Scribd
Upload
7 views68 pages

Amazon Managed Blockchain Guide

The Amazon Managed Blockchain Management Guide provides comprehensive instructions for creating and managing blockchain networks using the Hyperledger Fabric framework. It covers essential concepts, prerequisites, and step-by-step processes for setting up networks, managing members, and running chaincode. The guide also details security measures and resource management within the blockchain environment.

Uploaded by

phani dronamraju
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
7 views68 pages

Amazon Managed Blockchain Guide

The Amazon Managed Blockchain Management Guide provides comprehensive instructions for creating and managing blockchain networks using the Hyperledger Fabric framework. It covers essential concepts, prerequisites, and step-by-step processes for setting up networks, managing members, and running chaincode. The guide also details security measures and resource management within the blockchain environment.

Uploaded by

phani dronamraju
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Amazon Managed Blockchain

Management Guide
Amazon Managed Blockchain Management Guide

Amazon Managed Blockchain: Management Guide


Copyright © 2019 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Amazon Managed Blockchain Management Guide

Table of Contents
What Is Managed Blockchain ............................................................................................................... 1
How to Get Started with Managed Blockchain ............................................................................... 1
Key Concepts ..................................................................................................................................... 2
................................................................................................................................................ 2
Networks, Proposals, and Members .............................................................................................. 3
Peer Nodes ................................................................................................................................ 4
Connecting to Resources ............................................................................................................. 4
Getting Started .................................................................................................................................. 6
Prerequisites and Considerations .................................................................................................. 6
An AWS account ................................................................................................................ 6
A Linux Client (EC2 Instance) ............................................................................................... 7
A VPC ............................................................................................................................... 7
Permissions to Create an Interface VPC Endpoint ................................................................... 7
EC2 Security Groups That Allow Communication on Required Ports .......................................... 7
Additional Considerations .................................................................................................... 8
Step 1: Create the Network and First Member ............................................................................... 9
Step 2: Create an Endpoint ....................................................................................................... 11
Step 3: Set Up a Client ............................................................................................................. 11
3.1: Install Packages ......................................................................................................... 12
3.2: Set Up the Fabric CA Client ......................................................................................... 14
3.3: Clone Samples ........................................................................................................... 15
3.4: Start the Hyperledger Fabric CLI .................................................................................. 15
Step 4: Enroll the Member Admin .............................................................................................. 15
4.1: Create the Certificate File ............................................................................................ 16
4.2 Enroll the Admin ........................................................................................................ 16
4.3: Copy Certificates ........................................................................................................ 17
Step 5: Create a Peer Node ....................................................................................................... 17
Step 6: Create a Channel ........................................................................................................... 18
6.1: Create configtx .......................................................................................................... 18
6.2: Set Environment Variables .......................................................................................... 20
6.3: Create the Channel .................................................................................................... 20
6.4: Join Peer to Channel .................................................................................................. 20
Step 7: Run Chaincode .............................................................................................................. 21
7.1: Install Chaincode ........................................................................................................ 21
7.2: Instantiate Chaincode ................................................................................................. 21
7.3: Query the Chaincode .................................................................................................. 22
7.4: Invoke the Chaincode ................................................................................................. 22
Step 8: Invite a Member and Create a Joint Channel ..................................................................... 22
8.1: Create an Invitation Proposal ....................................................................................... 23
8.2: Vote Yes on the Proposal ............................................................................................ 23
8.3: Create the New Member ............................................................................................. 24
Create a Network ............................................................................................................................. 31
Create a Managed Blockchain Network ....................................................................................... 31
Delete a Network ............................................................................................................................. 33
Invite or Remove Network Members ................................................................................................... 34
Create an Invitation Proposal ..................................................................................................... 34
Create a Removal Proposal ........................................................................................................ 35
Delete a Member in Your AWS Account ....................................................................................... 36
Accept an Invitation and Create a Member .......................................................................................... 37
Work with Invitations ................................................................................................................ 37
Create a Member ..................................................................................................................... 39
Work with Peer Nodes ...................................................................................................................... 41
Create a Peer Node .................................................................................................................. 41
Peer Node Properties ................................................................................................................ 42

iii
Amazon Managed Blockchain Management Guide

Using Peer Node Metrics ........................................................................................................... 43


Viewing Peer Node Metrics ................................................................................................ 44
Create an Interface VPC Endpoint ...................................................................................................... 46
Work with Proposals ......................................................................................................................... 48
.............................................................................................................................................. 48
View Proposals ......................................................................................................................... 50
Vote on a Proposal ................................................................................................................... 52
Create an Invitation Proposal ..................................................................................................... 53
Create a Removal Proposal ........................................................................................................ 53
Automating with CloudWatch Events .......................................................................................... 54
Example Managed Blockchain Events .................................................................................. 54
Work with Hyperledger Fabric ............................................................................................................ 56
Create an Admin User ............................................................................................................... 56
Develop Chaincode ................................................................................................................... 57
Security ........................................................................................................................................... 58
Data Protection ........................................................................................................................ 58
Encryption at Rest ............................................................................................................ 58
Encryption in Transit ......................................................................................................... 58
Authentication and Access Control ............................................................................................. 58
IAM Policies ..................................................................................................................... 59
Configuring Security Groups .............................................................................................. 60
Document History ............................................................................................................................ 63
AWS Glossary .................................................................................................................................. 64

iv
Amazon Managed Blockchain Management Guide
How to Get Started with Managed Blockchain

What Is Amazon Managed


Blockchain?
Amazon Managed Blockchain is a fully managed service for creating and managing blockchain networks
using open source frameworks. Currently, the Hyperledger Fabric open source framework is supported.
Blockchain allows you to build applications where multiple parties can securely and transparently run
transactions and share data without the need for a trusted, central authority.

You can use Managed Blockchain to create a scalable blockchain network quickly and efficiently using
the AWS Management Console, the AWS CLI, or the Managed Blockchain SDK. Managed Blockchain
scales to meet the demands of thousands of applications running millions of transactions. After the
blockchain network is up and running, Managed Blockchain also simplifies network management
tasks. Managed Blockchain manages your certificates, lets you easily create proposals for a vote among
network members, and tracks operational metrics such as compute, memory, and storage resources.

This guide covers the fundamentals of creating and working with resources in a Managed Blockchain
network.

How to Get Started with Managed Blockchain


We recommend the following resources to get started developing blockchain applications using
Managed Blockchain:

• Key Concepts: Managed Blockchain Networks, Members, and Peer Nodes (p. 2)

This overview helps you understand the fundamental building blocks of a Managed Blockchain
network. It also tells you how to identify and communicate with resources, regardless of the
blockchain framework that you're using.
• Get Started Creating a Hyperledger Fabric Blockchain Network Using Amazon Managed
Blockchain (p. 6)

This tutorial lets you try Managed Blockchain and get a Hyperledger Fabric blockchain application
running in a short time. You create your first network, set up a Hyperledger Fabric client, and use the
open source Hyperledger Fabric peer CLI to query and update the ledger. You then invite another
member to the network. The member can be from a different AWS account, or you can invite a new
member in your own account to simulate a multi-account network. The new member then queries and
updates the ledger.
• Hyperledger Fabric Documentation (v1.2)

The open source documentation for Hyperledger Fabric is a starting point for key concepts and the
architecture of the Hyperledger Fabric blockchain network that you build using Managed Blockchain.
As you develop your blockchain application, you can reference this document for key tasks and code
samples. Use the documentation version that corresponds to the version of Hyperledger Fabric that
you use.

1
Amazon Managed Blockchain Management Guide

Key Concepts: Managed Blockchain


Networks, Members, and Peer Nodes
A blockchain network is a peer-to-peer network running a decentralized blockchain framework. A
network includes one or more members, which are unique identities in the network. For example, a
member might be an organization in a consortium of banks. Each member runs one or more blockchain
peer nodes to run chaincode, endorse transactions, and store a local copy of ledger.

Amazon Managed Blockchain creates and manages these components for each member in a network,
and it also creates components shared by all members in a network, such as the Hyperledger Fabric
ordering service and the general networking configuration.

Managed Blockchain Networks and Editions


When creating a Managed Blockchain network, the creator chooses the blockchain framework and the
edition of Amazon Managed Blockchain to use. The edition determines the capacity and capabilities of
the network as a whole.

The creator also must create the first Managed Blockchain network member. Additional members are
added through a proposal and voting process. There is no charge for the network itself, but each member
pays an hourly rate (billed per second) for their network membership. Charges vary depending on the
edition of the network. Each member also pays for peer nodes, peer node storage, and the amount of
data that the member writes to the network. For more information about available editions and their
attributes, see Managed Blockchain Pricing. For more information about the number of networks that
each AWS account can create and join, see Managed Blockchain Limits in the AWS General Reference.

The blockchain network remains active as long as there are members. The network is deleted only when
the last member deletes itself from the network. No member or AWS account, even the creator's AWS
account, can delete the network until they are the last member and delete themselves.

The following diagram shows the basic components of a Hyperledger Fabric blockchain running on
Managed Blockchain.

2
Amazon Managed Blockchain Management Guide
Networks, Proposals, and Members

Inviting and Removing Members


A Managed Blockchain network is decentralized. An AWS account initially creates a Managed Blockchain
network, but the network is not owned by that AWS account, or any other AWS account. To make
changes to the network, members make proposals that all other members in the network vote on.
For another AWS account to join the network, for example, an existing member creates a proposal to
invite the account. Other members than vote Yes or No on the proposal. If the proposal is approved, an

3
Amazon Managed Blockchain Management Guide
Peer Nodes

invitation is sent to the AWS account. The account then accepts the invitation and creates a member to
join the network. A similar proposal process is required to remove a member in a different AWS account.
A principal in an AWS account with sufficient permissions can remove a member that the account owns
at any time by deleting that member directly, without submitting a proposal.

The network creator also defines a voting policy for the network when they create it. The voting policy
determines the basic rules for all proposal voting on the network. The voting policy includes the
percentage of votes required to pass the proposal, and the duration before the vote expires.
Note
Different frameworks use slightly different terms for the identities that we call members in
Managed Blockchain. For example, Hyperledger Fabric uses the term organizations.

Peer Nodes
When a member joins the network, one of the first things they must do is create at least one peer node in
the membership.

Blockchain networks contain a distributed, cryptographically secure ledger that maintains the history of
transactions in the network that is immutable—it can't be changed after-the fact. Each peer node stores
a local copy of the ledger. Each peer node also holds the global state of the network for the channels
in which they participate, which gets updated with each new transaction. The peer nodes also interact
to create and endorse the transactions that are proposed on the network. Members define the rules in
the endorsement process based on their business logic and the blockchain framework being used. In this
way, every member can independently verify the transaction history without a centralized authority

To configure blockchain applications on peer nodes and to interact with other network resources,
members use a client configured with open source tools such as a CLI or SDK. The applications and
tools that you choose and your client setup depend on the blockchain framework that you use and
your preferred development environment. For example, in the Getting Started (p. 6) tutorial, you
configure an Amazon EC2 instance in a VPC with open source Hyperledger Fabric CLI tools. Regardless of
the framework, the way that you identify and connect to Managed Blockchain resources using framework
tools is the same.

Identifying Managed Blockchain Resources and


Connecting from a Client
Because the blockchain network is decentralized, members must interact with each other's peer nodes
and network-wide resources to make transactions, endorse transactions, verify members, and so on.
When a network is created, Managed Blockchain gives the network a unique ID. Similarly, when an AWS
account creates a member on the network and peer nodes, Managed Blockchain gives unique IDs to
those resources.

Each network resource has a unique, addressable endpoint that Managed Blockchain creates from these
IDs. Other members in the Managed Blockchain network, blockchain applications, and tools use these
endpoints to identify and interact with resources on the Managed Blockchain network.

Resource endpoints on the Managed Blockchain network are in the following format:

[Link]:PortNumber

For example, to refer to a peer node with ID nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y, owned by a


member with ID m-K46ICRRXJRCGRNNS4ES4XUUS5A, in a Hyperledger Fabric network with ID n-
MWY63ZJZU5HGNCMBQER7IN6OIU, you use the following peer node endpoint:

4
Amazon Managed Blockchain Management Guide
Connecting to Resources

nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-
[Link]

The port that you use with an endpoint depends on the blockchain framework, and the blockchain
service that you are calling. Managed Blockchain supports only us-east-1 for AWSRegion.

Within the blockchain network, access and authorization for each resource is governed by processes
defined within the network. Outside the confines of the network—that is, from member's client
applications and tools—Managed Blockchain uses AWS PrivateLink to ensure that only network members
can access required resources. In this way, each member has a private connection from a client in
their VPC to the Managed Blockchain network. The interface VPC endpoint uses private DNS, so you
must have a VPC in your account that is enabled for Private DNS. For more information, see Create an
Interface VPC Endpoint to Connect to Managed Blockchain Network Resources (p. 46).

5
Amazon Managed Blockchain Management Guide
Prerequisites and Considerations

Get Started Creating a Hyperledger


Fabric Blockchain Network Using
Amazon Managed Blockchain
This tutorial guides you through creating your first Hyperledger Fabric network using Amazon Managed
Blockchain. It shows you how to set up the network and create a member in your AWS account, set
up chaincode and a channel, and then invite members from other AWS accounts to join a channel.
Instructions for invitees is also provided.

Steps
• Prerequisites and Considerations (p. 6)
• Step 1: Create the Network and First Member (p. 9)
• Step 2: Create and Configure the Interface VPC Endpoint (p. 11)
• Step 3: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 11)
• Step 4: Enroll an Administrative User (p. 15)
• Step 5: Create a Peer Node in Your Membership (p. 17)
• Step 6: Create a Hyperledger Fabric Channel (p. 18)
• Step 7: Install and Run Chaincode (p. 21)
• Step 8: Invite Another AWS Account to be a Member and Create a Joint Channel (p. 22)

Prerequisites and Considerations


To complete this tutorial, you must have the resources listed in this section. Unless specifically stated
otherwise, the requirements apply to both network creators and invited members.

