Cloud Wallets
When building a blockchain application, it is often useful to have an operations or user wallet that can perform actions on the blockchain without direct human intervention. MultiBaas' Cloud Wallet feature integrates smart contract function calls with externally owned accounts (EOAs) managed by Microsoft Azure Key Vault.
When setting up Azure Key Vault, your Azure account's billing details must be configured with a valid credit card, or have credits that have not yet expired.
Requirements:
- Microsoft Azure account
- The output of the quickstart script
Add a new provider
To access your Cloud Wallet, in the Navigation bar go to Cloud Wallets, then click on Configuration. To add a new provider, click on the plus icon at the top of the left sidebar.
Fill in the required inputs:
- Label : A label to help you identify your cloud wallet
- Client ID : The Application ID that will be accessing the Key Vault. Found in: Azure Portal > Sidebar > Azure Active Directory > App Registrations > Application ID column
- Client Secret : The application’s secret key that you generate when you first register the application in Azure
- Tenant ID : Also known as Directory ID. Found in: Azure Portal > Sidebar > Azure Active Directory > Properties > Directory ID
- Subscription ID : The ID linked to your subscription to Azure services. Found in: Azure Portal > Sidebar > All Services > Subscriptions > Subscription ID column
- Resource Group : The Resource Group Name for the resource being accessed. Found in: Azure Portal > Sidebar > All Resources > Resource Group column
Finally, click on Add Provider. You can now create or import wallets.
Create wallet
Click on the Add Wallet button, and select the Create Wallet tab.
Fill in the required details:
- Vault Name : The Azure Key Vault name in which the key is going to be created. The Key Vault must exist and will not be created automatically. Found in: Azure Portal > Key Vaults
- Key Name : The name of the key to create
- HSM-protected key : Create an "HSM-protected key" instead of a "software-protected key". ⚠️ Note that this option only works on Premium SKU (Pricing tier) Key Vaults and comes at an additional cost.
Click on Create Wallet.
Import wallet
If you want to import an existing wallet that has previously been set up in Key Vault, click on the Add Wallet button, then select the Import Wallet tab.
Fill in the required inputs:
- Vault Name : The Azure Key Vault name where the key resides. Found in: Azure Portal > Key Vaults
- Key Name : The name of the key to import
- Key Version : The version of the key to import
Click on Import Wallet.
PowerShell Quickstart
This quickstart will guide you through creating a service principal, resource group, and Key Vault that can be used as a cloud wallet provider in MultiBaas.
For the following steps, use either the Azure Cloud Shell for a preconfigured environment, or PowerShell installed locally if you prefer full control.
⚠️ Note: When using the Azure Cloud Shell, if your session idles for too long, it may be terminated and unsaved progress will be lost. We recommend completing the full setup in one go.
1. Set Up Your Azure Context
Begin by listing your subscriptions and selecting the one you want to use.
Get-AzSubscription
Pick the relevant subscription, set the context, and store the subscriptionId and tenantId for later.
# Replace <ID> with one from the output of the list command
Set-AzContext -Subscription <ID>
$subscriptionId = (Get-AzContext).Subscription.Id
$tenantId = (Get-AzContext).Tenant.Id
2. Define Resource Names and Location
Choose an Azure region and define names for your resources. These names should be unique within your Azure environment.
# Select an Azure Region from the output of (Get-AzLocation | select location)
$location = "japaneast"
$keyVaultName = "multibaas-keyvault"
$servicePrincipalName = "multibaas-sp"
$resourceGroupName = "multibaas-app"
# The name of the custom role that will be used to grant the service principal access to the vault
$customRoleName = "Key Vault MultiBaas"
3. Define and Create Custom Role for MultiBaas
Azure’s built-in roles provide more permissions than necessary. For better security, we’ll create a custom role with only the required permissions to create, read, and sign with keys. We only need to do this once per Azure subscription.
$roleExists = Get-AzRoleDefinition -Name $customRoleName -ErrorAction SilentlyContinue
if (-not $roleExists) {
    $role = New-Object -TypeName Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition
    $role.Name = $customRoleName
    $role.Description = "Custom role for MultiBaas cloud wallet integration. Grants data-plane permissions to create, read, and sign with keys in Azure Key Vault, and management-plane permission to read vault metadata."
    $role.IsCustom = $true
    $role.AssignableScopes = @("/subscriptions/$subscriptionId")
    $role.Actions = @(
        "Microsoft.KeyVault/vaults/read"
    )
    $role.DataActions = @(
        "Microsoft.KeyVault/vaults/keys/create/action",
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/sign/action"
    )
    New-AzRoleDefinition -Role $role
    Write-Output "Custom role '$customRoleName' has been created successfully."
} else {
    Write-Output "Custom role '$customRoleName' already exists. Skipping creation."
}
4. Create the Service Principal and Resource Group
We now create a service principal that will be granted access to the Key Vault. This principal will be used by MultiBaas to create keys and sign transactions.
$servicePrincipal = New-AzADServicePrincipal -DisplayName $servicePrincipalName -EndDate '2299-12-31'
$clientId = $servicePrincipal.AppId
$clientSecret = $servicePrincipal.PasswordCredentials.SecretText
New-AzResourceGroup -Name $resourceGroupName -Location $location
5. Create the Key Vault and Assign Permissions
Next, we create the Key Vault and assign the custom role to the service principal.
If we want to use keys backed by a Hardware Security Module, the Sku should be set to Premium. Please note that this costs extra.
$keyVault = New-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -Location $location -Sku Standard
# Assign the role at the resource group level to ensure the service principal has:
# - Management plane access to read vault metadata (Microsoft.KeyVault/vaults/read)
# - Data plane access to perform key operations (create, read, sign) on all vaults in the group
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName $customRoleName -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
To learn more about the planes that control key vault access, please see the Azure documentation.
6. Output the Values for MultiBaas Configuration
Finally, print out the values required to add this provider in the MultiBaas UI.
$clientId
$clientSecret
$tenantId
$subscriptionId
$resourceGroupName
$keyVaultName
You can now go to the MultiBaas Cloud Wallet configuration screen and input the above values to finish setup.
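The following verification script is an added example, not part of the MultiBaas quickstart. Run it in the same session once step 6 has finished; it assumes the variables from steps 1 to 5 ($subscriptionId, $resourceGroupName, $keyVaultName, $customRoleName, $servicePrincipal) are still set and that the Az.Resources and Az.KeyVault cmdlets used above are available. It confirms three things worth checking before the credentials are handed to MultiBaas: that the custom role grants exactly the one management-plane read and three data-plane key actions listed in step 3 (no wildcards, no extras, no missing action, assignable only to this subscription); that the vault uses the Azure RBAC permission model, since a vault on the legacy access-policy model ignores a role's DataActions and key operations would fail, and that its SKU is Premium if HSM-protected keys are wanted; and that the service principal holds the custom role at the resource group scope and no other role assignments.

```powershell
# Added verification script (not part of the MultiBaas quickstart).
# Assumes these variables from steps 1-5 are still set in the session:
#   $subscriptionId, $resourceGroupName, $keyVaultName, $customRoleName, $servicePrincipal

$problems = @()

# --- 1. The custom role grants exactly the least-privilege set from step 3 ---
$expectedActions     = @("Microsoft.KeyVault/vaults/read")
$expectedDataActions = @(
    "Microsoft.KeyVault/vaults/keys/create/action",
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/sign/action"
)

$role = Get-AzRoleDefinition -Name $customRoleName -ErrorAction Stop

foreach ($perm in @($role.Actions) + @($role.DataActions)) {
    # A wildcard such as Microsoft.KeyVault/* would silently widen the role.
    if ($perm.Contains("*")) { $problems += "Role contains a wildcard permission: $perm" }
}
foreach ($perm in @($role.Actions) | Where-Object { $_ -notin $expectedActions }) {
    $problems += "Unexpected management-plane action in role: $perm"
}
foreach ($perm in @($role.DataActions) | Where-Object { $_ -notin $expectedDataActions }) {
    $problems += "Unexpected data-plane action in role: $perm"
}
foreach ($perm in $expectedDataActions | Where-Object { $_ -notin @($role.DataActions) }) {
    $problems += "Required data-plane action missing from role: $perm"
}
# Compare-Object returns nothing when both lists are identical.
if (Compare-Object @($role.AssignableScopes) @("/subscriptions/$subscriptionId")) {
    $problems += "Role is assignable outside this subscription: $($role.AssignableScopes -join ', ')"
}

# --- 2. The vault honours RBAC and has the SKU the chosen key type needs ---
$vault = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ErrorAction Stop

# DataActions only apply to vaults on the Azure RBAC permission model; a vault on the
# legacy access-policy model ignores them and the wallet's key operations are denied.
if (-not $vault.EnableRbacAuthorization) {
    $problems += "Vault '$keyVaultName' uses access policies, so the role's data actions do not apply. " +
                 "Fix: Update-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -EnableRbacAuthorization:`$true"
}
# The 'HSM-protected key' option in the Create Wallet tab requires the Premium SKU.
if ($vault.Sku -ne "Premium") {
    Write-Output "Vault SKU is $($vault.Sku): software-protected keys only. Re-create with -Sku Premium for HSM-protected keys."
}

# --- 3. The service principal holds the custom role at the resource group, and nothing else ---
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName"
# Role assignments can take a minute to propagate after New-AzRoleAssignment; re-run if this fails.
$assignments = @(Get-AzRoleAssignment -ObjectId $servicePrincipal.Id)

$wanted = $assignments | Where-Object { $_.RoleDefinitionName -eq $customRoleName -and $_.Scope -eq $scope }
if (-not $wanted) {
    $problems += "No '$customRoleName' assignment for the service principal at $scope"
}
foreach ($a in $assignments | Where-Object { $_.RoleDefinitionName -ne $customRoleName }) {
    # Owner, Contributor or a second vault role would let the wallet credential do far more than sign.
    $problems += "Extra role assignment on the service principal: $($a.RoleDefinitionName) at $($a.Scope)"
}

if ($problems.Count -eq 0) {
    Write-Output "Cloud wallet provider setup is least-privilege and ready for MultiBaas."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Every finding is collected into $problems and reported at the end so one run shows the whole picture rather than stopping at the first issue. Because step 6 echoes $clientSecret to the console, run Remove-Variable clientSecret once the value has been entered in the MultiBaas UI so it does not linger in the session.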