So the masterAccount parameter has this description within the docs
--masterAccount Account used to create requested account. [string] [required]
I have a few questions here:
1) If I need an account, to create an account, how am I supposed to make the original account?
2) It does not ask for the master account private key to sign the transaction, if the goal is that the master account "pays" for the creation of the specified account, then where do I sign the transaction with my private key? Perhaps I'm not far enough in the process but from the parameters I see no place to specify the publicKey to sign
1) You can create original account in the web wallet for necessary network, e.g. https://wallet.testnet.nearprotocol.com/
2) The private key to sign transaction is taken from a key file for given account. It's inside network's subfolder of ./neardev/ folder currently used for key storage.
For example neardev/shared-test/generate-key-test.json contains key for generate-key-test account on shared-test network.
Related
For developing on localnear, contracts and sub-accounts need to be deployed and created programmatically
The localnear deployment script does output the test.near public and private key, however, this workflow is different than the typical seed-phrase driven workflow, and it's also helpful to login to the wallet and see the root account's current state
Is the seed phrase for the root account (i.e. test.near) documented somewhere?
There is now a static account and details are logged in the Github Readme
It doesn't yet document the seed phrase, but the private key is there
I have an account which was initially created via near-cli.
I then geneated a ledger key:
near generate-key key --useLedgerKey="44'/397'/0'/0'/2'"
And added it to the account:
near add-key <account_id> <the key from the previous step>
I now open the wallet, click "Access your account", "Ledger Recovery", "Sign in with Ledger", "Sign In".
At this stage it asks me to confirm the public key, though doesn't really show which public key I am approving. I approve it on the ledger.
It asks me for the account id, I enter it. It says "user found".
I confirm, and it errors out with "No accounts are associated with this Ledger device. You must first create an account, then add this Ledger to it to login."
How do I get around it? Am I using the wrong path when generating the key?
Currently, the NEAR Wallet only supports the default Ledger path:
"44'/397'/0'/0'/1'"
If you add the public key that corresponds to this HD path to your account, you should be able to login successfully.
near generate-key key --useLedgerKey="44'/397'/0'/0'/1'"
Unfortunately this is not supported yet. Current Ledger support in wallet is limited to use 44'/397'/0'/0'/1' HD key path. This is going to change in later releases.
In the meanwhile if you want to stake your tokens from multiple such accounts you might find this tool useful:
http://multistaker.near.org/
The NEAR wallet now supports the updated flow which allows you to create your account using any ledger path from the CLI (as per your question), fund that account or implicit account (the 64 char nonsense string) with at least 1 NEAR and then add that account to your NEAR wallet. You can't add without funding the account since it takes NEAR to make the add.
To add to the wallet, on the wallet dropdown select "Import Account" and then click "Advanced Options" to bring up the HD path selector. Select the right HD path, plug in the ledger and good to go.
ATM Chrome isn't working with the wallet as per this post but firefox does.
There is currently an open path to import a private key into the NEAR Wallet. To my understanding, the wallet then creates another new keypair on the fly and adds it as a full access keypair, such that the wallet doesn't actually use or store the private key you just sent it after this transaction.
https://wallet.near.org/auto-import-secret-key#YOUR_ACCOUNT_ID/YOUR_PRIVATE_KEY
See also How to import an account into the NEAR wallet using only the private key (no seedphrase)
From the docs:
Accounts can be atomically and securely transferred between parties as a native transaction on the network.
I know the currently support Actions on the network are:
CreateAccount
DeployContract
FunctionCall
Transfer
Stake
AddKey
DeleteKey
DeleteAccount
source: https://nomicon.io/Runtime/Actions.html
I know from NEAR Shell that the DeleteAccount action takes an account to be deleted (the "sender") and a beneficiary account (the "receiver").
Is this what is meant by "atomically and securely transferred between parties"? Applying the DeleteAccount action?
Or am I missing something?
The idea behind the secure transfer is the ability to replace access keys.
Let's say you have an account alice and you want to transfer this account to me.
I give you a public key (without revealing the private key).
You create a transaction and sign it with your current private key. The transaction has 2 actions: remove your key, add my public key.
Now alice account has my public key, so only I have access to it. And you don't have access to alice anymore because it doesn't have your key, and you don't know my private key.
I'm setting up a new Near account, and I want to use its keys to sign a message in an app I'm building. How can I do this?
I used the wallet.nearprotocol.com page to create an account. Then, I used nearlib to connect to the testnet, and verify the account's balance and public keys.
But I couldn't find a way to add the account into the localStorage key store or otherwise access a method to sign a message. Nor could I find a wallet plugin or extension that would provide me access.
Generally the idea is that you never transfer given private key between 2 devices / security contexts.
So normally instead of getting private key out of wallet you just want to generate new key pair and request wallet to add public key.
https://github.com/nearprotocol/nearlib/blob/master/src.ts/wallet-account.ts provides relatively easy way to do it for webapp.
Note that it limits access to a give contract ID, so if you need unrestricted access you basically just need to omit contractId.
See examples at https://near.dev/ for WalletAccount usage.
With Google service accounts, Google generates the public/private key pair associated with the service account and passes that along to the end user who wants to make API calls. And its up to the end user to keep the keys safe. Is it possible to generate a service account and an associated client, but provide a certificate that Google can use to validate the service account client making the request? The problem I'm trying to solve is not to exchange any private keys.
Also is it possible to scope the users a service account has access to? For example if I wanted to create a service account that only has impersonation api access rights on a sub set of users on the Google domain. From what I've read if you create a service account with domain wide delegation, the service account has impersonation api rights for ALL users on the domain.
No, you cannot associate service account and provide a certificate to validate the client request. As stated here a service account's credentials is unique and at least one public or private key pair. To generate service account credentials, go to Google Developers Console. In the Create service account window, type a name for the service account and select Furnish a new private key. Your private/public key pair is generated and download to your machine. It serves as the only copy of this key. You are responsible for storing it securely. For more details about service account credentials in the Developers Console, see Service account in the Developers Console help file.