在开发以太坊应用时难免会遇到后端服务也需要 wallet 的场景，此时如何安全地创建服务端 wallet 就成了首先要解决的问题。 safe-signer 为这个问题提供了便捷的解决方案，开发者可以通过它方便地从第三方安全存储（即私钥的保存地）创建出 ethers.Signer。当前版本支持：

• 私钥（仅限于测试，不建议用在生产环境中使用）
• AWS Secrets Manager
• AWS Key Management Service (KMS)
• Hashicorp Vault

目前仅支持 ethers@^5。

Node >= 16.

npm i @dteam/safe-signer

Javascript:

const SafeSigner = require("@dteam/safe-signer");

Typescript:

import SafeSigner from "@dteam/safe-signer";

1. fromPrivateKey，返回 Wallet。

const privateKeyWallet = await SafeSigner.fromPrivateKey("YOUR_PRIVATE_KEY");

1. fromEnv，返回 Wallet。

const envWallet = await SafeSigner.fromEnv("ENV_VAR_FOR_PRIVATE_KEY");

1. fromAwsSecretsManager，返回 Wallet。

const awsSecretsManagerWallet = await SafeSigner.fromAwsSecretsManager(
  {
    SecretId: "FULL_ARN_FOR_SECRET",
    SecretKeyName: "KEY_NAME_STORED_PRIVATE_KEY",
  },
  {
    credentials: {
      accessKeyId: "YOUR_AWS_ACCESS_KEY_ID",
      secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY",
    },
    region: "YOUR_REGION",
  }
);

1. fromHashicorpVault，返回 Wallet。

const hashicorpVaultWallet = await SafeSigner.fromHashicorpVault(
  {
    // you can set to your own vault server
    // baseUrl: 'http://127.0.0.1:8200/v1',
    rootPath: "secret",
    timeout: 6000,
    secretName: "wallet-secret",
    secretKey: "privateKey",
  },
  // login method can be any of the following:
  // {token: 'plaintext-token'}
  // {appRole: {roleId: 'roleId', secretId: 'secretId'}}
  // {cert: {certName: 'certName'}}
  // {k8s: {role: 'role', jwt: 'jwt'}}
  // {ldap: {username: 'user', password: 'password'}}
  // {userpass: {username: 'user', password: 'password'}}
  { token: "vault-plaintext-token" },
  { secretName: "wallet-secret", secretKey: "privateKey" }
);

1. fromAwsKms，返回 Signer，因为无法直接从 AWS KMS 获得私钥。

const awsKmsSigner = await SafeSigner.fromAwsKms("YOUR_AWS_KMS_KEY_ARN", {
  credentials: {
    accessKeyId: "YOUR_AWS_ACCESS_KEY_ID",
    secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY",
  },
  region: "YOUR_REGION",
});