Use Web3Signer with Azure Key Vault

Web3Signer supports using Azure Key Vault to sign payloads in the following ways:

  • Using Azure Key Vault to perform the signing operation. Supports SECP256K1 signing keys only.
  • Fetching the keys from Azure Key Vault and signing locally.

Web3Signer supports the following authentication modes:

Important

The Azure Active Directory managed identity authentication modes can only be used when fetching keys from Azure Key Vault and signing locally with Web3Signer.

Store a private key in Azure Key Vault

Register Web3Signer as an application and add a signing key in Azure Key Vault.

Take note of the following values, which you specify when configuring the signing key configuration file or bulk loading signing keys:

  • Vault name, which is part of the URL (for example https://<vaultname>.vault.azure.net).
  • Client credentials, which can include:
    • Client ID
    • Client secret
    • Tenant ID
Note

Depending on the authentication mode, not all client credentials are available.

  • Key name, which is the name of the secret.

After storing keys, load them into Web3Signer using a key configuration file or by bulk loading keys.
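A preflight check for the values noted above, run before they go into a key configuration file. This is an added example, not Web3Signer code: `check_azure_settings` is a hypothetical helper, and the three mode names and the credentials each requires are assumptions that do not appear on this page.

```python
import re

# Azure naming rules: vault names are 3-24 letters, digits or hyphens, start
# with a letter, end with a letter or digit, and have no consecutive hyphens.
VAULT_RE = re.compile(r"[A-Za-z](?!.*--)[A-Za-z0-9-]{1,22}[A-Za-z0-9]")
# Secret names are 1-127 letters, digits or hyphens.
SECRET_RE = re.compile(r"[A-Za-z0-9-]{1,127}")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Assumption: mode names and the credentials each one needs are not on this page.
REQUIRED = {
    "CLIENT_SECRET": {"client_id", "client_secret", "tenant_id"},
    "USER_ASSIGNED_MANAGED_IDENTITY": {"client_id"},
    "SYSTEM_ASSIGNED_MANAGED_IDENTITY": set(),
}

def check_azure_settings(mode, vault_name, key_name, **creds):
    """Return (vault_url, problems); vault_url is None if anything is wrong."""
    if mode not in REQUIRED:
        return None, [f"unknown authentication mode: {mode}"]
    problems = []
    if not VAULT_RE.fullmatch(vault_name):
        problems.append("vault name must be the bare name, not the full URL")
    if not SECRET_RE.fullmatch(key_name):
        problems.append("key name is not a valid Key Vault secret name")
    supplied = {name for name, value in creds.items() if value}
    for name in sorted(REQUIRED[mode] - supplied):
        problems.append(f"{name} is required for {mode}")
    for name in sorted(supplied - REQUIRED[mode]):
        problems.append(f"{name} is not expected for {mode}")
    if creds.get("client_id") and not GUID_RE.fullmatch(creds["client_id"]):
        problems.append("client_id is not a GUID")
    if problems:
        return None, problems
    return f"https://{vault_name}.vault.azure.net", []

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_azure_settings(
        "CLIENT_SECRET", "signer-vault", "validator-key-1",
        client_id="11111111-2222-3333-4444-555555555555",
        client_secret="constructed-secret",
        tenant_id="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
    # A pasted URL and a leftover secret in a managed identity setup.
    print(check_azure_settings(
        "SYSTEM_ASSIGNED_MANAGED_IDENTITY",
        "https://signer-vault.vault.azure.net", "validator-key-1",
        client_secret="constructed-secret"))
```

A leftover client secret reported for a managed identity setup is worth removing from the file, since it is a credential stored on disk that the chosen mode does not need.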