openlawteam / ethers-gcp-kms-signer

Ethers.js Signer that connects to GCP KMS
https://www.npmjs.com/package/ethers-gcp-kms-signer
MIT License
38 stars 22 forks

KeyManagementServiceClient is leaked on each call to sign or getPublicKey #6

Open nedgar opened 2 years ago

nedgar commented 2 years ago

In src/util/gcp-kms-utils.ts it instantiates a new KeyManagementServiceClient each time sign or getPublicKey is called. See: https://github.com/openlawteam/ethers-gcp-kms-signer/blob/45a5186c9b3f27bd2bcf5c53bef138fe3fb43c24/src/util/gcp-kms-utils.ts#L25

https://github.com/openlawteam/ethers-gcp-kms-signer/blob/45a5186c9b3f27bd2bcf5c53bef138fe3fb43c24/src/util/gcp-kms-utils.ts#L43

The client maintains a gRPC channel, plus one in its referenced IAM client. close() should be called on the client when it's no longer needed.

The logical lifetime of the client is that of the GcpKmsSigner. I suggest changing it to instantiate the KeyManagementServiceClient, and pass that to the util methods.

nedgar commented 2 years ago

Alternatively, since GcpKmsSigner doesn't take the Google credentials, the KeyManagementServiceClient could be made a singleton field in the utils for now. At least that would reduce leakage to just that instance and its channels.
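The lifetime problem described in this issue, as an added sketch that is not code from the thread or from the project: it compares a client created on every call with one owned by the signer and closed with it. `StubKmsClient`, `signPerCall`, `signWith`, `SignerSketch` and `channelsAfter` are hypothetical names, and the stub only counts channels (two per client, as the issue describes) instead of talking to GCP.

```typescript
// Stand-in for KeyManagementServiceClient (constructed for this example).
// Per the issue, each client holds a gRPC channel plus one in its IAM client.
class StubKmsClient {
  static openChannels = 0;
  private closed = false;
  constructor() {
    StubKmsClient.openChannels += 2; // KMS channel + IAM client channel
  }
  // Placeholder for a signing round trip; returns a constructed value.
  sign(digest: string): Promise<string> {
    return Promise.resolve(`sig(${digest})`);
  }
  // Idempotent: releasing twice must not under-count open channels.
  close(): Promise<void> {
    if (!this.closed) {
      this.closed = true;
      StubKmsClient.openChannels -= 2;
    }
    return Promise.resolve();
  }
}

// Reported pattern: a new client per call, never closed.
function signPerCall(digest: string): Promise<string> {
  const client = new StubKmsClient();
  return client.sign(digest);
}

// Suggested pattern: the util receives a client owned by the caller.
function signWith(client: StubKmsClient, digest: string): Promise<string> {
  return client.sign(digest);
}

// Hypothetical signer that owns one client for its whole lifetime.
class SignerSketch {
  private readonly client = new StubKmsClient();
  sign(digest: string): Promise<string> { return signWith(this.client, digest); }
  close(): Promise<void> { return this.client.close(); }
}

// Channels left open after n signatures under each pattern.
function channelsAfter(n: number) {
  StubKmsClient.openChannels = 0;
  for (let i = 0; i < n; i++) signPerCall(`d${i}`);
  const perCall = StubKmsClient.openChannels;
  StubKmsClient.openChannels = 0;
  const signer = new SignerSketch();
  for (let i = 0; i < n; i++) signer.sign(`d${i}`);
  const shared = StubKmsClient.openChannels;
  signer.close();
  return { perCall, shared, afterClose: StubKmsClient.openChannels };
}
```

With the per-call pattern the open-channel count grows linearly with the number of signatures; with a signer-owned client it stays at one client's worth and drops to zero on `close()`.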