Feature/aws kms adapter

.env.example

@@ -0,0 +1,163 @@
+# =================================================================
+# IOTA Secret Storage - AWS KMS Configuration
+# =================================================================
+# This configuration supports multiple AWS authentication methods
+
+# =================================================================
+# PRIMARY CONFIGURATION - AWS Profile (RECOMMENDED)
+# =================================================================
+# AWS Profile to use (matches your ~/.aws/config profile)
+AWS_PROFILE=your-profile-name
+
+# AWS Region (must match your profile configuration)
+AWS_REGION=eu-west-1
+
+# =================================================================
+# ~/.aws/config SETUP REQUIRED
+# =================================================================
+# Ensure your ~/.aws/config contains:
+#
+# [default]
+# region = eu-west-1
+#
+# [profile your-profile-name]
+# role_arn = arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+# source_profile = default
+# region = eu-west-1
+#
+# And ~/.aws/credentials contains your base credentials:
+# [default]
+# aws_access_key_id = YOUR_ACCESS_KEY
+# aws_secret_access_key = YOUR_SECRET_KEY
+
+# =================================================================
+# OPTIONAL: IOTA-SPECIFIC CONFIGURATION
+# =================================================================
+# Environment type for IOTA operations
+ENVIRONMENT=development  # development | testing | production
+
+# Optional: Specific KMS key ID (if using existing keys for IOTA)
+# KMS_KEY_ID=arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/12345678-1234-1234-1234-123456789012
+
+# Optional: IOTA network configuration
+# IOTA_NETWORK=testnet  # mainnet | testnet
+
+# =================================================================
+# CROSS-ACCOUNT ROLE ASSUMPTION (Alternative method)
+# =================================================================
+# If you prefer explicit role assumption instead of AWS profiles:
+# TARGET_ROLE_ARN=arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+# SERVICE_NAME=iota-secret-storage-service
+# AWS_REGION=eu-west-1
+
+# =================================================================
+# ALTERNATIVE CONFIGURATIONS (use if profile method not available)
+# =================================================================
+
+# Alternative 1: Direct credentials (NOT RECOMMENDED for production)
+# AWS_ACCESS_KEY_ID=your_access_key_here
+# AWS_SECRET_ACCESS_KEY=your_secret_access_key_here
+# AWS_REGION=eu-west-1
+
+# Alternative 2: Session token for temporary credentials
+# AWS_ACCESS_KEY_ID=your_temp_access_key
+# AWS_SECRET_ACCESS_KEY=your_temp_secret_key
+# AWS_SESSION_TOKEN=your_session_token
+# AWS_REGION=eu-west-1
+
+# =================================================================
+# DEVELOPMENT & TESTING OPTIONS
+# =================================================================
+
+# Development: Use LocalStack for testing (no real AWS charges)
+# AWS_ENDPOINT_URL=http://localhost:4566
+# AWS_ACCESS_KEY_ID=test
+# AWS_SECRET_ACCESS_KEY=test
+# AWS_REGION=us-east-1
+
+# Development: Fallback filesystem storage path
+# STORAGE_PATH=~/.iota/keys
+
+# Development: Enable debug logging
+# RUST_LOG=debug
+
+# =================================================================
+# ENTERPRISE DEPLOYMENT SCENARIOS
+# =================================================================
+
+# Scenario 1: ECS Task Role (no credentials needed in .env)
+# Just set AWS_REGION=eu-west-1 and configure Task Role in ECS
+
+# Scenario 2: EKS with IRSA (no credentials needed in .env)
+# Just set AWS_REGION=eu-west-1 and configure Service Account
+
+# Scenario 3: EC2 with Instance Profile (no credentials needed in .env)
+# Just set AWS_REGION=eu-west-1 and configure Instance Profile
+
+# =================================================================
+# QUICK START GUIDE
+# =================================================================
+# 
+# 1. Copy this file to .env:
+#    cp .env.example .env
+# 
+# 2. Setup AWS credentials in ~/.aws/config:
+#    [default]
+#    region = eu-west-1
+#    
+#    [profile your-profile-name]
+#    role_arn = arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+#    source_profile = default
+#    region = eu-west-1
+# 
+# 3. Add your credentials to ~/.aws/credentials:
+#    [default]
+#    aws_access_key_id = YOUR_ACCESS_KEY
+#    aws_secret_access_key = YOUR_SECRET_KEY
+# 
+# 4. Run examples:
+#    cargo run --package storage-factory --example iota_transaction_signing
+#    cargo run --package aws-kms-adapter --example profile_usage
+
+# =================================================================
+# USAGE EXAMPLES
+# =================================================================
+# 
+# Basic IOTA transaction signing:
+# cargo run --package storage-factory --example iota_transaction_signing
+# 
+# AWS Profile authentication test:
+# cargo run --package aws-kms-adapter --example profile_usage
+# 
+# Enterprise service scenarios:
+# cargo run --package aws-kms-adapter --example enterprise_service
+# 
+# Auto-detection test:
+# cargo run --package storage-factory --example auto_detect_test
+# 
+# Key storage basic test:
+# cargo run --package aws-kms-adapter --example key_storage_test
+
+# =================================================================
+# IAM POLICY REQUIREMENTS
+# =================================================================
+# Your AWS role needs these KMS permissions:
+# {
+#     "Version": "2012-10-17",
+#     "Statement": [
+#         {
+#             "Effect": "Allow",
+#             "Action": [
+#                 "kms:CreateKey",
+#                 "kms:DescribeKey",
+#                 "kms:GetPublicKey",
+#                 "kms:Sign",
+#                 "kms:ScheduleKeyDeletion",
+#                 "kms:ListKeys",
+#                 "kms:CreateAlias",
+#                 "kms:ListAliases"
+#             ],
+#             "Resource": "arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/*"
+#         }
+#     ]
+# }

