Feature/use default aws credentials

.env-issuer.sample

@@ -28,11 +28,11 @@ ISSUER_KMS_ETH_PROVIDER=localstorage
 ISSUER_KMS_SOL_PROVIDER=localstorage
 
 # If the provider is aws-sm for BJJ, ed25519 and ETH keys you need to specify AWS credentials.
-# For localstack, you can use the ISSUER_KMS_AWS_REGION=local and ISSUER_KMS_AWS_URL=http://localhost:4566
-ISSUER_KMS_AWS_ACCESS_KEY=<aws-access-key>
-ISSUER_KMS_AWS_SECRET_KEY=<aws-secret-key>
+# For localstack, you can use the AWS_REGION=local and ISSUER_KMS_AWS_URL=http://localhost:4566
+AWS_ACCESS_KEY_ID=<aws-access-key>
+AWS_SECRET_ACCESS_KEY=<aws-secret-key>
 # If you want to use localstack region have to be local and the url should be http://localhost:4566
-ISSUER_KMS_AWS_REGION=<aws-region>
+AWS_REGION=<aws-region>
 # Uncomment the following line if you want to use localstack:
 #ISSUER_KMS_AWS_URL=http://localstack:4566
 

Makefile

@@ -21,9 +21,9 @@ ISSUER_KMS_ETH_PROVIDER := ${ISSUER_KMS_ETH_PROVIDER}
 ISSUER_KMS_BJJ_PROVIDER := ${ISSUER_KMS_BJJ_PROVIDER}
 ISSUER_KMS_SOL_PROVIDER := ${ISSUER_KMS_SOL_PROVIDER}
 
-aws_access_key := ${ISSUER_KMS_AWS_ACCESS_KEY}
-aws_secret_key := ${ISSUER_KMS_AWS_SECRET_KEY}
-aws_region := ${ISSUER_KMS_AWS_REGION}
+aws_access_key := ${AWS_ACCESS_KEY_ID}
+aws_secret_key := ${AWS_SECRET_ACCESS_KEY}
+aws_region := ${AWS_REGION}
 aws_endpoint := ${ISSUER_KMS_AWS_URL}
 
 ISSUER_RESOLVER_FILE := ${ISSUER_RESOLVER_FILE}
@@ -89,16 +89,16 @@ endif
 ifeq ($(ISSUER_KMS_BJJ_PROVIDER), vault)
 	$(DOCKER_COMPOSE_INFRA_CMD) up -d vault
 endif
-ifeq ($(ISSUER_KMS_ETH_PROVIDER)$(ISSUER_KMS_AWS_REGION), aws-smlocal)
+ifeq ($(ISSUER_KMS_ETH_PROVIDER)$(AWS_REGION), aws-smlocal)
 	$(DOCKER_COMPOSE_INFRA_CMD) up -d localstack
 endif
-ifeq ($(ISSUER_KMS_ETH_PROVIDER)$(ISSUER_KMS_AWS_REGION), aws-kmslocal)
+ifeq ($(ISSUER_KMS_ETH_PROVIDER)$(AWS_REGION), aws-kmslocal)
 	$(DOCKER_COMPOSE_INFRA_CMD) up -d localstack
 endif
-ifeq ($(ISSUER_KMS_BJJ_PROVIDER)$(ISSUER_KMS_AWS_REGION), aws-smlocal)
+ifeq ($(ISSUER_KMS_BJJ_PROVIDER)$(AWS_REGION), aws-smlocal)
 	$(DOCKER_COMPOSE_INFRA_CMD) up -d localstack
 endif
-ifeq ($(ISSUER_KMS_SOL_PROVIDER)$(ISSUER_KMS_AWS_REGION), aws-smlocal)
+ifeq ($(ISSUER_KMS_SOL_PROVIDER)$(AWS_REGION), aws-smlocal)
 	$(DOCKER_COMPOSE_INFRA_CMD) up -d localstack
 endif
 

