The Sui KMS Signers package provides a set of tools for securely signing transactions using Key Management Services (KMS) like AWS KMS and GCP KMS.
The AWS KMS Signer allows you to leverage AWS's Key Management Service to sign Sui transactions.
import { AwsKmsSigner } from '@mysten/signers/aws';
const prepareSigner = async () => {
const { AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_KMS_KEY_ID } = process.env;
return AwsKmsSigner.fromKeyId(AWS_KMS_KEY_ID, {
region: AWS_REGION,
accessKeyId: AWS_ACCESS_KEY_ID,
secretAccessKey: AWS_SECRET_ACCESS_KEY,
});
};
Create an AWS KMS signer from AWS Key ID and AWS credentials. This method initializes the signer with the necessary AWS credentials and region information, allowing it to interact with AWS KMS to perform cryptographic operations.
const signer = await AwsKmsSigner.fromKeyId('your-kms-key-id', {
region: 'us-west-2',
accessKeyId: 'your-access-key-id',
secretAccessKey: 'your-secret-access-key',
});
Returns Promise<AwsKmsSigner> An instance of AwsKmsSigner.
Notice: AWS Signer requires Node >=20 due to dependency on crypto
The GCP KMS Signer allows you to leverage Google Cloud's Key Management Service to sign Sui transactions.
Create a GCP KMS signer from the provided options. This method initializes the signer with the necessary GCP credentials and configuration, allowing it to interact with GCP KMS to perform cryptographic operations.
options
object An
object containing GCP credentials and configuration.
const signer = await GcpKmsSigner.fromOptions({
projectId: 'your-google-project-id',
location: 'your-google-location',
keyRing: 'your-google-keyring',
cryptoKey: 'your-google-key-name',
cryptoKeyVersion: 'your-google-key-name-version',
});
// Retrieve the public key and get the Sui address
const publicKey = signer.getPublicKey();
console.log(publicKey.toSuiAddress());
// Define a test message
const testMessage = 'Hello, GCP KMS Signer!';
const messageBytes = new TextEncoder().encode(testMessage);
// Sign the test message
const { signature } = await signer.signPersonalMessage(messageBytes);
// Verify the signature against the public key
const isValid = await publicKey.verifyPersonalMessage(messageBytes, signature);
console.log(isValid); // Should print true if the signature is valid
The Ledger Signer allows you to leverage a Ledger hardware wallet to sign Sui transactions.
Creates a Ledger signer from the provided options. This method initializes the signer with the necessary configuration, allowing it to interact with a Ledger hardare wallet to perform cryptographic operations.
options
object An
object containing GCP credentials and configuration.
projectId
string
The GCP project ID.import Transport from '@ledgerhq/hw-transport-node-hid';
import SuiLedgerClient from '@mysten/ledgerjs-hw-app-sui';
import { LedgerSigner } from '@mysten/signers/ledger';
import { SuiClient } from '@mysten/sui/client';
import { Transaction } from '@mysten/sui/transactions';
const transport = await Transport.open(undefined);
const ledgerClient = new SuiLedgerClient(transport);
const suiClient = new SuiClient({ url: getNetworkUrl('testnet') });
const signer = await LedgerSigner.fromDerivationPath({
derivationPath: "m/44'/784'/0'/0'/0'",
ledgerClient,
suiClient,
});
// Log the Sui address:
console.log(signer.toSuiAddress());
// Define a test transaction:
const testTransaction = new Transaction();
const transactionBytes = await testTransaction.build();
// Sign a test transaction:
const { signature } = await signer.signTransaction(transactionBytes);
console.log(signature);