Consensys / tessera

Tessera - Enterprise Implementation of Quorum's transaction manager
https://docs.tessera.consensys.net/
Apache License 2.0

Fetch tessera secrets from AWS KMS using IAM roles #1505

Open techiegk opened 1 year ago

techiegk commented 1 year ago

To enable Tessera to use AWS Secrets Manager, we need to configure 3 environment variables, namely AWS_REGION, AWS_SECRET_ACCESS_KEY & AWS_ACCESS_KEY_ID. But what if an organisation has restricted us to getting only AWS_REGION & AWS_ACCESS_KEY_ID from the AWS environment? Instead of AWS_SECRET_ACCESS_KEY, we have an IAM role. I hope this would be best practice too for security reasons. Now, the question is how to use the IAM role instead of AWS_SECRET_ACCESS_KEY to enable Tessera to use AWS Secrets Manager?

https://docs.tessera.consensys.net/en/stable/HowTo/Configure/KeyVault/AWS-Secrets-Manager/

macfarla commented 1 year ago

@Krish1979 do you have ideas on this one?

macfarla commented 1 year ago

Suggestion from devops - @techiegk are you able to see if the below suggestion works for you?

It is possible that if the environment variables are not configured and the instance role attached to the EC2 instance has the correct permissions, the AWS API library will do the work to make use of the instance role. Someone would need to test this and confirm to be sure. An update to the documentation would also be nice, I believe.