Topics
• An AWS account (p. 6)
• A Linux Client (EC2 Instance) (p. 7)
• A VPC (p. 7)
• Permissions to Create an Interface VPC Endpoint (p. 7)
• EC2 Security Groups That Allow Communication on Required Ports (p. 7)
• Additional Considerations (p. 8)

An AWS account
Before you use Managed Blockchain for the first time, you must sign up for an Amazon Web Services
(AWS) account.

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

1. Open [Link]
2. Follow the online instructions.

6
Amazon Managed Blockchain Management Guide
A Linux Client (EC2 Instance)

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the
phone keypad.

A Linux Client (EC2 Instance)


You must have a Linux computer with access to resources in the VPC to serve as your Hyperledger
Fabric client. This computer must have the AWS CLI installed. We recommend creating an Amazon
Elastic Compute Cloud (Amazon EC2) instance in the same VPC and AWS region as the VPC endpoint
for the Managed Blockchain network. This is the setup that the tutorial uses. For instructions to set up a
Hyperledger Fabric client using this configuration, see Step 3: Create an Amazon EC2 Instance and Set Up
the Hyperledger Fabric Client (p. 11).

An AWS CloudFormation template to create a Hyperledger Fabric client is available in amazon-managed-


blockchain-client-templates repository on Github. For more information, see the [Link] in that
repository. For more information about using AWS CloudFormation, see Getting Started in the AWS
CloudFormation User Guide.

A VPC
You must have a VPC with an IPv4 CIDR block, and the enableDnsHostnames and enableDnsSupport
options must be set to true. If you will connect to the Hyperledger Fabric client using SSH, the VPC
must have an internet gateway, and the security group configuration associated with the Hyperledger
Framework client must allow inbound SSH access from your SSH client.

• For more information about creating a suitable network, see Getting Started with IPv4 for Amazon
VPC tutorial in the Amazon VPC User Guide.
• For information about using SSH to connect to an Amazon EC2 Instance, see Connecting to Your Linux
Instance Using SSH in the Amazon EC2 User Guide for Linux Instances.
• For instructions about how to verify if DNS options are enabled, see Using DNS with Your VPC in the
Amazon VPC User Guide.

Permissions to Create an Interface VPC Endpoint


The IAM principal (user) identity that you are using must have sufficient IAM permissions to create an
interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and
Managing VPC Endpoints in the Amazon VPC User Guide.

EC2 Security Groups That Allow Communication on


Required Ports
The EC2 security groups associated with the Hyperledger Fabric client Amazon EC2 instance and the
Interface VPC Endpoint that you create during this tutorial must have rules that allow traffic between
them for required Hyperledger Fabric services. EC2 security groups are restrictive by default, so you need
to create security group rules that allow required access. In addition, a security group associated with the
Hyperledger Fabric client Amazon EC2 instance must have an inbound rule that allows SSH traffic (Port
22) from trusted SSH clients.

For the purposes of simplicity in this tutorial, we recommend that you create an EC2 security group
that you associate only with the Hyperledger Fabric client Amazon EC2 instance and the Interface VPC
Endpoint. Then create an inbound rule that allows all traffic from within the security group. In addition,
create another security group to associate with the Hyperledger Fabric client Amazon EC2 instance that
allows inbound SSH traffic from trusted clients.

7
Amazon Managed Blockchain Management Guide
Additional Considerations

Important
This security group configuration is recommended for this tutorial only. Carefully consider
security group settings for your desired security posture. For information about the minimum
required rules, see Configuring Security Groups (p. 60).

To create a security group that allows traffic between the Hyperledger Fabric client and the
interface VPC endpoint for use in this tutorial

1. Open the Amazon EC2 console at [Link]


2. Choose Security groups in the navigation pane, and then choose Create security group.
3. Enter a Security group name and Description for the security group that helps you find it. For
example, HFClientAndEndpoint.
4. Make sure that the VPC you select is the default VPC for your account. This is the VPC in which
Hyperledger Fabric network resources and the interface VPC endpoint are created.
5. Choose Create.
6. Select the security group that you just created from the list, choose Inbound, and then choose Edit.
7. Under Type, select All traffic from the list.
8. Under Source, leave Custom selected, and then begin typing the name or ID of this same security
group—for example, HFClientAndEndpoint—and then select the security group so that its ID
appears under Source.
9. Choose Save.

You reference this security group later in this tutorial in Step 2: Create and Configure the Interface
VPC Endpoint (p. 11) and Step 3: Create an Amazon EC2 Instance and Set Up the Hyperledger
Fabric Client (p. 11).

To create a security group for the Hyperledger Fabric client that allows inbound SSH
connections from the computer that you are working with

1. Open the Amazon EC2 console at [Link]


2. Choose Security groups in the navigation pane, and then choose Create security group.
3. Enter a Security group name and Description for the security group that helps you find it. For
example, HFClientSSH.
4. Make sure that the VPC you select is the same VPC that you will select for the interface VPC
endpoint.
5. Choose Inbound, and then choose Add rule.
6. Under Type, select SSH from the list.
7. Under Source, select My IP. This adds the detected IP address of your current computer. Optionally,
you can create additional rules for SSH connections from additional IP addresses or sources if
required.
8. Choose Create.

You will reference this security group later in this tutorial in Step 3: Create an Amazon EC2 Instance
and Set Up the Hyperledger Fabric Client (p. 11).

Additional Considerations
• All commands in the tutorial assume that you are using an Amazon EC2 instance with an Amazon
Linux AMI. Unless noted otherwise, instructions also assume that you are running commands in the
default home directory (/home/ec2-user). If you have a different configuration, modify instructions
to fit your home directory as necessary.

8
Amazon Managed Blockchain Management Guide
Step 1: Create the Network and First Member

• Command examples are preceded by a prompt ([ec2-user@ip-192-0-2-17 ~]$) where


appropriate for clarity. Remove the prompt if you copy and paste examples.
• Hyperledger Fabric 1.2 requires that a channel ID contain only lowercase ASCII alphanumeric
characters, dots (.), and dashes (-). It must start with a letter, and must be fewer than 250 characters.

Step 1: Create the Network and First Member


When you create the network, you specify the following parameters along with basic information such as
names and descriptions:

• The open-source framework and version. This tutorial uses Hyperledger Fabric version 1.2.
• The voting policy for proposals on the network. For more information, see Work with
Proposals (p. 48).
• The first member of the network, including the administrative user and administrative password that
are used to authenticate to the member's certificate authority (CA).

Create the network using the AWS CLI or Managed Blockchain management console according to the
following instructions. It may take a few minutes for Managed Blockchain to provision resources and
bring the network online.

To create a Managed Blockchain network using the AWS


Management Console
1. Open the Managed Blockchain console at [Link]
2. Choose Create network.
3. Under Blockchain framework:

a. Select the blockchain framework to use. This tutorial is based on Hyperledger Fabric version
1.2.
b. Select the Network edition to use. The network edition determines attributes of the network,
such as the maximum number of members, nodes per member, and transaction throughput.
Different editions have different rates associated with the membership. For more information,
see Amazon Managed Blockchain Pricing.
4. Enter a Network name and description.
5. Under Voting Policy, choose the following:

a. Enter the Approval threshold percentage along with the comparator, either Greater than or
Greater than or equal to. For a proposal to pass, the Yes votes cast must meet this threshold
before the vote duration expires.
b. Enter the Proposal duration in hours. If enough votes are not cast within this duration to either
approve or reject a proposal, the proposal status is EXPIRED, no further votes on this proposal
are allowed, and the proposal does not pass.
6. Choose Next, and then, under Create member, do the following to define the first member for the
network, which you own:

a. Enter a Member name that will be visible to all members and an optional Description.
b. Under Hyperledger Fabric certificate authority (CA) configuration specify a username and
password to be used as the administrator on the Hyperledger Fabric CA. Remember the user
name and password. You need them later any time that you create users and resources that
need to authenticate.
c. Choose Create member and join network.

9
Amazon Managed Blockchain Management Guide
Step 1: Create the Network and First Member

7. Review Network options and Member options, and then choose Create network and member.

The Networks list shows the name and Network ID of the network you created, with a Status of
Creating. It may take a minute or two for Managed Blockchain to create your network, after which
the Status is Active.

To create a Managed Blockchain network using the AWS CLI


Use the create-network command as shown in the following example. Consider the following:

• The example shows HYPERLEDGER_FABRIC as the Framework and 1.2 as the FrameworkVersion.
The FrameworkConfiguration properties for --network-configuration and --member-
configuration options may be different for other frameworks and versions.
• The AdminPassword must be at least 8 characters long and no more than 32 characters. It must
contain at least one uppercase letter, one lowercase letter, and one digit. It cannot have a single
quote(‘), double quote(“), forward slash(/), backward slash(\), @, percent sign (%), or a space.
• Remember the user name and password. You need them later any time you create users and resources
that need to authenticate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-network \


--network-configuration '{"Name":"MyTestTaigaNetwork", \
"Description":"MyTaigaNetDescription", \
"Framework":"HYPERLEDGER_FABRIC","FrameworkVersion": "1.2", \
"FrameworkConfiguration": {"Fabric": {"Edition": "STARTER"}}, \
"VotingPolicy": {"ApprovalThresholdPolicy": {"ThresholdPercentage": 50, \
"ProposalDurationInHours": 24, \
"ThresholdComparator": "GREATER_THAN"}}}' \
--member-configuration '{"Name":"org1", \
"Description":"Org1 first member of network",\
"FrameworkConfiguration":{"Fabric":
{"AdminUsername":"AdminUser","AdminPassword":"Password123"}}}'

The command returns the Network ID and the Member ID, as shown in the following example:

{
"NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"MemberId": "m-K46ICRRXJRCGRNNS4ES4XUUS5A"
}

The Networks page on the console shows a Status of Active when the network is ready. Alternatively,
you can use the list-networks command, as shown in the following example, to confirm the network
status.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain list-networks

The command returns information about the network, including an AVAILABLE status.

{
"Networks": [
{
"Id": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"Name": "MyTestNetwork",
"Description": "MyNetDescription",
"Framework": "HYPERLEDGER_FABRIC",
"FrameworkVersion": "1.2",
"Status": "AVAILABLE",

10
Amazon Managed Blockchain Management Guide
Step 2: Create an Endpoint

"CreationDate": 1541497086.888,
}
]
}

Step 2: Create and Configure the Interface VPC


Endpoint
Now that the network is up and running in your VPC, you set up an interface VPC endpoint (AWS
PrivateLink) for your member. This allows the Amazon EC2 instance that you use as a Hyperledger Fabric
client to interact with the Hyperledger Fabric endpoints that Amazon Managed Blockchain exposes
for your member and network resources. For more information, see Interface VPC Endpoints (AWS
PrivateLink) in the Amazon VPC User Guide. Applicable charges for interface VPC endpoints apply. For
more information, see AWS PrivateLink Pricing.

The AWS Identity and Access Management (IAM) principal (user) identity that you use must have
sufficient IAM permissions to create an interface VPC endpoint in your AWS account. For more
information, see Controlling Access - Creating and Managing VPC Endpoints in the Amazon VPC User
Guide.

You can create the interface VPC endpoint using a shortcut in the Managed Blockchain console.

To create an interface VPC endpoint using the Managed Blockchain console

1. Open the Managed Blockchain console at [Link]


2. Choose Networks, select your network from the list, and then choose View details.
3. Choose Create VPC endpoint.
4. Choose a VPC.
5. For Subnets, choose a subnet from the list, and then choose additional subnets as necessary.
6. For Security groups, choose an EC2 security group from the list, and then choose additional security
groups as necessary. We recommend that you select the same security group that your framework
client EC2 instance is associated with.
7. Choose Create.

Step 3: Create an Amazon EC2 Instance and Set Up


the Hyperledger Fabric Client
To complete this step, you launch an Amazon EC2 instance using the Amazon Linux AMI. Consider the
following requirements and recommendations when you create the Hyperledger Fabric client Amazon
EC2 instance:

• We recommend that you launch the client Amazon EC2 instance in the same VPC and using the same
security group as the VPC Endpoint that you created in Step 2: Create and Configure the Interface VPC
Endpoint (p. 11). This simplifies connectivity between the Amazon EC2 instance and the Interface
VPC Endpoint.
• We recommend that the EC2 security group shared by the VPC Endpoint and the client Amazon EC2
instance have rules that allow all inbound and outbound traffic between members of the security
group. This also simplifies connectivity. In addition, ensure that this security group or another security
group associated with the client Amazon EC2 instance has a rule that allows inbound SSH connections
from a source that includes your SSH client's IP address. For more information about security groups
and required rules, see Configuring Security Groups (p. 60).

11
Amazon Managed Blockchain Management Guide
3.1: Install Packages

• Make sure that the client Amazon EC2 instance is configured with an automatically assigned public IP
address and an Amazon EC2 key pair so that you can connect to it using SSH.

For more information, see Getting Started with Amazon EC2 Linux Instances.
Note
An AWS CloudFormation template to create a Hyperledger Fabric client is available in amazon-
managed-blockchain-client-templates repository on Github. For more information, see the
[Link] in that repository. For more information about using AWS CloudFormation, see
Getting Started in the AWS CloudFormation User Guide.

Step 3.1: Install Packages


Your Hyperledger Fabric client needs some packages and samples installed so that you can work with
the Hyperledger Fabric resources. In this step, you install Go, Docker, Docker Compose, and some other
utilities. You also create variables in the ~/.bash_profile for your development environment. These
are prerequisites for installing and using Hyperledger tools.

