Merge pull request #687 from 0xPolygonID/PID-2179-add-support-aws-kms…

…-for-key-management

Pid 2179 add support aws kms for key management

.env-issuer.sample

@@ -4,6 +4,7 @@ ISSUER_SERVER_URL=http://localhost:3001
 ISSUER_SERVER_PORT=3001
 ISSUER_NATIVE_PROOF_GENERATION_ENABLED=true
 ISSUER_PUBLISH_KEY_PATH=pbkey
+ISSUER_ETHEREUM_TRANSFER_ACCOUNT_KEY_PATH=pbkey
 ISSUER_ONCHAIN_PUBLISH_STATE_FREQUENCY=1m
 ISSUER_ONCHAIN_CHECK_STATUS_FREQUENCY=1m
 ISSUER_DATABASE_URL=postgres://polygonid:polygonid@postgres:5432/platformid?sslmode=disable
@@ -12,12 +13,40 @@ ISSUER_LOG_LEVEL=-4
 ISSUER_LOG_MODE=2
 ISSUER_API_AUTH_USER=user-issuer
 ISSUER_API_AUTH_PASSWORD=password-issuer
-ISSUER_KEY_STORE_ADDRESS=http://vault:8200
-ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH=iden3
-# Could be either localstorage or vault
-ISSUER_KMS_PLUGIN=localstorage
+
+# --------------------------------------------------------------------------------
+# KMS configuration
+# --------------------------------------------------------------------------------
+# Could be either [localstorage | vault] (BJJ) and [localstorage | vault | aws ] (ETH)
+ISSUER_KMS_BJJ_PROVIDER=vault
+ISSUER_KMS_ETH_PROVIDER=vault
+
 # if the plugin is localstorage, you can specify the file path (default path is current directory)
-ISSUER_KMS_PLUGIN_LOCAL_STORAGE_FILE_PATH=
+ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys
+
+# If the plugin is AWS for ETH keys you need to specify the key id and secret key
+ISSUER_KMS_ETH_PLUGIN_AWS_ACCESS_KEY=XXX
+ISSUER_KMS_ETH_PLUGIN_AWS_SECRET_KEY=YYY
+ISSUER_KMS_ETH_PLUGIN_AWS_REGION=eu-west-1
+
+# if one of the plugins is vault, you have to specify the vault address and token
+ISSUER_KEY_STORE_ADDRESS=http://localhost:8200
+ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH=iden3
+
+# if one of the plugins is vault, you can specify the authentication method
+ISSUER_VAULT_USERPASS_AUTH_ENABLED=false
+ISSUER_VAULT_USERPASS_AUTH_PASSWORD=issuernodepwd
+
+# if one of the plugins is vault, you can specify the TLS configuration
+# if you want to use TLS, set ISSUER_VAULT_TLS_ENABLED=true
+# if you are running the issuer node with docker-compose, you have to bind the volume with the certificate to the container
+# for example:
+# volumes:
+#   - <path to cert>:/certs
+# ```
+ISSUER_VAULT_TLS_ENABLED=false
+ISSUER_VAULT_TLS_CERT_PATH=<path to cert>
+# -------------------------------------------------------------------------------
 
 ISSUER_PROVER_SERVER_URL=http://localhost:8002
 ISSUER_PROVER_TIMEOUT=600s
@@ -26,8 +55,5 @@ ISSUER_REDIS_URL=redis://@redis:6379/1
 ISSUER_KEY_STORE_TOKEN=<Key Store Vault Token>
 ISSUER_SCHEMA_CACHE=false
 
-ISSUER_VAULT_USERPASS_AUTH_ENABLED=false
-ISSUER_VAULT_USERPASS_AUTH_PASSWORD=password
-
 ISSUER_MEDIA_TYPE_MANAGER_ENABLED=true
 ISSUER_RESOLVER_PATH=./resolvers_settings.yaml

