Enhance AWS KMS integration and error handling

- Updated AWS KMS credential extraction to use a more consistent header naming convention.
- Improved error handling for retryable RPC errors in the EoaExecutorWorkerError, allowing for better job management.
- Refactored AWS KMS credential validation to ensure proper extraction of key IDs and regions from ARNs.

These changes aim to streamline AWS KMS operations and enhance the robustness of error handling in the executor worker.

Author: d4mr

core/src/credentials.rs

@@ -1,6 +1,6 @@
 use alloy::primitives::ChainId;
 use alloy_signer_aws::AwsSigner;
-use aws_config::BehaviorVersion;
+use aws_config::{BehaviorVersion, Region};
 use aws_credential_types::provider::future::ProvideCredentials as ProvideCredentialsFuture;
 use aws_sdk_kms::config::{Credentials, ProvideCredentials};
 use serde::{Deserialize, Serialize};
@@ -48,6 +48,7 @@ impl AwsKmsCredential {
     pub async fn get_signer(&self, chain_id: Option<ChainId>) -> Result<AwsSigner, EngineError> {
         let config = aws_config::defaults(BehaviorVersion::latest())
             .credentials_provider(self.clone())
+            .region(Region::new(self.region.clone()))
             .load()
             .await;
         let client = aws_sdk_kms::Client::new(&config);

executors/src/eoa/worker/error.rs

@@ -94,6 +94,17 @@ impl EoaExecutorWorkerError {
                 inner_error: TransactionStoreError::LockLost { .. },
                 ..
             } => JobError::Fail(self),
+            EoaExecutorWorkerError::RpcError { .. } => {
+                if is_retryable_preparation_error(&self) {
+                    JobError::Nack {
+                        error: self,
+                        delay: Some(Duration::from_secs(10)),
+                        position: RequeuePosition::Last,
+                    }
+                } else {
+                    JobError::Fail(self)
+                }
+            }
             _ => JobError::Nack {
                 error: self,
                 delay: Some(Duration::from_secs(10)),
@@ -219,6 +230,11 @@ pub fn is_retryable_rpc_error(kind: &RpcErrorKind) -> bool {
     match kind {
         RpcErrorKind::TransportHttpError { status, .. } if *status >= 400 && *status < 500 => false,
         RpcErrorKind::UnsupportedFeature { .. } => false,
+        RpcErrorKind::ErrorResp(resp) => {
+            let message = resp.message.to_lowercase();
+            // if the error message contains "invalid chain", it's not retryable
+            !message.contains("invalid chain")
+        }
         _ => true,
     }
 }

server/src/http/extractors.rs

@@ -22,7 +22,7 @@ const HEADER_THIRDWEB_SERVICE_KEY: &str = "x-thirdweb-service-key";
 const HEADER_WALLET_ACCESS_TOKEN: &str = "x-wallet-access-token";
 const HEADER_VAULT_ACCESS_TOKEN: &str = "x-vault-access-token";
 const HEADER_AWS_KMS_ARN: &str = "x-aws-kms-arn";
-const HEADER_AWS_KMS_ACCESS_KEY_ID: &str = "x-aws-kms-access-key-id";
+const HEADER_AWS_ACCESS_KEY_ID: &str = "x-aws-access-key-id";
 const HEADER_AWS_SECRET_ACCESS_KEY: &str = "x-aws-secret-access-key";
 
 /// Extractor for RPC credentials from headers
@@ -147,7 +147,7 @@ impl SigningCredentialsExtractor {
     /// Try to extract AWS KMS credentials from headers
     fn try_extract_aws_kms(parts: &Parts) -> Result<Option<AwsKmsCredential>, ApiEngineError> {
         let arn = Self::get_header_value(parts, HEADER_AWS_KMS_ARN);
-        let access_key_id = Self::get_header_value(parts, HEADER_AWS_KMS_ACCESS_KEY_ID);
+        let access_key_id = Self::get_header_value(parts, HEADER_AWS_ACCESS_KEY_ID);
         let secret_access_key = Self::get_header_value(parts, HEADER_AWS_SECRET_ACCESS_KEY);
 
         match (arn, access_key_id, secret_access_key) {
@@ -180,12 +180,19 @@ impl SigningCredentialsExtractor {
         }
 
         // Extract and validate key ID
-        let key_id = parsed_arn.resource.to_string();
-        if key_id.is_empty() {
-            return Err(ApiEngineError(EngineError::ValidationError {
-                message: "KMS ARN must contain a valid key ID in the resource part".to_string(),
-            }));
-        }
+        let key_id = parsed_arn
+            .resource
+            .path_split()
+            .last()
+            .map(|id| {
+                dbg!(&id);
+                id.to_string()
+            })
+            .ok_or_else(|| {
+                ApiEngineError(EngineError::ValidationError {
+                    message: "KMS ARN must contain a valid key ID in the resource part".to_string(),
+                })
+            })?;
 
         // Extract and validate region
         let region = parsed_arn.region.ok_or_else(|| {
@@ -194,6 +201,8 @@ impl SigningCredentialsExtractor {
             })
         })?;
 
+        dbg!(&region);
+
         Ok((key_id, region.to_string()))
     }