While connected to the Hyperledger Fabric client using SSH, run the following commands to install
utilties, install docker, and configure the Docker user to be the default user for the Amazon EC2 instance:

[ec2-user@ip-192-0-2-17 ~]$ sudo yum update -y


[ec2-user@ip-192-0-2-17 ~]$ sudo yum install -y telnet
[ec2-user@ip-192-0-2-17 ~]$ sudo yum -y install emacs
[ec2-user@ip-192-0-2-17 ~]$ sudo yum install -y docker
[ec2-user@ip-192-0-2-17 ~]$ sudo service docker start
[ec2-user@ip-192-0-2-17 ~]$ sudo usermod -a -G docker ec2-user

Log out and log in again for the usermod command to take effect.

Run the following commands to install Docker Compose:

[ec2-user@ip-192-0-2-17 ~]$ sudo curl -L \


[Link] \
-s`-`uname -m` -o /usr/local/bin/docker-compose
[ec2-user@ip-192-0-2-17 ~]$ sudo chmod a+x /usr/local/bin/docker-compose
[ec2-user@ip-192-0-2-17 ~]$ sudo yum install libtool -y

Run the following commands to install golang:

[ec2-user@ip-192-0-2-17 ~]$ wget [Link]


[ec2-user@ip-192-0-2-17 ~]$ tar -xzf [Link]
[ec2-user@ip-192-0-2-17 ~]$ sudo mv go /usr/local
[ec2-user@ip-192-0-2-17 ~]$ sudo yum install libtool-ltdl-devel -y
[ec2-user@ip-192-0-2-17 ~]$ sudo yum install git -y

Use a text editor to set up variables such as GOROOT and GOPATH in your ~/.bashrc or
~/.bash_profile and save the updates. The following example shows entries in .bash_profile.

# .bash_profile

# Get the aliases and functions


if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs


PATH=$PATH:$HOME/.local/bin:$HOME/bin

12
Amazon Managed Blockchain Management Guide
3.1: Install Packages

# GOROOT is the location where Go package is installed on your system


export GOROOT=/usr/local/go

# GOPATH is the location of your work directory


export GOPATH=$HOME/go

# Update PATH so that you can access the go binary system wide
export PATH=$GOROOT/bin:$PATH
export PATH=$PATH:/home/ec2-user/go/src/[Link]/hyperledger/fabric-ca/bin

After you update .bash_profile, apply the changes:

[ec2-user@ip-192-0-2-17 ~]$ source ~/.bash_profile

After the installation, verify that you have the correct versions installed:

• Docker–17.06.2-ce or later
• Docker-compose–1.14.0 or later
• Go–1.10.x

To check the Docker version, run the following command:

[ec2-user@ip-192-0-2-17 ~]$ sudo docker version

The command returns output similar to the following:

Client:
Version: 18.06.1-ce
API version: 1.38
Go version: go1.10.3
Git commit: CommitHash
Built: Tue Oct 2 [Link] 2018
OS/Arch: linux/amd64
Experimental: false

Server:
Engine:
Version: 18.06.1-ce
API version: 1.38 (minimum version 1.12)
Go version: go1.10.3
Git commit: e68fc7a/18.06.1-ce
Built: Tue Oct 2 [Link] 2018
OS/Arch: linux/amd64
Experimental: false

To check the version of Docker Compose, run the following command:

[ec2-user@ip-192-0-2-17 ~]$ sudo /usr/local/bin/docker-compose version

The command returns output similar to the following:

docker-compose version 1.22.0, build f46880fe


docker-py version: 3.4.1
CPython version: 3.6.6
OpenSSL version: OpenSSL 1.1.0f 25 May 2017

To check the version of go, run the following command:

13
Amazon Managed Blockchain Management Guide
3.2: Set Up the Fabric CA Client

[ec2-user@ip-192-0-2-17 ~]$ go version

The command returns output similar to the following:

go version go1.10.3 linux/amd64

Step 3.2: Set Up the Hyperledger Fabric CA Client


In this step, you verify that you can connect to the Hyperledger Fabric CA using the VPC endpoint you
configured in Step 2: Create and Configure the Interface VPC Endpoint (p. 11). You then install the
Hyperledger Fabric CA client. The Fabric CA issues certificates to administrators and network peers.

To verify connectivity to the Hyperledger Fabric CA, you need the CAEndpoint. Use the get-member
command to get the CA endpoint for your member, as shown in the following example. Replace the
values of --network-id and --member-id with the values returned in Step 1: Create the Network and
First Member (p. 9).

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain get-member \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

Use curl or telnet to verify that the endpoint resolves. In the following example, replace CAEndpoint
with the CAEndpoint returned by the get-member command.

[ec2-user@ip-192-0-2-17 ~]$ curl [Link] -k

The command should return output similar to the following:

{"result":
{"CAName":"abcd1efghijkllmn5op3q52rst","CAChain":"LongStringOfCharacters","Version":"1.2.1-
snapshot-"}
,"errors":[],"messages":[],"success":true}

Alternatively, you can connect to the Fabric CA using Telnet as shown in the following example. Use the
same endpoint in the curl example, but separate the endpoint and the port as shown in the following
example.

[ec2-user@ip-192-0-2-17 ~]$ telnet CaEndpoint-Without-Port CaPort

The command should return output similar to the following:

Trying [Link]...
Connected to ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-
[Link].
Escape character is '^]'.

If you are unable to connect to the Fabric CA, double-check your network settings to ensure that the
client Amazon EC2 instance has connectivity with the VPC Endpoint. In particular, ensure that the
security groups associated with both the VPC Endpoint and the client Amazon EC2 instance have
inbound and outbound rules that allow traffic between them.

Now that you have verified that you can connect to the Hyperledger Fabric CA, run the following
commands to configure the CA client:

14
Amazon Managed Blockchain Management Guide
3.3: Clone Samples

[ec2-user@ip-192-0-2-17 ~]$ go get -u [Link]/hyperledger/fabric-ca/cmd/...


[ec2-user@ip-192-0-2-17 ~]$ cd /home/ec2-user/go/src/[Link]/hyperledger/fabric-ca
[ec2-user@ip-192-0-2-17 ~]$ git fetch
[ec2-user@ip-192-0-2-17 ~]$ git checkout release-1.2
[ec2-user@ip-192-0-2-17 ~]$ make fabric-ca-client

Step 3.3: Clone the Samples Repository


[ec2-user@ip-192-0-2-17 ~]$ cd /home/ec2-user
[ec2-user@ip-192-0-2-17 ~]$ git clone [Link]

Step 3.4: Configure and Run Docker Compose to


Start the Hyperledger Fabric CLI
Use a text editor to create a configuration file for Docker Compose named [Link]
in the /home/ec2-user directory, which you use to run the Hyperledger Fabric CLI. You use this CLI to
interact with peer nodes that your member owns. Copy the following contents into the file, and then
save the file in your home directory.

version: '2'
services:
cli:
container_name: cli
image: hyperledger/fabric-tools:1.2.0
tty: true
environment:
- GOPATH=/opt/gopath
- CORE_VM_ENDPOINT=unix:///host/var/run/[Link]
- CORE_LOGGING_LEVEL=info # Set logging level to debug for more verbose logging
- CORE_PEER_ID=cli
- CORE_CHAINCODE_KEEPALIVE=10
working_dir: /opt/gopath/src/[Link]/hyperledger/fabric/peer
command: /bin/bash
volumes:
- /var/run/:/host/var/run/
- /home/ec2-user/fabric-samples/chaincode:/opt/gopath/src/[Link]/
- /home/ec2-user:/opt/home

Run the following command to start the Hyperledger Fabric peer CLI container:

[ec2-user@ip-192-0-2-17 ~]$ docker-compose -f [Link] up -d

If you restarted or logged out and back in after the usermod command in Step 3.1: Install
Packages (p. 12), you shouldn't need to run this command with sudo. If the command fails, you can
log out and log back in. Alternatively, you can run the command using sudo, as shown in the following
example:

[ec2-user@ip-192-0-2-17 ~]$ sudo /usr/local/bin/docker-compose -f [Link]


up -d

Step 4: Enroll an Administrative User


In this step, you use a pre-configured certificate to enroll a user with administrative permissions to
your member's certificate authority (CA). To do this, you must create a certificate file. You also need the

15
Amazon Managed Blockchain Management Guide
4.1: Create the Certificate File

endpoint for the CA of your member, and the user name and password for the user that you created in
Step 1: Create the Network and First Member (p. 9).

Step 4.1: Create the Certificate File


Run the following command to copy the [Link] to the /home/ec2-
user directory:

aws s3 cp s3://[Link]/etc/[Link] /home/ec2-


user/[Link]

Run the following command to test that you copied the contents to the file correctly:

[ec2-user@ip-192-0-2-17 ~]$ openssl x509 -noout -text -in /home/ec2-user/managedblockchain-


[Link]

The command should return the contents of the certificate in human-readable format.

Step 4.2: Enroll the Administrative User


Managed Blockchain registers the user identity that you specified when you created the member as an
administrator. In Hyperledger Fabric, this user is known as the bootstrap identity because the identity
is used to enroll itself. To enroll, you need the CA endpoint, as well as the user name and password
for the administrator that you created in Step 1: Create the Network and First Member (p. 9). For
information about registering other user identities as administrators before you enroll them, see Register
and Enroll a User as an Administrator (p. 56).

Use the get-member command to get the CA endpoint for your membership as shown in the following
example. Replace the values of --network-id and --member-id with the values returned in Step 1:
Create the Network and First Member (p. 9).

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain get-member \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns information about the initial member that you created in the network, as shown
in the following example. Make a note of the CaEndpoint. You also need the AdminUsername and
password that you created along with the network.

The command returns output similar to the following:

{
"Member": {
"NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"Status": "AVAILABLE",
"Description": "MyNetDescription",
"FrameworkAttributes": {
"Fabric": {
"CaEndpoint": "ca.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-
[Link]",
"AdminUsername": "AdminUser"
}
},
"StatusReason": "Network member created successfully",
"CreationDate": 1542255358.74,
"Id": "m-K46ICRRXJRCGRNNS4ES4XUUS5A",

16
Amazon Managed Blockchain Management Guide
4.3: Copy Certificates

"Name": "org1"
}
}

Use the CA endpoint, administrator profile, and the certificate file to enroll the member administrator
using the fabric-ca-client enroll command, as shown in the following example:

[ec2-user@ip-192-0-2-17 ~]$ fabric-ca-client enroll \


-u [Link] \
--[Link] /home/ec2-user/[Link] -M /home/ec2-user/admin-msp

An example command with fictitious administrator name, password, and endpoint is shown in the
following example:

[ec2-user@ip-192-0-2-17 ~]$ fabric-ca-client enroll \


-u [Link]
[Link] \
--[Link] /home/ec2-user/[Link] -M /home/ec2-user/admin-msp

The command returns output similar to the following:

2018/11/16 [Link] [INFO] Created a default configuration file at /home/ec2-user/.fabric-


ca-client/[Link]
2018/11/16 [Link] [INFO] TLS Enabled
2018/11/16 [Link] [INFO] generating key: &{A:ecdsa S:256}
2018/11/16 [Link] [INFO] encoded CSR
2018/11/16 [Link] [INFO] Stored client certificate at /home/ec2-user/admin-msp/signcerts/
[Link]
2018/11/16 [Link] [INFO] Stored root CA certificate at /home/ec2-user/admin-msp/cacerts/
ca-abcd1efghijkllmn5op3q52rst-uqz2f2xakfd7vcfewqhckr7q5m-managedblockchain-us-east-1-
[Link]

Step 4.3: Copy Certificates for the MSP


In Hyperledger Fabric, the Membership Service Provider (MSP) identifies which root CAs and intermediate
CAs are trusted to define the members of a trust domain. Certificates for the administrator's MSP are in
$FABRIC_CA_CLIENT_HOME, which is /home/ec2-user/admin-msp in this tutorial. Because this MSP
is for the member administrator, copy the certificates from signcerts to admincerts as shown in the
following example:

[ec2-user@ip-192-0-2-17 ~]$ cp -r admin-msp/signcerts admin-msp/admincerts

Important
It may take a minute or two after you enroll for you to be able to use your administrator
certificate to create a channel with the ordering service.

Step 5: Create a Peer Node in Your Membership


Now that you are enrolled as an administrator for your member, you can use your client to create a peer
node. Your member's peer nodes interact with other members' peer nodes on the blockchain to query
and update the ledger, and store a local copy of the ledger.

Wait a minute or two for the administrative permissions from previous steps to propagate, and then use
one of the following procedures to create a peer node.

17
Amazon Managed Blockchain Management Guide
Step 6: Create a Channel

To create a peer node using the AWS Management Console


1. Open the Managed Blockchain console at [Link]
2. Choose Networks, select the network from the list, and then choose View details.
3. Select a Member from the list, and then choose Create peer node.
4. Choose configuration parameters for your peer node according to the previous guidelines, and then
choose Create peer node.

To create a peer node using the AWS CLI


• Use the create-node command, as shown in the following example. Replace the value of --
network-id, --member-id, and AvailabilityZone as appropriate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-node \


--node-configuration '{"InstanceType":"[Link]","AvailabilityZone":"us-east-1a"}' \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns output that includes the peer node's NodeID, as shown in the following
example:

{
"NodeId": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y"
}

Step 6: Create a Hyperledger Fabric Channel


In Hyperledger Fabric, a ledger exists in the scope of a channel. The ledger can be shared across the
entire network if every member is operating on a common channel. A channel also can be privatized to
include only a specific set of participants. Members can be in your AWS account, or they can be members
that you invite from other AWS accounts.

In this step, you set up a basic channel. Later on in the tutorial, in Step 8: Invite Another AWS Account to
be a Member and Create a Joint Channel (p. 22), you go through a similar process to set up a channel
that includes another member.

Step 6.1: Create configtx for Hyperledger Fabric


Channel Creation
The [Link] file contains details of the channel configuration. For more information, see
Channel Configuration (configtx) in the Hyperledger Fabric documentation.