Dockerfile-kms-importer

@@ -0,0 +1,58 @@
+FROM golang:1.21 as base
+ARG VERSION
+
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_REGION
+
+WORKDIR /service
+ENV GOBIN /service/bin
+
+COPY go.mod .
+COPY go.sum .
+COPY ./cmd/kms_priv_key_importer/ ./cmd/kms_priv_key_importer/
+COPY ./internal ./internal
+COPY ./pkg ./pkg
+
+
+
+RUN go install -buildvcs=false -ldflags "-X main.build=${VERSION}" ./cmd/...
+
+FROM alpine:latest
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY
+ARG ISSUER_KMS_ETH_PROVIDER_AWS_REGION
+
+RUN apk add --no-cache libstdc++ gcompat libgomp
+RUN apk add --update busybox>1.3.1-r0
+RUN apk add --update openssl>3.1.4-r1
+RUN ln -sfv ld-linux-x86-64.so.2 /lib/libresolv.so.2
+RUN apk add --no-cache aws-cli
+
+
+RUN apk add doas; \
+    adduser -S issuer -D -G wheel; \
+    echo 'permit nopass :wheel as root' >> /etc/doas.d/doas.conf;
+RUN chmod g+rx,o+rx /
+
+COPY --from=base ./service/bin/* ./
+COPY --from=base ./service/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh ./aws_kms_material_key_importer.sh
+RUN chmod +x ./aws_kms_material_key_importer.sh
+
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY" ]; then \
+      aws configure set aws_access_key_id ${ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY} --profile privadoid; \
+    else \
+      echo "ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY is not set"; \
+    fi
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY" ]; then \
+      aws configure set aws_secret_access_key ${ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY} --profile privadoid; \
+    else \
+      echo "ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY is not set"; \
+    fi
+RUN if [ -n "$ISSUER_KMS_ETH_PROVIDER_AWS_REGION" ]; then \
+      aws configure set region ${ISSUER_KMS_ETH_PROVIDER_AWS_REGION} --profile privadoid; \
+    else \
+      echo "ISSUER_KMS_ETH_PROVIDER_AWS_REGION is not set"; \
+    fi
+
+

Makefile

@@ -1,4 +1,5 @@
 include .env-api
+include .env-issuer
 BIN := $(shell pwd)/bin
 VERSION ?= $(shell git rev-parse --short HEAD)
 GO?=$(shell which go)
@@ -14,6 +15,8 @@ DOCKER_COMPOSE_CMD := docker compose -p issuer -f $(DOCKER_COMPOSE_FILE)
 DOCKER_COMPOSE_INFRA_CMD := docker compose -p issuer -f $(DOCKER_COMPOSE_FILE_INFRA)
 ENVIRONMENT := ${ISSUER_API_ENVIRONMENT}
 
+ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH := ${ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH}
+ISSUER_KMS_ETH_PROVIDER := ${ISSUER_KMS_ETH_PROVIDER}
 
 # Local environment overrides via godotenv
 DOTENV_CMD = $(BIN)/godotenv
@@ -159,16 +162,46 @@ add-private-key:
 	docker exec issuer-vault-1 \
 	vault write iden3/import/pbkey key_type=ethereum private_key=$(private_key)
 
