Configuration/Keys) from a key vault, preventing the need to store the keys locally.
This page details how to set up and configure an _AWS Secrets Manager_ for use with Tessera.
The _AWS Secrets Manager_ documentation provides much of the information needed to get started. The information in this section has been taken from the following pages of the _AWS_ documentation:
* [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html)
* [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html)
## Enabling Tessera to use the vault
### Environment Variables
If using an _AWS Secrets Manager_, Tessera requires four environment variables to be set:
1. `AWS_REGION`: region_to_connect_to (i.e. us-west-2)
1. `AWS_ACCESS_KEY_ID`: your_access_key_id
1. `AWS_SECRET_ACCESS_KEY`: your_secret_access_key
1. `AWS_SESSION_TOKEN`: your_session_token
To retrieve the last three values you should log into your [AWS Managemenet Console](https://aws.amazon.com/)
### Dependencies
The AWS Secrets Manager dependencies are included in the `tessera-app-<version>-app.jar`. If using the `tessera-simple-<version>-app.jar` then `aws-key-vault-<version>-all.jar` must be added to the classpath.
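Review bot: the list under "Tessera requires four environment variables to be set" presents `AWS_SESSION_TOKEN` as mandatory, but a session token only exists for temporary (STS) credentials; with a long-lived access key pair there is no session token to set, so the text should say it is required only when temporary credentials are used. In the same list, "i.e. us-west-2" should read "e.g. us-west-2" (it is an example region, not a definition), and "Managemenet Console" in the following sentence is a typo for "Management Console". Because `AWS_SECRET_ACCESS_KEY` is a long-lived secret placed in the node's environment, the page would also benefit from stating which permission the credentials need (read access to the two secrets named in the key configuration, nothing broader) so that operators do not grant more than the secret lookup requires.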