evm-kms-signer 1.1.4 → 1.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +80 -4
- package/dist/kms/client.d.ts +6 -1
- package/dist/kms/client.d.ts.map +1 -1
- package/dist/kms/client.js +6 -1
- package/dist/kms/client.js.map +1 -1
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -138,6 +138,81 @@ async function main() {
|
|
|
138
138
|
main().catch(console.error)
|
|
139
139
|
```
|
|
140
140
|
|
|
141
|
+
#### EKS Pod Identity
|
|
142
|
+
|
|
143
|
+
This library fully supports [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) for secure, credential-free authentication in Kubernetes environments. When running in EKS with Pod Identity configured, no explicit credentials are needed.
|
|
144
|
+
|
|
145
|
+
##### How It Works
|
|
146
|
+
|
|
147
|
+
The AWS SDK for JavaScript v3 automatically detects and uses the default credential provider chain:
|
|
148
|
+
|
|
149
|
+
1. **Environment variables** (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`)
|
|
150
|
+
2. **EKS Pod Identity** (`AWS_CONTAINER_CREDENTIALS_FULL_URI`)
|
|
151
|
+
3. **ECS container credentials**
|
|
152
|
+
4. **EC2 instance metadata (IMDS)**
|
|
153
|
+
5. **Shared credentials file** (`~/.aws/credentials`)
|
|
154
|
+
|
|
155
|
+
When credentials are not explicitly provided, the SDK automatically discovers available credentials in the above order.
|
|
156
|
+
|
|
157
|
+
##### Setup Steps
|
|
158
|
+
|
|
159
|
+
1. **Install the EKS Pod Identity Agent** addon in your cluster:
|
|
160
|
+
```bash
|
|
161
|
+
aws eks create-addon \
|
|
162
|
+
--cluster-name <cluster-name> \
|
|
163
|
+
--addon-name eks-pod-identity-agent
|
|
164
|
+
```
|
|
165
|
+
|
|
166
|
+
2. **Create an IAM role** with the required KMS permissions:
|
|
167
|
+
```json
|
|
168
|
+
{
|
|
169
|
+
"Version": "2012-10-17",
|
|
170
|
+
"Statement": [
|
|
171
|
+
{
|
|
172
|
+
"Effect": "Allow",
|
|
173
|
+
"Action": [
|
|
174
|
+
"kms:GetPublicKey",
|
|
175
|
+
"kms:Sign"
|
|
176
|
+
],
|
|
177
|
+
"Resource": "arn:aws:kms:<region>:<account-id>:key/<key-id>"
|
|
178
|
+
}
|
|
179
|
+
]
|
|
180
|
+
}
|
|
181
|
+
```
|
|
182
|
+
|
|
183
|
+
3. **Create a Pod Identity association**:
|
|
184
|
+
```bash
|
|
185
|
+
aws eks create-pod-identity-association \
|
|
186
|
+
--cluster-name <cluster-name> \
|
|
187
|
+
--namespace <namespace> \
|
|
188
|
+
--service-account <service-account-name> \
|
|
189
|
+
--role-arn arn:aws:iam::<account-id>:role/<role-name>
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
4. **Use the library without explicit credentials**:
|
|
193
|
+
```typescript
|
|
194
|
+
import { KmsSigner, toKmsAccount } from 'evm-kms-signer'
|
|
195
|
+
|
|
196
|
+
// No credentials needed - EKS Pod Identity handles authentication
|
|
197
|
+
const signer = new KmsSigner({
|
|
198
|
+
region: process.env.AWS_REGION!,
|
|
199
|
+
keyId: process.env.KMS_KEY_ID!,
|
|
200
|
+
// credentials are automatically discovered via Pod Identity
|
|
201
|
+
})
|
|
202
|
+
|
|
203
|
+
const account = await toKmsAccount(signer)
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
##### Verification
|
|
207
|
+
|
|
208
|
+
To verify Pod Identity is working, check that these environment variables are set in your pod:
|
|
209
|
+
```bash
|
|
210
|
+
kubectl exec -it <pod-name> -- env | grep AWS_CONTAINER
|
|
211
|
+
# Should show:
|
|
212
|
+
# AWS_CONTAINER_CREDENTIALS_FULL_URI=http://169.254.170.23/v1/credentials
|
|
213
|
+
# AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE=/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token
|
|
214
|
+
```
|
|
215
|
+
|
|
141
216
|
### GCP KMS
|
|
142
217
|
|
|
143
218
|
#### Prerequisites
|
|
@@ -320,10 +395,11 @@ The library provides custom error classes for better error handling:
|
|
|
320
395
|
### Best Practices
|
|
321
396
|
|
|
322
397
|
1. **Use IAM Roles**: Prefer IAM roles over hardcoded credentials in production
|
|
323
|
-
2. **
|
|
324
|
-
3. **
|
|
325
|
-
4. **
|
|
326
|
-
5. **
|
|
398
|
+
2. **Use EKS Pod Identity**: For Kubernetes deployments, use [EKS Pod Identity](#eks-pod-identity) for secure, automatic credential management
|
|
399
|
+
3. **Environment Variables**: Never commit `.env` files with credentials
|
|
400
|
+
4. **Key Policies**: Restrict KMS key usage to specific AWS principals
|
|
401
|
+
5. **Audit Logging**: Enable AWS CloudTrail to monitor KMS key usage
|
|
402
|
+
6. **Network Security**: Use VPC endpoints for KMS in production environments
|
|
327
403
|
|
|
328
404
|
## Development
|
|
329
405
|
|
package/dist/kms/client.d.ts
CHANGED
|
@@ -28,8 +28,13 @@ export declare class KmsClient {
|
|
|
28
28
|
* @remarks
|
|
29
29
|
* If credentials are not provided, the AWS SDK will use the default credential provider chain:
|
|
30
30
|
* - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
|
31
|
+
* - EKS Pod Identity (AWS_CONTAINER_CREDENTIALS_FULL_URI)
|
|
32
|
+
* - ECS container credentials
|
|
33
|
+
* - EC2 instance metadata (IMDS)
|
|
31
34
|
* - Shared credentials file (~/.aws/credentials)
|
|
32
|
-
*
|
|
35
|
+
*
|
|
36
|
+
* For EKS deployments, simply omit the credentials parameter and configure
|
|
37
|
+
* Pod Identity association - the SDK will automatically discover credentials.
