# fabric-sdk-kvs-secretsmanager

A pluggable key value store for storing and retrieving secrets generated by fabric-sdk-node onto AWS Secrets Manager. This can be installed via NPM.

The default KeyValStore used by fabric-sdk-node is file-based. If multiple EC2 instances or AWS Lambda is used as Hyperledger Fabric Clients, this pluggable KeyValStore implementation can be used by all clients.

# Resources
https://aws.amazon.com/secrets-manager/
https://fabricdocs.readthedocs.io/en/latest/nodeSDK/node-sdk-indepth.html#pluggability

## Install

```bash
npm i fabric-sdk-kvs-secretsmanager
```

## Config

1. configure your network definition to use AWS Secrets Manager. Note that the parameter called 'profile' below should be used for development purpose only. The AWS credentials should come from IAM role attached to the lambda function or EC2.

```yaml
# your network.yaml
client:
  # node.js SDK supports pluggable KV stores, the properties under "credentialStore"
  # are implementation specific
  credentialStore:
    url: 'https://secretsmanager.us-east-1.amazonaws.com'
    region: 'us-east-1'
    profile: 'test' # This parameter called profile should be used for development purpose only. The AWS credentials should come from IAM role attached to the lambda function or EC2. 

    # Specific to the CryptoSuite implementation. Software-based implementations like
    # CryptoSuite_ECDSA_AES.js requires a key store. PKCS#11 based implementations does
    # not.
    cryptoStore:
      # Specific to the underlying KeyValueStore that backs the crypto key store.
      url: 'https://secretsmanager.us-east-1.amazonaws.com'
      region: 'us-east-1'
      profile: 'test'  # This parameter called profile should be used for development purpose only. The AWS credentials should come from IAM role attached to the lambda function or EC2.
```

2. config fabric-sdk-node to use fabric-ca-kvs-secretsmanager 

```javascript
const Client = require('fabric-client');

//set the key-value-store to use fabric-sdk-kvs-secretsmanager
Client.setConfigSetting('key-value-store', 'fabric-sdk-kvs-secretsmanager');

// load the network.yaml 
const client = Client.loadFromConfig('<path-to-your-network.yaml>');

// initialize credential stores to use AWS Secrets Manager
await client.initCredentialStores();

// then you can set and get secrets from secrets manager via this module

const user = await client.loadUserFromStateStore(username);
await client.setUserContext(user);

// now you can run invoke/query with this identity

```

## Check the credentials from AWS
use AWS Console to see what is in AWS Secrets Manager.

## License
 
This library is licensed under the Apache 2.0 License.