Cloud HSM to sign Web3.py Ethereum transactions
Project description
๐ web3-google-hsm
| Feature | Value |
|---|---|
| Technology |     |
| Type Checking |   |
| CI/CD |      |
| Docs |  |
| Package |    |
| Meta |     |
๐ฏ Description
A Python library for using Google Cloud HSM services to sign Ethereum transactions.
โจ Features
- ๐ Cloud HSM integration for secure key management
- ๐ Support for web3-google-hsm (extensible to other providers)
- ๐ก๏ธ Type-safe configuration using Pydantic
๐ฆ Installation
- Install using
pip
pip install web3-google-hsm
๐ ๏ธ Environment Setup
๐ Google Cloud HSM Key
Make sure you have created a key of type ec-sign-secp256k1-sha256
in the Google cloud console. Which will look something like the following
๐ Required Environment Variables
Before using this library, you need to set up the following environment variables:
GOOGLE_CLOUD_PROJECT=your-project-id
GOOGLE_CLOUD_REGION=us-east1
KEY_RING=eth-keyring
KEY_NAME=eth-key
GOOGLE_APPLICATION_CREDENTIALS=path/to/your/service-account.json
๐ป Bash
# Add to ~/.bashrc or ~/.bash_profile
export GOOGLE_CLOUD_PROJECT="your-project-id"
export GOOGLE_CLOUD_REGION="us-east1"
export KEY_RING="eth-keyring"
export KEY_NAME="eth-key"
export GOOGLE_APPLICATION_CREDENTIALS="path/to/your/service-account.json"
# Apply changes
source ~/.bashrc # or source ~/.bash_profile
๐ Zsh
# Add to ~/.zshrc
export GOOGLE_CLOUD_PROJECT="your-project-id"
export GOOGLE_CLOUD_REGION="us-east1"
export KEY_RING="eth-keyring"
export KEY_NAME="eth-key"
export GOOGLE_APPLICATION_CREDENTIALS="path/to/your/service-account.json"
# Apply changes
source ~/.zshrc
๐ Fish
# Add to ~/.config/fish/config.fish
set -x GOOGLE_CLOUD_PROJECT "your-project-id"
set -x GOOGLE_CLOUD_REGION "us-east1"
set -x KEY_RING "eth-keyring"
set -x KEY_NAME "eth-key"
set -x GOOGLE_APPLICATION_CREDENTIALS "path/to/your/service-account.json"
set -x INFURA_KEY "your-infura-key"
set -x WEB3_PROVIDER_URI "https://mainnet.infura.io/v3/$INFURA_KEY"
# Apply changes
source ~/.config/fish/config.fish
๐ Using .env File
You can also create a .env file in your project root:
# .env
GOOGLE_CLOUD_PROJECT=your-project-id
GOOGLE_CLOUD_REGION=us-east1
KEY_RING=eth-keyring
KEY_NAME=eth-key
GOOGLE_APPLICATION_CREDENTIALS=path/to/your/service-account.json
Then load it in your Python code:
from dotenv import load_dotenv
load_dotenv()
๐ Prerequisites
Before you begin, ensure you have:
- ๐ง Set up your environment variables (see README.md)
- ๐ Python
3.10or higher installed - ๐ Access to a
Web3provider (local or remote) (Optional)
๐ Environment Variable Descriptions
- ๐
GOOGLE_CLOUD_PROJECT: Your Google Cloud project ID - ๐
GOOGLE_CLOUD_REGION: The region where your KMS resources are located (e.g., us-east1, europe-west1) - ๐
KEY_RING: The name of your KMS key ring - ๐๏ธ
KEY_NAME: The name of your KMS key - ๐
GOOGLE_APPLICATION_CREDENTIALS: Path to your Google Cloud service account JSON key file
โ Verifying Setup
You can verify your environment setup with:
from web3_google_hsm.config import BaseConfig
try:
config = BaseConfig()
print("Environment configured successfully!")
print(f"Project ID: {config.project_id}")
print(f"Region: {config.location_id}")
except ValueError as e:
print(f"Configuration error: {e}")
๐ Usage Guide
๐ As A CLI Tool
๐ Key Generation
Generate a new Ethereum signing key in Google Cloud HSM:
# Specify explicitly
web3-google-hsm generate \
--project-id my-project \
--location us-east1 \
--keyring eth-keyring \
--key-id eth-key-1 \
--retention-days 365
web3-google-hsm generate --project-id hsm-testing-445507 --location nam10 --keyring eth-keyring --key-id cli_key
Options:
--project-id: Google Cloud project ID (env: GOOGLE_CLOUD_PROJECT)--location: Cloud KMS location (env: GOOGLE_CLOUD_REGION)--keyring: Name of the key ring (env: KEY_RING)--key-id: ID for the new key (env: KEY_NAME)--retention-days: Days to retain key versions (default: 365)
Example output:
โ
Created Ethereum signing key: projects/my-project/locations/us-east1/keyRings/eth-keyring/cryptoKeys/eth-key-1
๐ Ethereum address: 0x742d35Cc6634C0532925a3b844Bc454e4438f44e
๐ Message Signing
Sign a message using your HSM key:
# Sign a simple message
web3-google-hsm sign "Hello Ethereum!" --account 0x742d35Cc6634C0532925a3b844Bc454e4438f44e
# Sign a hex message
web3-google-hsm sign "0x4d7920686578206d657373616765" --account 0x742d35Cc6634C0532925a3b844Bc454e4438f44e
Arguments:
message: The message to sign (text or hex)--account, -a: Ethereum address of the signing account
Example output:
โ
Message signed successfully!
