From a6e5b871d8d5c22eceecefaec61fa72e9d2fc098 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 11:01:34 +0800 Subject: [PATCH 01/11] support role --- eth/signer_awskms.go | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 6ff42d1..3dc12b9 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -37,12 +37,17 @@ type KmsSigner struct { // region and keyAlias must be valid, eg. us-west-1 alias/mytestkey // if awsKey, awsSec are empty string, will use aws sdk auto search -func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*KmsSigner, error) { +func NewKmsSigner(region, keyAlias, awsKey, awsSec, profile string, chainId *big.Int) (*KmsSigner, error) { cfg := &aws.Config{ Region: aws.String(region), } - if awsKey != "" && awsSec != "" { + + if profile != "" { + cfg.Credentials = credentials.NewSharedCredentials("", profile) + } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") + } else { + // default use role } sess, err := session.NewSession(cfg) if err != nil { From 7f129a058a187aedd82e23a4d39e8b52010238bf Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 11:04:45 +0800 Subject: [PATCH 02/11] update --- eth/signer_awskms.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 3dc12b9..d6edf20 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go 
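Review bot: This hunk changes NewKmsSigner's signature, but the only visible caller, CreateSigner, still passes the old five arguments and is adjusted only in the following patch, so the tree does not build at this commit; the signature change and its call-site update belong in one commit. The new `else { // default use role }` comment is also misleading: leaving `cfg.Credentials` nil selects the SDK default chain, which (in aws-sdk-go v1, by default) consults environment variables and the shared credentials file before the instance role, so write `// no explicit credentials: SDK default chain (env, shared file, then instance role)`. The doc comment above the signature should describe the new `profile` parameter as well, since it now takes precedence over explicit keys. NewKmsSigner continues past the end of the hunk.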
@@ -203,7 +203,7 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':'", passphrase) } } - kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid) + kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], "", chainid) if err != nil { return nil, common.Address{}, err } From 28e8da6e60b242a25cd2f8c644db808204212f81 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 11:28:09 +0800 Subject: [PATCH 03/11] update --- eth/signer_awskms.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index d6edf20..ab69def 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -37,13 +37,13 @@ type KmsSigner struct { // region and keyAlias must be valid, eg. us-west-1 alias/mytestkey // if awsKey, awsSec are empty string, will use aws sdk auto search -func NewKmsSigner(region, keyAlias, awsKey, awsSec, profile string, chainId *big.Int) (*KmsSigner, error) { +func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*KmsSigner, error) { cfg := &aws.Config{ Region: aws.String(region), } - if profile != "" { - cfg.Credentials = credentials.NewSharedCredentials("", profile) + if awsKey == "profile" { + cfg.Credentials = credentials.NewSharedCredentials("", awsSec) } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { 
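Review bot: The doc comment on NewKmsSigner (`// if awsKey, awsSec are empty string, will use aws sdk auto search`) no longer describes the contract: `awsKey == "profile"` now turns `awsSec` into a profile name, and an empty `awsSec` in that mode hands `NewSharedCredentials("", "")` to the SDK, whose choice of profile (AWS_PROFILE or `default`, I believe) is stated nowhere. Add a line such as `// if awsKey is "profile", awsSec names the profile in the shared credentials file (empty lets the SDK pick)` and compare against a named constant rather than the bare literal `"profile"` so the sentinel cannot drift from the passphrase parser in CreateSigner. Overloading the access-key argument is only safe because a real access key ID can never equal `"profile"`; a dedicated mode parameter would make that explicit. NewKmsSigner continues past the end of the hunk.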
@@ -188,8 +188,10 @@ func padBigInt(i *big.Int) []byte { // passphrase will be awsKey:awsSec or if empty, will use aws auto search env variable etc // otherwise normal ks json file based signer const awskmsPre = "awskms:" +const awsCreProfilePre = "profile" // return signer, address +// if use profile, passphrase should be "profile:default" or "profile:xxx" func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.Address, error) { if strings.HasPrefix(ksfile, awskmsPre) { kmskeyinfo := strings.SplitN(ksfile, ":", 3) @@ -203,7 +205,8 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':'", passphrase) } } - kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], "", chainid) + + kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid) if err != nil { return nil, common.Address{}, err } From b86d0c6ccda38c4ff4682af1c7bfeffc9e729b9a Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 11:33:33 +0800 Subject: [PATCH 04/11] update --- eth/signer_awskms.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index ab69def..ac0eb29 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -41,13 +41,12 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K cfg := &aws.Config{ Region: aws.String(region), } - if awsKey == "profile" { cfg.Credentials = credentials.NewSharedCredentials("", awsSec) } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { - // default use role + // default use aws role } sess, err := session.NewSession(cfg) if err != nil { 
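Review bot: `awsCreProfilePre` is introduced here but nothing in the hunk reads it, while the comparison that actually implements the mode uses the literal `"profile"`; either use the constant in that comparison or drop it. The new line `// if use profile, passphrase should be "profile:default" or "profile:xxx"` sits on CreateSigner's return comment but documents the passphrase format, so it belongs in the passphrase comment block just above, e.g. `// passphrase may also be "profile:<name>" to read credentials for <name> from the shared credentials file`. Because the parser splits on the first ':' only, a profile name containing ':' is passed through whole — presumably acceptable, but worth a word in that comment. CreateSigner continues past the end of the hunk.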
@@ -205,7 +204,6 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':'", passphrase) } } - kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid) if err != nil { return nil, common.Address{}, err From b9c1df2f3807d3bee4ed5f6dd1d1e77fb0184606 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 11:49:14 +0800 Subject: [PATCH 05/11] fmt log --- eth/signer_awskms.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index ac0eb29..44ed8a0 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -201,7 +201,7 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A if passphrase != "" { awskeysec = strings.SplitN(passphrase, ":", 2) if len(awskeysec) != 2 { - return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':'", passphrase) + return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected ':' or 'profile:'", passphrase) } } kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid) From 22630a8f88da50b1e5c8b21496c22e2b6b2a61f0 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:19:19 +0800 Subject: [PATCH 06/11] update --- eth/signer_awskms.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 44ed8a0..92df9c3 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -11,6 +11,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" + "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/ethereum/go-ethereum/accounts/abi/bind" 
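Review bot: The rewritten error message still interpolates `passphrase` into the returned error, and in the `awsKey:awsSec` mode that value carries an AWS secret access key; a malformed value (no ':') is exactly the case where a mis-pasted or partial secret ends up in logs and CLI output. Report only the expected shape, e.g. `return nil, common.Address{}, fmt.Errorf("passphrase has wrong format, expected 'awsKey:awsSec' or 'profile:<name>'")`. CreateSigner continues past the end of the hunk.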
@@ -46,7 +47,8 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { - // default use aws role + // use EC2 role only (not .aws/credentials file) + cfg.Credentials = credentials.NewCredentials(&ec2rolecreds.EC2RoleProvider{}) } sess, err := session.NewSession(cfg) if err != nil { From c709781a091d8520ac7b4560cd193a777a65174c Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:24:22 +0800 Subject: [PATCH 07/11] update --- eth/signer_awskms.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 92df9c3..8ae7af5 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -47,8 +47,14 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { - // use EC2 role only (not .aws/credentials file) - cfg.Credentials = credentials.NewCredentials(&ec2rolecreds.EC2RoleProvider{}) + // try EC2 role first, fallback to env vars, then .aws/credentials file + cfg.Credentials = credentials.NewChainCredentials( + []credentials.Provider{ + &ec2rolecreds.EC2RoleProvider{}, + &credentials.EnvProvider{}, + &credentials.SharedCredentialsProvider{}, + }, + ) } sess, err := session.NewSession(cfg) if err != nil { From 9b0b793cf568c827700bdd2022c3da219c3e96c7 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:34:54 +0800 Subject: [PATCH 08/11] update --- eth/signer_awskms.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 8ae7af5..b1c2030 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go 
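Review bot: `&ec2rolecreds.EC2RoleProvider{}` is constructed without a `Client`; in aws-sdk-go v1 that field is documented as required, and as far as I can tell a nil client is dereferenced on the first credential fetch, so the default path would fail at signing time rather than at construction. Placing IMDS first in the chain also means every non-EC2 host waits out the metadata-endpoint timeout before the env and shared-file providers are tried, which the SDK's own default order (env, shared file, then IMDS) avoids. If the intent is "instance role only", drop the fallbacks rather than reorder them; if the intent is a fallback chain, keep the SDK order. NewKmsSigner continues past the end of the hunk.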
@@ -5,6 +5,7 @@ import ( "encoding/asn1" "encoding/hex" "fmt" + "github.com/aws/aws-sdk-go/aws/ec2metadata" "math/big" "os" "strings" @@ -47,12 +48,14 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { - // try EC2 role first, fallback to env vars, then .aws/credentials file + sess := session.Must(session.NewSession()) + // 2. 创建 EC2 元数据客户端 + ec2m := ec2metadata.New(sess) cfg.Credentials = credentials.NewChainCredentials( []credentials.Provider{ - &ec2rolecreds.EC2RoleProvider{}, - &credentials.EnvProvider{}, - &credentials.SharedCredentialsProvider{}, + &ec2rolecreds.EC2RoleProvider{ + Client: ec2m, + }, }, ) } From d0fb14f661e0e5a63e092516e8545b1dd23e8bb4 Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:36:44 +0800 Subject: [PATCH 09/11] fix --- eth/signer_awskms.go | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index b1c2030..58deefb 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -48,16 +48,7 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K } else if awsKey != "" && awsSec != "" { cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "") } else { - sess := session.Must(session.NewSession()) - // 2. 创建 EC2 元数据客户端 - ec2m := ec2metadata.New(sess) - cfg.Credentials = credentials.NewChainCredentials( - []credentials.Provider{ - &ec2rolecreds.EC2RoleProvider{ - Client: ec2m, - }, - }, - ) + cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(session.Must(session.NewSession()))) } sess, err := session.NewSession(cfg) if err != nil { From 771d621da0be79e412e131bfc3429a3453b0833b Mon Sep 17 00:00:00 2001 
From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:41:15 +0800 Subject: [PATCH 10/11] fmt --- eth/signer_awskms.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 58deefb..2833d94 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -5,7 +5,6 @@ import ( "encoding/asn1" "encoding/hex" "fmt" - "github.com/aws/aws-sdk-go/aws/ec2metadata" "math/big" "os" "strings" @@ -13,6 +12,7 @@ import ( "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" + "github.com/aws/aws-sdk-go/aws/ec2metadata" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/ethereum/go-ethereum/accounts/abi/bind" From dd85bb4f15b7c6d824c5076e117a47c6686f7a9b Mon Sep 17 00:00:00 2001 From: liuxiaobleach <1241368737@qq.com> Date: Wed, 11 Mar 2026 12:54:43 +0800 Subject: [PATCH 11/11] update --- eth/signer_awskms.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/eth/signer_awskms.go b/eth/signer_awskms.go index 2833d94..aec2653 100644 --- a/eth/signer_awskms.go +++ b/eth/signer_awskms.go @@ -5,14 +5,14 @@ import ( "encoding/asn1" "encoding/hex" "fmt" + "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" + "github.com/aws/aws-sdk-go/aws/ec2metadata" "math/big" "os" "strings" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" - "github.com/aws/aws-sdk-go/aws/ec2metadata" "github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/service/kms" "github.com/ethereum/go-ethereum/accounts/abi/bind" 
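Review bot: Moving `ec2rolecreds` and `ec2metadata` into the standard-library import group undoes the grouping the previous patch established and is not what `gofmt`/`goimports` produce; keep both lines in the `github.com/aws/aws-sdk-go` group, directly under `credentials`. Import-only hunk; the rest of the file is outside it.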
@@ -45,10 +45,11 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K
 }
 if awsKey == "profile" {
 cfg.Credentials = credentials.NewSharedCredentials("", awsSec)
+ } else if awsKey == "iam" {
+ // force use iam role, ignore cre or env
+ cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(session.Must(session.NewSession())))
 } else if awsKey != "" && awsSec != "" {
 cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "")
- } else {
- cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(session.Must(session.NewSession())))
 }
 sess, err := session.NewSession(cfg)
 if err != nil {
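Review bot: `session.Must(session.NewSession())` in the new `iam` branch panics on failure even though NewKmsSigner already returns an error; build the metadata session with `session.NewSession()` and return its error, as in the fence below. The branch also ignores `awsSec`, yet the passphrase parser in the patch-05 hunk rejects any value without a ':', so callers must pass something like `iam:` — state that in the function's doc comment, e.g. `// awsKey "iam": credentials come only from the EC2 instance role via IMDS; awsSec is ignored and env vars / credential files are never consulted`. The sentinels `"iam"` and `"profile"` are compared as bare literals; name them next to `awsCreProfilePre` so CreateSigner and NewKmsSigner cannot drift. NewKmsSigner continues past the end of the hunk.
```go
	} else if awsKey == "iam" {
		// Force the EC2 instance role (IMDS); env vars and credential files are ignored.
		metaSess, err := session.NewSession()
		if err != nil {
			return nil, fmt.Errorf("creating IMDS session: %w", err)
		}
		cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(metaSess))
	} else if awsKey != "" && awsSec != "" {
	// … unchanged: static credentials and session creation …
```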