Use Web3Signer with Azure Key Vault
Web3Signer supports using Azure Key Vault to sign payloads in the following ways:
- Using Azure Key Vault to perform the signing operation. Supports SECP256K1 signing keys only.
- Fetching the keys from Azure Key Vault and signing locally.
Web3Signer supports the following authentication modes:
- Azure Active Directory managed identity:
- System-assigned identities
- User-assigned identities
- Client secret.
Important
The Azure Active Directory managed identity authentication modes can only be used when fetching keys from Azure Key Vault and signing locally with Web3Signer.
Store a private key in Azure Key Vault
Register Web3Signer as an application and add a signing key in Azure Key Vault.
Take note of the following to specify when configuring the signing key configuration file or bulk loading signing keys:
- Vault name, which is part of the URL (for example
https://<vaultname>.vault.azure.net
). - Client credentials, which can include:
- Client ID
- Client secret
- Tenant ID
note
Depending on the authentication mode, not all client credentials are available.
- Key name, which is the name of the secret.