ECC_SECG_P256K1 key in AWS KMS to sign Hedera transactions. This solution ensures that your private keys are never exposed in your application environment.
SDK constraint: In Rust, C++, and Swift, the one-shot In JavaScript, Java, Python, and Go, the one-shot method accepts
setECDSAKeyWithAlias() / set_ecdsa_key_with_alias() / keyWithAlias() methods require a local PrivateKey and cannot be used in HSM flows. In these SDKs, use the manual two-step pattern:PublicKey directly.Prerequisites
Before you begin, ensure you have:- An AWS account with appropriate permissions
- AWS CLI installed and configured (Installation Instructions)
- Node.js (version 18.0.0 or higher)
- A Hedera Testnet account. If you don’t have one, you can register at the Hedera Developer Portal
Part 1: AWS KMS Setup
1. Create an ECC Key in AWS KMS
Create an asymmetric key with theECC_SECG_P256K1 key spec, which is compatible with Hedera’s ECDSA key requirements.
arn:aws:kms:us-east-1:123456789012:key/abcd1234-5678-90ab-cdef-EXAMPLE11111
2. Create a Key Alias (Optional but Recommended)
Create an alias for easier reference to your key.3. Set Up IAM Permissions
Create an IAM policy that allows your application to use the KMS key for signing operations.Part 2: Application Setup
1. Install Dependencies
Create a new Node.js project and install the required dependencies.2. Create the .env File
Create a .env file with your AWS credentials and Hedera account details.
3. Create the Signer Function
Create a custom signer function that uses AWS KMS to sign transaction bytes.4. Create and Sign a Transaction
Use the custom signer to create and sign a Hedera transaction.Part 3: Verification
1. Verify Key Configuration
Verify that your KMS key is configured correctly:KeySpec: ECC_SECG_P256K1KeyUsage: SIGN_VERIFY