README.md

@@ -267,9 +267,9 @@ change the following variables in the .env-issuer file:
 ISSUER_KMS_BJJ_PROVIDER=aws-sm
 ISSUER_KMS_ETH_PROVIDER=aws-sm
 ISSUER_KMS_SOL_PROVIDER=aws-sm
-ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
-ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
-ISSUER_KMS_AWS_REGION=<your-aws-region>
+AWS_ACCESS_KEY_ID=<your-aws-access-key>
+AWS_SECRET_ACCESS_KEY=<your-aws-secret-key>
+AWS_REGION=<your-aws-region>
 ```
 
 After configuring the variables, run the following commands:
@@ -296,9 +296,9 @@ Another alternative is to configure the issuer node to store the private keys of
 ```shell
 ISSUER_KMS_BJJ_PROVIDER= [localstorage | vault | aws-sm] 
 ISSUER_KMS_ETH_PROVIDER=aws-kms
-ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
-ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
-ISSUER_KMS_AWS_REGION=<your-aws-region>
+AWS_ACCESS_KEY_ID=<your-aws-access-key>
+AWS_SECRET_ACCESS_KEY=<your-aws-secret-key>
+AWS_REGION=<your-aws-region>
 ```
 After configuring the variables, run the following commands:
 ```shell

cmd/kms_priv_key_importer/main.go

@@ -38,10 +38,6 @@ const (
 	issuerKeyStorePluginIden3MountPath  = "ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH"
 	issuerVaultUserPassAuthEnabled      = "ISSUER_VAULT_USERPASS_AUTH_ENABLED"
 	issuerVaultUserPassAuthPasword      = "ISSUER_VAULT_USERPASS_AUTH_PASSWORD"
-	awsAccessKey                        = "ISSUER_KMS_AWS_ACCESS_KEY"
-	awsSecretKey                        = "ISSUER_KMS_AWS_SECRET_KEY"
-	awsRegion                           = "ISSUER_KMS_AWS_REGION"
-	awsURL                              = "ISSUER_KMS_AWS_URL"
 
 	jsonKeyPath      = "key_path"
 	jsonKeyType      = "key_type"
@@ -153,32 +149,26 @@ func main() {
 	}
 
 	if issuerKMSETHProviderToUse == config.AWSSM {
-		awsAccessKey := os.Getenv(awsAccessKey)
-		awsSecretKey := os.Getenv(awsSecretKey)
-		awsRegion := os.Getenv(awsRegion)
+		cfg, err := LoadAWSConfig(ctx)
 
-		if awsAccessKey == "" || awsSecretKey == "" || awsRegion == "" {
-			log.Error(ctx, "aws access key, aws secret key, or aws region is not set")
-			return
-		}
-
-		cfg, err := awsconfig.LoadDefaultConfig(ctx,
-			awsconfig.WithRegion(awsRegion),
-			awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(awsAccessKey, awsSecretKey, "")),
-		)
 		if err != nil {
 			log.Error(ctx, "error loading AWSSM config", "err", err)
 			return
 		}
 
+		// LocalStack/OpenStack mode
+		// https://docs.localstack.cloud/aws/integrations/aws-sdks/go/
+		// Region is provided from AWS_REGION env variable
+		url := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_URL"))
 		var options []func(*secretsmanager.Options)
-		if strings.ToLower(awsRegion) == "local" {
-			awsURLEndpoint := os.Getenv(awsURL)
+
+		if url != "" {
 			options = make([]func(*secretsmanager.Options), 1)
 			options[0] = func(o *secretsmanager.Options) {
-				o.BaseEndpoint = aws.String(awsURLEndpoint)
+				o.BaseEndpoint = aws.String(url)
 			}
 		}
+
 		secretManager := secretsmanager.NewFromConfig(cfg, options...)
 		secretName := base64.StdEncoding.EncodeToString([]byte(issuerPublishKeyPathVar))
 
@@ -203,17 +193,7 @@ func main() {
 	}
 
 	if issuerKMSETHProviderToUse == config.AWSKMS {
-		awsAccessKey := os.Getenv(awsAccessKey)
-		awsSecretKey := os.Getenv(awsSecretKey)
-		awsRegion := os.Getenv(awsRegion)
-		awsURLEndpoint := os.Getenv(awsURL)
-
-		if awsAccessKey == "" || awsSecretKey == "" || awsRegion == "" {
-			log.Error(ctx, "aws access key, aws secret key, or aws region is not set")
-			return
-		}
-
-		keyId, err := createEmptyKey(ctx, awsAccessKey, awsSecretKey, awsRegion, awsURLEndpoint, issuerPublishKeyPathVar)
+		keyId, err := createEmptyKey(ctx, issuerPublishKeyPathVar)
 		if err != nil {
 			log.Error(ctx, "cannot create empty key", "err", err)
 			return
@@ -253,24 +233,48 @@ func validate(issuerKMSETHProviderToUse string, fPrivateKey *string, ctx context
 	return nil
 }
 
