Subcommands
Use the Web3Signer subcommands to specify the platform being used:
web3signer [options] eth2 [Eth2 options]
web3signer [options] eth2 export [Eth2 export options]
web3signer [options] eth2 import [Eth2 import options]
web3signer [options] eth1
web3signer [options] watermark-repair [watermark repair options]
This documentation has been updated in line with the name changes recommended by the Ethereum
Foundation.
The eth1
subcommands relate to the execution layer, previously called “Ethereum 1.0.”
The eth2
subcommands relate to the consensus layer, previously called “Ethereum 2.0.”
Specify subcommand options
The subcommand must be specified on the command line, but the subcommand options can be specified:
- On the command line.
- As environment variables. For each subcommand option, the equivalent environment variable is:
- Uppercase.
_
replaces-
.- Has a
WEB3SIGNER_
+<SIGNING_OPTION>_
prefix.
- In a YAML configuration file.
For example, you can set the --chain-id
option for the eth1
subcommand in an environment
variable export WEB3SIGNER_ETH1_CHAIN_ID=2017
, but the subcommand must be specified in the
command line.
View help
To view the command line help for the subcommands:
Options
eth1
aws-connection-cache-size
- Syntax
- Example
- Environment variable
- Configuration file
--aws-connection-cache-size=<LONG>
--aws-connection-cache-size=5
WEB3SIGNER_ETH1_AWS_CONNECTION_CACHE_SIZE=5
eth1.aws-connection-cache-size: 5
When loading multiple keys from AWS Secrets Manager,
set to the maximum number of connections to cache.
The default is 1
.
aws-endpoint-override
- Syntax
- Example
- Environment variable
- Configuration file
--aws-endpoint-override=<ENDPOINT_URL>
--aws-endpoint-override=http://localstack:4566
WEB3SIGNER_ETH1_AWS_ENDPOINT_OVERRIDE=http://localstack:4566
eth1.aws-endpoint-override="http://localstack:4566"
Endpoint override for AWS KMS. Useful for local testing against LocalStack.
aws-kms-access-key-id
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-access-key-id=<STRING>
--aws-kms-access-key-id=AKIA...EXAMPLE
WEB3SIGNER_ETH1_AWS_KMS_ACCESS_KEY_ID=AKIA...EXAMPLE
eth1.aws-kms-access-key-id: "AKIA...EXAMPLE"
AWS Access Key ID to authenticate AWS KMS.
Required when --aws-kms-auth-mode
is SPECIFIED
.
aws-kms-auth-mode
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-auth-mode=<STRING>
--aws-kms-auth-mode=ENVIRONMENT
WEB3SIGNER_ETH1_AWS_KMS_AUTH_MODE=ENVIRONMENT
eth1.aws-kms-auth-mode: "ENVIRONMENT"
Authentication mode for AWS KMS.
Options are SPECIFIED
and ENVIRONMENT
.
The default is SPECIFIED
.
Set --aws-kms-access-key-id
,
--aws-kms-secret-access-key
, and
--aws-kms-region
if using SPECIFIED
.
aws-kms-client-cache-size
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-client-cache-size=<LONG>
--aws-kms-client-cache-size=5
WEB3SIGNER_ETH1_AWS_KMS_CLIENT_CACHE_SIZE=5
eth1.aws-kms-client-cache-size: "5"
AWS KMS client cache size. Set to the total number of credentials
used to access the service plus the number of regions the service is accessed from. The default is 1
.
aws-kms-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-enabled=<BOOLEAN>
--aws-kms-enabled=true
WEB3SIGNER_ETH1_AWS_KMS_ENABLED=true
eth1.aws-kms-enabled: "true"
Set to true
to enable bulk loading from the AWS KMS. The default is false
.
aws-kms-region
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-region=<STRING>
--aws-kms-region=us-east-2
WEB3SIGNER_ETH1_AWS_KMS_REGION=us-east-2
eth1.aws-kms-region: "us-east-2"
AWS region where AWS KMS is available.
Required when --aws-kms-auth-mode
is SPECIFIED
.
aws-kms-secret-access-key
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-secret-access-key=<STRING>
--aws-kms-secret-access-key=sk...EXAMPLE
WEB3SIGNER_ETH1_AWS_KMS_SECRET_ACCESS_KEY=sk...EXAMPLE
eth1.aws-kms-secret-access-key: "sk...EXAMPLE"
AWS secret access key to authenticate AWS KMS.