.gitignore

@@ -1,2 +1,6 @@
 /target
 Cargo.lock
+
+.env
+CLAUDE.md
+.DS_Store

Cargo.toml

@@ -1,21 +1,12 @@
-[package]
-name = "secret-storage"
-version = "0.3.0"
-edition = "2021"
-authors = ["IOTA Stiftung"]
-homepage = "https://www.iota.org"
-license = "Apache-2.0"
-repository = "https://github.com/iotaledger/secret-storage"
-rust-version = "1.65"
-readme = "./README.md"
-description = "A flexible and secure key storage interface for working with cryptographic keys and signatures with modular traits for key generation, signing, and management."
-keywords = ["crypto", "storage", "keys", "signatures", "security"]
+[workspace]
+resolver = "2"
+members = [
+    "core/secret-storage",
+    "adapters/aws-kms-adapter",
+    "applications/storage-factory",
+]
 
-[dependencies]
+[workspace.dependencies]
 anyhow = "1"
 thiserror = "2"
-async-trait = "0.1"
-
-[features]
-default = ["send-sync-storage"]
-send-sync-storage = []
+async-trait = "0.1"

README-AWS.md

@@ -0,0 +1,166 @@
+# 🔐 IOTA Secret Storage - AWS KMS Setup
+
+Quick setup guide for AWS KMS with profile and assume role configuration.
+
+## 🚀 Quick Start
+
+### 1. Environment Configuration
+```bash
+# Copy the example environment file
+cp .env.example .env
+```
+
+### 2. AWS Profile Setup
+
+Create `~/.aws/config`:
+```ini
+[default]
+region = eu-west-1
+
+[profile your-profile-name]
+role_arn = arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+source_profile = default
+region = eu-west-1
+```
+
+Create `~/.aws/credentials`:
+```ini
+[default]
+aws_access_key_id = YOUR_ACCESS_KEY
+aws_secret_access_key = YOUR_SECRET_KEY
+```
+
+### 3. Test Your Setup
+```bash
+# Test AWS profile works
+aws sts get-caller-identity --profile your-profile-name
+
+# Run IOTA examples
+AWS_REGION=eu-west-1 cargo run --package storage-factory --example iota_kms_demo
+AWS_PROFILE=your-profile-name AWS_REGION=eu-west-1 cargo run --package aws-kms-adapter --example profile_usage
+```
+
+## 🎯 Key Features
+
+- ✅ **AWS Profile Authentication** with assume role
+- ✅ **IOTA Transaction Signing** with KMS
+- ✅ **Enterprise-Ready** authentication patterns
+- ✅ **Comprehensive Logging** for all operations
+- ✅ **Multiple Authentication Methods** (profiles, direct, containers)
+
+## 📋 Examples Available
+
+| Example | Description | Command |
+|---------|-------------|---------|
+| **IOTA Transaction Signing** | Full transaction workflow with logging | `cargo run --package storage-factory --example iota_transaction_signing` |
+| **Profile Authentication** | AWS profile with assume role | `cargo run --package aws-kms-adapter --example profile_usage` |
+| **Enterprise Service** | Container/ECS/EKS patterns | `cargo run --package aws-kms-adapter --example enterprise_service` |