Use a text editor to create a file with the following contents and save it as [Link] on your
Hyperledger File client. Replace MemberID with the MemberID you returned previously. For example m-
K46ICRRXJRCGRNNS4ES4XUUS5A.
Important
This file is sensitive. Artifacts from pasting can cause the file to fail with marshalling errors.
We recommend using emacs to edit it. You can also use VI, but before using VI, enter :set
paste, press i to enter insert mode, paste the contents, press escape, and then enter :set
nopaste before saving.

18
Amazon Managed Blockchain Management Guide
6.1: Create configtx

################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
- &Org1
# DefaultOrg defines the organization which is used in the sampleconfig
# of the [Link] development environment
Name: MemberID
# ID to load the MSP definition as
ID: MemberID
MSPDir: /opt/home/admin-msp
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
AnchorPeers:
- Host:
Port:

################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:

################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
OneOrgChannel:
Consortium: AWSSystemConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1

Run the following command to generate the configtx peer block:

[ec2-user@ip-192-0-2-17 ~]$ docker exec cli configtxgen \


-outputCreateChannelTx /opt/home/[Link] \
-profile OneOrgChannel -channelID mychannel \
--configPath /opt/home/

Important
Hyperledger Fabric 1.2 requires that a channel ID contain only lowercase ASCII alphanumeric
characters, dots (.), and dashes (-). It must start with a letter, and must be fewer than 250
characters.

19
Amazon Managed Blockchain Management Guide
6.2: Set Environment Variables

Step 6.2: Set Environment Variables for Convenience


Set the following environment variables for convenience. Replace the following values as indicated:

• m-K46ICRRXJRCGRNNS4ES4XUUS5A is the MemberID returned by the aws blockchain list-


members AWS CLI command and shown on the member details page of the Managed Blockchain
console.
• [Link] is
the OrderingServiceEndpoint returned by the aws blockchain get-network command and
listed on the network details page of the Managed Blockchain console.
• nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-
[Link]
is the PeerEndpoint returned by the aws blockchain list-nodes command and listed on the
node details page of the Managed Blockchain console.

[ec2-user@ip-192-0-2-17 ~]$ export MSP_PATH=/opt/home/admin-msp


[ec2-user@ip-192-0-2-17 ~]$ export MSP=m-K46ICRRXJRCGRNNS4ES4XUUS5A
[ec2-user@ip-192-0-2-17 ~]$ export ORDERER=orderer.n-
[Link]
[ec2-user@ip-192-0-2-17 ~]$ export PEER=nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-
[Link]-
[Link]

These variables must be exported each time you log out of the client. To persist the variables across
sessions, add the export statement to your ~/.bash_profile as shown in the following example.

# .bash_profile
...other configurations
export MSP_PATH=/opt/home/admin-msp
export MSP=MemberID
export ORDERER=OrderingServiceEndpoint
export PEER=PeerNodeEndpoint

After updating .bash_profile, apply the changes:

[ec2-user@ip-192-0-2-17 ~]$source ~/.bash_profile

Step 6.3: Create the Channel


Run the following command to create a channel using the variables that you established and the
configtx peer block that you created:

docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer channel create -c mychannel \
-f /opt/home/[Link] -o $ORDERER \
--cafile /opt/home/[Link] --tls

Step 6.4: Join Your Peer Node to the Channel


Run the following command to join the peer node that you created earlier to the channel:

20
Amazon Managed Blockchain Management Guide
Step 7: Run Chaincode

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer channel join -b [Link] \
-o $ORDERER --cafile /opt/home/[Link] --tls

Step 7: Install and Run Chaincode


This section shows you how to install sample chaincode on your peer, instantiating the chaincode,
querying the chaincode, and invoking the chaincode to update values.

Step 7.1: Install Chaincode


Run the following command to install example chaincode on the peer node:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
-e "CORE_PEER_ADDRESS=$PEER" \
cli peer chaincode install \
-n mycc -v v0 -p [Link]/chaincode_example02/go

Step 7.2: Instantiate Chaincode


Run the following command to instantiate the chaincode:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
-e "CORE_PEER_ADDRESS=$PEER" \
cli peer chaincode instantiate \
-o $ORDERER -C mychannel -n mycc -v v0 \
-c '{"Args":["init","a","100","b","200"]}' \
--cafile /opt/home/[Link] --tls

You may have to wait a minute or two for the instantiation to propagate to the peer node. Use the
following command to verify instantiation:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
-e "CORE_PEER_ADDRESS=$PEER" \
cli peer chaincode list --instantiated \
-o $ORDERER -C mychannel \
--cafile /opt/home/[Link] --tls

The command returns the following when the chaincode is instantiated:

Get instantiated chaincodes on channel mychannel:

21
Amazon Managed Blockchain Management Guide
7.3: Query the Chaincode

Name: mycc, Version: v0, Path: [Link]/chaincode_example02/go, Escc: escc, Vscc: vscc

Step 7.3: Query the Chaincode


You may need to wait a brief moment for the instantiation from the previous step to complete before
you run the following command to query a value:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode query -C mychannel \
-n mycc -c '{"Args":["query","a"]}'

The command should return the value of a, which you instantiated to a value of 100.

Step 7.4: Invoke the Chaincode


In the previous steps, we instantiated the key a with a value of 100 and queried to verify. Using the
invoke command in the following example, we remove 10 from that initial value:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" -e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode invoke -C mychannel \
-n mycc -c '{"Args":["invoke","a","b","10"]}' \
-o $ORDERER --cafile /opt/home/[Link] --tls

When we query again using the following command:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode query -C mychannel \
-n mycc -c '{"Args":["query","a"]}'

The command should return the value of a as the new value 90.

Step 8: Invite Another AWS Account to be a


Member and Create a Joint Channel
Now that you have a Hyperledger Fabric network set up using Amazon Managed Blockchain, with an
initial member in your AWS account and a VPC endpoint with a service name, you are ready to invite
additional members. You invite additional members by creating a proposal for an invitation that existing
members vote on. Since the blockchain network at this point consists of only one member, the first
member always has the only vote on the invitation proposal for the second member. In the steps that
follow, the network creator has an initial member named org1 and the invited member is named org2.
For proof of concept, you can create an invitation proposal for an additional member in the same AWS

22
Amazon Managed Blockchain Management Guide
8.1: Create an Invitation Proposal

account that you used to create the network, or you can create an invitation proposal for a different AWS
account.

After the invitation proposal is approved, the invited account can create a member. Invited members
are free to reject the invitation or ignore it until the invitation proposal expires. The invited account
needs the network ID and VPC endpoint service name of the blockchain network to create a member.
For more information, see Work with Invitations (p. 37). The invited account also needs to fulfill the
prerequisites listed in Prerequisites and Considerations (p. 6).

Step 8.1: Create an Invitation Proposal


Create a proposal to invite an AWS account to create a member and join the network according to the
following procedures. You need the AWS account ID of the member you want to invite. You can also
invite your own account to create an additional member. If you are using the CLI, you also need the
Network ID and Member ID that you created in Step 1: Create the Network and First Member (p. 9).

To create an invitation proposal using the AWS Management Console


1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Networks, and then choose the network to which you want to
invite an AWS account.
3. Choose Proposals and then choose Propose invitation.
4. For Submit proposal as, choose the member in your account that submits the proposal.
Note
The member who submits the proposal must also vote on it. A Yes vote is not automatically
assumed.
5. Enter an optional Description . The description appears to other members. It's a good way to
communicate key points or a reminder about the proposal before they vote.
6. For each AWS account that you want to invite, enter the account number in the space provided.
Choose Add to enter additional accounts.

To create an invitation proposal using the AWS CLI


• Type a command similar to the following. Replace the value of Principal with the AWS account ID
that you want to invite. Replace the value of --member-id with the value for the member in your
account that submits the proposal.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-proposal \


--actions Invitations=[{Principal=123456789012}] \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns the proposal ID, as shown in the following example:

{
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE"
}

Step 8.2: Vote Yes on the Proposal


After you create the invitation proposal, use the first member that you created to vote Yes and approve
the proposal. You must do this within the duration defined by the network voting policy.

23
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

1. Open the Managed Blockchain console at [Link]


2. From the navigation pane, choose Networks, and then choose the Network for which the proposal
was made.
3. Choose Proposals.
4. Under Active proposals, choose the Proposal ID to vote on.
5. Under Vote on proposal, select the member in your account to vote as. If your account has multiple
members, each member gets a vote.
6. Choose Yes to vote to approve the proposal. Voting yes is a requirement for the second member to
be created in the next step. Choosing No rejects the proposal and an invitation is not created.
7. Choose to Confirm your vote.

Step 8.3: Create the New Member


To accept an invitation to create a member and join a network, the steps are similar whether you are
creating a member in a Managed Blockchain network in a different AWS account or your own AWS
account. You first create the member as shown in the following procedures. If you use the AWS CLI, make
sure that you have the relevant information, including the Network ID and the Invitation ID that the
network sent to your account. When you create a member, you specify the name that identifies your
member on the network. You also specify the admin user and password to authenticate to your member
certificate authority (CA).

To accept an invitation to create a member and join a network using the AWS
Management Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Invitations.
3. Select the invitation that you want to accept from the list, and then choose Accept invitation. To
view more information about the network you are invited to join, choose the network Name from
the list
4. Under Join network, configure your network member according to the following guidelines:

a. Enter a Member name that will be visible to all members and an optional Description.
b. Under Hyperledger Fabric certificate authority (CA) configuration specify a username and
password to be used as the administrator on the Hyperledger Fabric CA. Remember the user
name and password. You need them later any time that you create users and resources that
need to authenticate.
c. Choose Create member and join network.
5. Choose Create member.

To accept an invitation to create a member and join a network using the AWS
CLI
• Use the create-member command similar to the example below. Replace the value of --network-
id with the Network ID that you are joining and --invitation-id with the Invitation ID sent to
your account from the network.

aws managedblockchain create-member \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--invitation-id i-XL9MDD6LVWWDNA9FF94Y4TFTE \
--member-configuration 'Name=org2,Description=MyMemberDesc,\
FrameworkConfiguration={Fabric={AdminUsername=MyAdminUsername,\

24
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

AdminPassword=Password123}}'

The command returns output similar to the following:

{
"MemberId": "m-J46DNSFRTVCCLONS9DT5TTLS2A"
}

Additional Steps to Configure a Member


After you create the member, perform the following steps to configure the member. As you perform
the steps, replace values with those specific to your member configuration, including the Member ID
returned by the previous command. The Network ID and OrderingServiceEndpoint are the same for
all members.

• Step 2: Create and Configure the Interface VPC Endpoint (p. 11)

This step is only required if you are creating the second member in a different AWS account.
• Step 3: Create an Amazon EC2 Instance and Set Up the Hyperledger Fabric Client (p. 11)

If you are creating an additional member in the same AWS account, and you already have a
Hyperledger Fabric client, you can skip most of these steps. However, you should verify connectivity to
the Hyperledger Fabric CA as described in Step 3.2: Set Up the Hyperledger Fabric CA Client (p. 14),
using the new CA endpoint for the new member.
• Step 4: Enroll an Administrative User (p. 15)
• Step 5: Create a Peer Node in Your Membership (p. 17)

Step 8.4: Share Artifacts and Information with the Network


Creator
Before a shared channel can be created, the following artifacts and information need to be shared with
org1 by org2:

• org1 needs the org2 administrative certificate—This certificate is saved the /home/ec2-user/
admin-msp/admincerts directory on org2's Hyperledger Fabric client after Step 4: Enroll an
Administrative User (p. 15). This is referenced in the following steps as Org2AdminCertFile
• org1 needs the org2 root CA—This certificate is saved to org2's /home/ec2-user/admin-msp/
cacerts directory on org2's Hyperledger Fabric client after the same step as previous. This is
referenced in the following steps as Org2CACertFile
• org1 needs the Endpoint of the peer node that will join the channel—This Endpoint value is
output by the get-node command after Step 5: Create a Peer Node in Your Membership (p. 17) is
complete.

Step 8.5: The Channel Creator (org1) Creates Artifacts for org2's
MSP
In the following example, the channel creator is org1. The CA administrator for org1 copies the
certificates from the step above to a location on the Hyperledger Fabric client computer. The
Membership Service Provider (MSP) uses the certificates to authenticate the member.

On the channel creator's Hyperledger Fabric client, use the following commands to create directories to
store the certificates, and then copy the certificates from the previous step to the new directories:

25
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

[ec2-user@ip-192-0-2-17 ~]$ mkdir /home/ec2-user/org2-msp


[ec2-user@ip-192-0-2-17 ~]$ mkdir /home/ec2-user/org2-msp/admincerts
[ec2-user@ip-192-0-2-17 ~]$ mkdir /home/ec2-user/org2-msp/cacerts

cp Org2AdminCerts /home/ec2-user/org2-msp/admincerts
cp Org2CACerts /home/ec2-user/org2-msp/cacerts

Org1 needs org2's member ID. You can get this by running the list-members command on org1's
Hyperledger Fabric client as shown in the following example:

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain list-members \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU

The channel creator (org1) should verify that the required artifacts for channel creation are saved on the
Hyperledger Fabric client as shown in the following list:

• Org1 MSP artifacts:


• /home/ec2-user/admin-msp/signcerts/[Link]
• /home/ec2-user/admin-msp/admincerts/[Link]
• /home/ec2-user/admin-msp/cacerts/[Link]
• /home/ec2-user/admin-msp/keystore/keyname_sk
• Org2 MSP artifacts
• /home/ec2-user/org2-msp/admincerts/[Link]
• /home/ec2-user/org2-msp/cacerts/[Link]
• The TLS CA cert used for the Region:
• /home/ec2-user/[Link]
• Addresses of all peer nodes to join the channel for both org1 and org2.
• The respective member IDs of org1 and org2.
• A [Link] file, which you create in the following step, saved to the /home/ec2-user
directory on the channel creator's Hyperledger Fabric client.
Note
If you created this configtx file earlier, delete the old file, rename it, or replace it.

Step 8.6: Create configtx for the Joint Channel


The [Link] file contains details of the channel configuration. For more information, see
Channel Configuration (configtx) in the Hyperledger Fabric documentation.