Required when --aws-kms-auth-mode
is SPECIFIED
.
aws-kms-tag-names-filter
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-tag-names-filter=<STRING>[,<STRING>,...]
--aws-kms-tag-names-filter=tagName1,tagName2
WEB3SIGNER_ETH1_AWS_KMS_TAG_NAMES_FILTER=tagName1,tagName2
eth1.aws-kms-tag-names-filter: ["tagName1","tagName2"]
Optional comma-separated list of tag names filter to apply while fetching key IDs from AWS KMS.
Applied as AND
operation with other filters.
aws-kms-tag-values-filter
- Syntax
- Example
- Environment variable
- Configuration file
--aws-kms-tag-values-filter=<STRING>[,<STRING>,...]
--aws-kms-tag-values-filter=tagValue1,tagValue2
WEB3SIGNER_ETH1_AWS_KMS_TAG_VALUES_FILTER=tagValue1,tagValue2
eth1.aws-kms-tag-values-filter: ["tagValue1","tagValue2"]
Optional comma-separated list of tag values filter to apply while fetching key IDs from AWS KMS.
Applied as AND
operation with other filters.
azure-vault-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-enabled=<BOOLEAN>
--azure-vault-enabled=true
WEB3SIGNER_ETH1_AZURE_VAULT_ENABLED=true
eth1.azure-vault-enabled: true
Enables bulk loading keys from Azure Key Vault.
The default is false
.
azure-client-id
- Syntax
- Example
- Environment variable
- Configuration file
--azure-client-id=<STRING>
--azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11
WEB3SIGNER_ETH1_AZURE_CLIENT_ID=87efaa5b-4029-4b54-98bb2e2e8a11
eth1.azure-client-id: "87efaa5b-4029-4b54-98bb2e2e8a11"
ID used to authenticate with Azure Key Vault.
Required when --azure-vault-auth-mode
is CLIENT_SECRET
or
USER_ASSIGNED_MANAGED_IDENTITY
.
azure-client-secret
- Syntax
- Example
- Environment variable
- Configuration file
--azure-client-secret=<STRING>
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
WEB3SIGNER_ETH1_AZURE_CLIENT_SECRET=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
eth1.azure-client-secret: "0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z"
The secret used to access the vault along with the ID specified in azure-client-id
.
azure-response-timeout
- Syntax
- Example
- Environment variable
- Configuration file
--azure-response-timeout=<AZURE_RESPONSE_TIMEOUT>
--azure-response-timeout=40
WEB3SIGNER_ETH1_AZURE_RESPONSE_TIMEOUT=40
eth1.azure-response-timeout: "40"
The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using
the timeout
field in the Azure metadata file.
azure-tags
- Syntax
- Example
- Environment variable
- Configuration file
--azure-tags=<TAG_NAME=TAG_VALUE>
--azure-tags=ENV=prod
WEB3SIGNER_ETH1_AZURE_TAGS=ENV=prod
eth1.azure-tags: "ENV=prod"
Tags to filter on with Azure Key Vault.
azure-tenant-id
- Syntax
- Example
- Environment variable
- Configuration file
--azure-tenant-id=<STRING>
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81
WEB3SIGNER_ETH1_AZURE_TENANT_ID=34255fb0-379b-4a1a-bd47-d211ab86df81
eth1.azure-tenant-id: "34255fb0-379b-4a1a-bd47-d211ab86df81"
The tenant ID of the Azure Portal instance being used.
azure-vault-auth-mode
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-auth-mode=<STRING>
--azure-vault-auth-mode=USER_ASSIGNED_MANAGED_IDENTITY
WEB3SIGNER_ETH1_AZURE_VAULT_AUTH_MODE=USER_ASSIGNED_MANAGED_IDENTITY
eth1.azure-vault-auth-mode: "USER_ASSIGNED_MANAGED_IDENTITY"
Authentication mode for Azure Vault.
Options are CLIENT_SECRET
, SYSTEM_ASSIGNED_MANAGED_IDENTITY
, and USER_ASSIGNED_MANAGED_IDENTITY
.
The default is CLIENT_SECRET
.
Set --azure-client-id
if using CLIENT_SECRET
or USER_ASSIGNED_MANAGED_IDENTITY
.
azure-vault-name
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-name=<STRING>
--azure-vault-name=AzureKeyVault
WEB3SIGNER_ETH1_AZURE_VAULT_NAME=AzureKeyVault
eth1.azure-vault-name: "AzureKeyVault"
Name of the vault to access.
Subdomain of vault.azure.net
.
chain-id
- Syntax
- Example
- Environment variable
- Configuration file
--chain-id=<LONG>
--chain-id=2017
WEB3SIGNER_ETH1_CHAIN_ID=2017
eth1.chain-id: "2017"
ID of the chain to receive the signed transactions. The Besu documentation lists chain IDs for public networks.
downstream-http-host
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-host=<downstreamHttpHost>
--downstream-http-host=192.168.05.14
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_HOST=192.168.05.14
eth1.downstream-http-host="192.168.05.14"
Host to which received requests are forwarded.
The default is localhost
.
downstream-http-path
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-path=<downstreamHttpPath>
--downstream-http-path=/v3/d0e63ca5bb1e4eef2284422efbc51a56
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PATH=/v3/d0e63ca5bb1e4eef2284422efbc51a56
eth1.downstream-http-path="/v3/d0e63ca5bb1e4eef2284422efbc51a56"
Path to which received requests are forwarded.
The default is /
.
This might be required if connecting to a cloud-based Ethereum client such as Infura.
downstream-http-port
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-port=<downstreamHttpPort>
--downstream-http-port=6174
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PORT=6174
eth1.downstream-http-port: 6174
Port to which received requests are forwarded.
downstream-http-proxy-host
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-proxy-host=<HOST>
--downstream-http-proxy-host=192.168.05.14
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PROXY_HOST=192.168.05.14
eth1.downstream-http-proxy-host: "192.168.05.14"
Hostname for proxy.
There's no proxy if set to null
.
The default is null
.
downstream-http-proxy-port
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-proxy-port=<PORT>
--downstream-http-proxy-port=8545
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PROXY_PORT=8545
eth1.downstream-http-proxy-port: 8545
Port for proxy.
The default is 80
.
downstream-http-proxy-username
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-proxy-username=<username>
--downstream-http-proxy-username=user
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PROXY_USERNAME=user
eth1.downstream-http-proxy-username: "user"
Username for proxy.
There's no authentication if set to null
.
The default is null
.
downstream-http-proxy-password
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-proxy-password=<password>
--downstream-http-proxy-password=password
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_PROXY_PASSWORD=password
eth1.downstream-http-proxy-password: "password"
Password for proxy.
There's no authentication if set to null
.
The default is null
.
downstream-http-request-timeout
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-request-timeout=<downstreamHttpRequestTimeout>
--downstream-http-request-timeout=3000
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_REQUEST_TIMEOUT=3000
eth1.downstream-http-request-timeout: 3000
Timeout period (in milliseconds) for downstream requests. The default is 5000.
downstream-http-tls-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-tls-enabled=<BOOLEAN>
--downstream-http-tls-enabled=true
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_TLS_ENABLED=true
eth1.downstream-http-tls-enabled: true
Enables or disables TLS for server connections.
The default is false
.
downstream-http-tls-known-servers-file
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-tls-known-servers-file=<FILE>
--downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
WEB3SIGNER_ETH1_DOWNSTREAM_HTTP_TLS_KNOWN_SERVERS_FILE=/Users/me/my_node/knownServers
eth1.downstream-http-tls-known-servers-file=/Users/me/my_node/knownServers
File containing the hostnames, ports, and SHA256 certificate fingerprints of trusted servers.
downstream-http-tls-ca-auth-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--downstream-http-tls-ca-auth-enabled=<BOOLEAN>
--downstream-http-tls-ca-auth-enabled=false
WEB3SIGNER_ETH1_HTTP_TLS_CA_AUTH_ENABLED=false
eth1.downstream-http-tls-ca-auth-enabled: false
Enables or disables connections to servers with trusted CAs.
The default is true
.
keystores-password-file
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-password-file=<FILE>
--keystores-password-file=/Users/me/passwds/keystore_passwords.txt
WEB3SIGNER_ETH1_KEYSTORES_PASSWORD_FILE=/Users/me/passwds/keystore_passwords.txt
eth1.keystores-password-file: "/Users/me/passwds/keystore_passwords.txt"
File that contains the password used by all keystores.
Cannot be set if --keystores-passwords-path
is also specified.
Alternatively, use --keystores-passwords-path
to specify a directory
containing a separate password file for each keystore.
keystores-passwords-path
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-passwords-path=<PATH>
--keystores-passwords-path=/Users/me/passwds
WEB3SIGNER_ETH1_KEYSTORES_PASSWORDS_PATH=/Users/me/passwds
eth1.keystores-passwords-path: "/Users/me/passwds"
Directory containing password files for corresponding keystores.
Each password file name must match the corresponding keystore filename, but with a .txt
extension.
Cannot be set if --keystores-password-file
is also specified.
Alternatively, use --keystores-password-file
to specify a single
password file that contains the password used by all keystores.
keystores-path
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-path=<PATH>
--keystores-path=/Users/me/keystores
WEB3SIGNER_ETH1_KEYSTORES_PATH=/Users/me/keystores
eth1.keystores-path: "/Users/me/keystores"
Directory that stores the keystore files.
Keystore files must use a .json
file extension.
Use --keystores-password-file
or
--keystores-passwords-path
to specify keystore passwords.
Restart Web3Signer if you want to pick up new keystores added to the directory since Web3Signer started.
eth2
aws-connection-cache-size
- Syntax
- Example
- Environment variable
- Configuration file
--aws-connection-cache-size=<LONG>
--aws-connection-cache-size=5
WEB3SIGNER_ETH2_AWS_CONNECTION_CACHE_SIZE=5
eth2.aws-connection-cache-size: 5
When loading multiple keys from AWS Secrets Manager, set to the maximum number of connections to cache. The default is 1.
aws-endpoint-override
- Syntax
- Example
- Environment variable
- Configuration file
--aws-endpoint-override=<ENDPOINT_URL>
--aws-endpoint-override=http://localstack:4566
WEB3SIGNER_ETH2_AWS_ENDPOINT_OVERRIDE=http://localstack:4566
eth2.aws-endpoint-override="http://localstack:4566"
Endpoint override for AWS Secrets Manager. This is useful for local testing against LocalStack.
aws-secrets-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-enabled=<BOOLEAN>
--aws-secrets-enabled=true
WEB3SIGNER_ETH2_AWS_SECRETS_ENABLED=true
eth2.aws-secrets-enabled: true
Enables or disables bulk loading keys from AWS Secrets Manager.
The default is false
.
aws-secrets-auth-mode
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-auth-mode=<STRING>
--aws-secrets-auth-mode=ENVIRONMENT
WEB3SIGNER_ETH2_AWS_SECRETS_AUTH_MODE=ENVIRONMENT
eth2.aws-secrets-auth-mode: "ENVIRONMENT"
Authentication mode for AWS Secrets Manager.
Options are SPECIFIED
and ENVIRONMENT
.
The default is SPECIFIED
.
Set --aws-secrets-access-key-id
,
--aws-secrets-secret-access-key
, and
--aws-secrets-region
if using SPECIFIED
.
aws-secrets-access-key-id
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-access-key-id=<STRING>
--aws-secrets-access-key-id=AKIA...EXAMPLE
WEB3SIGNER_ETH2_AWS_SECRETS_ACCESS_KEY_ID=AKIA...EXAMPLE
eth2.aws-secrets-access-key-id: "AKIA...EXAMPLE"
AWS access key ID to authenticate AWS Secrets Manager.
Required when --aws-secrets-auth-mode
is SPECIFIED
.
aws-secrets-secret-access-key
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-secret-access-key=<STRING>
--aws-secrets-secret-access-key=sk...EXAMPLE
WEB3SIGNER_ETH2_AWS_SECRETS_SECRET_ACCESS_KEY=sk...EXAMPLE
eth2.aws-secrets-secret-access-key: "sk...EXAMPLE"
AWS secret access key to authenticate AWS Secrets Manager.
Required when --aws-secrets-auth-mode
is SPECIFIED
.
aws-secrets-region
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-region=<STRING>
--aws-secrets-region=us-east-2
WEB3SIGNER_ETH2_AWS_SECRETS_REGION=us-east-2
eth2.aws-secrets-region: "us-east-2"
AWS region where AWS Secrets Manager is available.
Required when --aws-secrets-auth-mode
is SPECIFIED
.
aws-secrets-prefixes-filter
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-prefixes-filter=<STRING>[,<STRING>,...]
--aws-secrets-prefixes-filter=prefix1,prefix2
WEB3SIGNER_ETH2_AWS_SECRETS_PREFIXES_FILTER=prefix1,prefix2
eth2.aws-secrets-prefixes-filter: ["prefix1","prefix2"]
Optional comma-separated list of secret name prefixes filter to apply while fetching secrets from
AWS Secrets Manager.
Applied as AND
operation with other filters.
aws-secrets-tag-names-filter
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-tag-names-filter=<STRING>[,<STRING>,...]
--aws-secrets-tag-names-filter=tagName1,tagName2
WEB3SIGNER_ETH2_AWS_SECRETS_TAG_NAMES_FILTER=tagName1,tagName2
eth2.aws-secrets-tag-names-filter: ["tagName1","tagName2"]
Optional comma-separated list of tag names filter to apply while fetching secrets from AWS Secrets Manager.
Applied as AND
operation with other filters.
aws-secrets-tag-values-filter
- Syntax
- Example
- Environment variable
- Configuration file
--aws-secrets-tag-values-filter=<STRING>[,<STRING>,...]
--aws-secrets-tag-values-filter=tagValue1,tagValue2
WEB3SIGNER_ETH2_AWS_SECRETS_TAG_VALUES_FILTER=tagValue1,tagValue2
eth2.aws-secrets-tag-values-filter: ["tagValue1","tagValue2"]
Optional comma-separated list of tag values filter to apply while fetching secrets from AWS Secrets Manager.
Applied as AND
operation with other filters.
azure-vault-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-enabled=<BOOLEAN>
--azure-vault-enabled=true
WEB3SIGNER_ETH2_AZURE_VAULT_ENABLED=true
eth2.azure-vault-enabled: true
Enables bulk loading keys from Azure Key Vault.
The default is false
.
azure-client-id
- Syntax
- Example
- Environment variable
- Configuration file
--azure-client-id=<STRING>
--azure-client-id=87efaa5b-4029-4b54-98bb2e2e8a11
WEB3SIGNER_ETH2_AZURE_CLIENT_ID=87efaa5b-4029-4b54-98bb2e2e8a11
eth2.azure-client-id: "87efaa5b-4029-4b54-98bb2e2e8a11"
ID used to authenticate with Azure Key Vault.
Required when --azure-vault-auth-mode
is CLIENT_SECRET
or
USER_ASSIGNED_MANAGED_IDENTITY
.
azure-client-secret
- Syntax
- Example
- Environment variable
- Configuration file
--azure-client-secret=<STRING>
--azure-client-secret=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
WEB3SIGNER_ETH2_AZURE_CLIENT_SECRET=0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z
eth2.azure-client-secret: "0DgK4V_YA99RPk7.f_1op0-em_a46wSe.Z"
The secret used to access the vault along with the ID specified in azure-client-id
.
azure-response-timeout
- Syntax
- Example
- Environment variable
- Configuration file
--azure-response-timeout=<AZURE_RESPONSE_TIMEOUT>
--azure-response-timeout=40
WEB3SIGNER_ETH2_AZURE_RESPONSE_TIMEOUT=40
eth2.azure-response-timeout: "40"
The response timeout used by the HTTP client (in seconds). The default is 60. You can also set the timeout using the timeout
field in the Azure metadata file.
azure-tags
- Syntax
- Example
- Environment variable
- Configuration file
--azure-tags=<TAG_NAME=TAG_VALUE>
--azure-tags=ENV=prod
WEB3SIGNER_ETH2_AZURE_TAGS=ENV=prod
eth2.azure-tags: "ENV=prod"
Tags to filter on using Azure Key Vault.
azure-tenant-id
- Syntax
- Example
- Environment variable
- Configuration file
--azure-tenant-id=<STRING>
--azure-tenant-id=34255fb0-379b-4a1a-bd47-d211ab86df81
WEB3SIGNER_ETH2_AZURE_TENANT_ID=34255fb0-379b-4a1a-bd47-d211ab86df81
eth2.azure-tenant-id: "34255fb0-379b-4a1a-bd47-d211ab86df81"
The tenant ID of the Azure Portal instance being used.
azure-vault-auth-mode
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-auth-mode=<STRING>
--azure-vault-auth-mode=USER_ASSIGNED_MANAGED_IDENTITY
WEB3SIGNER_ETH2_AZURE_VAULT_AUTH_MODE=USER_ASSIGNED_MANAGED_IDENTITY
eth2.azure-vault-auth-mode: "USER_ASSIGNED_MANAGED_IDENTITY"
Authentication mode for Azure Vault.
Options are CLIENT_SECRET
, SYSTEM_ASSIGNED_MANAGED_IDENTITY
, and USER_ASSIGNED_MANAGED_IDENTITY
.
The default is CLIENT_SECRET
.
Set --azure-client-id
if using CLIENT_SECRET
or USER_ASSIGNED_MANAGED_IDENTITY
.
azure-vault-name
- Syntax
- Example
- Environment variable
- Configuration file
--azure-vault-name=<STRING>
--azure-vault-name=AzureKeyVault
WEB3SIGNER_ETH2_AZURE_VAULT_NAME=AzureKeyVault
eth2.azure-vault-name: "AzureKeyVault"
Name of the vault to access.
Subdomain of vault.azure.net
.
gcp-project-id
- Syntax
- Example
- Environment variable
- Configuration file
--gcp-project-id=<STRING>
--gcp-project-id=my-project
WEB3SIGNER_ETH2_GCP_PROJECT_ID=my-project
eth2.gcp-project-id: "my-project"
Globally unique identifier for the Google Cloud Platform (GCP) project where the secrets to be used by Web3Signer are stored.
gcp-secrets-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--gcp-secrets-enabled=<BOOLEAN>
--gcp-secrets-enabled=true
WEB3SIGNER_ETH2_GCP_SECRETS_ENABLED=true
eth2.gcp-secrets-enabled: true
Set to true
to enable bulk loading from the GCP Secrets Manager service. The default is false
.
gcp-secrets-filter
- Syntax
- Example
- Environment variable
- Configuration file
--gcp-secrets-filter=<STRING>
--gcp-secrets-filter=my-secrets-filter
WEB3SIGNER_ETH2_GCP_SECRETS_FILTER=my-secrets-filter
eth2.gcp-secrets-filter: "my-secrets-filter"
Filter to use when loading secrets into Web3Signer. List operation filtering is applied.
Only secrets matching the filter are loaded. If not specified, all secrets from the project identified by
--gcp-project-id
are loaded.
key-manager-api-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--key-manager-api-enabled=<BOOLEAN>
--key-manager-api-enabled=true
WEB3SIGNER_ETH2_KEY_MANAGER_API_ENABLED=true
eth2.key-manager-api-enabled: true
Enables the key manager API.
The default is false
.
keystores-password-file
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-password-file=<FILE>
--keystores-password-file=/Users/me/passwds/keystore_passwords.txt
WEB3SIGNER_ETH2_KEYSTORES_PASSWORD_FILE=/Users/me/passwds/keystore_passwords.txt
eth2.keystores-password-file: "/Users/me/passwds/keystore_passwords.txt"
File that contains the password used by all keystores.
Cannot be set if --keystores-passwords-path
is also specified.
Alternatively, use --keystores-passwords-path
to specify a directory
containing a separate password file for each keystore.
keystores-passwords-path
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-passwords-path=<PATH>
--keystores-passwords-path=/Users/me/passwds
WEB3SIGNER_ETH2_KEYSTORES_PASSWORDS_PATH=/Users/me/passwds
eth2.keystores-passwords-path: "/Users/me/passwds"
Directory containing password files for corresponding keystores.
Each password file name must match the corresponding keystore filename, but with a .txt
extension.
Cannot be set if --keystores-password-file
is also specified.
Alternatively, use --keystores-password-file
to specify a single
password file that contains the password used by all keystores.
keystores-path
- Syntax
- Example
- Environment variable
- Configuration file
--keystores-path=<PATH>
--keystores-path=/Users/me/keystores
WEB3SIGNER_ETH2_KEYSTORES_PATH=/Users/me/keystores
eth2.keystores-path: "/Users/me/keystores"
Directory that stores the keystore files.
Keystore files must use a .json
file extension.
Use --keystores-password-file
or
--keystores-passwords-path
to specify keystore passwords.
Restart Web3Signer if you want to pick up new keystores added to the directory since Web3Signer started.
network
- Syntax
- Example
- Environment variable
- Configuration file
--network=<NETWORK>
--network=mainnet
WEB3SIGNER_ETH2_NETWORK=mainnet
eth2.network: "mainnet"
Predefined network configuration. Accepts a predefined network name, or file path or URL to a YAML configuration file. See the consensus specification for examples.
