# AWS Setup Guide for Skuchain Admin

## Initial AWS Setup

### 1. AWS Account Creation

As an Admin:

- Create an AWS root user account using the AWS Management Console.
- Set up an initial AWS Access Key ID and Secret Access Key using the AWS Management Console.

### 2. Install AWS CLI

In the terminal:

```bash
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
```

### 3. Configure AWS CLI

```bash
aws configure
```

NOTE: Enter the Access Key ID and Secret Access Key created through the AWS Management Console. AWS recommends against creating long-lived access keys for the root user; where possible, create them for an IAM user (or assume a role) with administrator permissions and keep the root credentials for account recovery only.
## Lambda Function Setup

### 1. Create a Trust Policy JSON File

A trust policy defines which AWS services or users can assume a specific role. Here we create a trust policy for AWS Lambda, allowing the Lambda service (and only that service) to assume the role and perform the actions granted by the role's permissions policy. This ensures that only the intended service can use the role to reach sensitive resources.

- Create a file named `trust-policy.json` with the following content:

```bash
echo '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}' > trust-policy.json
```

### 2. Create Lambda Role and Set Permissions

Use the trust policy to create the role that Lambda will assume. The role name must match the one referenced by the later `attach-role-policy` and `create-function` commands (`EthereumLambdaSigner`):

```bash
# Create role
aws iam create-role --role-name EthereumLambdaSigner --assume-role-policy-document file://trust-policy.json --output json
```

### 3. Create Lambda IAM Policy

This policy defines the AWS resources and actions that the Lambda function can access. Permissions include writing CloudWatch logs, reading and writing secrets in Secrets Manager, and reading the inline policies of IAM users. The account ID `489278327972` in the ARNs below is the one used throughout this guide; replace it with your own account ID.

Create a file named `lambda-policy.json` with the following content:
```bash
echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUserPolicies",
        "iam:GetUserPolicy"
      ],
      "Resource": "arn:aws:iam::489278327972:user/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:PutSecretValue"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:489278327972:secret:*"
    }
  ]
}' > lambda-policy.json
```

Then create the policy and attach it to the role:

```bash
aws iam create-policy --policy-name EthereumLambdaFullPolicy --policy-document file://lambda-policy.json --output json
aws iam attach-role-policy --role-name EthereumLambdaSigner --policy-arn arn:aws:iam::489278327972:policy/EthereumLambdaFullPolicy --output json
```
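Before attaching a policy it is worth checking that the trust policy only lets the intended service principal assume the role and that the permissions policy does not reach beyond this account. The following script is an added example for this guide, not part of the guide's commands or of the skc-cloud-signer project: `TRUST_POLICY` and `LAMBDA_POLICY` are the documents from `trust-policy.json` and `lambda-policy.json` above (account `489278327972` as in the guide), while `OPEN_TRUST_POLICY` is a constructed counter-example with an `"AWS": "*"` principal.

```python
"""Least-privilege lint for the Lambda role's trust policy and permissions policy.

Added example for this guide; not part of the guide's own commands or of the
skc-cloud-signer project. TRUST_POLICY and LAMBDA_POLICY are the documents from
trust-policy.json and lambda-policy.json (account 489278327972 as in the guide);
OPEN_TRUST_POLICY is a constructed counter-example.
"""
import json

TRUST_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":'
    '{"Service":"lambda.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
)

# Constructed counter-example: any AWS principal could assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow",
         "Action": ["iam:ListUserPolicies", "iam:GetUserPolicy"],
         "Resource": "arn:aws:iam::489278327972:user/*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
                    "secretsmanager:PutSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:489278327972:secret:*"},
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Service fields."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, allowed_services=("lambda.amazonaws.com",)):
    """Return a list of problems found in a role trust policy.

    Only service principals listed in allowed_services may call sts:AssumeRole;
    account/user principals, a bare "*", or any other action are reported.
    """
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or not isinstance(principal, dict) or "AWS" in principal:
            problems.append(f"statement {i}: non-service principal {principal!r}")
            continue
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                problems.append(f"statement {i}: unexpected service principal {svc}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                problems.append(f"statement {i}: unexpected action {action}")
    return problems


def find_broad_statements(policy, account_id):
    """Return (statement index, kind, value) for Allow statements that grant more
    than intended: wildcard actions ("*" or "service:*"), a bare "*" resource, or
    an ARN whose account field is neither empty (global service) nor account_id.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "wildcard-action", action))
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append((i, "unscoped-resource", res))
                continue
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) == 6 and parts[4] not in ("", account_id):
                findings.append((i, "foreign-or-wildcard-account", res))
    return findings


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "ok")
    print("open trust policy:", check_trust_policy(OPEN_TRUST_POLICY))
    for finding in find_broad_statements(LAMBDA_POLICY, "489278327972"):
        print("lambda policy:", finding)
```

Run against the guide's documents, the trust policy passes and the only finding on `lambda-policy.json` is the logs statement, whose `arn:aws:logs:*:*:*` resource spans every account and region; pinning it to `arn:aws:logs:us-east-1:489278327972:*` removes that finding without affecting the function.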
### 4. Create a Lambda zip function

Clone the repository that performs the transaction signing inside the Lambda function:

```bash
git clone -b dev git@bitbucket.org:skutrondev/skc-cloud-signer.git
cd skc-cloud-signer
npm install
```

- Create a zip file of the signer for upload to Lambda:

```bash
zip -r eth-sign.zip .
```

### 5. Create Lambda Function

Create a Lambda function using the zip file created above:

```bash
aws lambda create-function --function-name EthereumLambdaSigner \
    --zip-file fileb://eth-sign.zip --handler index.handler --runtime nodejs20.x \
    --role arn:aws:iam::489278327972:role/EthereumLambdaSigner --output json
```

Update the function's timeout setting:

```bash
aws lambda update-function-configuration \
    --function-name EthereumLambdaSigner \
    --timeout 30 --output json
```
## AWS API Gateway and Lambda Integration Setup

This section walks you through setting up an API Gateway REST API integrated with the Lambda function, using AWS CLI commands.

### 1. Create REST API

```bash
export API_ID=$(aws apigateway create-rest-api --name "LambdaEthSignerAPI" --region us-east-1 --query 'id' --output text)
```

This creates a new REST API and stores its ID in the `API_ID` variable.

### 2. Get Root Resource ID

```bash
export ROOT_RESOURCE_ID=$(aws apigateway get-resources --rest-api-id $API_ID --region us-east-1 --query 'items[0].id' --output text)
```

Retrieves the ID of the root resource (`/`) of the API. On a freshly created API the root is the only resource, so `items[0]` is safe; against an API that already has resources, select by path instead (`--query "items[?path=='/'].id"`).

### 3. Create Resource

```bash
export RESOURCE_ID=$(aws apigateway create-resource --rest-api-id $API_ID --parent-id $ROOT_RESOURCE_ID --path-part "sign" --region us-east-1 --query 'id' --output text)
```

Creates a new resource named "sign" under the root resource.

### 4. Create Method

```bash
aws apigateway put-method --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method POST --authorization-type "AWS_IAM" --region us-east-1 --output json
```

Creates a POST method on the "sign" resource with IAM authorization (`AWS_IAM`): callers must sign their requests with IAM credentials that carry `execute-api:Invoke` on this method, which is what the per-organization user policy later in this guide grants.

### 5. Set Lambda Function ARN

Set `LAMBDA_ARN` to the ARN of the Lambda function created above:

```bash
export LAMBDA_ARN="arn:aws:lambda:us-east-1:<your-account-id>:function:EthereumLambdaSigner"
```

Replace `<your-account-id>` with your AWS account ID.

### 6. Set Up Lambda Integration

```bash
aws apigateway put-integration --rest-api-id $API_ID --resource-id $RESOURCE_ID --http-method POST --type AWS_PROXY --integration-http-method POST --uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/$LAMBDA_ARN/invocations --region us-east-1 --output json
```

Integrates the Lambda function with the API Gateway as a proxy integration.

### 7. Deploy API

```bash
aws apigateway create-deployment --rest-api-id $API_ID --stage-name prod --region us-east-1 --output json
```

Deploys the API to a "prod" stage.

### 8. Add Lambda Permission

```bash
aws lambda add-permission --function-name EthereumLambdaSigner --statement-id apigateway-test --action lambda:InvokeFunction --principal apigateway.amazonaws.com --source-arn "arn:aws:execute-api:us-east-1:<your-account-id>:$API_ID/*/POST/sign" --region us-east-1 --output json
```

Grants API Gateway permission to invoke the Lambda function, restricted by `--source-arn` to the POST /sign method of this API. Replace `<your-account-id>` with your AWS account ID.
## Create IAM Users for Organizations

Creating a separate IAM user for each organization enhances security by giving each organization its own access keys, policies and permissions.

Each organization has its own IAM user and a unique secret path in AWS Secrets Manager, so only that organization's user can read its mnemonics and no other organization can reach them. This setup allows secure management, auditing, and control of sensitive information.

Create a bash script named `create_org_users.sh` with the following content:

```bash
#!/bin/bash
# Set your AWS region
export AWS_REGION="us-east-1"

# Create an organization user and attach its consolidated inline policy.
# Arguments: org name, Lambda function name, Secrets Manager secret name, API Gateway API id.
create_org_user() {
    org_name=$1
    lambda_function=$2
    secret_name=$3
    api_id=$4
    echo "Registering $org_name..."
    aws iam create-user --user-name "$org_name-user" --output json
    # The secret access key is only returned once, so it is printed here for the
    # admin to hand to the organization; deliver it out-of-band and do not log it.
    ACCESS_KEY=$(aws iam create-access-key --user-name "$org_name-user" --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text)
    echo 'ACCESS_KEY:' $ACCESS_KEY
    # Add Secrets Manager, Lambda and API Gateway permissions to the user.
    # The arguments are spliced into the JSON by closing and reopening the single
    # quotes, so they must not contain quotes or other JSON metacharacters.
    aws iam put-user-policy \
        --user-name "$org_name-user" \
        --policy-name "$org_name-consolidated-policy" \
        --policy-document '{
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue"
              ],
              "Resource": "arn:aws:secretsmanager:us-east-1:489278327972:secret:'$secret_name'/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "lambda:InvokeFunction"
              ],
              "Resource": "arn:aws:lambda:us-east-1:489278327972:function:'$lambda_function'"
            },
            {
              "Effect": "Allow",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:489278327972:'$api_id'/prod/POST/sign"
            },
            {
              "Effect": "Allow",
              "Action": [
                "apigateway:*"
              ],
              "Resource": "*"
            }
          ]
        }' \
        --region $AWS_REGION --output json
    echo "$org_name registered."
}

# Check if all required arguments are provided
if [ "$#" -ne 4 ]; then
    echo "Usage: ./create_org_users.sh <org_name> <lambda_function_name> <secret_name> <api_id>"
    exit 1
fi

# Call the function with the provided arguments
create_org_user "$1" "$2" "$3" "$4"
```

Run the script to create IAM users for organizations:

```bash
chmod +x create_org_users.sh
./create_org_users.sh <org_name> <lambda_function_name> <secret_name> <api_id>
```

This completes the AWS setup process for a Skuchain admin. The script registers the organization's user, attaches the permissions needed to manage its secrets and invoke the signing Lambda function and API, and generates access keys for each organization. Note that the final statement of the inline policy grants `apigateway:*` on `*`, which is control-plane access to every API in the account; calling the deployed signing endpoint only requires `execute-api:Invoke` on the `prod/POST/sign` method, so consider removing that statement.
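The script above builds the policy by splicing its arguments into a single-quoted JSON string, so a stray quote or brace in an argument breaks (or silently changes) the document. The following is an added example for this guide, not part of `create_org_users.sh` or of the skc-cloud-signer project: it builds the same Secrets Manager, Lambda and `execute-api` statements from validated inputs with `json.dumps`, and returns the `aws iam put-user-policy` command as an argv list so the JSON never passes through shell quoting. Account `489278327972` and region `us-east-1` are the guide's; the character-set patterns are conservative subsets of what AWS accepts, and the sample values in `main` (`acme`, `acme-mnemonic`, `abc123def4`) are constructed.

```python
"""Build an organization's consolidated IAM policy from validated inputs.

Added example for this guide; not part of create_org_users.sh or of the
skc-cloud-signer project. Assembles the same Secrets Manager, Lambda and
execute-api statements as the script's put-user-policy call from checked values
with json.dumps instead of splicing shell arguments into a JSON string. Account
489278327972 and region us-east-1 are the guide's; the sample values in main()
are constructed.
"""
import json
import re

# Accepted character sets (conservative subsets of what AWS allows for each name).
ORG_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,50}$")      # "-user" is appended by the script
LAMBDA_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
SECRET_NAME_RE = re.compile(r"^[A-Za-z0-9/_+=.@-]{1,512}$")
API_ID_RE = re.compile(r"^[a-z0-9]{10}$")                # REST API ids are 10 lowercase alphanumerics
ACCOUNT_ID_RE = re.compile(r"^[0-9]{12}$")


def validate_inputs(org_name, lambda_function, secret_name, api_id, account_id):
    """Raise ValueError if any value could escape its ARN or the JSON document."""
    for label, value, pattern in (
        ("org_name", org_name, ORG_NAME_RE),
        ("lambda_function", lambda_function, LAMBDA_NAME_RE),
        ("secret_name", secret_name, SECRET_NAME_RE),
        ("api_id", api_id, API_ID_RE),
        ("account_id", account_id, ACCOUNT_ID_RE),
    ):
        if not pattern.fullmatch(value):
            raise ValueError(f"{label} {value!r} is outside the allowed character set or length")


def build_org_policy(org_name, lambda_function, secret_name, api_id,
                     account_id="489278327972", region="us-east-1"):
    """Return the organization's policy document as a dict.

    The script's final apigateway:* on * statement is deliberately not reproduced:
    invoking the deployed API needs execute-api:Invoke, not control-plane access.
    """
    validate_inputs(org_name, lambda_function, secret_name, api_id, account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue",
                           "secretsmanager:CreateSecret",
                           "secretsmanager:PutSecretValue"],
                # The trailing "/*" confines the org to secrets under its own path.
                "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}/*",
            },
            {
                "Effect": "Allow",
                "Action": ["lambda:InvokeFunction"],
                "Resource": f"arn:aws:lambda:{region}:{account_id}:function:{lambda_function}",
            },
            {
                "Effect": "Allow",
                "Action": "execute-api:Invoke",
                # Only the POST /sign method of the prod stage of this API.
                "Resource": f"arn:aws:execute-api:{region}:{account_id}:{api_id}/prod/POST/sign",
            },
        ],
    }


def put_user_policy_argv(org_name, policy):
    """argv for `aws iam put-user-policy`, to be passed to subprocess.run without
    a shell so the policy JSON is handed over as a single argument."""
    return [
        "aws", "iam", "put-user-policy",
        "--user-name", f"{org_name}-user",
        "--policy-name", f"{org_name}-consolidated-policy",
        "--policy-document", json.dumps(policy, separators=(",", ":")),
        "--output", "json",
    ]


if __name__ == "__main__":
    # Constructed sample values; the org name is validated before anything is built.
    policy = build_org_policy("acme", "EthereumLambdaSigner", "acme-mnemonic", "abc123def4")
    print(json.dumps(policy, indent=2))
    print(" ".join(put_user_policy_argv("acme", policy)[:7]), "...")
```

Pass the argv list to `subprocess.run(argv, check=True)` (or write the JSON to a file and use `file://`) rather than joining it into a shell command line, so the validated document reaches the CLI unchanged.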