0.2.3 • Published 3 years ago
fcl-azurevault-authorizer v0.2.3
fcl-azurevault-authorizer
Azure Vault authorizer (signer) for Flow blockchain.
Installation
npm i fcl-azurevault-authorizerUsage
import * as fcl from '@onflow/fcl';
import { AzureVaultAuthorizer } from 'fcl-azurevault-authorizer';
import { DefaultAzureCredential, ClientSecretCredential } from '@azure/identity';
// Key configuration. Store it in env variables or secret manager
const keyId = "https://<vault-name>.vault.azure.net/keys/<key-name>/xxxxxxxxxxxxxxxx";
const keyVaultUrl = 'https://<vault-name>.vault.azure.net';
const keyName = '<key-name>';
// Test transaction
const transaction = `
transaction {
prepare(signer: AuthAccount) {
log("Test transaction signed by fcl-azurevault-authorizer")
}
}
`;
async function main() {
const credential = new DefaultAzureCredential();
// Use ClientSecretCredential if don't want to use DefaultAzureCredential
// const credential = new ClientSecretCredential(
// <tenant-id>,
// <client-id>,
// <client-secret>
// );
// Create an instance of the authorizer
const authorizer = new AzureVaultAuthorizer(
credential, keyId, keyName, keyVaultUrl
);
// address created using public key
const address = '01cf0e2f2f715450';
const keyIndex = 0;
// Sign and send transactions with Azure Vault
const authorization = authorizer.authorize(address, keyIndex);
const response = await fcl.send([
fcl.transaction`${transaction}`,
fcl.args([]),
fcl.proposer(authorization),
fcl.authorizations([authorization]),
fcl.payer(authorization),
fcl.limit(9999),
]);
await fcl.tx(response).onceSealed();
console.log('Transaction Succeeded');
}
main().catch(e => console.error(e));see sign-tx.ts in examples folder for complete example.
Azure Vault setup
Note: In order to use fcl-azurevault-authorizer for remote key management, you'll need a Azure Platform account.
- Open the Azure portal. Select Key Vaults.
- Create a new key vault.
- Select Settings>Keys>Generate
- Select key type -> EC.
- Select Elliptic curve name -> P-256.
- create the key. After creation, select the created key to get more info.
- Copy the Key Identifier, it will be used as
keyIdwhile initializingAzureVaultAuthorizer.
To be able to use it from backend code, use the following steps -
first install azure-cli, az. You can find detailed steps here.
login to authenticate your account using
az login.Create a service principal to enable access to key vault resource -
az ad sp create-for-rbac -n <your-application-name> --skip-assignmentOutput :
{
"appId": "generated-app-ID",
"displayName": "dummy-app-name",
"name": "http://dummy-app-name",
"password": "random-password",
"tenant": "tenant-ID"
}- Use the above returned credentials information to set AZURE_CLIENT_ID(appId), AZURE_CLIENT_SECRET(password) and AZURE_TENANT_ID(tenant) environment variables. The following example shows a way to do this in Bash:
export AZURE_CLIENT_ID="generated-app-ID"
export AZURE_CLIENT_SECRET="random-password"
export AZURE_TENANT_ID="tenant-ID"- Grant the above mentioned application authorization to perform key operations on the keyvault:
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --key-permissions backup create get import list sign verify- To verify the setup, use the above mentioned Key Vault name to retrieve details of your Vault which also contains your Key Vault URL:
az keyvault show --name <your-key-vault-name>Creating an account on testnet via the faucet:
- Get the public key using
authorizer.getPublicKey() - Go to https://testnet-faucet-v2.onflow.org
- Paste the copied public key in the form
- IMPORTANT: Choose SHA2_256 as the hash algorithm (SHA3_256 won't work with the key setup above)
Store the generated address and use it while creating the authorization -
const authorization = authorizer.authorize(accountAddress, keyIndex);Credits
This fcl compatible Azure Vault authorizer is built taking inspiration from fcl-kms-authorizer