
Use Web3Signer with AWS Secrets Manager

Web3Signer supports signing with BLS private keys stored as secrets in AWS Secrets Manager.

The AWS Secrets Manager documentation provides the information you need to get started.

Store a private key in AWS Secrets Manager

You need an AWS profile to use AWS Secrets Manager.

Use the Create a secret guide to store a new key in AWS Secrets Manager.

The following is an example of creating and storing a BLS private key in AWS Secrets Manager, using Java and the AWS SDK for Java v2:

import java.util.UUID;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.CreateSecretRequest;

final String AWS_REGION = "us-east-2";
final String SECRET_VALUE = "secret-name"; // placeholder: the BLS private key to store goes here
final SecretsManagerClient secretsManagerClient = SecretsManagerClient.builder().region(Region.of(AWS_REGION)).build();
final String secretNamePrefix = "web3signer-aws-integration/";
final String secretName = secretNamePrefix + UUID.randomUUID(); // unique name for this key
final CreateSecretRequest secretRequest = CreateSecretRequest.builder().name(secretName).secretString(SECRET_VALUE).build();
secretsManagerClient.createSecret(secretRequest); // store the secret in AWS Secrets Manager

Specify the following in the signing key configuration file:

  • Authentication mode. Valid options are ENVIRONMENT and SPECIFIED. If ENVIRONMENT is used, credentials are obtained from the AWS default credential provider chain.

  • Secret name.

  • Region to connect to.

Cache AWS Secrets Manager when loading multiple keys

When loading multiple keys from AWS Secrets Manager, a new AWS client is created for each key. You can improve performance by caching and reusing the same AWS Secrets Manager client for every key that uses the same access key ID and region.

Set the eth2 subcommand's --aws-connection-cache-size option to the maximum number of AWS Secrets Manager connections to cache. The default is 1.
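The following Java helper is an added illustration, not Web3Signer's own code, of the two authentication modes above (default credential provider chain versus explicitly supplied credentials) and of reusing one client per access key ID and region when many keys are loaded. It uses the AWS SDK for Java v2; the class CachedSecretsReader and its method names are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

/** Hypothetical helper: one SecretsManagerClient per (access key ID, region) pair. */
public final class CachedSecretsReader {
  // Cache key is "<accessKeyId>@<region>"; the access key ID is empty in ENVIRONMENT mode.
  private final Map<String, SecretsManagerClient> clients = new ConcurrentHashMap<>();

  /** ENVIRONMENT mode: credentials come from the default credential provider chain. */
  public String readSecret(final String secretName, final String region) {
    return readSecret(secretName, region, null, null);
  }

  /** SPECIFIED mode when accessKeyId is non-null, otherwise ENVIRONMENT mode. */
  public String readSecret(final String secretName, final String region,
      final String accessKeyId, final String secretAccessKey) {
    final String cacheKey = (accessKeyId == null ? "" : accessKeyId) + "@" + region;
    final SecretsManagerClient client = clients.computeIfAbsent(cacheKey, k -> {
      final AwsCredentialsProvider creds = accessKeyId == null
          ? DefaultCredentialsProvider.create()
          : StaticCredentialsProvider.create(
              AwsBasicCredentials.create(accessKeyId, secretAccessKey));
      return SecretsManagerClient.builder()
          .region(Region.of(region))
          .credentialsProvider(creds)
          .build();
    });
    final GetSecretValueRequest request =
        GetSecretValueRequest.builder().secretId(secretName).build();
    // The returned string is the BLS private key: hand it to the signer, never log it.
    return client.getSecretValue(request).secretString();
  }

  /** Distinct clients created so far: one per access key ID and region, not per key. */
  public int cachedClientCount() {
    return clients.size();
  }

  /** Release every cached client when the signer shuts down. */
  public void close() {
    clients.values().forEach(SecretsManagerClient::close);
    clients.clear();
  }
}
```

Loading ten secrets that share one access key ID and region through this helper creates a single client, which is the effect the --aws-connection-cache-size option is meant to give you.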
