Can't inject my fireblocks keys on the fly to hardhat config

[yagozz]

Hello, I'm trying to set my apiKey and privateKey to hardhat config after I fetch them from a key management system on the fly (after I run some commands with npx hardhat run <script_path>). The problem is, I can't do await calls in the hardhat config script before module.exports statement. Hence, I can't fetch my keys and make the process wait until that happens. I tried several workarounds like immediately invoked function expressions, but even if I can run a logic to fetch keys asynchronously, config is exported way before fetch process ends hence I can't set these fields properly.

Maybe I'm missing a trick that I can handle this with node.js, but I thought this can be achieved if you can let apiKey and privateKey fields to be assigned async functions that return string values for these fields, so that I can assign async functions to these fields which will fetch the keys and return those to config fields. If this sounds weird and you know another way of doing this, I appreciate any suggestion!

[dsahni]

Hi @yagozz , we're looking into options on supporting this..will get back to you.

However, have you already tried using env vars - eg. you could setup a script to fetch the secrets from your KMS asynchronously and assign those as env vars for apikey/privatekey?

[yagozz]

Hello @dsahni, I tried several ways of running an async script / function and fetch the keys and inject them into hardhat config which didn't work, but didn't try to fill them into .env file and read from there. I will try that tomorrow and let you know.

[yagozz]

hi again @dsahni sorry for the delayed message. On Friday I tried to fetch keys and set them to env variables using an async function, but the result is the same. Whenever I run a script using npx hardhat run ... it just doesn't wait for any async call and exports the hardhat config with undefined keys right away. Did you mean creating a shell script that is going to run a separate script to fetch keys, store them on env files, then runs npx hardhat run ... and then remove the keys with another script? If so, is this secure as I will be storing the keys on my local momentarily? I mean, how less secure would this be compared to storing keys in the memory while my script is running?

[orenyomtov]

@yagozz you can write a script in bash, or in javascript/typescript (run by node.js), that fetches the secrets and sets them as environment variables, then executes the hardhat script (npx hardhat run) with them.

That way the secrets are kept in memory and never saved to disk.

[yagozz]

hi @orenyomtov, thanks for the tip, will give it a shot and let you know

[yagozz]

Hi again @orenyomtov, sorry for the delay I wanted to hold on until we sort out issues I had with TAP. Your suggestion does the trick, and I believe we can use it, thanks for the help!

However it comes with its own down sides. One example is I can't run npx hardhat compile when I add new contracts as it is not running in a bash script like you suggested since I need to read fireblocks keys from process.env. When I create bash script for compile task, it runs into out of memory error due to some reason I still couldn't figure out.

This latest issue with compiling is not a huge deal and I'm looking for a solution on this thing, but it would be great to have the functionality to set async functions to fireblocks field in hardhat config that would fetch keys as the main solution

[yagozz]

However it comes with its own down sides. One example is I can't run npx hardhat compile when I add new contracts as it is not running in a bash script like you suggested since I need to read fireblocks keys from process.env. When I create bash script for compile task, it runs into out of memory error due to some reason I still couldn't figure out.

Just found the issue and fixed it, fyi.