flip_api.scripts.generate_trust_internal_service_keys

Generate per-trust internal-service keys used across the trust services.

This is the trust-side analogue of generate_internal_service_key.py (which covers the hub’s fl-server → flip-api boundary). Each trust gets a distinct plaintext key shared by every trust-internal service (trust-api, imaging-api, data-access-api, fl-client) — the receiver does a constant-time compare against its own copy. The hub never sees these keys.

Trust names are read from the TRUST_NAMES env var (a JSON list). The plaintext keys are written as a JSON dict into TRUST_INTERNAL_SERVICE_KEYS in the environment file. trust/Makefile extracts the per-trust value at deploy time via get_json_value, the same way it already handles TRUST_API_KEYS.

Usage:: make generate-trust-internal-service-keys make generate-trust-internal-service-keys ENV_FILE=.env.stag make generate-trust-internal-service-keys FORCE=1

Attributes

REPO_ROOT

Functions

`_parse_trust_names`(→ list[str])	Extract trust names from the TRUST_NAMES env var line.
`main`(→ None)	Generate per-trust internal service keys and update the environment file.

Module Contents

flip_api.scripts.generate_trust_internal_service_keys.REPO_ROOT

flip_api.scripts.generate_trust_internal_service_keys._parse_trust_names(lines: list[str]) → list[str][source]

Extract trust names from the TRUST_NAMES env var line.

Parameters:: lines (list[str]) – Lines of the environment file.
Returns:: List of trust names, e.g. ["Trust_1", "Trust_2"].
Return type:: list[str]

flip_api.scripts.generate_trust_internal_service_keys.main() → None[source]

Generate per-trust internal service keys and update the environment file.

Existing per-trust keys are preserved unless --force is given.

Raises:: SystemExit – If the env file is missing or contains no TRUST_NAMES entry.