DEV Community

foxgem

safe-signer: creating an ethers.Signer from third-party secret storage

If you need a wallet or signer in your backend server, this project is for you.

It aims to create an ethers.Signer from third-party secret storage. Currently, it supports:

  • Private key
    • This is only for testing purposes and is not recommended in production environments.
  • Environment variables
  • AWS Secrets Manager
  • AWS Key Management Service (KMS)
  • HashiCorp Vault

NOTE:

Currently it supports ethers@^5 only.

How to use

Install

Node >= 16.

npm i @dteam/safe-signer 

Import

Javascript:

const SafeSigner = require('@dteam/safe-signer'); 

Typescript:

import SafeSigner from '@dteam/safe-signer'; 

Examples

  1. fromPrivateKey will return a Wallet.

     const privateKeyWallet = await SafeSigner.fromPrivateKey('YOUR_PRIVATE_KEY');

  2. fromEnv will return a Wallet.

     const envWallet = await SafeSigner.fromEnv('ENV_VAR_FOR_PRIVATE_KEY');

  3. fromAwsSecretsManager will return a Wallet.

     const awsSecretsManagerWallet = await SafeSigner.fromAwsSecretsManager(
       {
         SecretId: 'FULL_ARN_FOR_SECRET',
         SecretKeyName: 'KEY_NAME_STORED_PRIVATE_KEY',
       },
       {
         credentials: {
           accessKeyId: 'YOUR_AWS_ACCESS_KEY_ID',
           secretAccessKey: 'YOUR_AWS_SECRET_ACCESS_KEY',
         },
         region: 'YOUR_REGION',
       }
     );

  4. fromHashicorpVault will return a Wallet.

     const hashicorpVaultWallet = await SafeSigner.fromHashicorpVault(
       {
         // you can set to your own vault server
         // baseUrl: 'http://127.0.0.1:8200/v1',
         rootPath: 'secret',
         timeout: 6000,
         secretName: 'wallet-secret',
         secretKey: 'privateKey',
       },
       // login method can be any of the following:
       // {token: 'plaintext-token'}
       // {appRole: {roleId: 'roleId', secretId: 'secretId'}}
       // {cert: {certName: 'certName'}}
       // {k8s: {role: 'role', jwt: 'jwt'}}
       // {ldap: {username: 'user', password: 'password'}}
       // {userpass: {username: 'user', password: 'password'}}
       {token: 'vault-plaintext-token'},
       {secretName: 'wallet-secret', secretKey: 'privateKey'}
     );

  5. fromAwsKms will return a Signer because you can't get the raw private key from AWS KMS.

     const awsKmsSigner = await SafeSigner.fromAwsKms('YOUR_AWS_KMS_KEY_ARN', {
       credentials: {
         accessKeyId: 'YOUR_AWS_ACCESS_KEY_ID',
         secretAccessKey: 'YOUR_AWS_SECRET_ACCESS_KEY',
       },
       region: 'YOUR_REGION',
     });
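
Why a KMS-backed signer cannot simply be a Wallet, as an added example that is not from the original post or the safe-signer code base: the key stays inside KMS, so the signer has to convert the DER-encoded ECDSA signature that KMS returns into the `r`/`s` values Ethereum expects. `derToEthSig`, `readDerInt` and `SAMPLE_DER` are hypothetical names, and the sample bytes are constructed, not real KMS output.

```javascript
// Added example, not safe-signer's code. Assumes an ECDSA secp256k1 signature
// in DER form, the encoding AWS KMS returns from its Sign operation.

// secp256k1 group order n, and n/2 for the EIP-2 low-s rule.
const N = BigInt('0x' + 'f'.repeat(31) + 'e' + 'baaedce6af48a03bbfd25e8cd0364141');
const HALF_N = N / 2n;

// Read one DER INTEGER starting at `offset`; return its value and the next offset.
function readDerInt(buf, offset) {
  if (buf[offset] !== 0x02) throw new Error('expected DER INTEGER tag');
  const len = buf[offset + 1];
  const start = offset + 2;
  const end = start + len;
  if (!(len >= 1 && len <= 33) || end > buf.length) throw new Error('bad INTEGER length');
  if (buf[start] & 0x80) throw new Error('negative INTEGER');
  return { value: BigInt('0x' + buf.subarray(start, end).toString('hex')), next: end };
}

// Parse SEQUENCE { INTEGER r, INTEGER s } and return 32-byte hex r and low-s s.
function derToEthSig(der) {
  // For a 256-bit curve the content is at most 70 bytes, so the length is short-form.
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error('malformed DER SEQUENCE');
  const r = readDerInt(der, 2);
  const s = readDerInt(der, r.next);
  if (s.next !== der.length) throw new Error('trailing bytes after signature');
  for (const x of [r.value, s.value]) {
    if (x === 0n || x >= N) throw new Error('r or s out of range');
  }
  // EIP-2: s above n/2 is rejected on-chain; n - s is the equivalent low form.
  const lowS = s.value > HALF_N ? N - s.value : s.value;
  const hex32 = (x) => '0x' + x.toString(16).padStart(64, '0');
  return { r: hex32(r.value), s: hex32(lowS), flipped: lowS !== s.value };
}

// Constructed sample: r = 0x11 repeated 32 times, s = n - 1 (a high s that
// needs a leading 0x00 byte in DER because its top bit is set).
const SAMPLE_DER = Buffer.from(
  '3045' + '0220' + '11'.repeat(32) + '022100' + (N - 1n).toString(16),
  'hex'
);

console.log(derToEthSig(SAMPLE_DER));
```

The KMS response carries no recovery id, so a signer still has to pick `v` by recovering the address for both parities and keeping the one that matches the key's address; flipping `s` flips that parity.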

For more details, you can check its GitHub repo: https://github.com/DTeam-Top/safe-signer
