Support aws role profile

eth/signer_awskms.go

@@ -5,6 +5,8 @@ import (
 	"encoding/asn1"
 	"encoding/hex"
 	"fmt"
+	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
+	"github.com/aws/aws-sdk-go/aws/ec2metadata"
 	"math/big"
 	"os"
 	"strings"
@@ -41,7 +43,12 @@ func NewKmsSigner(region, keyAlias, awsKey, awsSec string, chainId *big.Int) (*K
 	cfg := &aws.Config{
 		Region: aws.String(region),
 	}
-	if awsKey != "" && awsSec != "" {
+	if awsKey == "profile" {
+		cfg.Credentials = credentials.NewSharedCredentials("", awsSec)
+	} else if awsKey == "iam" {
+		// force use iam role, ignore cre or env
+		cfg.Credentials = ec2rolecreds.NewCredentialsWithClient(ec2metadata.New(session.Must(session.NewSession())))
+	} else if awsKey != "" && awsSec != "" {
 		cfg.Credentials = credentials.NewStaticCredentials(awsKey, awsSec, "")
 	}
 	sess, err := session.NewSession(cfg)
@@ -183,8 +190,10 @@ func padBigInt(i *big.Int) []byte {
 // passphrase will be awsKey:awsSec or if empty, will use aws auto search env variable etc
 // otherwise normal ks json file based signer
 const awskmsPre = "awskms:"
+const awsCreProfilePre = "profile"
 
 // return signer, address
+// if use profile, passphrase should be "profile:default" or "profile:xxx"
 func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.Address, error) {
 	if strings.HasPrefix(ksfile, awskmsPre) {
 		kmskeyinfo := strings.SplitN(ksfile, ":", 3)
@@ -195,7 +204,7 @@ func CreateSigner(ksfile, passphrase string, chainid *big.Int) (Signer, common.A
 		if passphrase != "" {
 			awskeysec = strings.SplitN(passphrase, ":", 2)
 			if len(awskeysec) != 2 {
-				return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected '<awsKey>:<awsSecret>'", passphrase)
+				return nil, common.Address{}, fmt.Errorf("%s has wrong format, expected '<awsKey>:<awsSecret>' or 'profile:<profile-name>'", passphrase)
 			}
 		}
 		kmsSigner, err := NewKmsSigner(kmskeyinfo[1], kmskeyinfo[2], awskeysec[0], awskeysec[1], chainid)