AWS KMS and HashiCorp Vault adapter implementation

.dockerignore

@@ -0,0 +1,24 @@
+# Rust build artifacts
+target/
+**/target/
+
+# Git
+.git/
+.gitignore
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Documentation
+*.md
+!README.md
+
+# CI/CD
+.github/
+
+# Local env files
+.env
+.env.local

.env.example

@@ -0,0 +1,159 @@
+# =================================================================
+# IOTA Secret Storage - Configuration for Supported Adapters
+# =================================================================
+# This configuration supports AWS KMS and HashiCorp Vault adapters
+
+# =================================================================
+# AWS KMS CONFIGURATION
+# =================================================================
+
+# AWS Profile to use (matches your ~/.aws/config profile) - RECOMMENDED
+AWS_PROFILE=your-profile-name
+
+# AWS Region (must match your profile configuration)
+AWS_REGION=eu-west-1
+
+# Optional: Specific KMS key ID (if using existing keys)
+# KMS_KEY_ID=arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/12345678-1234-1234-1234-123456789012
+
+# =================================================================
+# AWS ALTERNATIVE AUTHENTICATION METHODS
+# =================================================================
+
+# Alternative 1: Direct credentials (NOT RECOMMENDED for production)
+# AWS_ACCESS_KEY_ID=your_access_key_here
+# AWS_SECRET_ACCESS_KEY=your_secret_access_key_here
+# AWS_REGION=eu-west-1
+
+# Alternative 2: Session token for temporary credentials
+# AWS_ACCESS_KEY_ID=your_temp_access_key
+# AWS_SECRET_ACCESS_KEY=your_temp_secret_key
+# AWS_SESSION_TOKEN=your_session_token
+# AWS_REGION=eu-west-1
+
+# Alternative 3: LocalStack for development/testing (no real AWS charges)
+# AWS_ENDPOINT_URL=http://localhost:4566
+# AWS_ACCESS_KEY_ID=test
+# AWS_SECRET_ACCESS_KEY=test
+# AWS_REGION=us-east-1
+
+# =================================================================
+# HASHICORP VAULT CONFIGURATION
+# =================================================================
+
+# Vault server address (required)
+VAULT_ADDR=http://localhost:8200
+
+# Vault authentication token (required for standard mode)
+VAULT_TOKEN=dev-token
+
+# Vault Transit secrets engine mount path (optional, defaults to "transit")
+VAULT_MOUNT_PATH=transit
+
+# Vault Agent sidecar mode for Kubernetes (optional, defaults to "false")
+# When enabled, VAULT_TOKEN is not required - injected automatically by agent
+# VAULT_AGENT_MODE=true
+
+# =================================================================
+# KUBERNETES VAULT AGENT CONFIGURATION (PRODUCTION)
+# =================================================================
+# For Kubernetes deployments with Vault Agent sidecar:
+# VAULT_ADDR=http://127.0.0.1:8100
+# VAULT_AGENT_MODE=true
+# VAULT_MOUNT_PATH=transit
+# No VAULT_TOKEN needed - injected by agent automatically!
+
+# =================================================================
+# GENERAL CONFIGURATION
+# =================================================================
+
+# Environment type for IOTA operations
+ENVIRONMENT=development  # development | testing | production
+
+# Optional: IOTA network configuration
+# IOTA_NETWORK=testnet  # mainnet | testnet
+
+# Development: Enable debug logging
+# RUST_LOG=debug
+
+# =================================================================
+# QUICK START GUIDE
+# =================================================================
+
+# FOR AWS KMS:
+# 1. Setup AWS credentials in ~/.aws/config:
+#    [default]
+#    region = eu-west-1
+#    
+#    [profile your-profile-name]
+#    role_arn = arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+#    source_profile = default
+#    region = eu-west-1
+# 
+# 2. Add your credentials to ~/.aws/credentials:
+#    [default]
+#    aws_access_key_id = YOUR_ACCESS_KEY
+#    aws_secret_access_key = YOUR_SECRET_KEY
+#
+# 3. Copy this file: cp .env.example .env
+# 4. Run AWS examples:
+#    cargo run --package storage-factory --example iota_kms_demo
+
+# FOR HASHICORP VAULT:
+# 1. Start Vault development server:
+#    docker-compose -f docker-compose.vault.yml up -d
+#
+# 2. Copy this file: cp .env.example .env
+# 3. Run Vault examples:
+#    cargo run --package storage-factory --example iota_vault_demo
+
+# =================================================================
+# USAGE EXAMPLES
+# =================================================================
+
+# AWS KMS Examples:
+# cargo run --package aws-kms-adapter --example basic_usage
+# cargo run --package aws-kms-adapter --example signing_demo  
+# cargo run --package storage-factory --example iota_kms_demo
+
+# HashiCorp Vault Examples:
+# cargo run --package vault-adapter --example basic_usage
+# cargo run --package vault-adapter --example signing_demo
+# cargo run --package vault-adapter --example vault_agent_mode  # Kubernetes Agent mode
+# cargo run --package storage-factory --example iota_vault_demo
+
+# =================================================================
+# REQUIRED PERMISSIONS
+# =================================================================
+
+# AWS KMS IAM Policy Requirements:
+# {
+#     "Version": "2012-10-17",
+#     "Statement": [
+#         {
+#             "Effect": "Allow",
+#             "Action": [
+#                 "kms:CreateKey",
+#                 "kms:DescribeKey", 
+#                 "kms:GetPublicKey",
+#                 "kms:Sign",
+#                 "kms:ScheduleKeyDeletion",
+#                 "kms:ListKeys",
+#                 "kms:CreateAlias",
+#                 "kms:ListAliases"
+#             ],
+#             "Resource": "arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/*"
+#         }
+#     ]
+# }
+
+# HashiCorp Vault Policy Requirements:
+# path "transit/keys/*" {
+#   capabilities = ["create", "read", "update", "delete", "list"]
+# }
+# path "transit/sign/*" {
+#   capabilities = ["update"]
+# }
+# path "transit/verify/*" {
+#   capabilities = ["update"]
+# }

