Is it possible to unload HashiCorp Vault keys from Web3Signer?
Closed this issue · 3 comments
Issue
Using v23.8.1, it seems that once a key has been loaded via the HashiCorp Vault method, it is not possible to unload a key without a hard-restart.
Repro
- Enable the Keymanager API.
- Write a key file to disk with a config similar to the following:

  ```yaml
  keyName: key
  keyPath: /v1/secret/data/goerli/12345
  keyType: BLS
  serverHost: localhost
  serverPort: 8200
  timeout: 30000
  tlsEnabled: false
  token: unused_handled_by_vault_proxy
  type: hashicorp
  ```

- Use the `DELETE /eth/v1/keystores` endpoint to attempt to unload the key. Receive an error similar to:

  ```json
  {
    "data": [
      {
        "status": "error",
        "message": "Unable to delete readonly key: 0xaffc434cf8138634a4cd0ef6cb815febd3db25760b1b6c522f9b4aa78e599b60336d7dd2e953192e45d4ac91f66f0723"
      }
    ],
    "slashing_protection": "<snip>"
  }
  ```

- Delete the key file from disk and hit the `POST /reload` endpoint. The key is still not unloaded.
So, is it possible to unload a key from Web3Signer without deleting the file from disk and doing a hard-restart of the entire process, resulting in downtime?
Currently the key manager API only deals with v4 encrypted BLS keystore files. It doesn't deal with deleting keys loaded from HashiCorp and other vaults (Azure, AWS).
Outside of the key manager API, we don't unload the keys while Web3Signer is running, even if the corresponding metadata config is deleted and `/reload` is called. The operator has to hard restart Web3Signer for removed key config files, i.e. simulating "deleted" keys. The `/reload` endpoint only processes new or modified metadata configuration files.
Understood. In that case, can we change this issue to a feature request and update the title accordingly? I'm building a key management platform around Web3Signer and being able to unload (inactive/exited) keys on-demand to free up resources is particularly useful at the scale I anticipate I'll be running at in future.
Created #899 to track the requested feature.
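An added example, not part of the issue thread or the Web3Signer code base: a Python check an operator could run after decommissioning keys, pairing each pubkey sent to `DELETE /eth/v1/keystores` with its per-key status and flagging keys the signer still holds. It assumes the `GET /eth/v1/keystores` listing includes vault-loaded keys marked `readonly`; the function names, the second pubkey and the sample bodies are constructed for illustration.

```python
# Pubkey from the issue's error message, plus a constructed placeholder pubkey.
PUBKEY = ("0xaffc434cf8138634a4cd0ef6cb815febd3db25760b1b6c522f9b4aa78e599b6033"
          "6d7dd2e953192e45d4ac91f66f0723")
OTHER = "0x" + "11" * 48

# Constructed sample bodies (not captured from a live signer).
DELETE_REQUEST = {"pubkeys": [PUBKEY, OTHER]}
DELETE_RESPONSE = {
    "data": [
        {"status": "error", "message": "Unable to delete readonly key: " + PUBKEY},
        {"status": "deleted"},
    ],
    "slashing_protection": "<snip>",
}
# Assumption: the listing reports the vault-loaded key with readonly=true.
LIST_RESPONSE = {
    "data": [{"validating_pubkey": PUBKEY, "derivation_path": "", "readonly": True}]
}


def delete_outcomes(request, response):
    """Pair each requested pubkey with its status (statuses follow request order)."""
    keys, results = request["pubkeys"], response["data"]
    if len(keys) != len(results):
        raise ValueError("status count differs from pubkey count; cannot attribute results")
    return {k.lower(): r["status"] for k, r in zip(keys, results)}


def stale_keys(decommissioned, outcomes, listing):
    """Return {pubkey: action} for decommissioned keys that may still be loaded."""
    loaded = {e["validating_pubkey"].lower(): e.get("readonly", False)
              for e in listing["data"]}
    actions = {}
    for key in (k.lower() for k in decommissioned):
        if key in loaded:
            # Read-only keys are only dropped by a hard restart, per the thread.
            actions[key] = "restart" if loaded[key] else "retry-delete"
        elif outcomes.get(key) == "error":
            # Delete failed but the key is not listed: confirm state by hand.
            actions[key] = "verify"
    return actions


if __name__ == "__main__":
    outcomes = delete_outcomes(DELETE_REQUEST, DELETE_RESPONSE)
    for key, action in stale_keys(DELETE_REQUEST["pubkeys"], outcomes, LIST_RESPONSE).items():
        print(action, key)
```
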