Merge pull request #897 from 0xPolygonID/update_kms_readme_file

chore: update readme and makefile

.env-issuer.sample

@@ -33,7 +33,7 @@ ISSUER_KMS_AWS_SECRET_KEY=<aws-secret-key>
 # If you want to use localstack region have to be local and the url should be http://localhost:4566
 ISSUER_KMS_AWS_REGION=<aws-region>
 # Uncomment the following line if you want to use localstack:
-#ISSUER_KMS_AWS_URL=http://localhost:4566
+#ISSUER_KMS_AWS_URL=http://localstack:4566
 
 # if the plugin is localstorage, you can specify the folder path
 ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys

Makefile

@@ -20,6 +20,11 @@ ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH := ${ISSUER_KMS_PROVIDER_LOCAL_STORA
 ISSUER_KMS_ETH_PROVIDER := ${ISSUER_KMS_ETH_PROVIDER}
 ISSUER_KMS_BJJ_PROVIDER := ${ISSUER_KMS_BJJ_PROVIDER}
 
+aws_access_key := ${ISSUER_KMS_AWS_ACCESS_KEY}
+aws_secret_key := ${ISSUER_KMS_AWS_SECRET_KEY}
+aws_region := ${ISSUER_KMS_AWS_REGION}
+aws_endpoint := ${ISSUER_KMS_AWS_URL}
+
 ISSUER_RESOLVER_FILE := ${ISSUER_RESOLVER_FILE}
 REQUIRED_FILE := ${ISSUER_RESOLVER_PATH}
 
@@ -197,8 +202,7 @@ lint-fix: $(BIN)/golangci-lint
 		  $(BIN)/golangci-lint run --fix
 
 ## Usage:
-## AWS: make private_key=XXX aws_access_key=YYY aws_secret_key=ZZZ aws_region=your-region [aws_endpoint=custom-aws-endpoint] import-private-key-to-kms
-## localstorage and vault: make private_key=XXX import-private-key-to-kms
+## make private_key=XXX import-private-key-to-kms
 .PHONY: import-private-key-to-kms
 import-private-key-to-kms:
 ifeq ($(ISSUER_KMS_ETH_PROVIDER), aws-kms)

README.md

@@ -28,6 +28,9 @@ Streamline the **Verifiable Credentials issuance** process with the user-friendl
     - [Install and run Issuer Node API and UI (docker compose and build from source)](#install-and-run-issuer-node-api-and-ui---docker-compose-and-build-from-source)
     - [Running only Issuer Node API (docker compose and build from source)](#running-only-issuer-node-api-docker-compose-and-build-from-source)
   - [KMS Providers Configuration](#kms-providers-configuration)
+    - [Vault](#Running-issuer-node-with-vault-instead-of-local-storage-file)
+    - [AWS Secret Manager](#Running-issuer-node-with-AWS-Secret-Manager)
+    - [AWS KMS](#Running-issuer-node-with-AWS-KMS)
   - [Quick Start Demo](#quick-start-demo)
   - [Documentation](#documentation)
   - [Tools](#tools)
@@ -247,12 +250,69 @@ make up
 ``` 
 In this case, the docker container for vault will be created.
 
-To import the private key (if you have changed the kms provider you have to import the private key again) necessary to 
+To import the ethereum private key (if you have changed the kms provider you have to import the private key again) necessary to 
 transition issuer node states onchain, the command is the same as explained before:
 
 ```shell
 make private_key <private-key> import-private-key-to-kms
 ```
+You should get something like this:
+
+```shell
+ ... private key saved to vault: path:=pbkey
+```
+
+#### Running issuer node with AWS Secret Manager
+Another alternative is to configure the issuer node to store the private keys of the identities in the AWS Secret Manager service. 
+Both babyjubjub type keys and ethereum keys can be stored using this service. To configure the issuer node, you must 
+change the following variables in the .env-issuer file:
+
+```shell
+ISSUER_KMS_BJJ_PROVIDER=aws-sm
+ISSUER_KMS_ETH_PROVIDER=aws-sm
+ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
+ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
+ISSUER_KMS_AWS_REGION=<your-aws-region>
+```
+
+After configuring the variables, run the following commands:
+```shell
+make up
+```
+
+Then you must run the command to import the ethereum private key to the kms.:
+
+```shell
+make private_key <private-key> import-private-key-to-kms`
+ ```
+If all went well, you should see something like this:
+```shell
+ ... private key saved to aws: path:=pbkey
+```
+
+#### Running issuer node with AWS KMS
+Another alternative is to configure the issuer node to store the private keys of the identities in the AWS KMS service.
+**Only ethereum keys** can be stored using this service. To configure the issuer node, you must change the following variables in the .env-issuer file:
+
+```shell
+
+```shell
+ISSUER_KMS_BJJ_PROVIDER= [localstorage | vault | aws-sm] 
+ISSUER_KMS_ETH_PROVIDER=aws-kms
+ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
+ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
+ISSUER_KMS_AWS_REGION=<your-aws-region>
+```
+After configuring the variables, run the following commands:
+```shell
+make up
+```
+then you must run the command `make private_key <private-key> import-private-key-to-kms` to import the ethereum private key to the kms.
+If all went well, you should see something like this:
+
+```bash
+ ... Key material successfully imported!!!
+```
 
 ## Quick Start Demo
 

cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh

@@ -21,13 +21,15 @@ openssl pkcs8 -topk8 -outform DER -nocrypt -inform DER -in <(echo "${ASN1_PRIV_K
 printf "private key successfully written to: %s\n" "${OUT_FILE}"
 
 if [[ -n "${aws_endpoint}" ]]; then
+  echo "Using endpoint: ${aws_endpoint}"
   export KEY=`aws kms get-parameters-for-import --profile ${aws_profile} --endpoint-url ${aws_endpoint}\
   --key-id ${key_id} \
   --wrapping-algorithm RSAES_OAEP_SHA_256 \
   --wrapping-key-spec RSA_2048 \
   --query '{Key:PublicKey,Token:ImportToken}' \
   --output text`
 else
+  echo "non endpoint"
   export KEY=`aws kms get-parameters-for-import --profile ${aws_profile} \
   --key-id ${key_id} \
   --wrapping-algorithm RSAES_OAEP_SHA_256 \
@@ -50,14 +52,16 @@ openssl pkeyutl \
 -keyform DER \
 -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
 
-if [[ -z "${aws_endpoint}" ]]; then
+if [[ -n "${aws_endpoint}" ]]; then
+  echo "Using endpoint: ${aws_endpoint}"
   aws kms import-key-material --profile ${aws_profile} \
   --key-id ${key_id} \
   --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
   --import-token fileb://ImportToken.bin \
   --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE \
   --endpoint-url ${aws_endpoint}
 else
+  echo "non endpoint"
   aws kms import-key-material --profile ${aws_profile} \
   --key-id ${key_id} \
   --encrypted-key-material fileb://EncryptedKeyMaterial.bin \