The channel creator creates this file on the Hyperledger File client. If you compare this file to the file
created in Step 6.1: Create configtx for Hyperledger Fabric Channel Creation (p. 18), you see that this
[Link] specifies two members in the channel.

Use a text editor to create a file with the following contents and save it as [Link] on your
Hyperledger File client. In the example below, replace Member1ID with the member ID of org1, which
was created with the network in Step 1: Create the Network and First Member (p. 9). For example m-
K46ICRRXJRCGRNNS4ES4XUUS5A. Replace Member2ID with the member ID of org2, which was created
with Step 8.3: Create the New Member (p. 24).
Important
This file is sensitive. Artifacts from pasting can cause the file to fail with marshalling errors.
We recommend using emacs to edit it. You can also use VI, but before using VI, enter :set
paste, press i to enter insert mode, paste the contents, press escape, and then enter :set
nopaste before saving.

26
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
- &Org1
# member id defines the organization
Name: Member1ID
# ID to load the MSP definition as
ID: Member1ID
#msp dir of org1 in the docker container
MSPDir: /opt/home/admin-msp
# AnchorPeers defines the location of peers which can be used
# for cross org gossip communication. Note, this value is only
# encoded in the genesis block in the Application section context
AnchorPeers:
- Host:
Port:
- &Org2
Name: Member2ID
ID: Member2ID
MSPDir: /opt/home/org2-msp
AnchorPeers:
- Host:
Port:

################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
# Organizations is the list of orgs which are defined as participants on
# the application side of the network
Organizations:

################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
TwoOrgChannel:
Consortium: AWSSystemConsortium
Application:
<<: *ApplicationDefaults
Organizations:
- *Org1
- *Org2

Run the following command to generate the configtx peer block:

[ec2-user@ip-192-0-2-17 ~]$ docker exec cli configtxgen \


-outputCreateChannelTx /opt/home/[Link] \

27
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

-profile TwoOrgChannel -channelID ourchannel \


--configPath /opt/home/

Step 8.7: Create the Channel


The channel creator (org1) uses the following command on their Hyperledger Fabric client to create the
channel ourchannel. The command example assumes that environment variables have been configured
as described in Step 6.2: Set Environment Variables for Convenience (p. 20).

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer channel create -c ourchannel \
-f /opt/home/[Link] -o $ORDERER \
--cafile /opt/home/[Link] --tls

Step 8.8: Get Channel Genesis Block


A member who joins the channel must get the channel genesis block. In this example, org2 runs the
following command from their Hyperledger Fabric client to get the genesis block.

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" -e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer channel fetch oldest /opt/home/[Link] \
-c ourchannel -o $ORDERER \
--cafile /opt/home/[Link] --tls

Step 8.9: Join Peer Nodes to the Channel


Both org1 and org2 need to run the following command on their respective Hyperledger Fabric clients to
join their peer nodes to the channel:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer channel join -b /opt/home/[Link] \
-o $ORDERER --cafile /opt/home/[Link] --tls

Step 8.10: Install Chaincode


Both org1 and org2 run the following command on their respective Hyperledger Fabric clients to install
example chaincode on their respective peer nodes:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
-e "CORE_PEER_ADDRESS=$PEER" \
cli peer chaincode install -n mycc -v v0 \
-p [Link]/chaincode_example02/go

28
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

Step 8.11: Instantiate Chaincode


The channel creator (org1) runs the following command to instantiate the chaincode with an
endorsement policy that requires both org1 and org2 to endorse all transactions. Replace Member1ID
with the member ID of org1 and Member2ID with the member ID of org2. You can use the list-
members command to get them.

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
-e "CORE_PEER_ADDRESS=$PEER" \
cli peer chaincode instantiate -o $ORDERER \
-C ourchannel -n mycc -v v0 \
-c '{"Args":["init","a","100","b","200"]}' \
--cafile /opt/home/[Link] --tls \
-P "AND ('[Link]','[Link]')"

You may need to wait a brief moment for the instantiation from the previous step to complete before
you run the following command to query a value:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode query -C ourchannel \
-n mycc -c '{"Args":["query","a"]}'

The command should return the value of a, which you instantiated to a value of 100.

Step 8.12: Invoke Chaincode


With the channel created and configured with both members, and the chaincode instantiated with
values and an endorsement policy, channel members can invoke chaincode. This example command
is similar to the example in Step 7.4: Invoke the Chaincode (p. 22). However, the command uses
the --peerAddresses option to specify the endpoints of peer nodes that belong to members in the
endorsement policy. The example specifies Org2PeerNodeEndpoint in addition to $PEER, which
indicates the command is run from an org1 Hyperledger Fabric client. If the command runs from the
org1 Hyperledger Fabric client, Org2PeerNodeEndpoint is specified.

docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \
-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode invoke \
-C ourchannel -n mycc -c '{"Args":["invoke","a","b","10"]}' \
--peerAddresses $PEER \
--tlsRootCertFiles /opt/home/[Link] \
--peerAddresses Org2PeerNodeEndpoint \
--tlsRootCertFiles /opt/home/[Link] \
-o $ORDERER --cafile /opt/home/[Link] --tls

When we query again using the following command:

[ec2-user@ip-192-0-2-17 ~]$ docker exec -e "CORE_PEER_TLS_ENABLED=true" \


-e "CORE_PEER_TLS_ROOTCERT_FILE=/opt/home/[Link]" \

29
Amazon Managed Blockchain Management Guide
8.3: Create the New Member

-e "CORE_PEER_ADDRESS=$PEER" \
-e "CORE_PEER_LOCALMSPID=$MSP" \
-e "CORE_PEER_MSPCONFIGPATH=$MSP_PATH" \
cli peer chaincode query -C ourchannel \
-n mycc -c '{"Args":["query","a"]}'

The command should return the value of a as the new value 90.

30
Amazon Managed Blockchain Management Guide
Create a Managed Blockchain Network

Create an Amazon Managed


Blockchain Network
When a user in an AWS account creates a blockchain network on Amazon Managed Blockchain, they also
create the first member in the network. This first member has no peer nodes associated with it until you
create them. After you create the network and the first member, you can use that member to create an
invitation proposal for other members in the same AWS account or in other AWS accounts. Any member
can create an invitation proposal.

When you create the network and the first member in your AWS account, the network exists. However,
transactions cannot be conducted and the ledger does not exist because there are no peer nodes. Do the
following tasks to make your network functional:

• Create an interface VPC endpoint based on the network's VPC service name so that you can privately
connect to resources. For more information, see Create an Interface VPC Endpoint to Connect to
Managed Blockchain Network Resources (p. 46).
• Create at least one peer node in your first membership to interact with the network and to create
and endorse transactions. For more information, see Work with Peer Nodes in a Managed Blockchain
Network (p. 41).
• Create an invitation proposal for other AWS accounts to be members of the network, or invite an
additional member in your account to simulate a multi-AWS account network. Vote Yes on your own
proposal to approve it and create the invitation. For more information about inviting members, see
Create an Invitation Proposal (p. 53).

Create a Managed Blockchain Network


You can create a Managed Blockchain network using the AWS Management Console, the AWS CLI, or the
Managed Blockchain SDK CreateNetwork action.

To create a Managed Blockchain network using the AWS


Management Console
1. Open the Managed Blockchain console at [Link]
2. Choose Create network.
3. Under Blockchain framework:

a. Select the blockchain framework to use. This tutorial is based on Hyperledger Fabric version
1.2.
b. Select the Network edition to use. The network edition determines attributes of the network,
such as the maximum number of members, nodes per member, and transaction throughput.
Different editions have different rates associated with the membership. For more information,
see Amazon Managed Blockchain Pricing.
4. Enter a Network name and description.
5. Under Voting Policy, choose the following:

a. Enter the Approval threshold percentage along with the comparator, either Greater than or
Greater than or equal to. For a proposal to pass, the Yes votes cast must meet this threshold
before the vote duration expires.

31
Amazon Managed Blockchain Management Guide
Create a Managed Blockchain Network

b. Enter the Proposal duration in hours. If enough votes are not cast within this duration to either
approve or reject a proposal, the proposal status is EXPIRED, no further votes on this proposal
are allowed, and the proposal does not pass.
6. Choose Next, and then, under Create member, do the following to define the first member for the
network, which you own:

a. Enter a Member name that will be visible to all members and an optional Description.
b. Under Hyperledger Fabric certificate authority (CA) configuration specify a username and
password to be used as the administrator on the Hyperledger Fabric CA. Remember the user
name and password. You need them later any time that you create users and resources that
need to authenticate.
c. Choose Create member and join network.
7. Review Network options and Member options, and then choose Create network and member.

The Networks list shows the name and Network ID of the network you created, with a Status of
Creating. It may take a minute or two for Managed Blockchain to create your network, after which
the Status is Active.

To create a Managed Blockchain network using the AWS CLI


Use the create-network command as shown in the following example. Consider the following:

• The example shows HYPERLEDGER_FABRIC as the Framework and 1.2 as the FrameworkVersion.
The FrameworkConfiguration properties for --network-configuration and --member-
configuration options may be different for other frameworks and versions.
• The AdminPassword must be at least 8 characters long and no more than 32 characters. It must
contain at least one uppercase letter, one lowercase letter, and one digit. It cannot have a single
quote(‘), double quote(“), forward slash(/), backward slash(\), @, percent sign (%), or a space.
• Remember the user name and password. You need them later any time you create users and resources
that need to authenticate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-network \


--network-configuration '{"Name":"MyTestTaigaNetwork", \
"Description":"MyTaigaNetDescription", \
"Framework":"HYPERLEDGER_FABRIC","FrameworkVersion": "1.2", \
"FrameworkConfiguration": {"Fabric": {"Edition": "STARTER"}}, \
"VotingPolicy": {"ApprovalThresholdPolicy": {"ThresholdPercentage": 50, \
"ProposalDurationInHours": 24, \
"ThresholdComparator": "GREATER_THAN"}}}' \
--member-configuration '{"Name":"org1", \
"Description":"Org1 first member of network",\
"FrameworkConfiguration":{"Fabric":
{"AdminUsername":"AdminUser","AdminPassword":"Password123"}}}'

The command returns the Network ID and the Member ID, as shown in the following example:

{
"NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"MemberId": "m-K46ICRRXJRCGRNNS4ES4XUUS5A"
}

32
Amazon Managed Blockchain Management Guide

Delete an Amazon Managed


Blockchain Network
A blockchain network on Amazon Managed Blockchain remains active as long as there are members.
A network is deleted only when the last member deletes itself from the network. No member or AWS
account, even the creator's AWS account, can delete the network until they are the last member and
delete themselves. When you delete the last member, all resources for that member and the blockchain
network are deleted. For more information, see Delete a Member in Your AWS Account (p. 36).

33
Amazon Managed Blockchain Management Guide
Create an Invitation Proposal

Invite or Remove Members


To invite and remove other network members, any member can create a proposal that is submitted for a
vote to all network members. If a proposal is approved within the duration and with the percentage of
Yes votes specified in the voting policy for the network, the appropriate action is carried out.

A member can only join the network through an approved invitation proposal. The exception is the
first member, which is created along with the network. The first member then submits a proposal and
is the sole voter on the proposal to invite the second member. An AWS account can delete members
from the network that they own directly. A proposal is not required. To delete a member in a different
AWS account, a proposal to remove the member is required. Information about all proposals, including
the member who created the proposal, the current vote count, and more is available to all network
members.

This topic provides basic information for creating proposals to invite or remove members, and to delete a
member that your AWS account owns. For more detailed information about proposals, including how to
vote on a proposal, see Work with Proposals (p. 48).

Create a Proposal to Invite an AWS Account to the


Network
You can use the AWS Management Console, the AWS CLI, or the Managed Blockchain API to create an
invitation proposal. When a proposal to invite a member is approved, an invitation is sent to the specified
AWS accounts. An administrator with the appropriate permissions in that account can then choose to
either create a member and join the network or reject the invitation.

To create an invitation proposal using the AWS Management


Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Networks, and then choose the network to which you want to
invite an AWS account.
3. Choose Proposals and then choose Propose invitation.
4. For Submit proposal as, choose the member in your account that submits the proposal.
Note
The member who submits the proposal must also vote on it. A Yes vote is not automatically
assumed.
5. Enter an optional Description . The description appears to other members. It's a good way to
communicate key points or a reminder about the proposal before they vote.
6. For each AWS account that you want to invite, enter the account number in the space provided.
Choose Add to enter additional accounts.

To create an invitation proposal using the AWS CLI


• Type a command similar to the following. Replace the value of Principal with the AWS account ID
that you want to invite. Replace the value of --member-id with the value for the member in your
account that submits the proposal.

34
Amazon Managed Blockchain Management Guide
Create a Removal Proposal

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-proposal \


--actions Invitations=[{Principal=123456789012}] \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns the proposal ID, as shown in the following example:

{
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE"
}

Create a Proposal to Remove a Member From the


Network
You can use the AWS Management Console, the AWS CLI, or the Managed Blockchain API to create a
proposal to remove a member owned by another AWS account.

To create a proposal to remove a member using the AWS


Management Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Networks, and then choose the network.
3. Choose Proposals and then choose Propose removal.
4. For Submit proposal as, choose the member in your account that submits the proposal.
Note
The member who submits the proposal must also vote on it. A Yes vote is not automatically
assumed.
5. Enter an optional Description . The description appears to other members. It's a good way to
communicate key points or a reminder about the proposal before they vote.
6. For each member that you want to remove, enter the member ID in the space provided. Choose Add
to enter additional members.

