ethers-gcp-kms-signer

Crates.ioethers-gcp-kms-signer
lib.rsethers-gcp-kms-signer
version0.1.5
sourcesrc
created_at2023-04-13 15:54:39.135106
updated_at2023-12-20 08:20:14.929466
description ethers-rs signer using GCP KMS
homepage
repositoryhttps://github.com/georgewhewell/ethers-gcp-kms-signer
max_upload_size
id838445
size16,408
(georgewhewell)

documentation

README

ethers-gcp-kms-signer

Crates.io Docs.rs CI

Installation

Cargo

cargo add ethers-gcp-kms-signer

Usage

Signer

use ethers::prelude::*;
use ethers_gcp_kms_signer::{GcpKeyRingRef, GcpKmsProvider, GcpKmsSigner};

let project_id = std::env::var("GOOGLE_PROJECT_ID").expect("GOOGLE_PROJECT_ID");
let location = std::env::var("GOOGLE_LOCATION").expect("GOOGLE_LOCATION");
let keyring = std::env::var("GOOGLE_KEYRING").expect("GOOGLE_KEYRING");
let key_name = std::env::var("GOOGLE_KEY_NAME").expect("GOOGLE_KEY_NAME");

let keyring = GcpKeyRingRef::new(&project_id, &location, &keyring);
let provider = GcpKmsProvider::new(keyring)
    .await
    .expect("Failed to create GCP KMS provider");
let signer = GcpKmsSigner::new(provider, key_name.to_string(), 1, 1)
    .await
    .expect("get key");

You can then use it as regular ethers signer:

let provider = Provider::<Http>::try_from(RPC_URL).unwrap().with_signer(signer);

Credentials

The library will attempt to load credentials in the typical fashion for GCP-

  • If the application is running in a k8s cluster, it should automatically pick up credentials
  • If the GOOGLE_APPLICATION_CREDENTIALS environment is set, attempt to load a service account JSON from this path

Demo

An example app is included in the repo, with terraform manifests to provision a HSM-based key, create a service account with permission to sign using the key, and export a json key with the credentials of this service account.

First, init and apply the terraform:

$ cd example/terraform
$ terraform init
$ terraform apply

Output the service account credentials:

$ terraform output service_account_key > service_account_key.json

To export the service account key in a usable format:

$ cat service_account_key.json | jq -r | base64 -d > ../demo-app/service_account_key.json

To run the example:

❯ export GOOGLE_PROJECT_ID=<project_id>
❯ export GOOGLE_LOCATION=<location>
❯ export GOOGLE_KEYRING=<keyring-name>
❯ export GOOGLE_KEY_NAME=<key-name>
❯ export GOOGLE_APPLICATION_CREDENTIALS=service_account_key.json
❯ cargo run
   Compiling demo-app v0.1.0 (/home/grw/src/ethers-gcp-kms-signer/example/demo-app)
    Finished dev [unoptimized + debuginfo] target(s) in 6.14s
     Running `target/debug/demo-app`
Created signer: GcpKmsSigner { ... }
Signer address: 0xa2e83c0ecc9ffeddb34e027bf3c44971c45fca12
Anvil running at `http://localhost:40023`
Sent 1 ETH to the signer
Sent 1 Wei from the signer
Signer balance: 999960621324999999

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

See CONTRIBUTING.md.

Commit count: 25

cargo fmt