{"id":20419326,"url":"https://github.com/bobjac/quorumakswithkeyvault","last_synced_at":"2026-04-19T01:32:26.389Z","repository":{"id":77499788,"uuid":"223630474","full_name":"bobjac/QuorumAKSWithKeyVault","owner":"bobjac","description":"This repository contains sample code of using Azure Kubernetes Service to host Quorum code.  All Blockchain transactions will be signed using keys stored in Azure Key Vault.  All Kubernetes pods will access Azure Key Vault using Managed Service Identity via AAD Pod Identity.","archived":false,"fork":false,"pushed_at":"2020-07-07T22:06:48.000Z","size":3296,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-05T04:19:20.358Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bobjac.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-23T17:53:40.000Z","updated_at":"2022-06-07T23:49:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"b78fd74f-6f30-44ae-9d7d-b6b3bd2eb608","html_url":"https://github.com/bobjac/QuorumAKSWithKeyVault","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/bobjac/QuorumAKSWithKeyVault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bobjac%2FQuorumAKSWithKeyVault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bobjac%2FQuorumAKSWithKeyVault/tags","releases_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/bobjac%2FQuorumAKSWithKeyVault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bobjac%2FQuorumAKSWithKeyVault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bobjac","download_url":"https://codeload.github.com/bobjac/QuorumAKSWithKeyVault/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bobjac%2FQuorumAKSWithKeyVault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31991633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"ssl_error","status_checked_at":"2026-04-18T20:23:29.375Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T06:36:38.489Z","updated_at":"2026-04-19T01:32:26.370Z","avatar_url":"https://github.com/bobjac.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Introduction \nThis project contains a sample for running Quorum microservices on [Azure Kubernetes Service](https://docs.microsoft.com/en-us/azure/aks/intro-kubernetes).\n\nAll microservice code will be written in dotnet core using the Nethereum.Quorum packages and will communicate with endpoints exposed via the [Azure Blockchain Service](https://azure.microsoft.com/en-ca/services/blockchain-service/).\n\nThis sample is 
not meant for production use, it is a sample.\n\nIt demonstrates the following concepts that are important in Enterprise blockchain deployments:\n1. Private Key being managed by an HSM (Azure Key Vault) with the signing operations being done IN the HSM, and the key not being accessible to the application. This is facilitated through [Nethereum.Signer.AzureKeyVault](https://www.nuget.org/packages/Nethereum.Signer.AzureKeyVault/)\n\n2. Creating and calling smart contracts with Quorum and Nethereum, using the ExternalAccount object with a reference to our private key (or ethereum account) that is held in KeyVault\n\n3. A helper class named \"QuorumTransactionManager\" that handles deployment and calling smart contracts. The class contains methods that do a variety of things asynchronously. The class is meant to be generic in that it works for ANY smart contract, so long as you supply the appropriate parameters.\n\nThis sample is an extension of the project hosted at https://github.com/malirezai/QuorumFunctionWithKeyVault by Mahdi Alirezaie.\n\n## Project references:\n\nThe following nuget packages are referenced: \n\n- [Nethereum.Quorum](https://www.nuget.org/packages/Nethereum.Quorum/)\n- [Nethereum.Accounts](https://www.nuget.org/packages/Nethereum.Accounts/)\n- [Nethereum.Signer.AzureKeyVault](https://www.nuget.org/packages/Nethereum.Signer.AzureKeyVault/)\n- [Polly.NET](https://www.nuget.org/packages/Polly/) for resilient APIs\n\n## Prerequisites\n\nThis readme will not walk you through using Nethereum or setting up an Azure Blockchain service node. 
\n\nFor Nethereum documentation please refer to: https://docs.nethereum.com/en/latest/\n\nFor setting up an Azure Blockchain service node please refer to: https://docs.microsoft.com/en-us/azure/blockchain/service/create-member\n\nFor setting up an AKS cluster with AAD Pod Identity, please refer to https://github.com/Azure/aad-pod-identity.\n\nFor setting up VSCode for use with Solidity, please download the VSCode Solidity Extension.\n\nIt is assumed that the people following this guide have a good understanding of Ethereum concepts (Contracts, functions, signing operations, nonces, submitting transactions via Web3, etc.).\n\n## What You Need to Run this Sample\n\nThis sample comes complete with a local.settings.json file that has a few Environment variables set. We really only need to set up 4 Azure services, and copy a few values to \"local.settings.json\"\n\n1. An Azure Blockchain Service Node - so we have our RPC Endpoint\n2. An Azure Key Vault to store our private Key \n3. A Blob storage account for storing the compiled smart contract's JSON file (that contains the bytecode and ABI)\n4. An AKS cluster with AAD Pod Identity Deployed.\n5. (Optional) A Service Principal for the KeyVault above so we can grab the key when deploying our function locally with an Application ID and associated Secret\n\n# Getting Started\n\n## Creating an Azure Blockchain Service Node \n\nCreate a new Azure Blockchain Service node and make a note of the RPC Endpoint by going to Transaction Nodes -\u003e Click on your Node -\u003e Access Keys. 