-# usage: make private_key=xxx add-private-key-localstorage
-.PHONY: add-private-key-localstorage
-add-private-key-localstorage:
-	docker exec issuer-api-1 \
-	./kms_local_storage_priv_key_importer --privateKey=$(private_key)
+## Usage:
+## AWS: make private_key=XXX aws_access_key=YYY aws_secret_key=ZZZ aws_region=your-region import-private-key-to-kms
+## localstorage and vault: make private_key=XXX import-private-key-to-kms
+.PHONY: import-private-key-to-kms
+import-private-key-to-kms:
+ifeq ($(ISSUER_KMS_ETH_PROVIDER), aws)
+	@echo "AWS"
+	docker build --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_ACCESS_KEY=$(aws_access_key) \
+    		  --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_SECRET_KEY=$(aws_secret_key) \
+    		  --build-arg ISSUER_KMS_ETH_PROVIDER_AWS_REGION=$(aws_region) -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+	$(eval result = $(shell docker run -it -v ./.env-issuer:/.env-issuer  \
+		--network issuer-network \
+		privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)))
+	@echo "result: $(result)"
+	$(eval keyID = $(shell echo $(result) | grep "key created keyId=" | sed 's/.*keyId=//'))
+	@if [ -n "$(keyID)" ]; then \
+		docker run -it --rm -v ./.env-issuer:/.env-issuer --network issuer-network \
+			privadoid-kms-importer sh ./aws_kms_material_key_importer.sh $(private_key) $(keyID) privadoid; \
+	else \
+		echo "something went wrong because keyID is empty"; \
+	fi
+else ifeq ($(ISSUER_KMS_ETH_PROVIDER), localstorage)
+	@echo "LOCALSTORAGE"
+	docker build -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+	docker run --rm -it -v ./.env-issuer:/.env-issuer -v $(ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH)/kms_localstorage_keys.json:/localstoragekeys/kms_localstorage_keys.json \
+		--network issuer-network \
+		privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)
+else ifeq ($(ISSUER_KMS_ETH_PROVIDER), vault)
+	@echo "VAULT"
+	docker build -t privadoid-kms-importer -f ./Dockerfile-kms-importer .
+	docker run --rm -it -v ./.env-issuer:/.env-issuer --network issuer-network \
+		privadoid-kms-importer ./kms_priv_key_importer --privateKey=$(private_key)
+else
+	@echo "ISSUER_KMS_ETH_PROVIDER is not set"
+endif
 
 .PHONY: print-vault-token
 print-vault-token:
 	$(eval TOKEN = $(shell docker logs issuer-vault-1 2>&1 | grep " .hvs" | awk  '{print $$2}' | tail -1 ))
-	@echo $(TOKEN)
+	echo $(TOKEN)
 
 .PHONY: add-vault-token
 add-vault-token:

README.md

@@ -217,15 +217,16 @@ make restart-ui
 Setup environment variables in `.env-issuer` file:
 
 ```bash
-ISSUER_KMS_PLUGIN=localstorage 
+ISSUER_KMS_BJJ_PLUGIN=localstorage
+ISSUER_KMS_ETH_PLUGIN=localstorage
 ```
 
 When the issuer-api-1 container is running (after execute make run), you have to add your metamask private key with the following command 
 
 ```bash
 make private_key=4b3XXX add-private-key-localstorage
 ```
-If you want to use Vault just change the `ISSUER_KMS_PLUGIN` to `vault` and follow the steps in the [Deploy Issuer Node Infrastructure](#Deploy-Issuer-Node-Infrastructure) section. 
+If you want to use Vault just change the `ISSUER_KMS_BJJ_PLUGIN` and `ISSUER_KMS_ETH_PLUGIN` to `vault` and follow the steps in the [Deploy Issuer Node Infrastructure](#Deploy-Issuer-Node-Infrastructure) section. 
 
 
 ## Quick Start Demo

cmd/issuer_initializer/main.go

@@ -61,10 +61,10 @@ func main() {
 	connected := false
 
 	vaultCfg := providers.Config{
-		UserPassAuthEnabled: cfg.VaultUserPassAuthEnabled,
+		UserPassAuthEnabled: cfg.KeyStore.VaultUserPassAuthEnabled,
 		Address:             cfg.KeyStore.Address,
 		Token:               cfg.KeyStore.Token,
-		Pass:                cfg.VaultUserPassAuthPassword,
+		Pass:                cfg.KeyStore.VaultUserPassAuthPassword,
 	}
 	for i := 0; i < vaultAttempts; i++ {
 		vaultCli, vaultErr = providers.VaultClient(ctx, vaultCfg)