Document bulk loading AWS keys (#127)

* Document bulk loading AWS keys * typos * integrate reviewer suggestions * format "and" Signed-off-by: Alexandra Tran <[email protected]>
Consensys · Jun 27, 2022 · 61747ff · 61747ff
1 parent b150539
commit 61747ff
Show file tree

Hide file tree

Showing 2 changed files with 271 additions and 12 deletions.
diff --git a/docs/HowTo/Use-Signing-Keys.md b/docs/HowTo/Use-Signing-Keys.md
@@ -20,13 +20,14 @@ You can configure access to the signing key by:
 
 * [Creating a separate key configuration file] for each signing key.
 * Using the [`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2) to bulk load
-    consensus layer signing keys stored in [Azure Key Vault](#azure-key-vault) or
-    [keystore files](#keystore-files).
+  consensus layer signing keys stored in [Azure Key Vault](#azure-key-vault), [AWS Secrets
+  Manager](#aws-secrets-manager), or [keystore files](#keystore-files).
 
     !!! note
 
-        Bulk-loading is only available when using the consensus layer platform with keys stored in
-        Azure Key Vault or keystore files, and can be used in combination with key configuration files.
+        Bulk loading is only available when using the consensus layer platform with keys stored in
+        Azure Key Vault, AWS Secrets Manager, or keystore files, and can be used in combination with
+        key configuration files.
 
 ## Use key configuration files
 
@@ -49,8 +50,8 @@ to specify the location of the key configuration files.
 
 ### Azure Key Vault
 
-You can bulk load consensus layer keys that are stored in Azure Key Vault. To do this use the
-Web3Signer [`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2).
+You can bulk load consensus layer keys that are stored in Azure Key Vault using the Web3Signer
+[`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2).
 
 !!! example
 
@@ -61,10 +62,23 @@ Web3Signer [`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2)
     --azure-vault-name=AzureKeyVault
     ```
 
+### AWS Secrets Manager
+
+You can bulk load consensus layer keys that are stored in AWS Secrets Manager using the Web3Signer
+[`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2).
+
+!!! example
+
+    ```bash
+    web3signer eth2 --aws-secrets-enabled=true --aws-secrets-access-key-id=AKIAIOSFODNN7EXAMPLE \
+    --aws-secrets-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY \
+    --aws-secrets-region=us-east-2
+    ```
+
 ### Keystore files
 
-You can bulk load consensus layer keys that are stored as keystore files. To do this use the
-Web3Signer [`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2).
+You can bulk load consensus layer keys that are stored as keystore files using the Web3Signer
+[`eth2` subcommand options](../Reference/CLI/CLI-Subcommands.md#eth2).
 
 !!! example
 

diff --git a/docs/Reference/CLI/CLI-Subcommands.md b/docs/Reference/CLI/CLI-Subcommands.md
@@ -84,6 +84,250 @@ When
 set to the maximum number of connections to cache.
 The default is 1.
 
