Architecture

Setup

Begin by installing uv, then simply run uv sync in the project folder.

HTTP JSON API - Simple secrets manager

Persist state using shelve
Use contextlib.asynccontextmanager to manage the lifespan of the application
Paths include:
- GET /me
- GET /projects/{project_id}/secrets
- POST /projects/{project_id}/secret
Use OpenFGA as policy decision point
Use App as policy enforcement point

Try it out

First, review the the OpenFGA store. Then proceed with spinning up the stack:

In Terminal 1:

docker compose up # spins up and initializes OpenFGA

In Terminal 2:

export FGA_STORE_ID=$(fga store list | jq -r '.stores | sort_by(.created_at) | last | .id') # get the store id
echo $FGA_STORE_ID # print store id
echo OPENFGA_STORE_ID=$FGA_STORE_ID > .env # write .env file
rm app.db # reset database
# Start the app
uv run uvicorn main:app --reload

Now you can start using the application. Review authorization offloading in code (lines 59 and 79).

In Terminal 3:

# Check authentication (nobody vs alice)
curl -s localhost:8000/me | jq
curl -sH 'user: alice' localhost:8000/me | jq

# Create a secret in project 1 (alice)
curl -sX POST localhost:8000/projects/1/secret \
  -H 'user: alice' \
  -H 'Content-Type: application/json' \
  -d '{"name": "secret-ingredient", "value": "coffee"}'

# Create a secret in project 2 (bob)
curl -sX POST localhost:8000/projects/2/secret \
  -H 'user: bob' \
  -H 'Content-Type: application/json' \
  -d '{"name": "secret-ingredient", "value": "tea"}'

# List secrets in project 1 (alice)
curl -sH 'user: alice' localhost:8000/projects/1/secrets | jq

# List secrets in project 2 (alice)
curl -sH 'user: alice' localhost:8000/projects/2/secrets | jq

# Create secret in project 2 (alice)
curl -sX POST localhost:8000/projects/2/secret \
  -H 'user: alice' \
  -H 'Content-Type: application/json' \
  -d '{"name": "secret-ingredient", "value": "coffee"}'

# List secrets in project 1 (bob)
curl -sH 'user: bob' localhost:8000/projects/1/secrets | jq

# List secrets in project 2 (bob)
curl -sH 'user: bob' localhost:8000/projects/2/secrets | jq

Think about applied IAM paradigms

What have we gained by offloading authorization?
What are the costs?
Where to go from here?

Name		Name	Last commit message	Last commit date
Latest commit History 1 Commit
.env.example		.env.example
.gitignore		.gitignore
.python-version		.python-version
README.md		README.md
arch.excalidraw.svg		arch.excalidraw.svg
docker-compose.yaml		docker-compose.yaml
main.py		main.py
pyproject.toml		pyproject.toml
store.fga.yaml		store.fga.yaml
uv.lock		uv.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Architecture

Setup

HTTP JSON API - Simple secrets manager

Try it out

Think about applied IAM paradigms

About

Releases

Packages

Languages

syseleven/iam-demo

Folders and files

Latest commit

History

Repository files navigation

Architecture

Setup

HTTP JSON API - Simple secrets manager

Try it out

Think about applied IAM paradigms

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages