fix(agents): remove rusoto-based AWS region validation for signer config

paulbalaji · paulbalaji · commit e672e7b06d3e · 2026-04-23T23:14:19.000+01:00
PR #8669 removed rusoto's `FromStr` validation for S3 checkpoint-syncer regions but missed the same validation on agent signer regions (`validator.region`, `chains.<name>.signer.region`), which still rejected regions like `eu-central-2`. Store `SignerConf::Aws.region` as a plain `String` and resolve it to a `rusoto_core::Region` at KMS client construction time: use the enum variant when rusoto recognizes the name, otherwise fall back to `Region::Custom` with a synthesized commercial KMS endpoint.
diff --git a/rust/main/hyperlane-base/src/settings/parser/mod.rs b/rust/main/hyperlane-base/src/settings/parser/mod.rs
@@ -456,8 +456,9 @@ fn parse_signer(signer: ValueParser) -> ConfigResult<SignerConf> {
             let region = signer
                 .chain(&mut err)
                 .get_key("region")
-                .parse_from_str("Expected AWS region")
-                .unwrap_or_default();
+                .parse_string()
+                .unwrap_or_default()
+                .to_owned();
             err.into_result(SignerConf::Aws { id, region })
         }};
         (cosmosKey) => {{
diff --git a/rust/main/hyperlane-base/src/settings/signers.rs b/rust/main/hyperlane-base/src/settings/signers.rs
@@ -7,6 +7,7 @@ use ethers::utils::hex::ToHex;
 use eyre::{bail, Context, Report};
 use rusoto_core::Region;
 use rusoto_kms::KmsClient;
+use std::str::FromStr;
 use tracing::instrument;
 
 use hyperlane_core::{AccountAddressType, H256};
@@ -16,6 +17,16 @@ use crate::types::utils;
 
 const AWS_SIGNER_TIMEOUT: Duration = Duration::from_secs(30);
 
+/// Resolve an AWS region string into a `rusoto_core::Region` without relying on
+/// rusoto's `FromStr` allowlist, which rejects regions added after rusoto was
+/// last updated (e.g. `eu-central-2`).
+fn resolve_kms_region(region: &str) -> Region {
+    Region::from_str(region).unwrap_or_else(|_| Region::Custom {
+        name: region.to_owned(),
+        endpoint: format!("https://kms.{region}.amazonaws.com"),
+    })
+}
+
 /// Signer types
 #[derive(Default, Debug, Clone)]
 pub enum SignerConf {
@@ -30,7 +41,7 @@ pub enum SignerConf {
         /// The UUID identifying the AWS KMS Key
         id: String,
         /// The AWS region
-        region: Region,
+        region: String,
     },
     /// Cosmos Specific key
     CosmosKey {
@@ -100,7 +111,7 @@ impl BuildableWithSignerConf for hyperlane_ethereum::Signers {
                     .map_err(|err| eyre::eyre!(err.to_string()))?;
                 let client = KmsClient::new_with_client(
                     rusoto_core::Client::new_with(AwsChainCredentialsProvider::new(), http_client),
-                    region.clone(),
+                    resolve_kms_region(region),
                 );
                 let signer = AwsSigner::new(client, id, 0, Some(AWS_SIGNER_TIMEOUT)).await?;
                 hyperlane_ethereum::Signers::Aws(signer)
@@ -142,7 +153,7 @@ impl BuildableWithSignerConf for hyperlane_tron::TronSigner {
                     .map_err(|err| eyre::eyre!(err.to_string()))?;
                 let client = KmsClient::new_with_client(
                     rusoto_core::Client::new_with(AwsChainCredentialsProvider::new(), http_client),
-                    region.clone(),
+                    resolve_kms_region(region),
                 );
                 let signer = AwsSigner::new(client, id, 0, Some(AWS_SIGNER_TIMEOUT)).await?;
                 Ok(hyperlane_tron::TronSigner::Aws(signer))
@@ -323,9 +334,28 @@ impl ChainSigner for hyperlane_aleo::AleoSigner {
 mod tests {
     use ethers::{signers::LocalWallet, utils::hex};
     use hyperlane_core::{AccountAddressType, Encode, H256};
+    use rusoto_core::Region;
 
+    use super::resolve_kms_region;
     use crate::settings::{ChainSigner, SignerConf};
 
+    #[test]
+    fn resolve_kms_region_known_region_uses_enum_variant() {
+        assert_eq!(resolve_kms_region("us-east-1"), Region::UsEast1);
+    }
+
+    #[test]
+    fn resolve_kms_region_unknown_region_uses_custom() {
+        let region = resolve_kms_region("eu-central-2");
+        match region {
+            Region::Custom { name, endpoint } => {
+                assert_eq!(name, "eu-central-2");
+                assert_eq!(endpoint, "https://kms.eu-central-2.amazonaws.com");
+            }
+            other => panic!("expected Region::Custom, got {other:?}"),
+        }
+    }
+
     #[test]
     fn address_h256_ethereum() {
         const PRIVATE_KEY: &str =
