Skip to content

Setting up AWS Secrets Manager

The private/public key pairs used by Tessera can be stored in and retrieved from a key vault, preventing the need to store the keys locally.

This page details how to set up and configure an AWS Secrets Manager for use with Tessera.

The AWS Secrets Manager documentation provides much of the information needed to get started. The information in this section has been taken from the following pages of the AWS documentation:

Creating the AWS Secrets Manager

Once you have set up your AWS profile, you will be able to use AWS Secrets Manager.

Enabling Tessera to use the AWS Secrets Manager

Environment Variables

If using an AWS Secrets Manager, configuration credentials can be provided in many ways as outlined in the AWS docs - Supplying and Retrieving AWS Credentials.

To use environment variables set the following:

  1. AWS_REGION: region_to_connect_to (i.e. us-west-2)
  2. AWS_ACCESS_KEY_ID: your_access_key_id
  3. AWS_SECRET_ACCESS_KEY: your_secret_access_key

The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for a particular user can be retrieved from the AWS IAM Management Console.


The AWS Secrets Manager dependencies are included in the tessera-app-<version>-app.jar. If using the tessera-simple-<version>-app.jar then aws-key-vault-<version>-all.jar must be added to the classpath.