Skip to main content

AWS Secrets Manager key pairs

To configure Tessera to use AWS Secrets Manager key pairs, provide the vault information in the configuration file. You can use Tessera to generate AWS Secrets Manager keys.

Provide the secret IDs for both keys with an optional endpoint.


The endpoint is optional because the AWS SDK can fall back to its built-in property retrieval chain, for example, using the environment variable AWS_REGION or the ~/.aws/config file.

The AWS SDK documentation explains using credentials.

AWS Secrets Manager key pair configuration
"keys": {
"keyVaultConfigs": [
"keyVaultConfigType": "AWS",
"properties": {
"endpoint": ""
"keyData": [
"awsSecretsManagerPublicKeyId": "secretIdPub",
"awsSecretsManagerPrivateKeyId": "secretIdKey"

This example configuration retrieves the secrets secretIdPub and secretIdKey from AWS Secrets Manager using the endpoint


If you receive a Credential should be scoped to a valid region error when starting Tessera, the region specified in the endpoint differs from the region the AWS SDK has retrieved from its property retrieval chain. You can resolve this by setting the AWS_REGION environment variable to the same region as defined in the endpoint.

Environment variables must be set if using AWS Secrets Manager.