diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go
index 6ff42d1..aec2653 100644
--- a/eth/signer_awskms.go
+++ b/eth/signer_awskms.go
@@ -5,6 +5,8 @@ import (
 	"encoding/asn1"
 	"encoding/hex"
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"math/big"
 	"os"
 	"strings"
@@ -41,7 +43,12 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K
 	cfg := &aws.Config{
 		Region: aws.String(region),
 	}
-	if awsKey != "" && awsSec != "" {
+	if awsKey == "profile" {
+		cfg.Credentials = credentials.NewSharedCredentials("", awsSec)
+	} else if awsKey == "iam" {
+		// force use iam role, ignore cre or env
+		cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(session.Must(session.NewSession())))
+	} else if awsKey != "" && awsSec != "" {
 		cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "")
 	}
 	sess, err := session.NewSession(cfg)
@@ -183,8 +190,10 @@ func padBigInt(i *big.Int) []byte {
 // passphrase will be awsKey:awsSec or if empty, will use aws auto search env variable etc
 // otherwise normal ks json file based signer
 const awskmsPre = "awskms:"
+const awsCreProfilePre = "profile"
 
 // return signer, address
+// if use profile, passphrase should be "profile:default" or "profile:xxx"
 func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.Address, error) {
 	if strings.HasPrefix(ksfile, awskmsPre) {
 		kmskeyinfo := strings.SplitN(ksfile, ":", 3)
@@ -195,7 +204,7 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A
 		if passphrase != "" {
 			awskeysec = strings.SplitN(passphrase, ":", 2)
 			if len(awskeysec) != 2 {
-				return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':'", passphrase)
+				return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':' or 'profile:'", passphrase)
 			}
 		}
 		kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid)
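Review bot: The two new `github.com/aws/aws-sdk-go/...` imports are slotted alphabetically into the standard-library group between `"fmt"` and `"math/big"`, which is a style point rather than a defect. Conventional `goimports` layout keeps stdlib in the first group and third-party packages in a second, blank-line-separated group; the rest of this import block is outside the hunk, so the existing `aws`/`credentials`/`session` imports presumably already sit in such a group and the two new lines belong next to them.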
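Review bot: The new `"iam"` branch calls `session.Must(session.NewSession())`, which panics if the default session cannot be built, inside a constructor that otherwise returns errors (`sess, err := session.NewSession(cfg)` a few lines below). A caller passing `iam:` credentials through `CreateSigner` would get a process crash instead of the `error` return the rest of the function uses; building the metadata-client session explicitly and propagating the failure keeps the contract uniform. The branch also compares against the literal `"profile"` while the same commit adds a constant for that string elsewhere in the file, so the comparison could use the constant and `"iam"` could get a sibling constant to keep the accepted mode names in one place. NewKmsSigner's signature is truncated in the hunk header, so the `nil, err` return shape below is inferred from the visible `(*K…` return type and should be checked against the full signature.

```go
	} else if awsKey == "iam" {
		// force use iam role, ignore cre or env
		metaSess, err := session.NewSession()
		if err != nil {
			return nil, fmt.Errorf("creating session for iam role credentials: %w", err)
		}
		cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(metaSess))
	} else if awsKey != "" && awsSec != "" {
	// … unchanged: static credentials and session.NewSession(cfg) …
```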
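Review bot: The added doc line on `CreateSigner` describes only the `profile:` form, while `NewKmsSigner` in this same commit also accepts an `iam` mode, and the older comment two lines up still says the passphrase is `awsKey:awsSec` or empty; together they leave a reader without the full set of accepted values. I would replace the new line with `// passphrase forms: "awsKey:awsSec" (static), "profile:<name>" (shared credentials file), "iam:<ignored>" (EC2 instance role); empty uses the SDK default chain` and drop the now-inaccurate sentence from the comment above. `awsCreProfilePre` is declared here but none of the visible hunks reference it (the comparison in `NewKmsSigner` uses the literal `"profile"`), so either wire it in or it reads as dead code; if it is used in a part of the file outside this diff, a `clarify` is not needed. The function body continues past the hunk.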
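Review bot: The rewritten error on the `+` line still interpolates the raw `passphrase` into the error string, and in the static-credential form that value is `awsKey:awsSec`, i.e. the AWS secret access key ends up in whatever log or CLI output renders this error. Since the message only needs to say what format was expected, it should not echo the input at all: `return nil, common.Address{}, fmt.Errorf("passphrase has wrong format, expected 'key:secret', 'profile:<name>' or 'iam:<any>'")`. The message also omits the `iam` mode that `NewKmsSigner` now accepts, so a user who passes `iam` without a colon is pointed only at the other two forms. `awskeysec` is declared outside the hunk, so whether `awskeysec[0]`/`[1]` are safe when `passphrase` is empty cannot be confirmed from here; the enclosing function starts and ends outside the hunk.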