๐ Message: Hello Ethereum!
๐ Signature: 0x4d7920686578206d657373616765000000000000000000000000000000000000
๐ Components:
v: 27
r: 0x1b7e9c7c039d8f4688a743b0c5c0e509209e6f200d956bf7f4e89f5ad330c135
s: 0x0d27e9c7c039d8f4688a743b0c5c0e509209e6f200d956bf7f4e89f5ad330c13
This guide demonstrates how to use the Google Cloud KMS Ethereum signer library for message and transaction signing.
๐ Basic Setup
from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
account = GCPKmsAccount()
# Get the Ethereum address derived from your GCP KMS key
print(f"GCP KMS Account address: {account.address}")
๐ Message Signing
โ๏ธ Simple Message Signing
# Sign a message
message = "Hello Ethereum!"
signed_message = account.sign_message(message)
# Access signature components
print(f"R: {signed_message.r.hex()}")
print(f"S: {signed_message.s.hex()}")
print(f"V: {signed_message.v}")
print(f"Full signature: {signed_message.to_hex()}")
โ๏ธ Message Signature Verification
from eth_account.messages import encode_defunct
from web3 import Web3
# Create message hash
message_hash = encode_defunct(text=message)
# Initialize Web3 and GCP KMS account
w3 = Web3(Web3.HTTPProvider("http://localhost:8545"))
# Verify the signature using web3.py
recovered_address = w3.eth.account.recover_message(
message_hash,
vrs=(signed_message.v, signed_message.r, signed_message.s)
)
# Check if signature is valid
is_valid = recovered_address.lower() == account.address.lower()
print(f"Signature valid: {is_valid}")
๐ณ Transaction Signing
๐ค Creating a Transaction
tx = {
"from": account.address,
"chain_id": w3.eth.chain_id,
"nonce": w3.eth.get_transaction_count(account.address),
"value": w3.to_wei(0.000001, "ether"),
"data": "0x00",
"to": "0xa5D3241A1591061F2a4bB69CA0215F66520E67cf",
"type": 0,
"gas_limit": 1000000,
"gas_price": 300000000000,
}
# Convert dict to Transaction object and sign
signed_tx = account.sign_transaction(Transaction.from_dict(tx))
๐ก Sending a Transaction
if signed_tx:
# Send the transaction
tx_hash = w3.eth.send_raw_transaction(signed_tx)
# Wait for transaction receipt
receipt = w3.eth.wait_for_transaction_receipt(tx_hash)
print(f"Transaction hash: {receipt['transactionHash'].hex()}")
print(f"From: {receipt['from']}")
print(f"To: {receipt['to']}")
print(f"Gas used: {receipt['gasUsed']}")
๐ Transaction Signature Verification
# Verify the transaction signature
recovered_address = w3.eth.account.recover_transaction(signed_tx)
is_valid = recovered_address.lower() == account.address.lower()
print(f"Signature valid: {is_valid}")
๐๏ธ Working with Local Test Networks
Funding Your Account (for testing with Anvil/Hardhat)
# Use a test account (Anvil's default funded account)
funded_account = w3.eth.account.from_key(
"0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80"
)
# Create funding transaction
fund_tx = {
"from": funded_account.address,
"to": account.address,
"value": w3.to_wei(0.1, "ether"),
"gas": 21000,
"gasPrice": w3.eth.gas_price,
"nonce": w3.eth.get_transaction_count(funded_account.address),
"chainId": w3.eth.chain_id,
}
# Send funding transaction
signed_fund_tx = w3.eth.account.sign_transaction(fund_tx, funded_account.key)
fund_tx_hash = w3.eth.send_raw_transaction(signed_fund_tx.raw_transaction)
fund_receipt = w3.eth.wait_for_transaction_receipt(fund_tx_hash)
๐ Using with Different Networks
๐ Local Network (Anvil/Hardhat)
w3 = Web3(Web3.HTTPProvider("http://localhost:8545"))
๐ Mainnet (via Infura)
w3 = Web3(Web3.HTTPProvider(f"https://mainnet.infura.io/v3/{INFURA_KEY}"))
๐งช Testnet (sepolia)
w3 = Web3(Web3.HTTPProvider(f"https://sepolia.infura.io/v3/{INFURA_KEY}"))
โ ๏ธ Error Handling
from web3_google_hsm.types.ethereum_types import Transaction
try:
signed_message = account.sign_message("Hello")
except Exception as e:
print(f"Signing error: {e}")
try:
signed_tx = account.sign_transaction(Transaction.from_dict(tx))
if not signed_tx:
print("Failed to sign transaction")
except Exception as e:
print(f"Transaction error: {e}")
๐ CI/CD Pipeline Integration
๐ Using in GitHub Actions or Other CI/CD Pipelines
For CI/CD environments where you can't use traditional environment variables or service account files, you can pass the credentials directly as a JSON string:
from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
