Develop your app
One of the advantages of using
mse to protect your application and your data in the cloud, is that you don’t need to adapt your own Python application. Indeed, you just need to pick your original code, design a standard Flask application without specific intructions, write a configuration TOML file and run the
In this section, we will list good practices or various considerations you need to know before developing or deploying your application inside an
Using a third-party service with secrets¶
Before sending the Python code of your microservice, each file is encrypted but:
This code is supposed to be sharable, as your convenience, to any users in order to check the trustworthiness of your app. As a matter of fact, do not write any secret into your code. For example: passwords or keys to connect to a third-party service like a remote storage or a database.
For the same reason, do not store your SSL secret key or the configuration TOML file in the code directory.
If you need such secrets to run your code, you can write a
secrets.json file and specify this file into the
code.secrets field in the TOML configuration file. Please see the example below. This file will be sent to the enclave after the latter has been verified during the app deployment. Your application will then be able to read it to retrieve the secrets it needs.
Example of configuation file:
name="helloworld" project="default" resource="free" [code] location="./code" python_application="app:app" healthcheck_endpoint="/whoami" docker="ghcr.io/cosmian/mse-flask:20230124182826" secrets="./secrets.json" [ssl] domain_name="example.com" certificate="./cert.secret.pem" private_key="./key.secret.pem"
As you can see, the code directory (defined in
code.location field) does not contain the SSL private key (defined in
ssl.private_key field) nor the secrets file (defined in
Note that the configuration file does not contain any secrets values and can easily be commited into a code repository.
Example of a secret file:
Which is used by this application code example:
import os import json from http import HTTPStatus from pathlib import Path from datetime import datetime from flask import Flask, Response app = Flask(__name__) WORKFILE: Path = Path(os.getenv("HOME")) / "date.txt" @app.route('/whoami') def whoami(): """A simple example manipulating secrets.""" secrets = json.loads(Path(os.getenv("SECRETS_PATH")).read_text()) return secrets["login"] @app.post('/') def write_date(): """A simple example of file writting.""" WORKFILE.write_text(str(datetime.now())) return Response(status=HTTPStatus.OK) @app.route('/') def read_date(): """A simple example of file reading.""" if not WORKFILE.exists(): return Response(response="You should write before read", status=HTTPStatus.NOT_FOUND) txt = WORKFILE.read_text() WORKFILE.unlink() return txt
You application owns a dedicated storage up to 10GB. The useful directories are the followings:
|Env||Path||Encrypted (1)||Persistent (2)||Comments|
||✅||❌||Could be used by third-party libraries (your application dependencies) to store caches or configuration files|
||✅||❌||The application secrets file you have sent as described in the previous section|
||✅||❌||A temporary folder|
||✅||❌||Containing the decrypted application code|
(1) Only the enclave containing this version of your code can decrypt this directory. Another enclave or even another version of your application won’t be able to read it
(2) The data will be removed when the application is stopped
Please find below limitations that you need to consider to be able to run your application in MSE:
- Do not fork processes
- Do not run subprocess (command execution)
Trying to use these system functionalities will make the app crash.