Cloud Wallets
When building a blockchain application, it is often useful to have an operations or user wallet that can perform actions on the blockchain without direct human intervention. MultiBaas' Cloud Wallet feature integrates smart contract function calls with externally owned accounts (EOAs) managed by Microsoft Azure Key Vault.
When setting up Azure Key Vault, your Azure account's billing details must be configured with a valid credit card, or have credits that have not yet expired.
Requirements:
- Microsoft Azure account
- (For the quickstart script) PowerShell
Add a new provider
To access your Cloud Wallet, in the Navigation bar go to Cloud Wallets, then click on Configuration. To add a new provider, click on the plus icon at the top of the left sidebar.
Fill in the required inputs:
- Label: A label to help you identify your cloud wallet
- Client ID: The Application ID that will be accessing the Key Vault. Found in: Azure Portal > Sidebar > Azure Active Directory > App Registrations > Application ID column
- Client Secret: The application’s secret key that you generate when you first register the application in Azure
- Tenant ID: Also known as Directory ID. Found in: Azure Portal > Sidebar > Azure Active Directory > Properties > Directory ID
- Subscription ID: The ID linked to your subscription to Azure services. Found in: Azure Portal > Sidebar > All Services > Subscriptions > Subscription ID column
- Resource Group: The Resource Group Name for the resource being accessed. Found in: Azure Portal > Sidebar > All Resources > Resource Group column
Finally, click on Add Provider. You can now create or import wallets.
Create wallet
Click on the Add Wallet button, and select the Create Wallet tab.
Fill in the required details:
- Vault Name: The Azure Key Vault name in which the key is going to be created. The Key Vault must exist and will not be created automatically. Found in: Azure Portal > Key Vaults
- Key Name: The name of the key to create
- HSM-protected key: Create an "HSM-protected key" instead of a "software-protected key". ⚠️ Note that this option only works on Premium SKU (Pricing tier) Key Vaults and comes at an additional cost.
Click on Create Wallet.
Import wallet
If you want to import an existing wallet that has previously been set up in Key Vault, click on the Add Wallet button, then select the Import Wallet tab.
Fill in the required inputs:
- Vault Name: The Azure Key Vault name where the key resides. Found in: Azure Portal > Key Vaults
- Key Name: The name of the key to import
- Key Version: The version of the key to import
Click on Import Wallet.
PowerShell quickstart
Although Azure Key Vault can be configured through the web-based Azure portal, the initial process can be somewhat time-consuming. We have developed a PowerShell script to automate and streamline the process.
Setup
Open a Terminal window and begin a PowerShell session.
~ % pwsh
PowerShell 7.3.3
PS /Users/admin>
If you have not already done so, install the Az module.
Install-Module Az
Otherwise, ensure your Az module is up to date.
Update-Module -Name Az
If you see a message about trusting the module's repository, accept it to continue.
Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy
value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
Next, import the module.
Import-Module Az
Finally, log in with your Azure account.
Connect-AzAccount
This command will redirect you to the Azure login in your browser. If the login was successful, you should see output like this in the PowerShell terminal.
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
[email protected] Azure subscription 1 ece31744-f3c9-4f17-affa-924189392509 AzureCloud
If you see a warning or an error, please confirm that your Azure account is properly configured with valid billing details.
You may also confirm that you logged in successfully by checking your context:
Get-AzContext
If you are properly logged in, you should see output like this.
Name Account SubscriptionName Environment TenantId
---- ------- ---------------- ----------- --------
Azure subscription 1 (55422a49-5111-485… [email protected] Azure subscription 1 AzureCloud ece31744-f3c9-4f17-affa-924189392509
If the subscription name or Tenant ID is missing, it is very likely that login failed. Please confirm that your Azure account's billing has been set up with a valid payment method or free trial.
Creating a Key Vault
Now that everything has been set up, run the following commands in PowerShell to create the cloud resources required to use HSM in MultiBaas.
Please copy the code line-by-line to ensure each step is successful before continuing on to the next.
# Pick a display name for the relevant cloud resources
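$hsmIdentifier = "<PICK-SOMETHING-UNIQUE>"
# Any valid Azure region should be fine
$location = "japaneast"
# Store IDs that are needed for later
$tenantId = (Get-AzContext).Tenant.Id
# Use the subscription of the current context; Get-AzSubscription returns
# every subscription the account can see, which may be more than one
$subscriptionId = (Get-AzContext).Subscription.Id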
# Create an App Registration that will have permission to use the Key Vault
$sp = New-AzADServicePrincipal -DisplayName $hsmIdentifier -EndDate '2299-12-31' -Role Reader
$clientId = $sp.AppId
$clientSecret = $sp.PasswordCredentials.SecretText
# Create a resource group for the vault
New-AzResourceGroup -Name $hsmIdentifier -Location $location
# Create a new Key Vault
$keyVault = New-AzKeyVault -VaultName $hsmIdentifier -ResourceGroupName $hsmIdentifier -Location $location -Sku Standard
# Give the App Registration permission to use the vault
Set-AzKeyVaultAccessPolicy -VaultName $hsmIdentifier -ObjectId $sp.Id -PermissionsToKeys get, sign, create
# Finally, print the IDs that are required to configure MultiBaas
$clientId
$clientSecret
$tenantId
$subscriptionId
$hsmIdentifier
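Any principal that holds the sign permission on the vault can produce signatures with the wallet keys stored in it, so the access policy created above is worth checking once the script has run. The following is an added example, not part of the MultiBaas quickstart script: Test-WalletAccessPolicy is a hypothetical helper, the sample policies and object IDs are constructed, and the default allow-list is the get, sign, create set granted by Set-AzKeyVaultAccessPolicy above.

```powershell
# Added example, not part of the MultiBaas quickstart script.
# Test-WalletAccessPolicy is a hypothetical helper name.
function Test-WalletAccessPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $AccessPolicies,  # (Get-AzKeyVault ...).AccessPolicies
        [Parameter(Mandatory)] [string]   $WalletObjectId,  # $sp.Id in the quickstart
        [string[]] $AllowedKeyPerms = @('get', 'sign', 'create')
    )
    $walletSeen = $false
    foreach ($policy in $AccessPolicies) {
        # Normalise case and drop empty entries before comparing
        $keyPerms = @($policy.PermissionsToKeys | Where-Object { $_ } |
            ForEach-Object { "$_".ToLower() })
        if ($policy.ObjectId -eq $WalletObjectId) {
            $walletSeen = $true
            $extra = @($keyPerms | Where-Object { $_ -notin $AllowedKeyPerms })
            if ($extra.Count -gt 0) {
                "wallet principal has extra key permissions: $($extra -join ', ')"
            }
            $nonKey = @($policy.PermissionsToSecrets) + @($policy.PermissionsToCertificates) |
                Where-Object { $_ }
            if ($nonKey) { "wallet principal has non-key permissions: $($nonKey -join ', ')" }
        }
        elseif ($keyPerms -contains 'sign') {
            # Anyone with 'sign' can produce signatures with the wallet keys
            "another principal can sign with keys in this vault: $($policy.ObjectId)"
        }
    }
    if (-not $walletSeen) { "no access policy found for $WalletObjectId" }
}

# Constructed sample input; the object IDs are placeholders, not real principals.
$walletId = '11111111-1111-1111-1111-111111111111'
$sample = @(
    [pscustomobject]@{ ObjectId = $walletId; PermissionsToKeys = @('get', 'sign', 'create')
                       PermissionsToSecrets = @(); PermissionsToCertificates = @() }
    [pscustomobject]@{ ObjectId = '22222222-2222-2222-2222-222222222222'
                       PermissionsToKeys = @('Get', 'List', 'Sign', 'Delete')
                       PermissionsToSecrets = @('Get'); PermissionsToCertificates = @() }
)
Test-WalletAccessPolicy -AccessPolicies $sample -WalletObjectId $walletId

# Against the live vault, in the same session as the quickstart:
#   $vault = Get-AzKeyVault -VaultName $hsmIdentifier
#   Test-WalletAccessPolicy -AccessPolicies $vault.AccessPolicies -WalletObjectId $sp.Id
#   Get-AzADAppCredential -ApplicationId $clientId | Select-Object KeyId, EndDateTime
#   Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

The last two commented commands list the client secret's expiry and the role assignments held by the service principal, which correspond to the -EndDate and -Role arguments passed to New-AzADServicePrincipal above.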