+#### `aws-secrets-enabled`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-enabled=<BOOLEAN>
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-enabled=true
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_ENABLED=true
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-enabled: true
+    ```
+
+Enables [bulk loading keys from AWS Secrets Manager](../../HowTo/Use-Signing-Keys.md#aws-secrets-manager).
+The default is `false`.
+
+#### `aws-secrets-auth-mode`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-auth-mode=<STRING>
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-auth-mode=ENVIRONMENT
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_AUTH_MODE=ENVIRONMENT
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-auth-mode: "ENVIRONMENT"
+    ```
+
+Authentication mode for AWS Secrets Manager.
+Options are `SPECIFIED` and `ENVIRONMENT`.
+The default is `SPECIFIED`.
+
+Set [`--aws-secrets-access-key-id`](#aws-secrets-access-key-id),
+[`--aws-secrets-secret-access-key`](#aws-secrets-secret-access-key), and
+[`--aws-secrets-region`](#aws-secrets-region) if using `SPECIFIED`.
+
+#### `aws-secrets-access-key-id`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-access-key-id=<STRING>
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-access-key-id=AKIAIOSFODNN7EXAMPLE
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-access-key-id: "AKIAIOSFODNN7EXAMPLE"
+    ```
+
+AWS access key ID to authenticate AWS Secrets Manager.
+
+Required when [`--aws-secrets-auth-mode`](#aws-secrets-auth-mode) is `SPECIFIED`.
+
+#### `aws-secrets-secret-access-key`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-secret-access-key=<STRING>
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-secret-access-key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-secret-access-key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    ```
+
+AWS secret access key to authenticate AWS Secrets Manager.
+
+Required when [`--aws-secrets-auth-mode`](#aws-secrets-auth-mode) is `SPECIFIED`.
+
+#### `aws-secrets-region`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-region=<STRING>
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-region=us-east-2
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_REGION=us-east-2
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-region: "us-east-2"
+    ```
+
+AWS region where AWS Secrets Manager is available.
+
+Required when [`--aws-secrets-auth-mode`](#aws-secrets-auth-mode) is `SPECIFIED`.
+
+#### `aws-secrets-prefixes-filter`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-prefixes-filter=<STRING>[,<STRING>,...]
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-prefixes-filter=prefix1,prefix2
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_PREFIXES_FILTER=prefix1,prefix2
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-prefixes-filter: ["prefix1","prefix2"]
+    ```
+
+Optional comma-separated list of secret name prefixes filter to apply while fetching secrets from
+AWS Secrets Manager.
+Applied as `AND` operation with other filters.
+
+#### `aws-secrets-tag-names-filter`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-tag-names-filter=<STRING>[,<STRING>,...]
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-tag-names-filter=tagName1,tagName2
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_TAG_NAMES_FILTER=tagName1,tagName2
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-tag-names-filter: ["tagName1","tagName2"]
+
+    ```
+
+Optional comma-separated list of tag names filter to apply while fetching secrets from AWS Secrets
+Manager.
+Applied as `AND` operation with other filters.
+
+#### `aws-secrets-tag-values-filter`
+
+=== "Syntax"
+
+    ```bash
+    --aws-secrets-tag-values-filter=<STRING>[,<STRING>,...]
+    ```
+
+=== "Example"
+
+    ```bash
+    --aws-secrets-tag-values-filter=tagValue1,tagValue2
+    ```
+
+=== "Environment variable"
+
+    ```bash
+    WEB3SIGNER_ETH2_AWS_SECRETS_TAG_VALUES_FILTER=tagValue1,tagValue2
+    ```
+
+=== "Configuration file"
+
+    ```bash
+    eth2.aws-secrets-tag-values-filter: ["tagValue1","tagValue2"]
+    ```
+
+Optional comma-separated list of tag values filter to apply while fetching secrets from AWS Secrets
+Manager.
+Applied as `AND` operation with other filters.
+
 #### `azure-vault-enabled`
 
 === "Syntax"
@@ -110,7 +354,8 @@ The default is 1.
     eth2.azure-vault-enabled: true
     ```
 
-Allow Web3Signer to bulk load all keys from the specified Azure Vault.
+Enables [bulk loading keys from Azure Key Vault](../../HowTo/Use-Signing-Keys.md#azure-key-vault).
+The default is `false`.
 
 #### `azure-client-id`
 
@@ -226,7 +471,7 @@ The tenant ID of the Azure Portal instance being used.
     ```
 
 Authentication mode for Azure Vault. Options are `CLIENT_SECRET`, `SYSTEM_ASSIGNED_MANAGED_IDENTITY`,
-and `USER_ASSIGNED_MANAGED_IDENTITY`. Defaults to `CLIENT_SECRET`.
+and `USER_ASSIGNED_MANAGED_IDENTITY`. The default is `CLIENT_SECRET`.
 
 Set [`--azure-client-id`](#azure-client-id) if using `CLIENT_SECRET` or
 `USER_ASSIGNED_MANAGED_IDENTITY`.
@@ -285,7 +530,8 @@ Name of the vault to access. Sub-domain of `vault.azure.net`.
     eth2.key-manager-api-enabled: true
     ```
 
-Enables the [key manager API](../../HowTo/Use-Signing-Keys.md#managing-your-keys) when set to `true`. The default is `false`.
+Enables the [key manager API](../../HowTo/Use-Signing-Keys.md#manage-keys).
+The default is `false`.
 
 !!! caution
 
@@ -654,7 +900,6 @@ The default is `true`.
     ```
 
 Enables [slashing protection database pruning](../../HowTo/Configure-Slashing-Protection.md#prune-the-slashing-protection-database).
-
 The default is `false`.
 
 #### `slashing-protection-pruning-epochs-to-keep`