From 15432d8a09aed7d1835f185ce08a6a2252de70df Mon Sep 17 00:00:00 2001
From: martinsaporiti
Date: Mon, 20 Jan 2025 07:04:33 -0300
Subject: [PATCH] chore: update readme and makefile
---
 .env-issuer.sample | 2 +-
 Makefile | 8 ++-
 README.md | 62 ++++++++++++++++++-
 .../aws_kms_material_key_importer.sh | 6 +-
 4 files changed, 73 insertions(+), 5 deletions(-)
diff --git a/.env-issuer.sample b/.env-issuer.sample
index be391482f..409026fcb 100644
--- a/.env-issuer.sample
+++ b/.env-issuer.sample
@@ -33,7 +33,7 @@ ISSUER_KMS_AWS_SECRET_KEY=
 # If you want to use localstack region have to be local and the url should be http://localhost:4566
 ISSUER_KMS_AWS_REGION=
 # Uncomment the following line if you want to use localstack:
-#ISSUER_KMS_AWS_URL=http://localhost:4566
+#ISSUER_KMS_AWS_URL=http://localstack:4566
 # if the plugin is localstorage, you can specify the folder path
 ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys
 
diff --git a/Makefile b/Makefile
index cfd98d355..d7ff52238 100644
--- a/Makefile
+++ b/Makefile
@@ -20,6 +20,11 @@ ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH := ${ISSUER_KMS_PROVIDER_LOCAL_STORA
 ISSUER_KMS_ETH_PROVIDER := ${ISSUER_KMS_ETH_PROVIDER}
 ISSUER_KMS_BJJ_PROVIDER := ${ISSUER_KMS_BJJ_PROVIDER}
+aws_access_key := ${ISSUER_KMS_AWS_ACCESS_KEY}
+aws_secret_key := ${ISSUER_KMS_AWS_SECRET_KEY}
+aws_region := ${ISSUER_KMS_AWS_REGION}
+aws_endpoint := ${ISSUER_KMS_AWS_URL}
+
 ISSUER_RESOLVER_FILE := ${ISSUER_RESOLVER_FILE}
 REQUIRED_FILE := ${ISSUER_RESOLVER_PATH}
 
@@ -197,8 +202,7 @@ lint-fix: $(BIN)/golangci-lint
 	$(BIN)/golangci-lint run --fix
 
 ## Usage:
-## AWS: make private_key=XXX aws_access_key=YYY aws_secret_key=ZZZ aws_region=your-region [aws_endpoint=custom-aws-endpoint] import-private-key-to-kms
-## localstorage and vault: make private_key=XXX import-private-key-to-kms
+## make private_key=XXX import-private-key-to-kms
 .PHONY: import-private-key-to-kms
 import-private-key-to-kms:
 ifeq ($(ISSUER_KMS_ETH_PROVIDER), aws-kms)
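Review bot: The context line `# If you want to use localstack region have to be local and the url should be http://localhost:4566` now contradicts the sample value changed to `http://localstack:4566`, so a reader who follows the comment configures the wrong host. The new value presumably targets the localstack service name reachable from inside docker compose, while `localhost:4566` only works from the host; say which applies where instead of leaving the two in conflict. Suggested comment: `# If you want to use localstack, the region has to be 'local' and the URL http://localstack:4566 (from inside docker compose) or http://localhost:4566 (from the host)`.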
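Review bot: `aws_secret_key := ${ISSUER_KMS_AWS_SECRET_KEY}` puts an AWS secret access key into an ordinary make variable, and any recipe line that expands it without an `@` prefix prints the secret to the terminal and to CI logs (`make -p` dumps it as well); the recipe that consumes it is outside this hunk, so please confirm it is silenced. The importer script in this patch reads `aws_endpoint` as a shell variable, so these lowercase names are presumably exported or passed to it further down; a comment above the group would make that contract visible, e.g. `# Lower-case names are consumed by cmd/kms_priv_key_importer/*.sh; they default to the .env-issuer values and can still be overridden on the make command line`.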
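Review bot: The `aws-kms` branch of `import-private-key-to-kms` now takes region, credentials and endpoint solely from `.env-issuer`, but nothing here fails fast when one of them is empty, so a blank `ISSUER_KMS_AWS_REGION` only surfaces as an AWS CLI error deep inside the importer script. The usual make idiom is a guard as the first (tab-indented) recipe line of the branch, e.g. `@$(if $(strip $(aws_region)),,$(error ISSUER_KMS_AWS_REGION must be set when ISSUER_KMS_ETH_PROVIDER=aws-kms))`, repeated for the access key and secret. The new `## Usage:` line drops the previously documented `make aws_region=... aws_endpoint=... import-private-key-to-kms` form, which still works because command-line assignments override the `:=` defaults, so keep a sentence saying so. The target's body continues past the end of this hunk, so a guard may already exist further down.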
diff --git a/README.md b/README.md
index 35ed86fb5..00fa01fc6 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,9 @@ Streamline the **Verifiable Credentials issuance** process with the user-friendl
 - [Install and run Issuer Node API and UI (docker compose and build from source)](#install-and-run-issuer-node-api-and-ui---docker-compose-and-build-from-source)
 - [Running only Issuer Node API (docker compose and build from source)](#running-only-issuer-node-api-docker-compose-and-build-from-source)
 - [KMS Providers Configuration](#kms-providers-configuration)
+  - [Vault](#Running-issuer-node-with-vault-instead-of-local-storage-file)
+  - [AWS Secret Manager](#Running-issuer-node-with-AWS-Secret-Manager)
+  - [AWS KMS](#Running-issuer-node-with-AWS-KMS)
 - [Quick Start Demo](#quick-start-demo)
 - [Documentation](#documentation)
 - [Tools](#tools)
@@ -247,12 +250,69 @@ make up ``` In this case, the docker container for vault will be created. -To import the private key (if you have changed the kms provider you have to import the private key again) necessary to +To import the ethereum private key (if you have changed the kms provider you have to import the private key again) necessary to transition issuer node states onchain, the command is the same as explained before: ```shell make private_key import-private-key-to-kms ``` +You should get something like this: + +```shell + ... private key saved to vault: path:=pbkey +``` + +#### Running issuer node with AWS Secret Manager +Another alternative is to configure the issuer node to store the private keys of the identities in the AWS Secret Manager service. +Both babyjubjub type keys and ethereum keys can be stored using this service. To configure the issuer node, you must +change the following variables in the .env-issuer file: + +```shell +ISSUER_KMS_BJJ_PROVIDER=aws-sm +ISSUER_KMS_ETH_PROVIDER=aws-sm +ISSUER_KMS_AWS_ACCESS_KEY= +ISSUER_KMS_AWS_SECRET_KEY= +ISSUER_KMS_AWS_REGION= +``` + +After configuring the variables, run the following commands: +```shell +make up +``` + +Then you must run the command to import the ethereum private key to the kms.: + +```shell +make private_key import-private-key-to-kms` + ``` +If all went well, you should see something like this: +```shell + ... private key saved to aws: path:=pbkey +``` + +#### Running issuer node with AWS KMS +Another alternative is to configure the issuer node to store the private keys of the identities in the AWS KMS service. +**Only ethereum keys** can be stored using this service. 
To configure the issuer node, you must change the following variables in the .env-issuer file: + +```shell + +```shell +ISSUER_KMS_BJJ_PROVIDER= [localstorage | vault | aws-sm] +ISSUER_KMS_ETH_PROVIDER=aws-kms +ISSUER_KMS_AWS_ACCESS_KEY= +ISSUER_KMS_AWS_SECRET_KEY= +ISSUER_KMS_AWS_REGION= +``` +After configuring the variables, run the following commands: +```shell +make up +``` +then you must run the command `make private_key import-private-key-to-kms` to import the ethereum private key to the kms. +If all went well, you should see something like this: + +```bash + ... Key material successfully imported!!! +``` ## Quick Start Demo diff --git a/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh b/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh index c8df46aa5..46a586f33 100755 --- a/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh +++ b/cmd/kms_priv_key_importer/aws_kms_material_key_importer.sh @@ -21,6 +21,7 @@ openssl pkcs8 -topk8 -outform DER -nocrypt -inform DER -in <(echo "${ASN1_PRIV_K printf "private key successfully written to: %s\n" "${OUT_FILE}" if [[ -n "${aws_endpoint}" ]]; then + echo "Using endpoint: ${aws_endpoint}" export KEY=`aws kms get-parameters-for-import --profile ${aws_profile} --endpoint-url ${aws_endpoint}\ --key-id ${key_id} \ --wrapping-algorithm RSAES_OAEP_SHA_256 \ @@ -28,6 +29,7 @@ if [[ -n "${aws_endpoint}" ]]; then --query '{Key:PublicKey,Token:ImportToken}' \ --output text` else + echo "non endpoint" export KEY=`aws kms get-parameters-for-import --profile ${aws_profile} \ --key-id ${key_id} \ --wrapping-algorithm RSAES_OAEP_SHA_256 \ @@ -50,7 +52,8 @@ openssl pkeyutl \ -keyform DER \ -pubin -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -if [[ -z "${aws_endpoint}" ]]; then +if [[ -n "${aws_endpoint}" ]]; then + echo "Using endpoint: ${aws_endpoint}" aws kms import-key-material --profile ${aws_profile} \ --key-id ${key_id} \ --encrypted-key-material fileb://EncryptedKeyMaterial.bin \ 
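Review bot: The `export KEY=\`aws kms get-parameters-for-import ...\`` line right under the added echo masks a failing AWS call: `export` returns 0 whatever the command substitution's status, so even under `set -e` a wrong `${key_id}`, profile or unreachable `${aws_endpoint}` leaves `KEY` empty and the script carries on as if the import parameters had been fetched. Assign first and export afterwards, e.g. `KEY=$(aws kms get-parameters-for-import --profile "${aws_profile}" --endpoint-url "${aws_endpoint}" \` … `--output text) || exit 1` followed by `export KEY`; quoting the expansions also keeps an endpoint URL from being word-split. The `if` body continues in the next hunk.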
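Review bot: `echo "non endpoint"` is not a message a user can act on; this branch runs when `aws_endpoint` is unset, so state that: `echo "No aws_endpoint configured; using the default AWS KMS endpoint for profile ${aws_profile}"`. The `export KEY=\`...\`` below it has the same weakness as the endpoint branch: `export` hides a non-zero status from the substitution, so `KEY=$(...) || exit 1` followed by `export KEY` is the safer shape here too.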
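Review bot: The corrected `if [[ -n "${aws_endpoint}" ]]` still guards two copies of the same `aws kms import-key-material` command that differ only in `--endpoint-url`, which is exactly the duplication that let the inverted `-z` test slip through before. Collect the optional option in an array and make a single call, with the expansions quoted so a URL or profile name is never word-split; if the script runs under `set -u` on bash older than 4.4, expand the array as `${endpoint_args[@]+"${endpoint_args[@]}"}`. The remaining options of the command and the `else` branch are in the following hunk.
```shell
# … unchanged: openssl pkeyutl wrapping step …
endpoint_args=()
if [[ -n "${aws_endpoint}" ]]; then
    echo "Using endpoint: ${aws_endpoint}"
    endpoint_args=(--endpoint-url "${aws_endpoint}")
fi
aws kms import-key-material --profile "${aws_profile}" "${endpoint_args[@]}" \
    --key-id "${key_id}" \
    --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
    # … unchanged: remaining import-key-material options (--expiration-model …) …
```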
@@ -58,6 +61,7 @@ if [[ -z "${aws_endpoint}" ]]; then
         --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE \
         --endpoint-url ${aws_endpoint}
 else
+    echo "non endpoint"
     aws kms import-key-material --profile ${aws_profile} \
         --key-id ${key_id} \
         --encrypted-key-material fileb://EncryptedKeyMaterial.bin \
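Review bot: `fileb://EncryptedKeyMaterial.bin` is a fixed name in the current working directory, written by the `openssl pkeyutl` step above, and the file the earlier `printf` reports as `${OUT_FILE}` apparently holds the PKCS#8 key produced with `-nocrypt`, so both are sensitive artefacts that should not outlive the import; I can't see a cleanup below this hunk. Unless the plaintext key is meant to be kept, add an exit trap near the top of the script, e.g. `trap 'rm -f "${OUT_FILE}" EncryptedKeyMaterial.bin' EXIT`, and consider `mktemp -d` instead of the working directory so a failed run cannot leave them beside the repository. The `echo "non endpoint"` added here would read better as `echo "No aws_endpoint configured; using the default AWS KMS endpoint"`.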