The default is mainnet
.
If Teku connects to a network other than mainnet
, then this option must be specified, and it must
match the --network
value of the connected Teku client.
Possible values are:
Network | Chain | Type | Description |
---|---|---|---|
mainnet | Consensus layer | Production | Ethereum main network. |
minimal | Consensus layer | Test | Used for local testing and development networks. |
sepolia | Consensus layer | Test | Multi-client permissioned testnet. |
holesky | Consensus layer | Test | Multi-client testnet. |
lukso | Consensus layer | Production | Lukso main network. |
gnosis | Consensus layer | Production | Gnosis main network. |
chiado | Consensus layer | Test | Multi-client Gnosis testnet. |
slashing-protection-db-health-check-interval-milliseconds
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-health-check-interval-milliseconds=<INTERVAL>
--slashing-protection-db-health-check-interval-milliseconds=20000
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_HEALTH_CHECK_INTERVAL_MILLISECONDS=20000
eth2.slashing-protection-db-health-check-interval-milliseconds: 20000
Milliseconds between the slashing protection database health checks. The default is 30000.
The service responds with a 200
message if healthy, and 503
if unhealthy.
slashing-protection-db-health-check-timeout-milliseconds
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-health-check-timeout-milliseconds=<INTERVAL>
--slashing-protection-db-health-check-timeout-milliseconds=2000
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_HEALTH_CHECK_TIMEOUT_MILLISECONDS=2000
eth2.slashing-protection-db-health-check-timeout-milliseconds: 2000
Milliseconds after which to fail the database health check. For example, if the health check connects to the slashing protection database, but does not report back in a timely manner.
The default is 3000.
slashing-protection-db-password
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-password=<PASSWORD>
--slashing-protection-db-password=changeme
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_PASSWORD=changeme
eth2.slashing-protection-db-password: "changeme"
The password to connect to the slashing protection database.
slashing-protection-db-pool-configuration-file
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-pool-configuration-file=<FILE>
--slashing-protection-db-pool-configuration-file=/Users/me/config/HikariConfig.properties
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_POOL_CONFIGURATION_FILE=/Users/me/config/HikariConfig.properties
eth2.slashing-protection-db-pool-configuration-file: "/Users/me/config/HikariConfig.properties"
HikariCP connection pool configuration file.
Web3Signer uses HikariCP to manage database connections, and uses the default configuration values. The defaults perform well in most deployments, but you can override them using this option.
slashing-protection-db-url
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-url=<JDBC_URL>
--slashing-protection-db-url=jdbc:postgresql://localhost/web3signer
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_URL=jdbc:postgresql://localhost/web3signer
eth2.slashing-protection-db-url: "jdbc:postgresql://localhost/web3signer"
The Java Database Connectivity (JDBC) URL of the slashing protection database.
If using a non-default port number for your PostgreSQL database, then include the port number in the database URL.
slashing-protection-db-username
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-db-username=<USERNAME>
--slashing-protection-db-username=postgres
WEB3SIGNER_ETH2_SLASHING_PROTECTION_DB_USERNAME=postgres
eth2.slashing-protection-db-username: "postgres"
The username to use when connecting to the slashing protection database.
slashing-protection-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-enabled=<BOOLEAN>
--slashing-protection-enabled=false
WEB3SIGNER_ETH2_SLASHING_PROTECTION_ENABLED=false
eth2.slashing-protection-enabled: false
Enables Web3Signer slashing protection.
If true
, then all signing operations are validated against historical data before signing.
The default is true
.
slashing-protection-pruning-at-boot-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-at-boot-enabled=<BOOLEAN>
--slashing-protection-pruning-at-boot-enabled=true
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_AT_BOOT_ENABLED=true
eth2.slashing-protection-pruning-at-boot-enabled: true
When set to true
, slashing protection database pruning
is enabled at startup and at the defined pruning intervals.
The default is false
.
slashing-protection-pruning-db-pool-configuration-file
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-db-pool-configuration-file=<FILE>
--slashing-protection-pruning-db-pool-configuration-file=/Users/me/config/HikariConfig.properties
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_DB_POOL_CONFIGURATION_FILE=/Users/me/config/HikariConfig.properties
eth2.slashing-protection-pruning-db-pool-configuration-file: "/Users/me/config/HikariConfig.properties"
HikariCP connection pool configuration file used by the pruning process.
