The AzureSigningManager implements the Polymesh SDK signing manager interface. This allows Polymesh transactions to be signed with keys held in a Microsoft Azure key vault. The keys must be of type "EC" and use the curve "P-256K"; the signing manager ignores keys of any other type or curve.
```typescript
import { AzureSigningManager } from '@polymeshassociation/azure-signing-manager';
import { Polymesh } from '@polymeshassociation/polymesh-sdk';

// Defaults to constructing `new DefaultAzureCredential()` for the credential
const signingManager = new AzureSigningManager({
  keyVaultUrl: 'https://somekeyvault.vault.azure.net/',
});

const polymesh = await Polymesh.connect({
  nodeUrl, // URL of the Polymesh node to connect to (defined elsewhere in your code)
  signingManager,
});

// Keys can be created in the Azure UI or CLI as well
const newKey = await signingManager.createKey('myKey');
// The address is the primary way of specifying public keys on Polymesh
console.log('created key with address: ', newKey.address);
```
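Because the signing manager silently skips every key that is not EC / P-256K, it is useful to check up front which keys in a vault it will actually pick up. The following is an added example, not code from the azure-signing-manager package or the Polymesh SDK. It runs offline against a constructed listing: `VaultKeyView` is a hand-written, flattened subset of the fields Azure's `KeyClient` returns for a key (`keyType`, `key.crv`, `properties.enabled`), and the disabled-key check is an added sanity check rather than part of the page's stated rule. Note that Azure reports HSM-backed EC keys with key type "EC-HSM"; the page names "EC" only, so the example follows the page literally.

```typescript
// Pre-flight check: which keys in a vault will the AzureSigningManager pick up?
// Added example; it does not depend on the Azure SDK being installed.

/** Flattened subset of what `KeyClient.getKey()` returns (assumption: these fields suffice). */
interface VaultKeyView {
  name: string;
  keyType: string;   // JsonWebKey "kty", e.g. "EC", "RSA", "oct"
  curve?: string;    // JsonWebKey "crv", e.g. "P-256K", "P-256"; absent for non-EC keys
  enabled?: boolean; // key attribute; undefined is treated as enabled
}

const REQUIRED_KEY_TYPE = 'EC';
const REQUIRED_CURVE = 'P-256K'; // secp256k1, the curve Polymesh accounts use

interface EligibilityReport {
  eligible: string[];
  ignored: { name: string; reason: string }[];
}

/** Returns why the signing manager would not use this key, or null if it is usable. */
function ineligibilityReason(k: VaultKeyView): string | null {
  if (k.enabled === false) return 'key is disabled in the vault';
  if (k.keyType !== REQUIRED_KEY_TYPE) {
    return `key type is ${k.keyType}, expected ${REQUIRED_KEY_TYPE}`;
  }
  if (k.curve !== REQUIRED_CURVE) {
    return `curve is ${k.curve ?? 'unset'}, expected ${REQUIRED_CURVE}`;
  }
  return null;
}

/** Splits a vault listing into keys the manager will sign with and keys it will ignore. */
function classifyVaultKeys(keys: VaultKeyView[]): EligibilityReport {
  const report: EligibilityReport = { eligible: [], ignored: [] };
  for (const k of keys) {
    const reason = ineligibilityReason(k);
    if (reason === null) report.eligible.push(k.name);
    else report.ignored.push({ name: k.name, reason });
  }
  return report;
}

// Constructed sample of what a vault listing might contain (not real keys).
const SAMPLE_VAULT_KEYS: VaultKeyView[] = [
  { name: 'myKey', keyType: 'EC', curve: 'P-256K', enabled: true },
  { name: 'tls-signing', keyType: 'RSA', enabled: true },
  { name: 'nist-curve', keyType: 'EC', curve: 'P-256', enabled: true },
  { name: 'retired-key', keyType: 'EC', curve: 'P-256K', enabled: false },
];

const report = classifyVaultKeys(SAMPLE_VAULT_KEYS);
console.log('usable for Polymesh signing:', report.eligible);
for (const { name, reason } of report.ignored) {
  console.log(`ignored ${name}: ${reason}`);
}
```

In a real deployment you would populate `VaultKeyView` from `KeyClient.listPropertiesOfKeys()` followed by `getKey()` for each name, since the listing alone does not expose the curve. Running the check once at startup, and logging every ignored key with its reason, turns a silent skip into an explicit signal.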
To authorize access to the key vault, a `DefaultAzureCredential` is created. By default it searches for a credential in this order:

1. `EnvironmentCredential`
2. `WorkloadIdentityCredential`
3. `ManagedIdentityCredential`
4. `AzureCliCredential`
5. `AzurePowerShellCredential`
6. `AzureDeveloperCliCredential`

More details about authorization can be found in the Azure Docs. Optionally, a credential can be passed instead.
The identity will need permission to read and to sign with the keys. For the `createKey` function to work, the create permission is required as well. At least one of the roles "Key Vault Crypto User" or "Key Vault Crypto Officer" should be assigned. There is more info in the official guide.
Storing many HSM keys can be pricey:

| Keys | Price |
| --- | --- |
| First 250 keys | $5 per key per month |
| 251 – 1,500 keys | $2.50 per key per month |
| 1,501 – 4,000 keys | $0.90 per key per month |
| 4,001+ keys | $0.40 per key per month |

plus $0.15 per 10,000 transactions. Only actively used HSM-protected keys (used in the prior 30-day period) incur the per-key charge, whereas software-protected keys are charged only the per-transaction fee of $0.15 per 10,000. See the pricing page for details.

If your use case needs a large number of keys, please reach out via support to find the best key storage solution.