updated roles/permission doc (#115)

farhanW3 · web-flow · commit 449fe9657c7e · 2023-09-12T10:57:30.000-07:00
diff --git a/.github/aws_kms_how_to.md b/.github/aws_kms_how_to.md
@@ -4,6 +4,17 @@ Web3-API supports AWS KMS for signing & sending transactions over any EVM chain.
 
 1. Create IAM user with programmatic access, see [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console) for more details.
 2. Add create, get, read permission to KMS, see [here](https://docs.aws.amazon.com/kms/latest/developerguide/control-access.html) for more details.
+
+```
+Minimum Permissions Required:
+---------------------------
+kms:CreateKey
+kms:GetPublicKey
+kms:Sign
+kms:CreateAlias
+kms:Verify
+```
+
 3. Create a AWS KMS key, see [here](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) for more details. or, you can use the `/wallet/create` to create a key.
 
 NOTE:
@@ -27,7 +38,4 @@ Create a `.env` file in the root directory of the project and add the below deta
 AWS_ACCESS_KEY_ID=<aws_access_key_id>
 AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
 AWS_REGION=<aws_region>
-
-# Required for AWS KMS Admin Wallet
-AWS_KMS_KEY_ID=<kms_key_id>
 ```
diff --git a/.github/google_kms_how_to.md b/.github/google_kms_how_to.md
@@ -3,15 +3,19 @@ Web3-API supports Google KMS for signing & sending transactions over any EVM cha
 ### Steps to set up Google KMS
 
 1. Enable Google KMS API for your Google project, see [here](https://cloud.google.com/kms/docs/create-encryption-keys#before-you-begin) for more details.
-2. Create a Service Account (here)[https://cloud.google.com/iam/docs/service-accounts-create] and create a key under this service account and download the JSON file. This JSON file details will be used to authenticate with Google KMS.
-3. Add the below permissions to the service account created in step 2.
+2. Create a Service Account (here)[https://cloud.google.com/iam/docs/service-accounts-create]
+3. Go to IAM & Admin -> IAM. Select the service account created in step 2 and click `Edit Principal` to add the below roles.
 
 ```
+Minimum Roles:
+
 Cloud KMS Admin
 Cloud KMS CryptoKey Signer/Verifier
 ```
 
-4. Create a keyring in Google KMS, see [here](https://cloud.google.com/kms/docs/create-key-ring) for more details.
+4. Click on the created Service-Account and go to `Keys` tab.
+5. Click `Add Key` -> Create new Key -> select `JSON` & download the JSON file. This JSON file details will be used to authenticate google auth while using Google Cloud KMS.
+6. Create a keyring in Google KMS, see [here](https://cloud.google.com/kms/docs/create-key-ring) for more details.
 
 Optional: Create a key in the keyring, see [here](https://cloud.google.com/kms/docs/create-key) for more details. or, you can use the `/wallet/create` to create a key in the keyring.
 
@@ -24,9 +28,8 @@ Create a `.env` file in the root directory of the project and add the below deta
 GOOGLE_APPLICATION_CREDENTIAL_EMAIL=<client_email_from_download_service_account_json>
 GOOGLE_APPLICATION_CREDENTIAL_PRIVATE_KEY=<private_key_from_download_service_account_json>
 
-# Required for Google KMS
+# Required for Google Cloud KMS
 GOOGLE_APPLICATION_PROJECT_ID=<google_project_id>
 GOOGLE_KMS_KEY_RING_ID=<key_ring_id>
 GOOGLE_KMS_LOCATION_ID=<location_of_key_ring>
-GOOGLE_KMS_CRYPTO_KEY_ID=<kms_key_id> # If created on Google Console
 ```
