A Cloud KMS signer uses a signing key generated and stored inside a cloud key management service — AWS KMS, Azure Key Vault, or GCP Cloud HSM. The key is non-extractable by design: no employee at your company (or at the cloud provider) can ever retrieve the raw key material. Cloud KMS signers support advanced enterprise security controls natively, including IP allowlisting, cloud IAM-based access policies, rate limiting, circuit breakers, and detailed audit logs and alerting. For a conceptual overview, see Cloud KMS in the Wallet Signers guide. To learn how to register additional operational signers on an existing wallet, see Registering a signer.

Configuration

For a step-by-step guide on setting up an AWS KMS signer, see the AWS KMS signer guide.
Guides for Azure Key Vault and GCP Cloud HSM signers are coming soon. Contact our team if you need help configuring Cloud KMS signers for your project.