To create a removal proposal using the AWS CLI


• Type a command similar to the following. Replace the value of Principal with the AWS account ID
that you want to invite. Replace the value of --member-id with the value for the member in your
account that submits the proposal.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-proposal \


--actions Removals=[{MemberID=m-K46ICRRXJRCGRNNS4ES4XUUS5A}] \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-J46DNSFRTVCCLONS9DT5TTLS2A

The command returns the proposal ID, as shown in the following example:

{
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE"
}

35
Amazon Managed Blockchain Management Guide
Delete a Member in Your AWS Account

Delete a Member in Your AWS Account


You can use the AWS Management Console, the AWS CLI, or the Managed Blockchain API to directly
remove members that your AWS account owns from a network.
Warning
Removing a member in your account deletes all associated resources, such as peer nodes. For
your AWS account to rejoin the network, an existing member must create a proposal to invite
your AWS account, and the proposal must be approved.

To delete a member in your account using the AWS


Management Console
1. Open the Managed Blockchain console at [Link]
2. Choose Networks, choose the network Name, and then choose Members.
3. Under Members owned by you, select a member and then choose Delete member.
4. Choose Delete when prompted to confirm.

To delete a member in your account using the AWS CLI


• Use the delete-member command as shown in the following example. Replace the values of --
network-id and --member-id as appropriate.

aws managedblockchain delete-member --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU --member-


id m-J46DNSFRTVCCLONS9DT5TTLS2A

36
Amazon Managed Blockchain Management Guide
Work with Invitations

Accept an Invitation to Create


a Member and Join a Managed
Blockchain Network
In Amazon Managed Blockchain, a member is a distinct identity within the Managed Blockchain
network associated with an AWS account. An AWS account can have multiple members on the network.
Every member in a Managed Blockchain network must be invited to participate through a proposal
made by an existing member and approved according to the network's voting policy. The exception
is the first member, which is created along with the network. For more information, see Work with
Proposals (p. 48). After the invitation is approved, the invited AWS account can create a member and
join the network using the invitation ID.

Each member pays an hourly rate, billed per second, for their network membership, peer nodes, and
peer node storage. Charges also apply to the amount of data written to the network. Charges may vary
depending on the network edition selected when the network was created. For more information, see
Amazon Managed Blockchain Pricing. The resources associated with a member's account depend on the
specific blockchain framework and application requirements, but each member must have the following
resources:

• An interface VPC endpoint in the account–Managed Blockchain is a PrivateLink-powered service, so


you must have an interface VPC endpoint in your account to communicate with the service endpoint
that the Managed Blockchain network makes available. For more information, see Create an Interface
VPC Endpoint to Connect to Managed Blockchain Network Resources (p. 46) and Key Concepts:
Managed Blockchain Networks, Members, and Peer Nodes (p. 2).
• One or more peer nodes–Each member must have at least one peer node to actively participate
in the blockchain network. When you create a member it has no peer nodes by default. You create
peer nodes after you create the member. Peer nodes run on Managed Blockchain instances. Custom
Amazon EC2 instances or on-premises instances cannot participate as peer nodes on a Managed
Blockchain network. For more information, see Work with Peer Nodes in a Managed Blockchain
Network (p. 41).

Topics
• Work with Invitations (p. 37)
• Create a Member and Join a Network (p. 39)

Work with Invitations


If you are invited to join a Managed Blockchain network, you can accept the invitation by creating a
member using the invitation ID. You can also reject the invitation. After you reject an invitation, the
invitation ID is no longer valid. A new invitation proposal must be approved, and a new invitation ID is
required to create a member. If don't accept or reject an invitation before it expires, the invitation lapses.
As with a rejected invitation, a new invitation ID is required.

You can see all pending, accepted, and rejected invitations for your AWS account in the AWS
Management Console. Alternatively, you can use the AWS CLI or the Managed Blockchain SDK
ListInvitations action.

37
Amazon Managed Blockchain Management Guide
Work with Invitations

You can set up Amazon CloudWatch Events along with Amazon Simple Notification Service so that you
receive an alert when there is an invitation for your account. For more information, see Automating
Managed Blockchain Proposal Notifications with CloudWatch Events (p. 54).

To list blockchain network member invitations for your AWS


account using the console
1. Open the Managed Blockchain console at [Link]
2. Choose Invitations, and then do one of the following:

To... Do this...

View details about the network, such as the Select the invitation from the list and choose
network ID, the description, endpoints, voting View details.
policy details, and current members.

Use the invitation to create a member and join Select the invitation from the list and choose
the network. Accept Invitation. For next steps, see Create a
Member and Join a Network (p. 39)

Reject the invitation. Select the invitation from the list and choose
Reject Invitation.

To list blockchain network member invitations for your AWS


account using the AWS CLI
• Use the following command:

aws managedblockchain list-invitations

The command returns a list of invitations, along with detail for each invitation, as shown in the
following example for an invitation in the PENDING status:

{
"Invitations": [
{
"CreationDate": 2019-04-08T[Link].628Z,
"ExpirationDate": 2019-04-09T[Link].628Z,
"InvitationId": "i-XL9MDD6LVWWDNA9FF94Y4TFTE",
"NetworkSummary": {
"CreationDate": 2019-04-03T[Link].345Z,
"Description": "Test network for supply chain blockchain.",
"Framework": "HYPERLEDGER_FABRIC",
"FrameworkVersion": "1.2",
"Id": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"Name": "Example Corp.",
"Status": "AVAILABLE"
},
"Status": "PENDING"
}
]
}

38
Amazon Managed Blockchain Management Guide
Create a Member

You can use the InvitationID with the create-member command to create a member and join the
network. For next steps, see Create a Member and Join a Network (p. 39).

Create a Member and Join a Network


You can use the Managed Blockchain console, the AWS CLI, or the Managed Blockchain SDK
CreateMember action to create a member in a network that your account is invited to. If you created the
Managed Blockchain network, you create the first member when you create the network. All subsequent
members must be invited to join by way of a member proposal.

After you create the member, for the member to be functional on the network, your account must
have a VPC endpoint associated with the VPC endpoint service name published by the network. For
more information, see Create an Interface VPC Endpoint to Connect to Managed Blockchain Network
Resources (p. 46). You also must create at least one peer node in your membership. For more
information, see Work with Peer Nodes in a Managed Blockchain Network (p. 41).

To accept an invitation to create a member and join a network


using the AWS Management Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Invitations.
3. Select the invitation that you want to accept from the list, and then choose Accept invitation. To
view more information about the network you are invited to join, choose the network Name from
the list
4. Under Join network, configure your network member according to the following guidelines:

a. Enter a Member name that will be visible to all members and an optional Description.
b. Under Hyperledger Fabric certificate authority (CA) configuration specify a username and
password to be used as the administrator on the Hyperledger Fabric CA. Remember the user
name and password. You need them later any time that you create users and resources that
need to authenticate.
c. Choose Create member and join network.
5. Choose Create member.

To accept an invitation to create a member and join a network


using the AWS CLI
• Use the create-member command similar to the example below. Replace the value of --network-
id with the Network ID that you are joining and --invitation-id with the Invitation ID sent to
your account from the network.

aws managedblockchain create-member \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--invitation-id i-XL9MDD6LVWWDNA9FF94Y4TFTE \
--member-configuration 'Name=org2,Description=MyMemberDesc,\
FrameworkConfiguration={Fabric={AdminUsername=MyAdminUsername,\
AdminPassword=Password123}}'

The command returns output similar to the following:

39
Amazon Managed Blockchain Management Guide
Create a Member

"MemberId": "m-J46DNSFRTVCCLONS9DT5TTLS2A"
}

After you create the member, you can use the get-member command to return important details about
the member configuration.

40
Amazon Managed Blockchain Management Guide
Create a Peer Node

Work with Peer Nodes in a Managed


Blockchain Network
Peer nodes are essential. They do the work for your member on the Managed Blockchain network. They
keep a local copy of the shared ledger, let you query the ledger, and interact with clients and other peer
nodes to perform transactions. A new member has no peer nodes. Create at least one peer node per
member.

Each peer node runs on an Managed Blockchain instance type. You cannot add a custom Amazon EC2
instance to your member, nor can you connect an on-premises machine. The number of peer nodes and
the Managed Blockchain instance type of peer nodes available to each member depends on the network
edition specified when the network was created. For more information, see Amazon Managed Blockchain
Pricing.

When you create a peer node, you select the following characteristics:

• Managed Blockchain instance type

This determines the computational and memory capacity allocated to this node for the blockchain
workload. You can choose more CPU and RAM if you anticipate a more demanding workload for each
node. For example, your nodes may need to process a higher rate of transactions. Different instance
types are subject to different pricing.
• Allocated storage

This is the amount of storage in GiB that is available to the peer node for storing local copies of the
ledger. Storage rates apply.
• Availability Zone

You can select the Availability Zone to launch the peer node in. The ability to distribute peer nodes
in a member across different Availability Zones allows you to design your blockchain application for
resiliency. For more information, see Regions and Availability Zones in the Amazon EC2 User Guide for
Linux Instances.

You can monitor CPU and memory utilization to determine if your Managed Blockchain instance type is
sized appropriately. For more information, see Using Peer Node Metrics (p. 43).

Create a Peer Node


You can create a peer node in a member that is in your AWS account using the AWS Management
Console, the AWS CLI, or the Managed Blockchain SDK CreateNode action.

To create a peer node using the AWS Management Console


1. Open the Managed Blockchain console at [Link]
2. Choose Networks, select the network from the list, and then choose View details.

41
Amazon Managed Blockchain Management Guide
Peer Node Properties

3. Select a Member from the list, and then choose Create peer node.
4. Choose configuration parameters for your peer node according to the previous guidelines, and then
choose Create peer node.

To create a peer node using the AWS CLI


• Use the create-node command, as shown in the following example. Replace the value of --
network-id, --member-id, and AvailabilityZone as appropriate.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-node \


--node-configuration '{"InstanceType":"[Link]","AvailabilityZone":"us-east-1a"}' \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns output that includes the peer node's NodeID, as shown in the following
example:

{
"NodeId": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y"
}

View Peer Node Properties


You can view information about each peer node in your member using the AWS Management Console,
the AWS CLI or the Managed Blockchain API GetNode command. Details include basic information like
the Managed Blockchain instance type, Availability Zone, and creation date, along with the following
important properties:

• Status
• Creating

Managed Blockchain is provisioning and configuring the Managed Blockchain instance for the peer
node.
• Available

The peer node is running and available on the Managed Blockchain network.
• Failed

The peer node has an issue that has caused Managed Blockchain to add it to the deny list on the
network. This usually indicates that the peer node has reached memory or storage capacity. As a first
step, we recommend that you delete the instance and provision an instance with more capacity.
• Create Failed

The node could not be created with the Managed Blockchain instance type and the Availability Zone
specified. We recommend trying another availability zone, a different instance type, or both.
• Deleting

The node is being deleted. This can happen because the node was deleted by the member, the
member was deleted by the AWS account, or the member was deleted through an approved removal
proposal.
• Deleted

The node has been deleted. See the previous item for possible reasons.

42
Amazon Managed Blockchain Management Guide
Using Peer Node Metrics

• Endpoints

Hyperledger Fabric uses endpoints associated with each peer node to identify the peer node on the
network for different processes. Managed Blockchain assigns unique peer node endpoints to each
peer node on each network when the peer node is created. The peer node endpoint consists of the
applicable port and the domain name of the peer node derived from the network ID, member ID, and
peer node ID. For more information, see Identifying Managed Blockchain Resources and Connecting
from a Client (p. 4). Do not assume that the ports for a service are the same among members; different
members may use different ports for the same service. Conversely, peer nodes in different networks
may use the same ports, but their endpoints are always unique.
• Peer endpoint

Use this endpoint, including the port, within Hyperledger Fabric to address the peer node when
using all services other than peer channel-based event services.
• Peer event endpoint

Use this endpoint, including the port, within Hyperledger Fabric to address the peer node for peer
channel-based event services.

You can also view and monitor Metrics related to peer node performance. For more information, see
Using Peer Node Metrics (p. 43).

You can check the peer node status using the get-node command, as shown in the following example:

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain get-node \


--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A \
--node-id nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y

The command returns output that includes the peer node's PeerEndpoint and PeerEventEndpoint,
as shown in the following example. You need this endpoint and port when communicating with the node
using your blockchain framework client or addressing the node within an application.

{
"Node": {
"AvailabilityZone": "us-east-1a",
"CreationDate": 2019-04-08T[Link].628Z,
"FrameworkAttributes": {
"Fabric": {
"PeerEndpoint": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-K46ICRRXJRCGRNNS4ES4XUUS5A.n-
[Link]",
"PeerEventEndpoint": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y.m-
[Link]-
[Link]"
}
},
"Id": "nd-6EAJ5VA43JGGNPXOUZP7Y47E4Y",
"InstanceType": "[Link]",
"Status": "AVAILABLE"
}
}

Using Peer Node Metrics


You can use peer node metrics to track that activity and health of peer nodes that belong to your
Amazon Managed Blockchain member. You can use the Managed Blockchain console to view the

43
Amazon Managed Blockchain Management Guide
Viewing Peer Node Metrics

metrics for a peer node. Managed Blockchain also reports metrics to Amazon CloudWatch. You can use
CloudWatch to set up dashboards, receive alarms, and view log files for peer node metrics. For more
information, see Using Amazon CloudWatch Metrics in the Amazon CloudWatch User Guide.

Managed Blockchain collects the following metrics for each peer node in the AWS/ManagedBlockchain
namespace.

Metric Description

Channel metrics

Transactions The number of transactions that a peer node


receives per minute.

Units: Count

Utilization metrics

CPUUtilization(%) The percentage of total CPU capacity used on the


peer node's Managed Blockchain instance at any
given instant.

Units: Percent

MemoryUtilization(%) The percentage of total available memory used on


the peer node's Managed Blockchain instance at
any given instant.

Units: Percent

Viewing Peer Node Metrics


You can use the Amazon Managed Blockchain console to view graphs for peer node metrics. Metrics are
available on the peer node details page.

