Simpler BDRC Db Library and Models
Project description
Rewrite of the package that uses a config file directly for the database connection.
Developer notes
The most significant change is that users no longer need to specify a section of a config file to locate a database connection. The former form, -d | --drsConfig prod:~someone/somewhere/somefile, is no longer needed. Clients now simply specify a section name: -d | --drsConfig prod, for example.
The name of the section is free-form.
Critical information is now given via environment variables:
- BDRC_DB_CONFIG: the path to the database configuration file; ~ notation can be used to designate a user's home directory.
- BDRC_DB_PASSWORD: the password for the database named in the section given by the drsConfig parameter.
Development
pyproject.toml
```shell
# bdist_wheel is a setup.py command, not an argument of python -m build; --wheel alone builds the wheel
python -m build --wheel
```
Deployment
```shell
twine upload --verbose -r testpypi dist/bdrc_db_lib-x.MM.mm-py3-none-any.whl
```
Installation
Implementation
The architecture lends itself to a Docker Secrets + KMS decryption scheme. The interested user can refer to Buda-base/ao-workflows.
Steps (Thanks to Perplexity)
Encrypt password (One-Time, secure workstation)
```shell
# AWS KMS example (use AWS CLI).
# --query CiphertextBlob with --output text already prints base64, so the blob is
# written as-is; piping it through base64 again would double-encode it and the
# runtime decrypt in Step 3 would fail.
# --cli-binary-format raw-in-base64-out lets AWS CLI v2 take the raw string; reading
# it from a file instead (--plaintext fileb://pass.txt) keeps it out of shell history.
aws kms encrypt \
  --key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd \
  --cli-binary-format raw-in-base64-out \
  --plaintext "mypassword123" \
  --output text \
  --query CiphertextBlob > encrypted_db_pass.b64
```
Docker Secret (Encrypted Blob)
Add the encrypted blob into the Docker image. “But wait,” I hear you say, “won’t a hacker have access to the encrypted image?” “Yes, but only until the Docker container is started. The encrypted blob is removed at Docker startup (see Step 3).”
```yaml
# docker-compose.yml
version: '3.8'
services:
  app:
    image: myapp:latest
    secrets:
      - db_password
    environment:
      DB_PASSWORD_FILE: /run/secrets/db_password
secrets:
  db_password:
    file: ./encrypted_db_pass.b64
    external: false # Don't commit
```
Decrypt at Runtime (Entry script)
This decrypts the password blob at runtime and then removes the blob from the container’s file system. The only hacker access would be if they could inspect the running container (or had injected code into some open-source library that grants access to the Docker inspector).
```python
#!/usr/bin/env python3
import base64
import os
import sys

import boto3

kms = boto3.client('kms')
# Path is set by docker-compose (DB_PASSWORD_FILE); fall back to the default mount.
secret_file = os.environ.get('DB_PASSWORD_FILE', '/run/secrets/db_password')
with open(secret_file, 'rb') as fh:
    # Step 1 stored the CiphertextBlob as base64 text, so decode it exactly once.
    encrypted_pass = base64.b64decode(fh.read())
decrypted_pass = kms.decrypt(CiphertextBlob=encrypted_pass)['Plaintext'].decode()
os.environ['DB_PASSWORD'] = decrypted_pass  # inherited by the app started below
os.unlink(secret_file)  # Wipe secret file
# Start app: replace this process with the real entrypoint. The builtin exec()
# would run argv[1] as Python source text, not start a program.
os.execvp(sys.argv[1], sys.argv[1:])
```
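The following is an added example, not code from bdrc_db_lib2, that ties the two pieces above together: the section lookup driven by BDRC_DB_CONFIG and BDRC_DB_PASSWORD from the developer notes, and the decrypt-then-wipe step of Step 3. The KMS call is replaced by an XOR stand-in so it runs offline, the config keys (host, dbname, user) are assumed rather than the library's real schema, and the wipe is reported rather than assumed, since a Swarm secrets mount is read-only.

```python
import base64
import configparser
import os
import tempfile
from pathlib import Path

def read_db_section(section, config_env="BDRC_DB_CONFIG"):
    """Load [section] from the config file named by BDRC_DB_CONFIG ('~' expanded)."""
    cfg_path = os.environ.get(config_env)
    if not cfg_path:
        raise EnvironmentError(f"{config_env} is not set")
    parser = configparser.ConfigParser()
    if not parser.read(Path(cfg_path).expanduser()):
        raise FileNotFoundError(cfg_path)
    if section not in parser:
        raise KeyError(f"no section [{section}] in {cfg_path}")
    return dict(parser[section])

def resolve_db_password(secret_file, decrypt, password_env="BDRC_DB_PASSWORD"):
    """Return (password, wiped). Prefer an already-exported password; otherwise
    base64-decode the KMS blob in secret_file, decrypt it, export it, and try to
    wipe the blob (Swarm secret mounts are read-only, so the wipe may fail)."""
    if os.environ.get(password_env):
        return os.environ[password_env], False
    with open(secret_file, "rb") as fh:          # missing file raises: fail closed
        blob = base64.b64decode(fh.read(), validate=True)
    password = decrypt(blob).decode()
    os.environ[password_env] = password          # inherited by an os.execvp'd app
    try:
        os.unlink(secret_file)
        return password, True
    except OSError:
        return password, False  # encrypted blob stays on disk; the caller should log this

def demo():
    """Constructed walk-through; an XOR stand-in for KMS replaces boto3 (assumption)."""
    fake_kms = lambda data: bytes(b ^ 0x5A for b in data)
    workdir = tempfile.mkdtemp()
    cfg = Path(workdir, "db.ini")
    cfg.write_text("[prod]\nhost = db.example.org\ndbname = drs\nuser = bdrc\n")
    secret = Path(workdir, "db_password")
    secret.write_bytes(base64.b64encode(fake_kms(b"s3cret")))  # as Step 1 writes it
    os.environ["BDRC_DB_CONFIG"] = str(cfg)
    os.environ.pop("BDRC_DB_PASSWORD", None)
    password, wiped = resolve_db_password(str(secret), fake_kms)
    return {"section": read_db_section("prod"), "password": password, "wiped": wiped,
            "blob_gone": not secret.exists(), "exported": os.environ["BDRC_DB_PASSWORD"]}
```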
Changelog
| version | Comments |
|---|---|
| 1.0.10 | Initial |
File details
Details for the file bdrc_db_lib2-2.0.1-py3-none-any.whl.
File metadata
- Download URL: bdrc_db_lib2-2.0.1-py3-none-any.whl
- Upload date:
- Size: 19.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 118557f4ac9451e04c3874c29e6fcea40f75138adbc293073d8644197dec31fb |
| MD5 | 630610fb61569c9e117a29739ec197de |
| BLAKE2b-256 | 1f4d4e91570cbe2323b30e8c4a10033eb5c5b9ab0433c0d82922dd4fd7c77416 |