added documentation for Tessera AWS Secrets Manager integration

This commit is contained in:
Ionut E. Mihailescu 2019-12-13 13:40:58 +02:00
parent 877f85208e
commit 1b6eeb9588
2 changed files with 45 additions and 0 deletions

View File

@ -159,6 +159,27 @@ Passwords must be provided so that Tessera can decrypt and use the private keys.
| Direct | `"passwords": ["pwd1", "pwd2", ...]`<br/>Empty strings should be used for unlocked keys. Passwords must be provided in the order that key pairs are defined in the config. Not recommended for production use. |
| CLI | Tessera will prompt on the CLI for the passwords of any encrypted keys that have not had passwords provided in the config. This process only needs to be performed once, when starting the node. |
### AWS Secrets Manager key pairs
The keys in the pair are stored as secrets in the _AWS Secrets Manager_. This requires providing the secret IDs for both keys, while the endpoint is optional as the _AWS SDK_ can choose the right one based on _AWS_REGION_ environment variable value:
```json
"keys": {
"awsKeyVaultConfig":{
"endpoint": "https://secretsmanager.us-west-2.amazonaws.com"
},
"keyData": [
{
"awsSecretsManagerPublicKeyId": "secretIdPub",
"awsSecretsManagerPrivateKeyId": "secretIdKey"
}
]
}
```
This example configuration will retrieve the specified versions of the secrets `secretIdPub` and `secretIdKey` from the _AWS Secrets Manager_ using the endpoint `https://secretsmanager.us-west-2.amazonaws.com`.
!!! info
Environment variables must be set if using an _AWS Secrets Manager_, for more information see [Setting up an AWS Secrets Manager](../../Tessera%20Services/Keys/Setting%20up%20an%20AWS%20Secrets%20Manager.md)
### Azure Key Vault key pairs
The keys in the pair are stored as secrets in an Azure Key Vault. This requires providing the vault url and the secret IDs for both keys:
```json
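Review bot: the sentence "This example configuration will retrieve the specified versions of the secrets `secretIdPub` and `secretIdKey`" describes something the example does not do: the `keyData` entry carries only `awsSecretsManagerPublicKeyId` and `awsSecretsManagerPrivateKeyId`, and no version identifier appears anywhere in the block. Either drop "the specified versions of" (when no version is requested, Secrets Manager returns the version carrying the AWSCURRENT staging label) or, if the integration does accept a version, show that field in the example and list it beside the two IDs. Related wording point in the same paragraph: the endpoint is said to be optional because the SDK derives it from `AWS_REGION`, yet the example hard-codes `https://secretsmanager.us-west-2.amazonaws.com`; it would help to state that an explicit `endpoint` must be in the same region as the secrets (and as `AWS_REGION`), otherwise the reader is left to discover the mismatch at start-up.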

View File

@ -0,0 +1,24 @@
The private/public key pairs used by Tessera can be [stored](../Keys) in and [retrieved](../../../Configuration/Keys) from a key vault, preventing the need to store the keys locally.
This page details how to set up and configure an _AWS Secrets Manager_ for use with Tessera.
The _AWS Secrets Manager_ documentation provides much of the information needed to get started. The information in this section has been taken from the following pages of the _AWS_ documentation:
* [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html)
* [AWS SDK for Java Developer Guide](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/welcome.html)
## Enabling Tessera to use the vault
### Environment Variables
If using an _AWS Secrets Manager_, Tessera requires four environment variables to be set:
1. `AWS_REGION`: region_to_connect_to (i.e. us-west-2)
1. `AWS_ACCESS_KEY_ID`: your_access_key_id
1. `AWS_SECRET_ACCESS_KEY`: your_secret_access_key
1. `AWS_SESSION_TOKEN`: your_session_token
To retrieve the last three values you should log into your [AWS Managemenet Console](https://aws.amazon.com/)
### Dependencies
The AWS Secrets Manager dependencies are included in the `tessera-app-<version>-app.jar`. If using the `tessera-simple-<version>-app.jar` then `aws-key-vault-<version>-all.jar` must be added to the classpath.
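Review bot: "Tessera requires four environment variables to be set" overstates the requirement for `AWS_SESSION_TOKEN`: a session token only exists for temporary credentials (for example from an assumed role), while long-term access keys for an IAM user have no token, so the list should mark that entry as required only when temporary credentials are in use. The follow-up sentence "To retrieve the last three values you should log into your AWS Managemenet Console" has a typo ("Management") and is misleading for the same reason, since the console issues access key pairs rather than session tokens. It would also be worth saying that the AWS SDK for Java (linked at the top of this page) resolves credentials through its default provider chain, so an instance profile or a shared credentials file works too and a role attached to the host avoids placing long-lived keys on the node at all. Two smaller points: "(i.e. us-west-2)" under `AWS_REGION` should read "e.g. us-west-2"; and the first line links to `../Keys` and `../../../Configuration/Keys` at different directory depths, so please confirm both resolve from this file's location.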