.gitignore

@@ -1,2 +1,6 @@
 /target
 Cargo.lock
+
+.env
+CLAUDE.md
+.DS_Store

AWS_INTEGRATION.md

@@ -0,0 +1,166 @@
+# 🔐 IOTA Secret Storage - AWS KMS Setup
+
+Quick setup guide for AWS KMS with profile and assume role configuration.
+
+## 🚀 Quick Start
+
+### 1. Environment Configuration
+```bash
+# Copy the example environment file
+cp .env.example .env
+```
+
+### 2. AWS Profile Setup
+
+Create `~/.aws/config`:
+```ini
+[default]
+region = eu-west-1
+
+[profile your-profile-name]
+role_arn = arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+source_profile = default
+region = eu-west-1
+```
+
+Create `~/.aws/credentials`:
+```ini
+[default]
+aws_access_key_id = YOUR_ACCESS_KEY
+aws_secret_access_key = YOUR_SECRET_KEY
+```
+
+### 3. Test Your Setup
+```bash
+# Test AWS profile works
+aws sts get-caller-identity --profile your-profile-name
+
+# Run IOTA examples
+AWS_REGION=eu-west-1 cargo run --package storage-factory --example iota_kms_demo
+AWS_PROFILE=your-profile-name AWS_REGION=eu-west-1 cargo run --package aws-kms-adapter --example profile_usage
+```
+
+## 🎯 Key Features
+
+- ✅ **AWS Profile Authentication** with assume role
+- ✅ **IOTA Transaction Signing** with KMS
+- ✅ **Enterprise-Ready** authentication patterns
+- ✅ **Comprehensive Logging** for all operations
+- ✅ **Multiple Authentication Methods** (profiles, direct, containers)
+
+## 📋 Examples Available
+
+| Example | Description | Command |
+|---------|-------------|---------|
+| **IOTA Transaction Signing** | Full transaction workflow with logging | `cargo run --package storage-factory --example iota_transaction_signing` |
+| **Profile Authentication** | AWS profile with assume role | `cargo run --package aws-kms-adapter --example profile_usage` |
+| **Enterprise Service** | Container/ECS/EKS patterns | `cargo run --package aws-kms-adapter --example enterprise_service` |
+| **Auto Detection** | Automatic adapter selection | `cargo run --package storage-factory --example auto_detect_test` |
+| **Key Storage Test** | Basic KMS operations | `cargo run --package aws-kms-adapter --example key_storage_test` |
+
+## 🔧 Configuration Details
+
+### Environment Variables (.env)
+```bash
+# Primary configuration
+AWS_PROFILE=your-profile-name
+AWS_REGION=eu-west-1
+
+# Optional for specific use cases
+# KMS_KEY_ID=arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/your-key-id
+# TARGET_ROLE_ARN=arn:aws:iam::YOUR-ACCOUNT-ID:role/YourRole
+```
+
+### Required IAM Permissions
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:CreateKey",
+                "kms:DescribeKey",
+                "kms:GetPublicKey",
+                "kms:Sign",
+                "kms:ScheduleKeyDeletion"
+            ],
+            "Resource": "arn:aws:kms:eu-west-1:YOUR-ACCOUNT-ID:key/*"
+        }
+    ]
+}
+```
+
+## 🏢 Enterprise Deployment
