Merge pull request #232 from 0xPolygonID/issuer-node-kms

update KMS config docs

Author: 0xpulkit

docs/issuer/issuer-configuration.md

@@ -95,7 +95,88 @@ then:
 * OnChain - `Iden3commRevocationStatusV1.0` and `Iden3OnchainSparseMerkleTreeProof2023` credential status type
 * All - All the statuses.
 
+## KMS Configuration
 
+Credentials issued by the issuer node are signed using a private key tied to the identity responsible for issuing them. Each identity can have one or more BabyJubJub (BJJ) type private keys. Additionally, the issuer node supports creating Ethereum-controlled identities, where both a BJJ key and an Ethereum (ETH) key are associated with the identity.
+
+#### Identity Types and State Transitions
+- BJJ-Based Identity:
+  - A BJJ type key is generated for the identity to sign credentials and generate zk-proofs for state transitions.
+  - A shared ETH type key (imported during setup) is used to publish zk-proofs on-chain.
+
+- ETH-Based Identity:
+  - Both a BJJ type key and an ETH type key are generated for the identity.
+  - The BJJ type key is used to signs the credentials.
+  - Only the ETH type key is involved in state transition.
+  
+The issuer node integrates with various key management solutions to create, sign, and store these keys securely. Depending on your setup, here’s an overview of the available options:
+
+| **KMS Service**       | **Supported Key Types** | **Purpose**                              | **Recommended For**      |
+|------------------------|-------------------------|------------------------------------------|--------------------------|
+| HashiCorp Vault        | BJJ, ETH               | Secure key creation and storage          | Production               |
+| AWS Secrets Manager    | BJJ, ETH               | Secure key storage                       | Production               |
+| AWS KMS                | ETH (only)             | Secure ETH key creation and signing      | Production (ETH only)    |
+| Localstorage           | BJJ, ETH               | Local storage for testing                | Testing Only             |
+
+
+### HashiCorp Vault
+The issuer node integrates with HashiCorp Vault, delegating the creation, signing, and secure storage of both BJJ and ETH keys via a Vault plugin. To configure the issuer node to use Vault as a Key Management Service (KMS), update the .env-issuer file as follows:
+
+```bash
+ISSUER_KMS_BJJ_PROVIDER=vault
+ISSUER_KMS_ETH_PROVIDER=vault
+
+ISSUER_VAULT_USERPASS_AUTH_ENABLED=true
+ISSUER_VAULT_USERPASS_AUTH_PASSWORD=<your-vault-issuernode-password>
+ISSUER_KEY_STORE_ADDRESS=<your-vault-url>
+```
+For detailed steps to configure the Vault plugin, refer to the Docker-based setup in the following repository: [HashiCorp Vault Setup](https://github.com/0xPolygonID/issuer-node/blob/main/infrastructure/local/.vault/scripts/init.sh).
+
+### AWS Secrets Manager
+In this configuration, the issuer node handles the creation of private keys, which are securely stored in AWS Secrets Manager.
+
+Update the .env-issuer file as follows:
+
+```bash
+ISSUER_KMS_BJJ_PROVIDER=aws-sm
+ISSUER_KMS_ETH_PROVIDER=aws-sm
+
+ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
+ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
+ISSUER_KMS_AWS_REGION=<your-aws-region>
+```
+:::note
+ Ensure the credentials you use have the necessary permissions to access AWS Secrets Manager.
+:::
+Learn more about AWS Secrets Manager here: [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/.)
+
+### AWS KMS Service (Only for ETH Keys)
+Alternatively, AWS KMS can be used exclusively for managing and signing ETH keys, delegating their creation and secure storage to the AWS KMS service.
+
+To configure this setup, update the .env-issuer file as follows:
+
+```bash
+ISSUER_KMS_BJJ_PROVIDER=<localstorage | vault | aws-sm>
+ISSUER_KMS_ETH_PROVIDER=aws-kms
+
+ISSUER_KMS_AWS_ACCESS_KEY=<your-aws-access-key>
+ISSUER_KMS_AWS_SECRET_KEY=<your-aws-secret-key>
+ISSUER_KMS_AWS_REGION=<your-aws-region>
+```
+:::note
+Ensure your credentials have the necessary permissions for AWS KMS.
+:::
+Learn more about AWS KMS service: [AWS KMS](https://aws.amazon.com/kms/?nc1=h_ls)
+
+### Localstorage (For Testing Only)
+For testing purposes, both BJJ and ETH keys can be stored locally as flat files. This option is not recommended for production environments due to its lack of security.
+
+To enable this setup, update the .env-issuer file as follows:
+
+```bash
+ISSUER_KMS_BJJ_PROVIDER=localstorage
+ISSUER_KMS_ETH_PROVIDER=localstorage
+```
 
 
 

docs/issuer/setup-issuer-core.md

@@ -68,44 +68,14 @@ cp .env-issuer.sample .env-issuer
 
 3. Key Management System (KMS) Setup
 
-  Please Look at the [KMS configuration](https://github.com/0xPolygonID/issuer-node/blob/main/.env-issuer.sample#L21) in the sample file and file your .env-issuer config file accordingly.
-
-  The Issuer Node allows you to choose between two key management systems for managing private keys: local storage (default) or [Vault](https://www.vaultproject.io/). It is recommended to use Vault for production environments for enhanced security.
-
-  - Local Storage:
-    - If you opt for local storage, set the following in your .env-issuer file:
-
-    ```bash
-    ISSUER_KMS_BJJ_PROVIDER=localstorage
-    ISSUER_KMS_ETH_PROVIDER=localstorage
-    ```
-
-    - Specify the path for local storage:
-
-    ```bash
-    ISSUER_KMS_PROVIDER_LOCAL_STORAGE_FILE_PATH=./localstoragekeys
-    ```
-  
-  - Vault:
-    - For Vault configuration, ensure that you set the Vault address, plugin, and authentication method properly:
-
-    ```bash
-    ISSUER_KMS_BJJ_PROVIDER=vault
-    ISSUER_KMS_ETH_PROVIDER=vault
-    ISSUER_KEY_STORE_ADDRESS=http://vault:8200
-    ISSUER_KEY_STORE_PLUGIN_IDEN3_MOUNT_PATH=iden3
-    ```
-
-    - Optionally, configure authentication and TLS if necessary:
-
-    ```bash
-    ISSUER_VAULT_USERPASS_AUTH_ENABLED=true
-    ISSUER_VAULT_USERPASS_AUTH_PASSWORD=<your_password>
-    ISSUER_VAULT_TLS_ENABLED=false  # Set to true if TLS is needed
-    ISSUER_VAULT_TLS_CERT_PATH=<path_to_certificate>
-    ```
+ The Issuer Node supports multiple Key Management System (KMS) options for securely creating, signing, and managing private keys. Depending on your setup, you can choose one or more of the following options:
 
+    - HashiCorp Vault
+    - AWS Secrets Manager
+    - AWS KMS (for ETH keys only)
+    - Local Storage (for testing only)
 
+ To configure your KMS, refer to the [sample .env-issuer file](https://github.com/0xPolygonID/issuer-node/blob/main/.env-issuer.sample#L21) and update your .env-issuer config file accordingly to your selected KMS. Detailed instructions and guidance on how to choose the right option for your use case can be found on the [KMS Configuration section](./issuer-configuration.md/#kms-configuration).
 
 3. Import Ethereum Private Key