Use this value for \"RPC\"\n\n![](img/abs.png)\n\n## Create an Azure Key Vault and a Private Key\n\nCreate an Azure KeyVault and skip the steps pertaining to Access Policies and Virtual Network: \n\n![](img/kv1.png)\n\nClick on Keys, then generate an Elliptic Curve Key using the SECP256K1 Curve:\n\n![](img/kv2.png)\n![](img/kv3.png)\n\nNext, grab the URL of the above Key and paste it into the value for \"KEYVAULT_PRIVATEKEY_URI\" of the QuorumService.yaml file.\n\n## Create a Storage Account to hold our Smart Contract JSON file\n\nCreate a storage account and create a container within \"Blobs\" that has anonymous read access for blobs:\n\n![](img/blob1.png)\n![](img/blob2.png)\n\nUpload the JSON file to the blob container. For an example JSON file generated from a contract compilation (SimpleStorage) please take a look here: https://raw.githubusercontent.com/bobjac/QuorumAKSWithKeyVault/master/abi/SimpleStorage.json.\n\nUpdate the CONTRACT_JSON_BLOB_URL value in the QuorumService.yaml file with the URL of the uploaded smart contract JSON file.\n\n## Create an AKS Cluster with AAD Pod Identity Deployed\n\nAll microservice code will be containerized and deployed to Azure Kubernetes Service. The containers in AKS will need to access the Azure Key Vault that is storing the key that was generated in the step above, and this sample will use Azure Managed Service Identity to ensure that no credentials to the Azure Key Vault are ever given to the developers of the microservices. AAD Pod Identity is a project that enables AKS pods to take on the identity of the Azure Managed Service Identity resource, so administrators can grant the managed service identity access to the Azure Key Vault without requiring the developers to know the credentials of the service principal.\n\nDetails on creating the Azure Kubernetes Service cluster, as well as deploying the necessary AAD Pod Identity Resources, can be found at the AAD Pod Identity Repository at https://github.com/Azure/aad-pod-identity. 
You should pay particular attention to the roles that are required for either the service principal or the managed identity used to run your AKS cluster. The version of the cluster will dictate whether your cluster is running under a service principal or a managed identity. You also need to run some additional commands if the user assigned managed identity that is intended to represent the pods is located in a separate resource group from the one that hosts your AKS virtual machines (MC_* resource group).\n\nYou should also go through the public documentation for building a Docker container, deploying to Azure Container Registry and pushing to AKS.\n\n## Grant the Managed Service Identity Access to the Azure Key Vault\n\nGo back to your KeyVault resource, and click on Access Policies -\u003e Add Access Policy\n\nBecause we only need access to the Key, use \"Select All\" under Key Permissions for simplicity. \n\n**NOTE:** In practice, don't grant \"Select All\"; we really only need the GET, LIST and SIGN operations, so if you'd like to keep it to those three, please do that instead. \n\nUnder \"Select Principal\", search for the name of the managed service identity that was created in the instructions found at https://github.com/Azure/aad-pod-identity. This will allow you to grant access to the Azure Key Vault for the AKS pod.\n\n![](img/kv4.png)\n\nAt this point we're done! Make sure your KeyVault policies are saved. You have now granted the AKS deployment/pod access to your KeyVault Key. \n\nWe can use the URL to the Private Key and AKS will automatically grant access to it behind the scenes. \n\n## Build Quorum Service Docker image\n\nYou will find a docker file located at /src/Bobjac.QuorumService. Build the container image using the standard docker command line tools and deploy to Azure Container Registry.  \n\n## Deploy microservice to AKS\n\nReplace the container image (currently bobjacfoodsafety.azurecr.io/quorumservice:v2) in the QuorumService.yaml file. 
You should also replace all of the environment variables with values that are specific to your deployment, such as your contract blob url, Azure Blockchain Service endpoint, etc.  After modifying the QuorumService.yaml file, deploy it using standard kubernetes techniques.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbobjac%2Fquorumakswithkeyvault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbobjac%2Fquorumakswithkeyvault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbobjac%2Fquorumakswithkeyvault/lists"}