+
+### Container Environments
+For ECS, EKS, or EC2, only set:
+```bash
+AWS_REGION=eu-west-1
+# No credentials needed - use IAM roles
+```
+
+### Cross-Account Access
+```bash
+TARGET_ROLE_ARN=arn:aws:iam::304431203043:role/DeveloperFullAccessRole
+SERVICE_NAME=iota-secret-storage
+```
+
+## 📊 Logging Output Example
+
+```
+[1757077118379] 🚀 IOTA Transaction Signing Service - Session: IOTA_SESSION_1757077118379
+[1757077118511] 📝 LOG: Transaction data to sign:
+[1757077118511] 📝   - Transaction Type: IOTA Transfer  
+[1757077118511] 📝   - Data Size: 64 bytes
+[1757077118511] ✅ LOG: IOTA transaction signed successfully!
+[1757077118511] 📊 LOG: Signature metrics:
+[1757077118511] 📊   - Signature Size: 64 bytes
+[1757077118511] 📊   - Algorithm: ECDSA_SHA256
+```
+
+## 🛠️ Troubleshooting
+
+### Common Issues
+
+1. **"No credentials found"**
+   ```bash
+   # Check your AWS credentials
+   aws configure list --profile developer
+   ```
+
+2. **"Unable to assume role"**
+   ```bash
+   # Test role assumption directly
+   aws sts get-caller-identity --profile developer
+   ```
+
+3. **"KMS access denied"**
+   - Check IAM policy on the role
+   - Verify KMS key policy allows the role
+
+### Debug Commands
+```bash
+# Check AWS configuration
+aws configure list --profile developer
+
+# Test KMS access
+aws kms list-keys --region eu-west-1 --profile developer
+
+# Run with debug logging
+RUST_LOG=debug cargo run --package storage-factory --example iota_transaction_signing
+```
+
+## 📚 Documentation
+
+- [Full AWS Setup Guide](doc/aws-setup.md)
+- [Architecture Documentation](doc/refactor.it.md)
+- [Core Traits Documentation](core/secret-storage/README.md)
+
+## 🎉 Ready to Use!
+
+Your IOTA Secret Storage with AWS KMS is ready. Run the examples to see it in action:
+
+```bash
+cargo run --package storage-factory --example iota_transaction_signing
+```

Cargo.toml

@@ -1,21 +1,14 @@
-[package]
-name = "secret-storage"
-version = "0.3.0"
-edition = "2021"
-authors = ["IOTA Stiftung"]
-homepage = "https://www.iota.org"
-license = "Apache-2.0"
-repository = "https://github.com/iotaledger/secret-storage"
-rust-version = "1.65"
-readme = "./README.md"
-description = "A flexible and secure key storage interface for working with cryptographic keys and signatures with modular traits for key generation, signing, and management."
-keywords = ["crypto", "storage", "keys", "signatures", "security"]
+[workspace]
+resolver = "2"
+members = [
+    "core/secret-storage",
+    "adapters/aws-kms-adapter",
+    "adapters/vault-adapter",
+    "applications/storage-factory",
+    "applications/hv-iota-e2e-test",
+]
 
-[dependencies]
+[workspace.dependencies]
 anyhow = "1"
 thiserror = "2"
-async-trait = "0.1"
-
-[features]
-default = ["send-sync-storage"]
-send-sync-storage = []
+async-trait = "0.1"