Merge pull request #10 from zama-ai/darwin/feat/copy-eth-pk

feat: copy eth private key between secrets manager in two aws accounts

Author: piizama

scripts/README.md

@@ -45,7 +45,6 @@ chmod +x create-age-keypair.sh create-and-backup-eth-kms-key.sh create-and-uploa
 ## Usage
 
 To generate an Age keypair and upload it to 1Password:
-
 ```
 export OP_SERVICE_ACCOUNT_TOKEN= # 1Password Service Account token
 export OP_VAULT=                 # Name of the 1Password Vault where Age private key will be saved
@@ -66,3 +65,33 @@ export SECRET_NAME=          # Name of the AWS Secrets Manager secret to store t
 export AGE_PUBLIC_KEY=       # Age public key to encrypt the Ethereum private key at rest
 ./create-and-backup-eth-kms-key.sh
 ```
+
+To copy an Ethereum private key from AWS secret manager in a first AWS account to a second AWS account:
+```
+export SOURCE_SECRET_NAME= # Name of the AWS secret manager secret in the first AWS account
+export DEST_SECRET_NAME=   # Name of the AWS secret manager secret in the second AWS account
+export DEST_REGION=        # Region in the second AWS account where the secret should be stored
+
+# AWS IAM credentials for the second AWS account. These should be tightly scoped and least permissive.
+# The following is all that is required:
+# {
+#    "Version": "2012-10-17",
+#    "Statement": [
+#        {
+#           "Sid": "AllowSecretsManagerWrite",
+#            "Effect": "Allow",
+#            "Action": [
+#                "secretsmanager:CreateSecret",
+#                "secretsmanager:PutSecretValue",
+#                "secretsmanager:TagResource"
+#            ],
+#            "Resource": "*"
+#        }
+#    ]
+# }
+export ENV_AWS_ACCESS_KEY_ID=     
+export ENV_AWS_SECRET_ACCESS_KEY=
+export ENV_AWS_SESSION_TOKEN=
+
+./copy-eth-private-key.sh
+```

scripts/copy-eth-private-key.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+set -e  # Exit on error
+set -u  # Exit on undefined variable
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Configuration
+SOURCE_SECRET_NAME="${SOURCE_SECRET_NAME}"
+DEST_SECRET_NAME="${DEST_SECRET_NAME}"
+DEST_REGION="${DEST_REGION}"
+
+print_status "Copying secret: $SOURCE_SECRET_NAME -> $DEST_SECRET_NAME"
+
+# Step 1: Pull secret from first account
+print_status "Step 1: Pulling secret from source (e.g., current) AWS account..."
+SOURCE_SECRET_VALUE=$(aws secretsmanager get-secret-value \
+    --secret-id "$SOURCE_SECRET_NAME" \
+    --query 'SecretString' \
+    --output text)
+
+if [ -z "$SOURCE_SECRET_VALUE" ]; then
+    print_error "Failed to retrieve source secret"
+    exit 1
+fi
+
+print_status "Secret retrieved successfully"
+
+# Step 2: Switch to second account credentials
+print_status "Step 2: Switching to destination account credentials..."
+
+if [ -z "${ENV_AWS_ACCESS_KEY_ID:-}" ] || [ -z "${ENV_AWS_SECRET_ACCESS_KEY:-}" ]; then
+    print_error "ENV_AWS_ACCESS_KEY_ID and ENV_AWS_SECRET_ACCESS_KEY must be set"
+    exit 1
+fi
+
+export AWS_ACCESS_KEY_ID=$ENV_AWS_ACCESS_KEY_ID
+export AWS_SECRET_ACCESS_KEY=$ENV_AWS_SECRET_ACCESS_KEY
+export AWS_SESSION_TOKEN=${ENV_AWS_SESSION_TOKEN:-}
+
+print_status "Credentials switched"
+
+# Step 3: Create secret in second account
+print_status "Step 3: Creating secret in destination AWS account..."
+
+aws secretsmanager create-secret \
+    --name "$DEST_SECRET_NAME" \
+    --secret-string "$SOURCE_SECRET_VALUE" \
+    --region "$DEST_REGION"
+
+print_status "Secret created successfully in $DEST_REGION"
+print_status "Done!"