From eb896c2acf4bb481b27a0671d28b7342ea70e994 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Strna=CC=81dek?=
Date: Wed, 26 Nov 2025 19:22:30 +0100
Subject: [PATCH 1/2] Tag created resources for permission filters

---
 internal/kms/aws_kms_eth_key_provider.go | 6 ++++++
 internal/kms/aws_secret_storage_provider.go | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/internal/kms/aws_kms_eth_key_provider.go b/internal/kms/aws_kms_eth_key_provider.go
index 39972e235..c68d02560 100644
--- a/internal/kms/aws_kms_eth_key_provider.go
+++ b/internal/kms/aws_kms_eth_key_provider.go
@@ -78,6 +78,12 @@ func (awsKeyProv *awsKmsEthKeyProvider) New(identity *w3c.DID) (KeyID, error) {
 KeyUsage: types.KeyUsageTypeSignVerify,
 Origin: types.OriginTypeAwsKms,
 Description: aws.String("Key from issuer node"),
+ Tags: []types.Tag{
+ {
+ Key: aws.String("source"),
+ Value: aws.String("polygon-issuer-node"),
+ }
+ },
 }
 keyArn, err := awsKeyProv.kmsClient.CreateKey(ctx, input)
diff --git a/internal/kms/aws_secret_storage_provider.go b/internal/kms/aws_secret_storage_provider.go
index 9cb6cbecd..dd6d67090 100644
--- a/internal/kms/aws_secret_storage_provider.go
+++ b/internal/kms/aws_secret_storage_provider.go
@@ -91,6 +91,10 @@ func (a *awsSecretStorageProvider) SaveKeyMaterial(ctx context.Context, keyMater
 Key: aws.String("did"),
 Value: aws.String(keyTypesParts[0]),
 },
+ {
+ Key: aws.String("source"),
+ Value: aws.String("polygon-issuer-node"),
+ }
 },
 }
 _, err = a.secretManager.CreateSecret(ctx, input)

From 3d2b2c1c705b68fd28f38e4efaed54ff913e146c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Strna=CC=81dek?=
Date: Thu, 27 Nov 2025 08:57:36 +0100
Subject: [PATCH 2/2] Modify secrets fetcher

---
 internal/kms/aws_secret_storage_provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/kms/aws_secret_storage_provider.go b/internal/kms/aws_secret_storage_provider.go
index dd6d67090..cf55c7731 100644
--- a/internal/kms/aws_secret_storage_provider.go
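Review bot: The new `Tags` literal in `New` is missing the trailing comma after the inner element's closing brace (`+ }` immediately before `+ },`); Go's automatic semicolon insertion turns that newline into a terminator, so the file fails to compile with "unexpected newline in composite literal" — the same omission is in the `SaveKeyMaterial` hunk of aws_secret_storage_provider.go, and both should read `},`. Running gofmt before committing would have rejected this. Since the commit message says the tag exists for permission filters, note that a policy keyed on this tag value is only as strong as the restriction on who may retag the key: if an IAM condition on `aws:ResourceTag/source` is used, principals other than the issuer node should also be denied `kms:TagResource`/`kms:UntagResource` on these keys. `New`'s body begins before this hunk.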
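Review bot: Appending the `source` tag changes the tag count on every secret created here, while the reader `searchByIdentity` (shown in the following patch) treats the list positionally via `secret.Tags[0]` and, after that patch, only guards against a nil slice; a non-nil `Tags` with fewer entries than it indexes would then panic with an index-out-of-range. The reader should locate the `did` and key-type entries by `Key` rather than by position, or at the very least keep a length guard such as `if len(secret.Tags) < 2 { continue }` in place of the nil check — I would not rely on ListSecrets preserving the order in which tags were written. Putting the `source` tag first rather than last would also make the positional assumption break loudly now instead of later. `SaveKeyMaterial`'s body begins before this hunk.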
+++ b/internal/kms/aws_secret_storage_provider.go
@@ -120,7 +120,7 @@ func (a *awsSecretStorageProvider) searchByIdentity(ctx context.Context, identit
 keyIDs := make([]KeyID, 0)
 for _, secret := range result.SecretList {
- if secret.Tags == nil || len(secret.Tags) != 2 {
+ if secret.Tags == nil {
 continue
 }
 if aws.ToString(secret.Tags[0].Value) != keyTypeToRead {