|
|
33
38
|
*/
|
|
34
39
|
constructor(config: KmsConfig);
|
|
35
40
|
/**
|
package/dist/kms/client.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/kms/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,SAAS;IACrB,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,KAAK,CAAS;IAEtB
|
|
1
|
+
{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/kms/client.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE1C;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,SAAS;IACrB,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,KAAK,CAAS;IAEtB;;;;;;;;;;;;;;;OAeG;gBACS,MAAM,EAAE,SAAS;IAQ7B;;;;;;;;;OASG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAmBzC;;;;;;;;;;;OAWG;IACG,IAAI,CAAC,WAAW,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAuBxD"}
|
package/dist/kms/client.js
CHANGED
|
@@ -27,8 +27,13 @@ export class KmsClient {
|
|
|
27
27
|
* @remarks
|
|
28
28
|
* If credentials are not provided, the AWS SDK will use the default credential provider chain:
|
|
29
29
|
* - Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
|
|
30
|
+
* - EKS Pod Identity (AWS_CONTAINER_CREDENTIALS_FULL_URI)
|
|
31
|
+
* - ECS container credentials
|
|
32
|
+
* - EC2 instance metadata (IMDS)
|
|
30
33
|
* - Shared credentials file (~/.aws/credentials)
|
|
31
|
-
*
|
|
34
|
+
*
|
|
35
|
+
* For EKS deployments, simply omit the credentials parameter and configure
|
|
36
|
+
* Pod Identity association - the SDK will automatically discover credentials.
|
|
32
37
|
*/
|
|
33
38
|
constructor(config) {
|
|
34
39
|
this.client = new KMSClient({
|
package/dist/kms/client.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/kms/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,mBAAmB,EACnB,SAAS,EACT,WAAW,EACX,WAAW,EACX,oBAAoB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,SAAS;IAIrB
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/kms/client.ts"],"names":[],"mappings":"AAAA,OAAO,EACN,mBAAmB,EACnB,SAAS,EACT,WAAW,EACX,WAAW,EACX,oBAAoB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAG3C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,SAAS;IAIrB;;;;;;;;;;;;;;;OAeG;IACH,YAAY,MAAiB;QAC5B,IAAI,CAAC,MAAM,GAAG,IAAI,SAAS,CAAC;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;SAC9D,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC3B,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY;QACjB,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,mBAAmB,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CAAC,iCAAiC,CAAC,CAAC;YAC7D,CAAC;YAED,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,cAAc;gBAAE,MAAM,KAAK,CAAC;YACjD,MAAM,IAAI,cAAc,CACvB,sCAAsC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,EAChG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC1C,CAAC;QACH,CAAC;IACF,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,IAAI,CAAC,WAAuB;QACjC,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;gBAC/B,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,OAAO,EAAE,WAAW;gBACpB,WAAW,EAAE,WAAW,CAAC,MAAM;gBAC/B,gBAAgB,EAAE,oBAAoB,CAAC,aAAa;aACpD,CAAC,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEjD,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACzB,MAAM,IAAI,cAAc,CAAC,gCAAgC,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,cAAc;gBAAE,MAAM,KAAK,CAAC;YACjD,MAAM,IAAI,cAAc,CACvB,4BAA4B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,EACtF,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAC1C,CAAC;QACH,CAAC;IACF,CAAC;CACD"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "evm-kms-signer",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.6",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "AWS/GCP KMS-based Ethereum signer for viem with enterprise-grade security. Sign transactions and messages using keys stored in AWS or GCP KMS without exposing private keys.",
|
|
6
6
|
"main": "./dist/index.js",
|
|
@@ -53,7 +53,7 @@
|
|
|
53
53
|
"abitype": "^1.1.1"
|
|
54
54
|
},
|
|
55
55
|
"devDependencies": {
|
|
56
|
-
"@biomejs/biome": "2.3.
|
|
56
|
+
"@biomejs/biome": "2.3.11",
|
|
57
57
|
"@types/node": "^24.10.0",
|
|
58
58
|
"@vitest/coverage-v8": "4.0.16",
|
|
59
59
|
"dotenv": "^17.2.3",
|