+| **Auto Detection** | Automatic adapter selection | `cargo run --package storage-factory --example auto_detect_test` |
+| **Key Storage Test** | Basic KMS operations | `cargo run --package aws-kms-adapter --example key_storage_test` |
+
+## 🔧 Configuration Details
+
+### Environment Variables (.env)
+```bash
+# Primary configuration
+AWS_PROFILE=your-profile-name
+AWS_REGION=eu-west-1
+
+# Optional for specific use cases
+# KMS_KEY_ID=arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/your-key-id
+# TARGET_ROLE_ARN=arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+```
+
+### Required IAM Permissions
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateKey",
+                "kms:DescribeKey",
+                "kms:GetPublicKey",
+                "kms:Sign",
+                "kms:ScheduleKeyDeletion"
+            ],
+            "Resource": "arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/*"
+        }
+    ]
+}
+```
+
+## 🏢 Enterprise Deployment
+
+### Container Environments
+For ECS, EKS, or EC2, only set:
+```bash
+AWS_REGION=eu-west-1
+# No credentials needed - use IAM roles
+```
+
+### Cross-Account Access
+```bash
+TARGET_ROLE_ARN=arn:aws:iam::304431203043:role/DeveloperFullAccessRole
+SERVICE_NAME=iota-secret-storage
+```
+
+## 📊 Logging Output Example
+
+```
+[1757077118379] 🚀 IOTA Transaction Signing Service - Session: IOTA_SESSION_1757077118379
+[1757077118511] 📝 LOG: Transaction data to sign:
+[1757077118511] 📝   - Transaction Type: IOTA Transfer  
+[1757077118511] 📝   - Data Size: 64 bytes
+[1757077118511] ✅ LOG: IOTA transaction signed successfully!
+[1757077118511] 📊 LOG: Signature metrics:
+[1757077118511] 📊   - Signature Size: 64 bytes
+[1757077118511] 📊   - Algorithm: ECDSA_SHA256
+```
+
+## 🛠️ Troubleshooting
+
+### Common Issues
+
+1. **"No credentials found"**
+   ```bash
+   # Check your AWS credentials
+   aws configure list --profile developer
+   ```
+
+2. **"Unable to assume role"**
+   ```bash
+   # Test role assumption directly
+   aws sts get-caller-identity --profile developer
+   ```
+
+3. **"KMS access denied"**
+   - Check IAM policy on the role
+   - Verify KMS key policy allows the role
+
+### Debug Commands
+```bash
+# Check AWS configuration
+aws configure list --profile developer
+
+# Test KMS access
+aws kms list-keys --region eu-west-1 --profile developer
+
+# Run with debug logging
+RUST_LOG=debug cargo run --package storage-factory --example iota_transaction_signing
+```
+
+## 📚 Documentation
+
+- [Full AWS Setup Guide](doc/aws-setup.md)
+- [Architecture Documentation](doc/refactor.it.md)
+- [Core Traits Documentation](core/secret-storage/README.md)
+
+## 🎉 Ready to Use!
+
+Your IOTA Secret Storage with AWS KMS is ready. Run the examples to see it in action:
+
+```bash
+cargo run --package storage-factory --example iota_transaction_signing
+```