
Serto Agent in AWS

Serto Agent is available in the AWS Marketplace. It's bundled as an AMI which requires KMS access permissions in order to manage your private keys in a secure way.

To run a Serto Agent instance correctly, you'll need to complete the following main tasks:

  1. Create IAM role for KMS access (enterprise version)
  2. Launch Serto Agent
  3. Setup HTTPS
  4. First access
  5. Setup DNS

Assumptions and Prerequisites

This tutorial assumes that:

  • You have an AWS account. If you don't already have one, please register here. Be aware that the registration process may take up to 24 hours.

Each DID you create uses AWS KMS to generate a key. This action costs money. Generating a large number of DIDs may result in substantial AWS charges. Reduce your AWS costs by limiting the number of DIDs you create to what you need. Learn more about the KMS pricing here.

Step 1 (Enterprise only): Create IAM role for KMS access

Serto Agent Enterprise requires a KMS to manage its keys, and this step exists only to set that up. If you're using Serto Agent Free, you can go to the next step.

Before you launch a Serto Agent instance, you need to create an IAM role so that you can associate Serto Agent with that role later. This allows the agent to access the AWS KMS service.

The first step is to create a policy for your KMS service, and then configure the IAM Role. Follow these steps:

Create a Policy for your KMS service

  1. Log in to AWS Marketplace with your AWS account
  2. Click button Sign in to the Console > IAM > Policies. Remember to select your preferred region
  3. Click button Create policy and select the following options:
    • Service:
      • KMS
    • Access level
      • Read:
        • GetPublicKey
      • Write:
        • CreateKey
        • ScheduleKeyDeletion
        • Sign
    • Resources:
      • Select:
        • Any in this account
  4. Click button Next: Tags
    • Add any tags to identify the policy (e.g. serto-agent-kms-policy)
  5. Click button Next: Review
    • Give a name to your policy (e.g. serto-agent-kms)
  6. Click button Create
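
The console selections above, written out as a policy document and paired with a check that an existing policy grants exactly these four actions. This is an added example, not code from Serto; the account ID is a constructed sample, and the ARN pattern used for "Any in this account" and the names build_policy and audit are assumptions.

```python
import json
from fnmatch import fnmatchcase

# The four KMS actions ticked in the console steps above.
REQUIRED = ["kms:CreateKey", "kms:GetPublicKey", "kms:ScheduleKeyDeletion", "kms:Sign"]

def build_policy(account_id):
    """Policy document for the agent role (account_id is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # A key has no ARN before it exists, so CreateKey takes "*".
            {"Sid": "CreateKeys", "Effect": "Allow",
             "Action": "kms:CreateKey", "Resource": "*"},
            # Assumed form of "Any in this account": all keys, any region.
            {"Sid": "UseKeys", "Effect": "Allow",
             "Action": ["kms:GetPublicKey", "kms:ScheduleKeyDeletion", "kms:Sign"],
             "Resource": f"arn:aws:kms:*:{account_id}:key/*"},
        ],
    }

def _listify(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def audit(policy):
    """Return (missing, excess) for the Allow statements of a policy.

    missing: required actions that no Allow pattern covers.
    excess:  Allow patterns that are not exactly one of the four actions
             (wildcards such as kms:* or actions of other services).
    NotAction, Deny and Condition elements are not evaluated here.
    """
    patterns = [a for s in _listify(policy.get("Statement", []))
                if s.get("Effect") == "Allow"
                for a in _listify(s.get("Action", []))]
    lowered = [p.lower() for p in patterns]  # action names are case-insensitive
    wanted = [r.lower() for r in REQUIRED]
    missing = [r for r in REQUIRED
               if not any(fnmatchcase(r.lower(), p) for p in lowered)]
    excess = sorted({p for p in patterns if p.lower() not in wanted})
    return missing, excess

if __name__ == "__main__":
    doc = build_policy("111122223333")  # constructed sample account ID
    print(json.dumps(doc, indent=2))
    print(audit(doc))
```

A result of `([], [])` means the policy covers the four actions and nothing else; any entry in the second list is a permission the agent role does not need for the steps on this page.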

Configure the IAM Role

  1. In the IAM dashboard, go to Roles
  2. Click button Create Role
  3. Select the following options:
    • Type of trusted entity:
      • AWS Service
    • Use case:
      • EC2
  4. Click button Next: Permissions
  5. Search and select the policy you just created (e.g. serto-agent-kms)
  6. Click button Next: Tags
    • Add tags to help you identify your role (e.g. serto-agent-kms-NAME)
  7. Click button Next: Review
  8. Give the Role a name (e.g. serto-agent-role)
  9. Click button Create Role
  10. Done! When you launch the Serto Agent instance in the next step, you can associate the instance with the IAM Role you just created.

Step 2: Launch Serto Agent Instance

To launch a Serto Agent instance and give it access to the KMS service, follow these steps:

  1. Make sure you are logged in to your AWS account
  2. Go to AWS Console > EC2 > Instances (if you see a Services dropdown in the menu bar, click and go to EC2)
  3. Click button Launch Instances
  4. Click on AWS Marketplace
  5. Search for Serto Agent Free and click Select
  6. Follow the instructions on the screen
    • Step 1: Choose AMI, click button Continue
    • Step 2: Choose Instance Type, t2.micro should be selected. Click button Configure Instance Details
    • Step 3: Configure Instance, under IAM role, select the KMS role (e.g. serto-agent-role) for your instance. If none exists, please create a new IAM role and then select it. This will allow the Agent to access the KMS service later.
    • Continue with the rest of the steps. Once done, click button Launch
    • If you have not selected a key pair, you will see a modal to Select an existing key pair or create a new key pair. Follow the instructions to use an existing key or create a new key pair. Click button Launch Instances
  7. Done! Once your instance is launched, click button View Instances to see the instance on the EC2 Dashboard.

Step 3: Setup HTTPS

To protect your Serto Agent instance, you need to configure the HTTPS protocol. Follow these steps:

  1. Go to AWS Console > EC2 > Load Balancers using the same region
  2. Click button Create Load Balancer and choose the Application Load Balancer option
  3. Name the load balancer and add a listener for the HTTPS port
  4. Choose the Availability Zone used by your EC2 instance
  5. Click button Next
  6. Choose the type of certificate you'll use
  7. Create a security group that gives access to port 443
  8. Name the route and click button Next
  9. Register the Serto Agent EC2 instance as a target and click button Next
  10. Review the information and click button Create

Step 4: First access

  1. Access AWS Console > EC2 > Instances
  2. Click on Instance ID on the dashboard
  3. Click open address under Public IPv4 Address or DNS to access the Serto Agent front-end
  4. To log in to Serto Agent, use admin as username and the EC2 instance ID as password.

Step 5: Setup DNS

Why a domain for your agent?

There are a few reasons why a DID agent requires a domain connected to it:

  • When using the did:web method for your DIDs, the agent needs to serve the .well-known/did.json file under the same domain presented in the did:web identifier. Note that this path is NOT the "DID configuration" but the "DID document" of your did:web identifier.
  • The agent can also serve a DID configuration under .well-known/did-configuration.json, in case the domain is connected to it.
  • In order to expose the DIDComm endpoint for messaging, the agent needs to have a public domain.

Additionally, having your agent run under a domain or subdomain that belongs to your organization will help other parties recognize and trust DIDs managed by the agent.
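
How a resolver turns a did:web identifier into the URL of the DID document shows why the domain in the identifier has to be the one the agent is served under. This is an added example, not Serto's code; it follows the did:web mapping rules, also covers identifiers with a port or extra path segments, and uses constructed domains and hypothetical function names.

```python
from urllib.parse import unquote, urlsplit

def did_web_to_url(did):
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    segments = did[len(prefix):].split(":")
    if not all(segments):
        raise ValueError("empty segment in identifier")
    host = unquote(segments[0])          # "%3A" encodes the port separator
    path = segments[1:]
    if "/" in host or any("/" in s or s in (".", "..") for s in path):
        raise ValueError("identifier must not carry path separators")
    if path:                             # did:web:host:a:b -> /a/b/did.json
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"

def served_by(did, agent_domain):
    """True when the DID document URL is on the agent's own domain."""
    host = urlsplit(did_web_to_url(did)).hostname
    return host == agent_domain.lower().rstrip(".")

if __name__ == "__main__":
    # Constructed identifiers; agent.example.com stands in for your domain.
    for sample in ("did:web:agent.example.com",
                   "did:web:agent.example.com:users:alice",
                   "did:web:agent.example.com%3A8443",
                   "did:web:other.example.org"):
        print(sample, "->", did_web_to_url(sample),
              served_by(sample, "agent.example.com"))
```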

How to connect a domain to your agent?

In order to connect a domain to a Serto Agent instance you'll need privileges to access your DNS provider and to manage the DNS entries.

  1. Go to AWS Console > EC2 > Load Balancers
  2. Click the load balancer used by your Serto Agent instance
  3. Copy the DNS name of the Serto Agent load balancer
  4. Go to your DNS provider and create a CNAME record pointing to the DNS name copied in the previous step.