To view metrics using the Managed Blockchain console

1. Open the Managed Blockchain console at [Link]


2. Under Network, choose the Name of the network.
3. Choose Members. Under Members owned by you, choose the Name of the member to which the
node belongs.
4. Under Peer Nodes, choose the Node ID you want to view.

Under Metrics, tabs for Channel Metrics and Utilization Metrics are available.
5. For Channel Metrics, choose the channels you want to view or compare from the list.
6. Choose a chart and then use Statistics, Time Range, and Period to customize the chart.

44
Amazon Managed Blockchain Management Guide
Viewing Peer Node Metrics

45
Amazon Managed Blockchain Management Guide

Create an Interface VPC Endpoint


to Connect to Managed Blockchain
Network Resources
Each member of a blockchain network on Managed Blockchain needs to privately access resource
endpoints from their client applications and tools. Amazon Managed Blockchain uses Interface VPC
Endpoints (AWS PrivateLink) to accomplish this.

Managed Blockchain creates a VPC service name for each network when it is created. Each Managed
Blockchain network is a unique endpoint service with its own VPC service name. Each member then uses
the VPC service name to create an interface VPC endpoint in their account. This interface VPC endpoint
lets you access resources on the Managed Blockchain network through their endpoints. AWS accounts
that are not invited to the network don't have access to the VPC service name and cannot set up an
interface VPC endpoint for access.

The IAM principal (user) identity that you are using must have sufficient IAM permissions to create an
interface VPC endpoint in your AWS account. For more information, see Controlling Access - Creating and
Managing VPC Endpoints in the Amazon VPC User Guide.

Any blockchain framework clients that access resources on the network need access to the interface VPC
endpoint. For example, if you use an Amazon EC2 instance as a blockchain framework client, you can
create it in a subnet and security group that are shared with the interface VPC endpoint.

Applicable charges for interface VPC endpoints apply. For more information, see AWS PrivateLink Pricing.

The interface VPC endpoint that you set up to access a Managed Blockchain network must be
enabled for private DNS names. This requires that you create the endpoint in a VPC that has the
enableDnsHostnames and enableDnsSupport options set to true.

To create an interface VPC endpoint using the Managed Blockchain console

1. Open the Managed Blockchain console at [Link]


2. Choose Networks, select your network from the list, and then choose View details.
3. Choose Create VPC endpoint.
4. Choose a VPC.
5. For Subnets, choose a subnet from the list, and then choose additional subnets as necessary.
6. For Security groups, choose an EC2 security group from the list, and then choose additional security
groups as necessary. We recommend that you select the same security group that your framework
client EC2 instance is associated with.
7. Choose Create.

To create an interface VPC Endpoint for the Managed Blockchain network

1. Find the VPC endpoint service name of the network. This value is returned by get-network
command using the Managed Blockchain CLI, and is available on the network Details page using the
Managed Blockchain console (choose Networks, select the network from the list, and then choose
View details).
2. Open the Amazon VPC console at [Link]

46
Amazon Managed Blockchain Management Guide

3. Choose Endpoints, Create Endpoint.


4. Choose Find service by name. For Service Name, enter the VPC Endpoint Service Name from step 1.
5. Choose Verify and then choose Create endpoint.
6. Make sure that Enable Private DNS Name is selected. This option is only available if the VPC you
selected has Enable DNS hostnames and Enable DNS support set to true for the VPC. This is a
requirement for the VPC.
7. We recommend that the EC2 security group that you specify for the VPC endpoint is the same as the
EC2 security group for the blockchain client that you create to work with the Managed Blockchain
network.

47
Amazon Managed Blockchain Management Guide

Work with Proposals


To make a change to the network in Amazon Managed Blockchain that requires consensus among
network members, network members create a proposal. For example, members can create a proposal to
invite another AWS account to become a member, to invite multiple accounts, or to remove one or more
members in different AWS accounts.

A proposal is submitted to all network members to make a Yes or No vote. If the proposal is approved
within the duration and with the percentage of Yes votes specified in the voting policy for the network,
the proposed action is carried out. The voting policy is established when the network is created and
governs votes on all proposals. It can't be updated after the network is created. For more information,
see Create an Amazon Managed Blockchain Network (p. 31).

Understanding the Proposal Lifecycle


To understand the proposal lifecycle, consider a hypothetical proposal to invite AWS account
123456789012 to join a Managed Blockchain network made by a member named Org3. The Managed
Blockchain network currently has six members: Org1, Org2, Org3, and so on. The network was created by
Org1, who specified a voting policy with a 50% approval threshold, a greater than comparator, and a
proposal duration of 24 hours.

The following flow diagrams depict the possible outcomes of a proposal using this example:

• Approved with Full Vote (p. 48)


• Approved with Partial Vote (p. 49)
• Rejected with Full Vote (p. 49)
• Rejected with Partial Vote (p. 49)
• Expired, Does Not Pass (p. 50)

Example – Proposal approved with full member vote


For the following proposal, all members cast a vote before the duration expired. The proposal is
APPROVED, and an invitation is extended to the AWS account.

48
Amazon Managed Blockchain Management Guide

Example – Proposal approved with partial member vote

For the following proposal, not all members cast a vote before the duration expired. However, enough
Yes votes were cast to approve the proposal according to the voting policy. The proposal is APPROVED,
and an invitation is extended to the AWS account.

Example – Proposal rejected with full member vote

For the following proposal, all members cast a vote before the duration expired. Because the comparator
in the voting policy is greater than, a three-to-three vote does not pass the threshold for approval. The
proposal is REJECTED, and an invitation is not extended to the AWS account.

Example – Proposal rejected with partial member vote

For the following proposal, not all members cast a vote before the duration expired. However, enough
No votes were cast to reject the proposal according to the voting policy. The proposal is REJECTED, and
an invitation is extended to the AWS account.

49
Amazon Managed Blockchain Management Guide
View Proposals

Example – Proposal expires and is not approved

For the following proposal, not all members cast a vote before the duration expired, and neither the
number of Yes nor No votes were cast to determine the outcome of the proposal. The proposal is
EXPIRED, and an invitation is not extended to the AWS account.

View Proposals
All proposals made on a network are shown on the Proposals page for a network. Both Active proposals
and Completed proposals are listed. Active proposals are still open for voting. You can also list proposals
from the AWS CLI using the list-proposals command, or using the ListProposals action with the
Managed Blockchain API.

50
Amazon Managed Blockchain Management Guide
View Proposals

The Proposals page for a Network shows both Active and Completed proposals, listing the Proposal ID,
the name of the member that created the proposal, and the Expiration Date (UTC), which is the creation
time plus the proposal duration specified in the network's voting policy. You can choose a Proposal ID to
vote on active proposals and to see more detail about any proposal, including the actions proposed and
a voting summary by member.

Proposals have one of the following statuses:

• IN_PROGRESS - The proposal is active and open for member voting.


• APPROVED - The proposal was approved with sufficient YES votes among members according to the
VotingPolicy specified for the Network. The specified proposal actions are carried out.
• REJECTED - The proposal was rejected with insufficient YES votes among members according to the
VotingPolicy specified for the Network. The specified ProposalActions are not carried out.
• EXPIRED - Members did not cast the number of votes required to determine the proposal outcome
before the proposal expired. The specified ProposalActions are not carried out.
• ACTION_FAILED - One or more of the specified ProposalActions in a proposal that was approved
could not be completed because of an error. The ACTION_FAILED status occurs even if only one
proposal action fails and other actions are successful.

To view proposals for a network using the AWS Management Console

1. Open the Managed Blockchain console at [Link]


2. Choose Networks, choose a network Name, and then choose Proposals.
3. Choose a Proposal ID from the list to view more detailed information, such as the description, a
summary of Actions, and a Voting Summary.
4. Under Voting Summary, expand Votes to see individual member's votes on the proposal to date.

To view proposals for a network using the AWS CLI

• Enter a command similar to the following example. Replace n-MWY63ZJZU5HGNCMBQER7IN6OIU


with the network ID for which you want to list proposals.

aws managedblockchain list-proposals --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU

The command returns output similar to the following:

{
"Proposals": [
{
"CreationDate": 2019-04-08T[Link].628Z,
"Description": "Proposal to add Example Corp. member",
"ExpirationDate": 2019-04-09T[Link].628Z,
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE",
"ProposedByMemberId": "m-J46DNSFRTVCCLONS9DT5TTLS2A",
"ProposedByMemberName": "org1",
"Status": "IN_PROGRESS"

}
]
}

51
Amazon Managed Blockchain Management Guide
Vote on a Proposal

To view the details of a proposal using the AWS CLI

• Enter a command similar to the following. Replace n-MWY63ZJZU5HGNCMBQER7IN6OIU with the


network ID and p-ZR7KUD2YYNESLNG6RQ33X3FUFE with the proposal ID to view.

aws managedblockchain get-proposal --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU --


proposal-id p-ZR7KUD2YYNESLNG6RQ33X3FUFE

The command returns output similar to the following:

{
"Proposal": {
"Actions": {
"Invitations": [
{
"Principal": "0123456789012"
}
],
"CreationDate": 2019-04-08T[Link].628Z,
"Description": "Proposal to invite AWS Acct 0123456789012",
"ExpirationDate": 2019-04-08T[Link].628Z,
"NetworkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"NoVoteCount": 1,
"OutstandingVoteCount": 3,
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE",
"ProposedByMemberId": "m-J46DNSFRTVCCLONS9DT5TTLS2A",
"ProposedByMemberName": "org1",
"Status": "IN_PROGRESS",
"YesVoteCount": 2
}
}

Vote on a Proposal
You can use the AWS Management Console, the AWS CLI vote-on-proposal command, or the
VoteOnProposal action of the Managed Blockchain API to vote Yes or No on an active proposal. You
cannot change a vote after you make it.

To vote on a proposal using the AWS Management Console


1. Open the Managed Blockchain console at [Link]
2. Choose Networks, choose a network Name, and then choose Proposals.
3. From the list of Active proposals, choose a Proposal ID.
4. Under Vote on proposal, choose the member to vote as from the list, and then choose Yes or No.
5. When prompted, choose Confirm.

To vote on a proposal using the AWS CLI


• Use the vote-on-proposal command as shown in the following example. Replace the values of --
network-id, --member-id, and --vote as appropriate.

aws managedblockchain vote-on-proposal --network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU --


member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A --vote YES

52
Amazon Managed Blockchain Management Guide
Create an Invitation Proposal

Create an Invitation Proposal


You can use the AWS Management Console, the AWS CLI, or the Managed Blockchain API to create an
invitation proposal.

To create an invitation proposal using the AWS Management


Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Networks, and then choose the network to which you want to
invite an AWS account.
3. Choose Proposals and then choose Propose invitation.
4. For Submit proposal as, choose the member in your account that submits the proposal.
Note
The member who submits the proposal must also vote on it. A Yes vote is not automatically
assumed.
5. Enter an optional Description . The description appears to other members. It's a good way to
communicate key points or a reminder about the proposal before they vote.
6. For each AWS account that you want to invite, enter the account number in the space provided.
Choose Add to enter additional accounts.

To create an invitation proposal using the AWS CLI


• Type a command similar to the following. Replace the value of Principal with the AWS account ID
that you want to invite. Replace the value of --member-id with the value for the member in your
account that submits the proposal.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-proposal \


--actions Invitations=[{Principal=123456789012}] \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-K46ICRRXJRCGRNNS4ES4XUUS5A

The command returns the proposal ID, as shown in the following example:

{
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE"
}

Create a Proposal to Remove a Network Member


To create a proposal to remove a member using the AWS
Management Console
1. Open the Managed Blockchain console at [Link]
2. From the navigation pane, choose Networks, and then choose the network.
3. Choose Proposals and then choose Propose removal.
4. For Submit proposal as, choose the member in your account that submits the proposal.

53
Amazon Managed Blockchain Management Guide
Automating with CloudWatch Events

Note
The member who submits the proposal must also vote on it. A Yes vote is not automatically
assumed.
5. Enter an optional Description . The description appears to other members. It's a good way to
communicate key points or a reminder about the proposal before they vote.
6. For each member that you want to remove, enter the member ID in the space provided. Choose Add
to enter additional members.

To create a removal proposal using the AWS CLI


• Type a command similar to the following. Replace the value of Principal with the AWS account ID
that you want to invite. Replace the value of --member-id with the value for the member in your
account that submits the proposal.

[ec2-user@ip-192-0-2-17 ~]$ aws managedblockchain create-proposal \


--actions Removals=[{MemberID=m-K46ICRRXJRCGRNNS4ES4XUUS5A}] \
--network-id n-MWY63ZJZU5HGNCMBQER7IN6OIU \
--member-id m-J46DNSFRTVCCLONS9DT5TTLS2A

The command returns the proposal ID, as shown in the following example:

{
"ProposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE"
}

Automating Managed Blockchain Proposal


Notifications with CloudWatch Events
Amazon CloudWatch Events enables you to automate your AWS services and respond automatically to
system events. Events from AWS services are delivered to CloudWatch Events in near real time. You can
write simple rules to indicate which events are of interest to you, and what automated actions to take
when an event matches a rule. With Managed Blockchain, you can monitor CloudWatch Events events to
respond to proposals, including invitations sent to your AWS account to join a network, and notification
that proposals are APPROVED or REJECTED. Some examples include notifying an Amazon SNS topic or
an AWS SMS queue when an invitation is sent or when a proposal made by a member in your account
changes status.

For more information, see the Amazon CloudWatch Events User Guide.

Example Managed Blockchain Events


AWS Account Received an Invitation Event
The detail-type of these messages is Managed Blockchain Invitation State Change.