+func LoadAWSConfig(ctx context.Context) (aws.Config, error) {
+	// Backward-compatible behaviour for AWS SDK configuration
+	// env variables (DEPRECATED)
+	// "ISSUER_KMS_AWS_ACCESS_KEY"
+	// "ISSUER_KMS_AWS_SECRET_KEY"
+	// "ISSUER_KMS_AWS_REGION"
+	accessKey := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_ACCESS_KEY"))
+	secretKey := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_SECRET_KEY"))
+	region := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_REGION"))
+
+	if accessKey != "" && secretKey != "" && region != "" {
+		return awsconfig.LoadDefaultConfig(
+			ctx,
+			awsconfig.WithCredentialsProvider(
+				credentials.NewStaticCredentialsProvider(accessKey, secretKey, ""),
+			),
+			awsconfig.WithRegion(region),
+		)
+	}
+
+	return awsconfig.LoadDefaultConfig(ctx)
+}
+
 //
 //nolint:unused
-func createEmptyKey(ctx context.Context, awsAccessKey, awsSecretKey, awsRegion string, awsURL string, privateKeyAlias string) (*string, error) {
-	cfg, err := awsconfig.LoadDefaultConfig(
-		ctx,
-		awsconfig.WithRegion(awsRegion),
-		awsconfig.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(awsAccessKey, awsSecretKey, "")),
-	)
+func createEmptyKey(ctx context.Context, privateKeyAlias string) (*string, error) {
+	cfg, err := LoadAWSConfig(ctx)
+
 	if err != nil {
-		log.Error(ctx, "cannot load aws config", "err", err)
+		log.Error(ctx, "error loading AWSKMS config", "err", err)
 		return nil, err
 	}
 
-	var options []func(*awskms.Options)
-	if strings.ToLower(awsRegion) == "local" {
-		options = make([]func(*awskms.Options), 1)
+	options := make([]func(*awskms.Options), 1)
+
+	// LocalStack/OpenStack mode
+	// https://docs.localstack.cloud/aws/integrations/aws-sdks/go/
+	// Region is provided from AWS_REGION env variable
+	url := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_URL"))
+	if url != "" {
 		options[0] = func(o *awskms.Options) {
-			o.BaseEndpoint = aws.String(awsURL)
+			o.BaseEndpoint = aws.String(url)
 		}
 	}
 

internal/config/config.go

@@ -146,9 +146,7 @@ type KeyStore struct {
 	ETHProvider                  string `env:"ISSUER_KMS_ETH_PROVIDER"`
 	SOLProvider                  string `env:"ISSUER_KMS_SOL_PROVIDER"`
 	ProviderLocalStorageFilePath string `env:"ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH"`
-	AWSAccessKey                 string `env:"ISSUER_KMS_AWS_ACCESS_KEY"`
-	AWSSecretKey                 string `env:"ISSUER_KMS_AWS_SECRET_KEY"`
-	AWSRegion                    string `env:"ISSUER_KMS_AWS_REGION"`
+	AWSRegion                    string `env:"AWS_REGION"`
 	AWSURL                       string `env:"ISSUER_KMS_AWS_URL" envDefault:"http://localstack:4566"`
 	VaultUserPassAuthEnabled     bool   `env:"ISSUER_VAULT_USERPASS_AUTH_ENABLED"`
 	VaultUserPassAuthPassword    string `env:"ISSUER_VAULT_USERPASS_AUTH_PASSWORD"`
@@ -366,21 +364,6 @@ func checkEnvVars(ctx context.Context, cfg *Configuration) error {
 		cfg.KeyStore.ProviderLocalStorageFilePath = "./localstoragekeys"
 	}
 
-	if cfg.KeyStore.ETHProvider == AWSSM || cfg.KeyStore.ETHProvider == AWSKMS || cfg.KeyStore.BJJProvider == AWSSM || cfg.KeyStore.SOLProvider == AWSSM {
-		if cfg.KeyStore.AWSAccessKey == "" {
-			log.Error(ctx, "ISSUER_AWS_KEY_ID value is missing")
-			return errors.New("ISSUER_AWS_KEY_ID value is missing")
-		}
-		if cfg.KeyStore.AWSSecretKey == "" {
-			log.Error(ctx, "ISSUER_AWS_SECRET_KEY value is missing")
-			return errors.New("ISSUER_AWS_SECRET_KEY value is missing")
-		}
-		if cfg.KeyStore.AWSRegion == "" {
-			log.Error(ctx, "ISSUER_AWS_REGION value is missing")
-			return errors.New("ISSUER_AWS_REGION value is missing")
-		}
-	}
-
 	if cfg.KeyStore.BJJProvider == LocalStorage || cfg.KeyStore.ETHProvider == LocalStorage || cfg.KeyStore.SOLProvider == LocalStorage {
 		log.Info(ctx, `
 			=====================================================================================================================================================
@@ -415,10 +398,6 @@ func KeyStoreConfig(ctx context.Context, cfg *Configuration, vaultCfg providers.
 		BJJKeyProvider:           kms.ConfigProvider(cfg.KeyStore.BJJProvider),
 		ETHKeyProvider:           kms.ConfigProvider(cfg.KeyStore.ETHProvider),
 		SOLKeyProvider:           kms.ConfigProvider(cfg.KeyStore.SOLProvider),
-		AWSAccessKey:             cfg.KeyStore.AWSAccessKey,
-		AWSSecretKey:             cfg.KeyStore.AWSSecretKey,
-		AWSRegion:                cfg.KeyStore.AWSRegion,
-		AWSURL:                   cfg.KeyStore.AWSURL,
 		LocalStoragePath:         cfg.KeyStore.ProviderLocalStorageFilePath,
 		Vault:                    vaultCli,
 		PluginIden3MountPath:     cfg.KeyStore.PluginIden3MountPath,

