
AWS Secrets Manager key pairs

To configure Tessera to use AWS Secrets Manager key pairs, provide the vault information in the configuration file. You can use Tessera to generate AWS Secrets Manager keys.

Provide the secret IDs for both keys with an optional endpoint.


The endpoint is optional because the AWS SDK can fall back to its built-in property retrieval chain, for example, using the environment variable AWS_REGION or the ~/.aws/config file.

The AWS SDK documentation explains how to use credentials.

AWS Secrets Manager key pair configuration

"keys": {
    "keyVaultConfigs": [
        {
            "keyVaultConfigType": "AWS",
            "properties": {
                "endpoint": ""
            }
        }
    ],
    "keyData": [
        {
            "awsSecretsManagerPublicKeyId": "secretIdPub",
            "awsSecretsManagerPrivateKeyId": "secretIdKey"
        }
    ]
}

This example configuration retrieves the secrets secretIdPub and secretIdKey from AWS Secrets Manager using the endpoint


If you receive a Credential should be scoped to a valid region error when starting Tessera, the region specified in the endpoint differs from the region the AWS SDK has retrieved from its property retrieval chain. You can resolve this by setting the AWS_REGION environment variable to the same region as defined in the endpoint.

Environment variables must be set if using AWS Secrets Manager.
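
A preflight check for the region mismatch and key pair layout described above, as an added example that is not part of Tessera or of the original page. The function names, the sample endpoint and region, and the assumption that the endpoint uses the standard `secretsmanager.<region>.amazonaws.com` hostname form are all introduced here for illustration.

```python
import json
import os
import re
from urllib.parse import urlparse

# Assumption: standard regional host, secretsmanager[-fips].<region>.amazonaws.com[.cn]
_HOST_RE = re.compile(r"^secretsmanager(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$")

def endpoint_region(endpoint):
    """Return the region named in a Secrets Manager endpoint URL, or None."""
    match = _HOST_RE.match(urlparse(endpoint).hostname or "")
    return match.group(1) if match else None

def preflight(config, env=None):
    """Return a list of problems in the "keys" section of a Tessera config."""
    env = os.environ if env is None else env
    keys = config.get("keys", {})
    vaults = [v for v in keys.get("keyVaultConfigs", [])
              if v.get("keyVaultConfigType") == "AWS"]
    problems = []
    for i, pair in enumerate(keys.get("keyData", [])):
        pub = pair.get("awsSecretsManagerPublicKeyId")
        priv = pair.get("awsSecretsManagerPrivateKeyId")
        if bool(pub) != bool(priv):
            problems.append(f"keyData[{i}]: public and private secret IDs are both required")
        if (pub or priv) and not vaults:
            problems.append(f"keyData[{i}]: no AWS entry in keyVaultConfigs")
    for vault in vaults:
        endpoint = vault.get("properties", {}).get("endpoint", "")
        if not endpoint:
            continue  # optional: the SDK resolves the region through its own chain
        region, sdk_region = endpoint_region(endpoint), env.get("AWS_REGION")
        if region is None:
            problems.append(f"endpoint {endpoint!r}: region not recognised")
        elif sdk_region and sdk_region != region:
            # The condition behind "Credential should be scoped to a valid region"
            problems.append(f"region mismatch: endpoint {region}, AWS_REGION {sdk_region}")
    return problems

# Constructed sample config; the endpoint and region are illustrative values.
SAMPLE = json.loads("""{"keys": {
  "keyVaultConfigs": [{"keyVaultConfigType": "AWS", "properties":
    {"endpoint": "https://secretsmanager.us-west-2.amazonaws.com"}}],
  "keyData": [{"awsSecretsManagerPublicKeyId": "secretIdPub",
               "awsSecretsManagerPrivateKeyId": "secretIdKey"}]}}""")

if __name__ == "__main__":
    print(preflight(SAMPLE) or "no problems found")
```

An unset `AWS_REGION` is not flagged, because the SDK may still resolve a region from `~/.aws/config`, which this check does not read.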