{
"version": "0",
"id": "abcd1234-eeee-4321-a1a2-123456789012",
"detail-type": "Managed Blockchain Invitation State Change",
"source": "[Link]",
"account": "123456789012",

54
Amazon Managed Blockchain Management Guide
Example Managed Blockchain Events

"time": "2019-04-08T[Link].628Z",
"region": "us-east-1",
"resources": [],
"detail": {
"invitationId": "i-XL9MDD6LVWWDNA9FF94Y4TFTE",
"networkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"networkName": "ExampleCorpNetwork",
"status": "PENDING",
"expirationDate": "2019-04-09T[Link].628Z",
"message": "You have received invitation i-XL9MDD6LVWWDNA9FF94Y4TFTE for Amazon
Managed Blockchain Network n-MWY63ZJZU5HGNCMBQER7IN6OIU and it will expire at 2016-12-16
20:42 UTC."
}
}

Proposal State Change Event


The detail-type of these messages is Managed Blockchain Proposal State Change. The
following example shows an event for a proposal that changed state to APPROVED.

{
"version": "0",
"id": "abcd1234-eeee-4321-a1a2-123456789012",
"detail-type": "Managed Blockchain Proposal State Change",
"source": "[Link]",
"account": "123456789012",
"time": "2019-04-08T[Link].628Z",
"region": "us-east-1",
"resources": [],
"detail": {
"proposalId": "p-ZR7KUD2YYNESLNG6RQ33X3FUFE",
"networkId": "n-MWY63ZJZU5HGNCMBQER7IN6OIU",
"status": "APPROVED",
"proposedByMemberId": "m-K46ICRRXJRCGRNNS4ES4XUUS5A",
"proposedByMemberName": "NetworkMember1",
"expirationDate": "2019-04-09T[Link].628Z",
"description": "Proposal to remove AnyCompany from supply chain blockchain
network.",
"message": "Voting on proposal p-ZR7KUD2YYNESLNG6RQ33X3FUFE in Amazon Managed
Blockchain Network n-MWY63ZJZU5HGNCMBQER7IN6OIU completed at 2016-19-16T[Link]Z UTC and
the proposal was approved."
}
}

55
Amazon Managed Blockchain Management Guide
Create an Admin User

Work with Hyperledger Fabric


You access services and applications in the Managed Blockchain network from a blockchain framework
client. The framework client runs tools and applications that you install for the blockchain framework
version that you run on the Managed Blockchain network.

The client accesses Managed Blockchain network resource endpoints using an interface VPC endpoint
that you set up in your account. For more information, see Create an Interface VPC Endpoint to Connect
to Managed Blockchain Network Resources (p. 46). The client must have access to the interface VPC
endpoint.

You can get the endpoints that networks, members, and clients make available using the AWS
Management Console, or using get commands and actions with the AWS CLI or Managed Blockchain
SDK. The available endpoints depend on the blockchain framework and may vary from client to client.

An AWS CloudFormation template to create a Hyperledger Fabric client is available in amazon-managed-


blockchain-client-templates repository on Github. For more information, see the [Link] in that
repository. For more information about using AWS CloudFormation, see Getting Started in the AWS
CloudFormation User Guide.

Topics
• Register and Enroll a User as an Administrator (p. 56)
• Develop Chaincode (p. 57)

Register and Enroll a User as an Administrator


When you create a member in a Managed Blockchain network, you specify the first user as an
administrator. Managed Blockchain registers this user automatically with the Hyperledger Fabric CA
as a bootstrap identity. You can then use this bootstrap identity to enroll the identity. Enrolling an
identity sends the CA a Certificate Signing Request (CSR) so that the CA can validate that the identity is
registered and otherwise valid. The CA then returns a signed certificate if the identity is valid. For more
information, see the Fabric CA User's Guide.

To register an identity, you must have the following:

• The member CA endpoint


• The user name and password of an identity with permission to register identities with the member CA
• A valid certificate file and the path to the MSP directory of the identity that will register the new
administrator

The following example command uses an existing user admin with a user name of AdminUser and
a password of Password123 in a member named org1 to register a new admin with a user name of
AdminUser2 and a password of Password456. The certificate file is saved to /home/ec2-user/
[Link] and the MSP directory for the AdminUser identity is /home/
ec2-user/admin-msp.

The command specifies the --[Link] ‘[Link]=true’ option to register the user identity as an
admin for the member.

fabric-ca-client register –-url [Link]


[Link]-
[Link] \

56
Amazon Managed Blockchain Management Guide
Develop Chaincode

--[Link] AdminUser2 --[Link] Password456 \


–-id-type user --[Link] org1 \
--[Link] ‘[Link]=true’ --[Link] /home/ec2-user/[Link] \
--mspdir /home/ec2-user/admin-msp

After the user identity is registered as an admin, use the fabric-ca-client enroll command to
enroll the new administrator as shown in the following example:

fabric-ca-client enroll \
-u [Link]
[Link] \
--[Link] /home/ec2-user/[Link] \
-M /home/ec2-user/admin-msp

Develop Chaincode
Smart contracts in Hyperledger Fabric are known as chaincode

• For a conceptual overview of chaincode, see Smart Contracts and Developing Applications in the
Hyperledger Fabric documentation.
• For links to Hyperledger Fabric SDKs, see Getting Started in the Hyperledger Fabric documentation.

Important
Managed Blockchain peer nodes use version 1.2 of the fabric-shim library to provide the low-
level chaincode interface between applications, peers, and the Hyperledger Fabric system
for chaincode applications using [Link]. All chaincode has a dependency on this library.
Dependencies on other versions or other library packages are not supported because peer nodes
currently do not have access to the NPM repository.

57
Amazon Managed Blockchain Management Guide
Data Protection

Amazon Managed Blockchain


Security
To provide data protection as well as authentication and access control, Amazon Managed Blockchain
benefits from AWS features and the features of the open-source framework running on Managed
Blockchain.

Topics
• Data Protection for Amazon Managed Blockchain (p. 58)
• Authentication and Access Control (p. 58)

Data Protection for Amazon Managed Blockchain


Data encryption helps prevent unauthorized users from reading data from a blockchain network and the
associated data storage systems. This includes data saved to persistent media, known as data at-rest, and
data that may be intercepted as it travels the network, known as data in-transit.

Encryption at Rest
Amazon Managed Blockchain offers fully managed encryption at rest. Managed Blockchain encryption at
rest provides enhanced security by encrypting all data at rest on peer nodes using Managed Blockchain
owned encryption keys in AWS Key Management Service (AWS KMS). This functionality helps reduce the
operational burden and complexity involved in protecting sensitive data. With encryption at rest, you can
build security-sensitive blockchain applications that meet strict encryption compliance and regulatory
requirements.

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to encrypt
your tables. A Managed Blockchain-owned key is used to encrypt data at rest by default at no additional
cost. No configuration is required. Using an AWS-managed encryption key is not supported. For more
information, see AWS owned CMKs in the AWS Key Management Service Developer Guide.

Encryption in Transit
The Hyperledger Fabric certificate authority (CA) in each membership provides a TLS certificate authority
to secure Hyperledger Fabric communication channels in the network. For more information, see the
Fabric CA's User Guide in Hyperledger Fabric documentation.

Authentication and Access Control


AWS Identity and Access Management (IAM) permission policies, VPC endpoint services powered by
PrivateLink, and Amazon EC2 security groups provide the primary means for you to control access to
Amazon Managed Blockchain.

IAM permission policies are associated with AWS users in your account and determine who has access
to what. Permission policies specify the actions that each user can perform using Managed Blockchain
and other AWS services. VPC endpoint services allow each Managed Blockchain network member to
connect privately to Managed Blockchain resources. Amazon EC2 security groups act as virtual firewalls

58
Amazon Managed Blockchain Management Guide
IAM Policies

and determine the inbound and outbound network traffic that is allowed between Managed Blockchain
resources and other Amazon EC2 resources. In Managed Blockchain, these security groups are associated
with the VPC endpoint in your account and with any framework clients that run on AWS—for example, a
Hyperledger Fabric client running on an Amazon EC2 instance.

In addition to these AWS services, open-source frameworks that run on Managed Blockchain have
authentication and access control features that you can configure.

Before you configure authentication and access control using AWS services and open-source features, we
recommend that you review the following resources:

• For more information about IAM and IAM permission policies, see What is IAM? and IAM JSON Policy
Reference in the IAM User Guide.
• For more information about VPC endpoints, see VPC Endpoints in the Amazon VPC User Guide.
• For more information about Amazon EC2 security groups, see Amazon EC2 Security Groups for Linux
Instances.
• For more information about the Hyperledger Fabric Certificate Authority (CA), see Certificate Authority
(CA) Setup in the Hyperledger Fabric documentation.
• For more information about Hyperledger Fabric application access control lists, see Application Access
Control Lists in the Hyperledger Fabric documentation.

Topics
• Use IAM Policies to Allow and Deny Permissions (p. 59)
• Configuring Security Groups (p. 60)

Use IAM Policies to Allow and Deny Permissions


Every AWS resource is owned by an AWS account. Permission policies govern the permissions to create
or access a resource. An account administrator can attach permission policies to IAM identities (that
is, users, groups, and roles). AWS creates and administers standalone IAM policies for many common
use cases. These AWS managed policies grant necessary permissions for common use cases. For more
information, see AWS Managed Policies in the IAM User Guide.

This topic provides a reference for the AWS managed policies for Managed Blockchain. You can attach
these policies to IAM identities for common access scenarios. Instead of using the AWS managed policies,
you can specify permissions for actions in the Managed Blockchain API. For a reference of actions,
see Actions in the Amazon Managed Blockchain API Reference. Specify actions in a policy using the
managedblockchain: prefix—for example managedblockchain:CreateNode.

Managed Policy for Full Access to Managed Blockchain


{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"managedblockchain:*"
],
"Resource": [
"*"
]
}
]
}

59
Amazon Managed Blockchain Management Guide
Configuring Security Groups

Managed Policy for Managed Blockchain Console Access


{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"managedblockchain:*",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:CreateVpcEndpoint",
"kms:ListAliases",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}

Configuring Security Groups


Security groups act as virtual firewalls. They control inbound and outbound traffic between your
Hyperledger Fabric client and Managed Blockchain network resources through the VPC endpoint in your
account. By default, security group rules are restrictive, so you must add rules that allow traffic for any
resources, such as client computers, that must access the Managed Blockchain network. The following
tables list the minimum required security group rules that must be associated with the VPC endpoint and
the Hyperledger Fabric client.

VPC Endpoint Security Group Minimum Rules

Inbound/Outbound Type Source/Destination Purpose

Outbound All traffic 0.0.0/0 (Anywhere) Default. Allows


unrestricted outbound
traffic from the
interface VPC endpoint
to all recipients.

Inbound Custom TCP, Port The IPv4 address, an Allows the Hyperledger
for Ordering Service address range, or a Fabric ordering service
(ranging between security group that to receive traffic from
30000 and 34000)— includes all members' Hyperledger Fabric
for example, 30001. Hyperledger Fabric clients.
The port is available clients.
within the Ordering
service endpoint on
the network details
page using the console
and returned within the
OrderingServiceEndpoint
property using
the get-network
command from the
AWS CLI or using the

60
Amazon Managed Blockchain Management Guide
Configuring Security Groups

Inbound/Outbound Type Source/Destination Purpose


GetNetwork API
action.

Inbound Custom TCP, Port for The IPv4 address, an Allows the Hyperledger
the CA Service for address range, or a Fabric certificate
a member (ranging security group that authority (CA) for each
between 30000 and includes all members' member to receive
34000)—for example, Hyperledger Fabric traffic from respective
30002. This is unique clients. Hyperledger Fabric
to each member, and clients.
each member only
needs access to their
own CA. The port is
available within the
Fabric certificate
authority endpoint
on the member details
page using the console
and returned within the
CaEndpoint property
using the get-member
command from the
AWS CLI or using the
GetMember API action.

Inbound Custom TCP, Ports, The IPv4 address, an Allows the network
or Range of Ports for address range, or a to receive traffic from
Peer Event Services on security group that peer nodes as required.
Peer Nodes (ranging includes all members' Each node in each
between 30000 and Hyperledger Fabric membership has a
34000). The port is clients. unique port associated
available within the with its peer event
Peer node endpoints service. Any node that
on the member details might be a participant
page using the console in an endorsement
and returned as the policy, regardless
PeerEventPort of membership,
property using the must be allowed
get-node command communications in
from the AWS CLI or order to endorse
using the GetNode API transactions.
action.

Hyperledger Fabric Client Security Group Minimum Rules


Inbound/Outbound Type Source/Destination Purpose

Outbound All traffic 0.0.0/0 (Anywhere) Default. Allows


unrestricted outbound
traffic from the
Hyperledger Fabric
client to all recipients. If
necessary, you can limit
the destination to the
interface VPC endpoint.

61
Amazon Managed Blockchain Management Guide
Configuring Security Groups

Inbound/Outbound Type Source/Destination Purpose

Inbound SSH (Port 22) The IP address, address Allows trusted clients to
range, or security use SSH to connect to
group that includes the Hyperledger Fabric
trusted SSH clients client to interact—for
that connect to the example, to query and
Hyperledger Fabric execute chaincode.
client.

62
Amazon Managed Blockchain Management Guide

Document History for Amazon


Managed Blockchain Management
Guide
The following table describes important additions to the Amazon Managed Blockchain Management
Guide. For notification about updates to this documentation, you can subscribe to the RSS feed.

update-history-change update-history-description update-history-date

Major updates for new proposal Updated Getting Started April 8, 2019
and voting work flow for tutorial, conceptual information,
member invitations and and procedures for new voting
removals proposal design.

Added security group Added prescriptive guidance for February 28, 2019
configuration guidance configuring security groups for
the tutorial. Added references
for minimum inbound and
outbound security group rules
required for Hyperledger
Fabric client and interface VPC
endpoint for reference and
customization.

Updates to getting started steps Removed redundant steps in 3.2. December 3, 2018
The step to update .bash_profile
with path to fabric-ca was
already covered in step 3.1.

Initial release of Amazon Initial documentation for November 28, 2018


Managed Blockchain (Preview) Amazon Managed Blockchain.

63
Amazon Managed Blockchain Management Guide

AWS Glossary
For the latest AWS terminology, see the AWS Glossary in the AWS General Reference.

64

You might also like