internal/config/config_test.go

@@ -137,9 +137,6 @@ func TestLoad(t *testing.T) {
 	assert.Equal(t, "issuernodepwd", cfg.KeyStore.VaultUserPassAuthPassword)
 	assert.Equal(t, "localstorage", cfg.KeyStore.BJJProvider)
 	assert.Equal(t, "localstorage", cfg.KeyStore.ETHProvider)
-	assert.Equal(t, "XYZ", cfg.KeyStore.AWSAccessKey)
-	assert.Equal(t, "123HHUBUuO5", cfg.KeyStore.AWSSecretKey)
-	assert.Equal(t, "eu-west-1", cfg.KeyStore.AWSRegion)
 	assert.Equal(t, "./resolvers_settings.yaml", cfg.NetworkResolverPath)
 	assert.Equal(t, "./payment_settings.yaml", cfg.Payments.SettingsPath)
 	assert.Equal(t, "hvs.NK8jrOU4XNY", cfg.KeyStore.Token)

internal/kms/aws.go

@@ -0,0 +1,81 @@
+package kms
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+)
+
+func LoadAWSConfig(ctx context.Context) (aws.Config, error) {
+	// Backward-compatible behaviour for AWS SDK configuration
+	// env variables (DEPRECATED)
+	// "ISSUER_KMS_AWS_ACCESS_KEY"
+	// "ISSUER_KMS_AWS_SECRET_KEY"
+	// "ISSUER_KMS_AWS_REGION"
+	accessKey := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_ACCESS_KEY"))
+	secretKey := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_SECRET_KEY"))
+	region := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_REGION"))
+
+	if accessKey != "" && secretKey != "" && region != "" {
+		return config.LoadDefaultConfig(
+			ctx,
+			config.WithCredentialsProvider(
+				credentials.NewStaticCredentialsProvider(accessKey, secretKey, ""),
+			),
+			config.WithRegion(region),
+		)
+	}
+
+	return config.LoadDefaultConfig(ctx)
+}
+
+func AwsSecretsManager(ctx context.Context) (*secretsmanager.Client, error) {
+	cfg, err := LoadAWSConfig(ctx)
+
+	if err != nil {
+		return nil, fmt.Errorf("unable to load SDK config, %v", err)
+	}
+
+	var options = make([]func(*secretsmanager.Options), 1)
+
+	// LocalStack/OpenStack mode
+	// https://docs.localstack.cloud/aws/integrations/aws-sdks/go/
+	// Region is provided from AWS_REGION env variable
+	url := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_URL"))
+	if url != "" {
+		options[0] = func(o *secretsmanager.Options) {
+			o.BaseEndpoint = aws.String(url)
+		}
+	}
+
+	return secretsmanager.NewFromConfig(cfg, options...), nil
+}
+
+func AwsKms(ctx context.Context) (*kms.Client, error) {
+	cfg, err := LoadAWSConfig(ctx)
+
+	if err != nil {
+		return nil, fmt.Errorf("unable to load SDK config, %v", err)
+	}
+
+	options := make([]func(*kms.Options), 1)
+
+	// LocalStack/OpenStack mode
+	// https://docs.localstack.cloud/aws/integrations/aws-sdks/go/
+	// Region is provided from AWS_REGION env variable
+	url := strings.TrimSpace(os.Getenv("ISSUER_KMS_AWS_URL"))
+	if url != "" {
+		options[0] = func(o *kms.Options) {
+			o.BaseEndpoint = aws.String(url)
+		}
+	}
+
+	return kms.NewFromConfig(cfg, options...), nil
+}