Python
Last updated
Was this helpful?
Last updated
Was this helpful?
Let's connect a python app in one AWS VPC with a python API in another AWS VPC. The example uses AWS CLI to create these VPCs.
Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”
If everything runs as expected, you'll see the message: The example run was successful 🥳
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.
First, the monitoring_corp/run.sh script creates a network to host the database:
Then, the monitoring_corp/run.sh script creates an EC2 instance where the Ockam outlet node will run:
Next, the instance is started and the run_ockam.sh script is executed:
We then create an Ockam node:
Finally, we wait for the instance to be ready and run the python api application:
First, the travel_app_corp/run.sh script creates a network to host the python application:
Then, we create an EC2 instance where the Ockam inlet node will run:
Next, the instance is started and the run_ockam.sh script is executed:
We then create an Ockam node:
Finally, we wait for the instance to be ready and run the python client application:
We connected a python app in one AWS VPC with a python API service in another AWS VPC over an end-to-end encrypted portal.
Travel App Corp. does not get unfettered access to Monitoring Corp.’s network. It only gets access to the API service. Monitoring Corp. does not get unfettered access to Travel App Corp.’s network. It gets access only to respond to requests over a tcp connection. Monitoring Corp. cannot initiate connections.
To delete all AWS resources created by this example:
This example requires Bash, Git, and AWS CLI. Please set up these tools for your operating system. In particular you need to with aws sso login.
The , that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
The calls the which invokes the to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .
The run function then . The tickets are valid for 60 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in Monitoring Corp.’s network. The is meant for the Ockam node that will run in Travel App Corp.’s network.
The run function passes the enrollment tickets as variables of the run scripts provisioning and .
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , and associate it with the route table.
We finally so that there is:
,
And to install python and run the API service.
We .
We above and a start script based on run_ockam.sh where the
created by the administrator and given as a parameter to run.sh.
We and .
The .
The .
With .
A . The policy authorizes identities with a credential containing the attribute monitoring-api-inlet="true".
With capable of forwarding the TCP traffic to the TCP outlet.
The is (this uses the previously created key.pem file to identify).
We can then and:
.
.
.
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , and associate it with the route table.
We finally so that there is:
,
And to download and install the python application.
We .
We above and a start script based on run_ockam.sh where the
created by the administrator and given as a parameter to run.sh.
The .
The .
With .
A . The policy authorizes identities with a credential containing the attribute monitoring-api-outlet="true".
The is (this uses the previously created key.pem file to identify).
We can then and:
.
.
.
Non-public access to private API endpoints are only accessible to enrolled members of the project with the appropriate attributes. The communication channel is and . Keys and credentials are automatically rotated. Access to the API can be easily revoked.
All are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Neither Monitoring Corp. nor Travel App Corp. expose any listening endpoints to the Internet. Their networks are completely closed and protected from any attacks from the Internet.
