Overview

The issuer API supports AWS KMS as a key management solution, so your cryptographic keys can be stored in a secure and scalable way. The API is designed to be stateless and does not store cryptographic key material; therefore, every API call requires the cryptographic key to be provided. When signing and issuing a credential, e.g. via OID4VC, either the complete key in JWK format or a reference to a key stored in an external KMS solution is needed. In production systems, the recommended approach is to use an external KMS solution, so that the private key used to sign a credential never leaves a secure environment. We support the following key types offered by AWS KMS:

  • RSA
  • SECP256R1
  • SECP256K1

We have created a Kotlin-based extension that enhances walt.id crypto with native AWS key management capabilities. This extension introduces AwsKey, a robust implementation leveraging the AWS SDK for Kotlin to manage cryptographic keys. It serves as a more integrated alternative to the platform-agnostic AWSKeyRestAPI found in the base walt.id crypto library.
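The following is an added example, not code from the AwsKey extension or from walt.id: it shows the flow the overview describes, signing a credential-style JWS with a key that is only referenced by its KMS key ID, using the AWS SDK for Kotlin directly with the default credential provider chain. The key ID, region and claims are placeholders; the DER-to-raw conversion is included because KMS returns ASN.1 DER ECDSA signatures while JWS ES256 expects a fixed-size r||s value.

```kotlin
import aws.sdk.kotlin.services.kms.KmsClient
import aws.sdk.kotlin.services.kms.model.MessageType
import aws.sdk.kotlin.services.kms.model.SigningAlgorithmSpec
import java.util.Base64

// Placeholder: key ID or ARN of an asymmetric SECP256R1 (ECC_NIST_P256) signing key in KMS.
const val KMS_KEY_ID = "<your-kms-key-id-or-arn>"

private val b64url = Base64.getUrlEncoder().withoutPadding()

/**
 * Converts a DER-encoded ECDSA signature (SEQUENCE { INTEGER r, INTEGER s }), which is
 * what KMS returns, into the fixed-size r||s form that JWS requires for ES256.
 */
fun derToJose(der: ByteArray, partLen: Int = 32): ByteArray {
    require(der[0] == 0x30.toByte()) { "not a DER SEQUENCE" }
    // Skip the SEQUENCE header; the length may use the long form (0x81 nn).
    var i = if ((der[1].toInt() and 0x80) != 0) 2 + (der[1].toInt() and 0x7f) else 2
    val out = ByteArray(partLen * 2)
    repeat(2) { part ->
        require(der[i++] == 0x02.toByte()) { "expected DER INTEGER" }
        var len = der[i++].toInt() and 0xff
        // Drop the leading zero byte DER adds to keep a high-bit INTEGER positive.
        while (len > partLen && der[i] == 0.toByte()) { i++; len-- }
        // Left-pad short values so each part is exactly partLen bytes.
        System.arraycopy(der, i, out, part * partLen + (partLen - len), len)
        i += len
    }
    return out
}

/** Signs a JWS compact serialization with ES256; the private key never leaves KMS. */
suspend fun signJwsWithKms(kms: KmsClient, kmsKeyId: String, payloadJson: String, kid: String): String {
    val header = """{"alg":"ES256","typ":"JWT","kid":"$kid"}"""
    val signingInput = b64url.encodeToString(header.toByteArray()) + "." +
        b64url.encodeToString(payloadJson.toByteArray())
    val resp = kms.sign {
        keyId = kmsKeyId
        message = signingInput.toByteArray()
        messageType = MessageType.Raw            // KMS hashes the message with SHA-256 itself
        signingAlgorithm = SigningAlgorithmSpec.EcdsaSha256
    }
    val sig = derToJose(checkNotNull(resp.signature) { "KMS returned no signature" })
    return "$signingInput.${b64url.encodeToString(sig)}"
}

suspend fun main() {
    // Region is a placeholder; credentials come from the SDK's default provider chain.
    KmsClient { region = "eu-central-1" }.use { kms ->
        val claims = """{"iss":"did:example:issuer","sub":"did:example:holder"}"""  // constructed sample
        println(signJwsWithKms(kms, KMS_KEY_ID, claims, KMS_KEY_ID))
    }
}
```

The IAM principal running this only needs `kms:Sign` on the key (plus `kms:GetPublicKey` if the verifier's public key is fetched from KMS as well), which keeps the blast radius of leaked application credentials to signing, not key export.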

Key Features

  • Native AWS SDK integration for optimal performance
  • Kotlin-specific implementation
  • Seamless key management through AWS KMS

Authentication

The extension uses the AWS SDK's default credential provider chain for authentication, automatically detecting credentials from multiple sources, including:

  • Environment variables
  • AWS credentials file
  • IAM roles for EC2
  • Container credentials
  • SSO credentials

Comparison to Base Implementation

While the base AWSKeyRestAPI offers cross-platform compatibility through REST endpoints, this extension provides:

  • Improved performance through direct SDK calls
  • Enhanced error handling
  • Native integration with AWS services

Get Started