Web3Signer uses HikariCP to manage database connections, and uses the default configuration values. The defaults perform well in most deployments, but you can override them using this option.
slashing-protection-pruning-enabled
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-enabled=<BOOLEAN>
--slashing-protection-pruning-enabled=true
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_ENABLED=true
eth2.slashing-protection-pruning-enabled: true
Enables slashing protection database pruning.
The default is false
.
slashing-protection-pruning-epochs-to-keep
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-epochs-to-keep=<LONG>
--slashing-protection-pruning-epochs-to-keep=64
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_EPOCHS_TO_KEEP=64
eth2.slashing-protection-pruning-epochs-to-keep: 64
Number of epochs to keep when pruning the slashing protection database.
The default is 250.
slashing-protection-pruning-interval
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-interval=<LONG>
--slashing-protection-pruning-interval=48
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_INTERVAL=48
eth2.slashing-protection-pruning-interval: 48
Hours between slashing protection database pruning operations.
The default is 24.
slashing-protection-pruning-slots-per-epoch
- Syntax
- Example
- Environment variable
- Configuration file
--slashing-protection-pruning-slots-per-epoch=<LONG>
--slashing-protection-pruning-slots-per-epoch=20
WEB3SIGNER_ETH2_SLASHING_PROTECTION_PRUNING_SLOTS_PER_EPOCH=20
eth2.slashing-protection-pruning-slots-per-epoch: 20
Number of slots per epoch. This number multiplied by the number of epochs to keep determines what blocks to keep when pruning the slashing protection database.
The default is 32 as defined on Mainnet.
eth2 export
Exports the slashing protection database to a file.
to
- Syntax
- Example
- Environment variable
- Configuration file
--to=<FILE>
--to=/Users/me/my_node/interchange.json
WEB3SIGNER_ETH2_EXPORT_TO=/Users/me/my_node/interchange.json
eth2.export.to: /Users/me/my_node/interchange.json
The file to export the slashing protection database to. The exported file uses the validator client interchange format.
eth2 import
Imports a slashing protection database from a file.
from
- Syntax
- Example
- Environment variable
- Configuration file
--from=<FILE>
--from=/Users/me/my_node/interchange.json
WEB3SIGNER_ETH2_IMPORT_FROM=/Users/me/my_node/interchange.json
eth2.import.from: /Users/me/my_node/interchange.json
The file to import the slashing protection database from. The file must be formatted in the validator client interchange format.
watermark-repair
Updates the slashing protection low or high watermark for all validators. You can only increase the low watermark, not decrease it. If you set the high watermark, you should set this to a future epoch and slot. Setting a high watermark prevents the validator from signing at or beyond this point.
We only recommend this subcommand for advanced users.
epoch
- Syntax
- Example
- Environment variable
- Configuration file
--epoch=<LONG>
--epoch=30000
WEB3SIGNER_WATERMARK_REPAIR_EPOCH=30000
watermark-repair.epoch: 30000
Low watermark to set the attestation source and target to.
(Sets the high watermark epoch when --set-high-watermark
is true
.)
slot
- Syntax
- Example
- Environment variable
- Configuration file
--slot=<LONG>
--slot=20000
WEB3SIGNER_WATERMARK_REPAIR_SLOT=20000
watermark-repair.slot: 20000
Low watermark to set the block slot to.
(Sets the high watermark slot when --set-high-watermark
is true
.)
remove-high-watermark
- Syntax
- Example
- Environment variable
- Configuration file
--remove-high-watermark=<BOOLEAN>
--remove-high-watermark=true
WEB3SIGNER_REMOVE_HIGH_WATERMARK=true
watermark-repair.remove-high-watermark: true
Removes the high watermark.
When set to true
, all other watermark-repair
options are ignored.
The default is false
.
set-high-watermark
- Syntax
- Example
- Environment variable
- Configuration file
--set-high-watermark=<BOOLEAN>
--set-high-watermark=true
WEB3SIGNER_SET_HIGH_WATERMARK=true
watermark-repair.set-high-watermark: true
Sets the high watermark to the specified epoch and slot.
(Sets the low watermark when --set-high-watermark
is false
.)
The default is false
.