AWS KMS signer for the Dispatcher #6
Comments
Hey all, I'm testing rollups-dispatcher based on 2e388b7, which supports AWS KMS for signing transactions. In my environment, I'm getting this error:
When investigating the environment for the rollups-dispatcher container, I see:
Since we use OpenID Connect at our Kubernetes cluster, to give access to IAM Roles via an OIDC Provider, we have to support the As you can see at https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
Should I open a new issue, or reopen this one?
The AWS Rust SDK should already automatically support all sorts of authentication, including AWS_WEB_IDENTITY_TOKEN_FILE. https://docs.aws.amazon.com/sdk-for-rust/latest/dg/environment-variables.html
I don't think we are instantiating the AWS client the way it's described in the documentation.
https://github.com/rusoto/rusoto/blob/master/AWS-CREDENTIALS.md
On Fri, 9 Jun 2023 19:06, Danilo Tuler wrote:
… I don't think we are instantiating the AWS client the way it's described in the documentation <https://docs.aws.amazon.com/sdk-for-rust/latest/dg/client.html>.
ethers_signers is using rusoto, not the official SDK. So ignore some links above that point to the official SDK. It's not looking like rusoto supports the authentication method of AWS_WEB_IDENTITY_TOKEN_FILE https://docs.rs/rusoto_credential/0.48.0/rusoto_credential/struct.ChainProvider.html
There is an open issue to move from rusoto to the official SDK
It actually does. In this implementation class.
@tuler @endersonmaia I didn't quite understand the issue. Do you need another authentication method?
The official AWS SDKs support several authentication methods, including the one used by AWS EKS service accounts.
Ok, now I get it. We will work on it.
The rusoto library currently accepts these methods of authentication in case you want to test with a different config:
As Danilo mentioned, there is already an implementation for the web identity token, so this should not be difficult to change. Also, we are using rusoto instead of the official SDK because ethers-rs is still using rusoto and the official SDK is not production ready according to its GitHub page.
I don't see WebIdentity as an option in that list. Is sending a patch upstream to enable WebIdentity a viable option? Otherwise, we'd need to craft a
We will need an additional flag and implement that option.
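The thread ends with the maintainers agreeing that the dispatcher needs an extra flag to pick the web-identity provider, since rusoto's `ChainProvider` does not try `AWS_WEB_IDENTITY_TOKEN_FILE` on its own. The following is an added example, not code from rollups-dispatcher, ethers-rs or rusoto: it shows the selection step such a flag would perform, detecting the EKS service-account environment, validating it, and otherwise falling back to the default chain. The names `CredentialSource`, `ConfigError` and `select_credentials` are assumptions; the variant returned is what the caller would map to `rusoto_credential::WebIdentityProvider::from_k8s_env()` or `ChainProvider`.

```rust
use std::path::Path;

/// Which rusoto credential provider the dispatcher should construct (assumed type).
#[derive(Debug, PartialEq)]
pub enum CredentialSource {
    /// EKS service account (IRSA): caller builds WebIdentityProvider::from_k8s_env().
    WebIdentity { token_file: String, role_arn: String },
    /// Static keys, profile, instance/container metadata: caller builds ChainProvider.
    DefaultChain,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    MissingRoleArn,
    BadRoleArn(String),
    TokenFileUnreadable(String),
}

/// Decide the provider from an injected environment lookup and file check, so the
/// logic is testable without touching the process environment or filesystem.
pub fn select_credentials(
    lookup: &dyn Fn(&str) -> Option<String>,
    token_file_exists: &dyn Fn(&str) -> bool,
) -> Result<CredentialSource, ConfigError> {
    // No token file configured: nothing web-identity specific, use the default chain.
    let token_file = match lookup("AWS_WEB_IDENTITY_TOKEN_FILE") {
        Some(f) if !f.is_empty() => f,
        _ => return Ok(CredentialSource::DefaultChain),
    };
    // A token file without a role to assume is a misconfiguration, not a fallback case.
    let role_arn = lookup("AWS_ROLE_ARN")
        .filter(|a| !a.is_empty())
        .ok_or(ConfigError::MissingRoleArn)?;
    if !role_arn.starts_with("arn:") || !role_arn.contains(":iam::") || !role_arn.contains(":role/") {
        return Err(ConfigError::BadRoleArn(role_arn));
    }
    // Fail early if the projected service-account token is not mounted.
    if !token_file_exists(&token_file) {
        return Err(ConfigError::TokenFileUnreadable(token_file));
    }
    Ok(CredentialSource::WebIdentity { token_file, role_arn })
}

/// Production wiring: real process environment and filesystem.
pub fn select_from_process_env() -> Result<CredentialSource, ConfigError> {
    select_credentials(&|k| std::env::var(k).ok(), &|p| Path::new(p).is_file())
}

fn main() {
    match select_from_process_env() {
        Ok(src) => println!("credential source: {:?}", src),
        Err(e) => eprintln!("credential configuration error: {:?}", e),
    }
}
```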
Context
Currently the dispatcher signs transactions by instantiating a local wallet.
It creates the wallet through a mnemonic read from an ENV variable or the configuration file.
This is not secure at all.
Solution
It should be possible to use a signing API like AWS KMS.
Subtasks