ethers-gcp-kms-signer

Installation

Cargo

shell cargo add ethers-gcp-kms-signer

Usage

Signer

```rust use ethers::prelude::*; use ethersgcpkms_signer::{GcpKeyRingRef, GcpKmsProvider, GcpKmsSigner};

let projectid = std::env::var("GOOGLEPROJECTID").expect("GOOGLEPROJECTID"); let location = std::env::var("GOOGLELOCATION").expect("GOOGLELOCATION"); let keyring = std::env::var("GOOGLEKEYRING").expect("GOOGLEKEYRING"); let keyname = std::env::var("GOOGLEKEYNAME").expect("GOOGLEKEYNAME");

let keyring = GcpKeyRingRef::new(&projectid, &location, &keyring); let provider = GcpKmsProvider::new(keyring) .await .expect("Failed to create GCP KMS provider"); let signer = GcpKmsSigner::new(provider, keyname.to_string(), 1, 1) .await .expect("get key"); ```

You can then use it as regular ethers signer:

rust let provider = Provider::<Http>::try_from(RPC_URL).unwrap().with_signer(signer);

Credentials

The library will attempt to load credentials in the typical fashion for GCP-

• If the application is running in a k8s cluster, it should automatically pick up credentials
• If the GOOGLE_APPLICATION_CREDENTIALS environment is set, attempt to load a service account JSON from this path

Demo

An example app is included in the repo, with terraform manifests to provision a HSM-based key, create a service account with permission to sign using the key, and export a json key with the credentials of this service account.

First, init and apply the terraform:

$ cd example/terraform
$ terraform init
$ terraform apply

Output the service account credentials:

$ terraform output service_account_key > service_account_key.json

To export the service account key in a usable format:

$ cat service_account_key.json | jq -r | base64 -d > ../demo-app/service_account_key.json

To run the example:

shell ❯ export GOOGLE_PROJECT_ID=<project_id> ❯ export GOOGLE_LOCATION=<location> ❯ export GOOGLE_KEYRING=<keyring-name> ❯ export GOOGLE_KEY_NAME=<key-name> ❯ export GOOGLE_APPLICATION_CREDENTIALS=service_account_key.json ❯ cargo run Compiling demo-app v0.1.0 (/home/grw/src/ethers-gcp-kms-signer/example/demo-app) Finished dev [unoptimized + debuginfo] target(s) in 6.14s Running `target/debug/demo-app` Created signer: GcpKmsSigner { ... } Signer address: 0xa2e83c0ecc9ffeddb34e027bf3c44971c45fca12 Anvil running at `http://localhost:40023` Sent 1 ETH to the signer Sent 1 Wei from the signer Signer balance: 999960621324999999

License

Licensed under either of

• Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

See CONTRIBUTING.md.