from web3_google_hsm.config import BaseConfig
import json
# Create config from environment variables
config = BaseConfig(
project_id="your-project-id",
location_id="your-location",
key_ring_id="your-keyring",
key_id="your-key-id"
)
# Load credentials from CI/CD secret
credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
# Initialize account with both config and credentials
account = GCPKmsAccount(config=config, credentials=credentials)
# or Let the class read the values from env variables
account = GCPKmsAccount(credentials=credentials)
๐ GitHub Actions Example
name: Deploy with HSM Signing
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: '3.10'
- name: Install dependencies
run: pip install web3-google-hsm
- name: Sign and Deploy
env:
GOOGLE_CLOUD_PROJECT: ${{ secrets.GCP_PROJECT_ID }}
GOOGLE_CLOUD_REGION: ${{ secrets.GCP_REGION }}
KEY_RING: ${{ secrets.GCP_KEYRING }}
KEY_NAME: ${{ secrets.GCP_KEY_NAME }}
GCP_ADC_CREDENTIALS_STRING: ${{ secrets.GCP_ADC_CREDENTIALS_STRING }}
run: |
python your_deployment_script.py
๐ Example Deployment Script
import os
import json
from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
from web3_google_hsm.config import BaseConfig
from web3_google_hsm.types.ethereum_types import Transaction
def deploy_contract():
# Initialize with both config and credentials
config = BaseConfig.from_env() # Uses environment variables
credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
account = GCPKmsAccount(config=config, credentials=credentials)
# Your deployment logic here
print(f"Deploying from address: {account.address}")
# Example transaction
tx = Transaction(
nonce=0,
gas_price=2000000000,
gas_limit=1000000,
to="0x...",
value=0,
data="0x...",
chain_id=1
)
signed_tx = account.sign_transaction(tx)
# Send transaction...
if __name__ == "__main__":
deploy_contract()
๐ Required Secrets for CI/CD
Set these secrets in your CI/CD environment:
GCP_PROJECT_ID: Your Google Cloud project IDGCP_REGION: The region where your KMS resources are locatedGCP_KEYRING: The name of your KMS key ringGCP_KEY_NAME: The name of your KMS keyGCP_ADC_CREDENTIALS_STRING: Your service account credentials JSON as a string
For more information see the following links.
๐ Documentation: https://ankvik-tech-labs.github.io/web3-google-hsm/
๐ป Source Code: https://github.com/Ankvik-Tech-Labs/web3-google-hsm
Development
๐จโ๐ป Development
๐ง Setup environment
We use Hatch to manage the development environment and production build. Ensure it's installed on your system.
๐งช Run unit tests
You can run all the tests with:
hatch run test
โจ Format the code
Execute the following command to apply linting and check typing:
hatch run lint
๐ฆ Publish a new version
You can bump the version, create a commit and associated tag with one command:
hatch version patch
hatch version minor
hatch version major
Your default Git text editor will open so you can add information about the release.
When you push the tag on GitHub, the workflow will automatically publish it on PyPi and a GitHub release will be created as draft.
๐ Serve the documentation
You can serve the Mkdocs documentation with:
hatch run docs-serve
It'll automatically watch for changes in your code.
๐ Further Reading
๐ License
This project is licensed under the terms of the BSD license.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
web3_google_hsm-0.1.0.tar.gz
(2.1 MB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file web3_google_hsm-0.1.0.tar.gz.
File metadata
- Download URL: web3_google_hsm-0.1.0.tar.gz
- Upload date:
- Size: 2.1 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
37107455b35888537dd20731d78aefc3137800bb6c0dab4b967f3d76b7fe9d42
|
|
| MD5 |
b8d2cb8c0f273a6d8ab83aa43976c910
|
|
| BLAKE2b-256 |
3657a73576ece5435faf28b8e352135b6d89d44424b096182c2dc1026875a04c
|
File details
Details for the file web3_google_hsm-0.1.0-py3-none-any.whl.
File metadata
- Download URL: web3_google_hsm-0.1.0-py3-none-any.whl
- Upload date:
- Size: 19.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
770158608e121cc3caaa51452794f856b3a3ed6d2a740f551c1eab451e7aabb1
|
|
| MD5 |
1f0b267983471a92a2383e9600eeb26f
|
|
| BLAKE2b-256 |
8ad7b6d4fbafb8a812f69a7887f1da7a344590aa8aea64500094b6f461eed34d
|
