Setting up an AWS Key Management Service (AWS KMS)
1. Log in to the Stream Administration Interface.
2. Go to Keystores and keys and click .
3. In Type, select AWS. In Name, set the name you want to give to your keystore. Optionally, you can add a description to your keystore.
4. Select the AWS credential to use to connect to the AWS Key Management Service. If you do not have your AWS KMS credentials set up in Stream yet, please refer to the Credentials part of the Managing Security section.
5. Input the AWS server’s region in AWS Region. Optionally, you can specify the AWS Role ARN that should be impersonated for that KMS. Additionally, you can specify the proxy to use as well as the timeout period. Once you are done, click "Add".
To allow Stream to use the keys in the AWS KMS for signing, you need to grant it the proper permissions in the AWS console. For more information on this topic, please refer to this link, under "Asymmetric KMS keys for signing and verification".
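As an added example (not part of the Stream documentation or product), the following check audits an IAM identity policy intended for the credential Stream uses, reporting signing actions that are missing and grants that go beyond them. It assumes the four key-user actions AWS lists for asymmetric signing keys are what the credential needs; the policy documents, account ID and key ID are constructed placeholders.

```python
import fnmatch

# Actions AWS lists for key users of asymmetric signing keys. Assumption: the
# credential Stream uses needs these four and nothing else on the key.
SIGNING_ACTIONS = {"kms:describekey", "kms:getpublickey", "kms:sign", "kms:verify"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_signing_policy(policy):
    """Return (missing, excess, any_resource) for the Allow statements of an
    identity policy. Simplified: NotAction, Deny and Condition are ignored."""
    granted, any_resource = set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive, so compare in lower case.
        granted.update(a.lower() for a in _as_list(stmt.get("Action", [])))
        any_resource |= "*" in _as_list(stmt.get("Resource", []))
    missing = {a for a in SIGNING_ACTIONS
               if not any(fnmatch.fnmatchcase(a, g) for g in granted)}
    excess = granted - SIGNING_ACTIONS   # wildcards and unrelated actions
    return missing, excess, any_resource

# Constructed sample policies; the account ID and key ID are placeholders.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign", "kms:Verify"],
     "Resource": KEY_ARN}]}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        missing, excess, any_resource = audit_signing_policy(doc)
        print(name, "missing:", sorted(missing), "excess:", sorted(excess),
              "any resource:", any_resource)
```

The `any_resource` flag applies to identity policies only; in a key policy, `"Resource": "*"` refers to the key the policy is attached to.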
If everything is configured correctly, your keystore should appear in your keystores list with a green circle next to its name.
