Using Web3Signer with Azure Key Vault
Web3Signer supports using Azure Key Vault to sign payloads in the following ways:
- Using Azure Key Vault to perform the signing operation. Supports SECP256K1 signing keys only.
- Fetching the keys from Azure Key Vault and signing locally.
Web3Signer supports the following authentication modes:
- Azure Active Directory managed identity:
  - System-assigned identities
  - User-assigned identities
- Client secret.
Important
The Azure Active Directory managed identity authentication modes can only be used when fetching keys from Azure Key Vault and signing locally with Web3Signer.
Storing the private key in Azure Key Vault
Register Web3Signer as an application and add a signing key in Azure Key Vault.
Take note of the following values, which you specify in the signing key configuration file or when bulk loading Ethereum 2.0 signing keys:
- Vault name, which is part of the vault URL (for example `https://<vaultname>.vault.azure.net`).
- Client credentials, which can include:
  - Client ID
  - Client secret
  - Tenant ID
  Note
  Depending on the authentication mode, not all client credentials will be available.
- Key name, which is the name of the secret.
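The following is an added example, not configuration from this page or from the Web3Signer project itself. It shows how the values listed above map onto the two signing key configuration file shapes: one where Azure Key Vault performs the signature (which, as the Important note states, must use client-secret authentication and supports SECP256K1 only), and one where Web3Signer fetches the key and signs locally, where a managed identity can be used instead of a stored secret. The parameter names (`type`, `authenticationMode`, `keyType`, `clientId`, `clientSecret`, `tenantId`, `vaultName`, `keyName`, `secretName`) and the `azure-key` / `azure-secret` type values are taken from my understanding of the Web3Signer key configuration file reference, not from this page, so check them against the reference for your Web3Signer version; every value in angle brackets is a constructed placeholder.

```yaml
# Added example; not from the Web3Signer docs page above.
# Parameter names follow the Web3Signer key configuration file reference as
# understood by the editor (assumption: verify for your version).
# All <...> values are constructed placeholders.
#
# File 1: remote signing. Azure Key Vault holds the key and produces the
# signature; Web3Signer only forwards the payload. Per the page, this path
# requires client-secret authentication and supports SECP256K1 keys only.
type: "azure-key"
vaultName: "<vaultname>"        # from https://<vaultname>.vault.azure.net
keyName: "<keyname>"            # name of the key object in the vault
clientId: "<client-id>"         # application (client) ID of the registered app
clientSecret: "<client-secret>" # stored on disk: restrict file permissions
tenantId: "<tenant-id>"
---
# File 2: local signing. The key material is fetched from Key Vault as a
# secret and the signature is produced by Web3Signer, so managed identity
# is permitted. No clientId/clientSecret/tenantId need to be written to disk.
type: "azure-secret"
keyType: "BLS"                  # assumption: BLS or SECP256K1; BLS for Ethereum 2.0 keys
authenticationMode: "SYSTEM_ASSIGNED_MANAGED_IDENTITY"
vaultName: "<vaultname>"
secretName: "<secretname>"      # name of the secret holding the private key
```

Web3Signer reads one signing key configuration per file, so the two documents above would live in two separate files under the key-store directory; the `---` separator is only used here to show both shapes in a single block. From a defender's standpoint, the practical difference is where the long-lived credential lives: with `azure-key` the `clientSecret` sits in the configuration file and must be protected by filesystem permissions and rotated in Azure AD, whereas a managed identity under `azure-secret` removes the stored secret entirely, at the cost of the private key material leaving the vault and being held in Web3Signer's memory.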