Skip to main content
This tutorial demonstrates how to use an ECC_SECG_P256K1 key in AWS KMS to sign Hedera transactions. This solution ensures that your private keys are never exposed in your application environment.
SDK constraint: In Rust, C++, and Swift, the one-shot setECDSAKeyWithAlias() / set_ecdsa_key_with_alias() / keyWithAlias() methods require a local PrivateKey and cannot be used in HSM flows. In these SDKs, use the manual two-step pattern:
In JavaScript, Java, Python, and Go, the one-shot method accepts PublicKey directly.

Prerequisites

Before you begin, ensure you have:
  • An AWS account with appropriate permissions
  • AWS CLI installed and configured (Installation Instructions)
  • Node.js (version 18.0.0 or higher)
  • A Hedera Testnet account. If you don’t have one, you can register at the Hedera Developer Portal

Part 1: AWS KMS Setup

1. Create an ECC Key in AWS KMS

Create an asymmetric key with the ECC_SECG_P256K1 key spec, which is compatible with Hedera’s ECDSA key requirements.
Save the Key ID from the output. It will look like: arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLE11111 Create an alias for easier reference to your key.

3. Set Up IAM Permissions

Create an IAM policy that allows your application to use the KMS key for signing operations.
Attach this policy to an IAM user or role that your application will use.

Part 2: Application Setup

1. Install Dependencies

Create a new Node.js project and install the required dependencies.

2. Create the .env File

Create a .env file with your AWS credentials and Hedera account details.

3. Create the Signer Function

Create a custom signer function that uses AWS KMS to sign transaction bytes.

4. Create and Sign a Transaction

Use the custom signer to create and sign a Hedera transaction.

Part 3: Verification

1. Verify Key Configuration

Verify that your KMS key is configured correctly:
The output should show:
  • KeySpec: ECC_SECG_P256K1
  • KeyUsage: SIGN_VERIFY

2. Test Transaction Signing

Run your application and verify that transactions are being signed successfully with the KMS key.

Cleanup

To avoid ongoing charges, delete the KMS key when you’re done:
Important: Deleting a KMS key is irreversible. Make sure you have backups of any data encrypted with this key before deletion.

Resources