ECSでのコンテナへの秘匿情報の渡し方 at 第129回 PHP勉強会＠東京 / How to pass confidential information to container in ECS

Transcript

1. ECSͰͷίϯςφ΁ͷ ઃఆ৘ใͷ౉͠ํ 2018/8/29 (Wed) ୈ129ճ PHPษڧձ@౦ژ BASEגࣜձࣾ ౦ޱ࿨ᏻ @Khigashiguchi

2. ࣗݾ঺հ • ౦ޱ ࿨ᏻ @Khigashiguchi • Server Side EngineerʢPHP /

   Goʣ • BASE, Inc / BASE Product Division • Blog: http:// khigashigashi.hatenablog.com/

3. &$4 'BSHBUF Ͱಈ͔͢ίϯςφʹ44.͔ΒΫϨσϯγϟϧ৘ใΛ౉͢
   IUUQLIJHBTIJHBTIJIBUFOBCMPHDPNFOUSZ

4. Chapters Chapter1: ઃఆ৘ใͷѻ͍ํ Chapter2: ECSΛར༻ͨ͠৔߹ͷߏ੒ Chapter3: ࣮ࡍͷखॱ

5. Chapter1: ઃఆ৘ใͷѻ͍ํ

6. Def ઃఆ৘ใ • ೝূ৘ใͳͲ֎ʹ͸ग़ͤͳ͍৘ใ • σʔλϕʔεɺMemcachedɺଞͷόοΫΤϯυ αʔϏεͳͲͷϦιʔε΁ͷϋϯυϧ • Amazon S3΍TwitterͳͲͷ֎෦αʔϏεͷೝূ৘

   ใ • ؀ڥʢprod/stag/devʣ͝ͱʹҟͳΔࣄ͕ ଟ͍

7. Beyond the Twelve-Factor App IUUQTDPOUFOUQJWPUBMJPFCPPLTCFZPOEUIFGBDUPSBQQ

8. Beyond the Twelve-Factor App • Ϋϥ΢υωΠςΟϒΞϓϦέʔγϣϯͷઃܭύλʔϯͷ ϕετϓϥΫςΟεʹ͍ͭͯ • Herokuͷதͷਓ͕2012೥ʹॻ͍ͨʮThe Twelve-Factor

   AppʯͷΞοϓσʔτ • 2016೥ɺPivotal͕ࣾ12ݸͷΨΠυϥΠϯͷΞοϓσʔτ ͱ3ݸͷ৽ͨͳΨΠυϥΠϯΛ௥Ճ

9. Beyond the Twelve-Factor App: ͪ͜ΒͷεϥΠυ͕Θ͔Γ΍͍͢ IUUQTTQFBLFSEFDLDPNUBZBTVCFZPOEUIFUXFMWFGBDUPSBQQ

10. Beyond The Twelve Factor App: Ⅲ.CONFIGURATION, CREDENTIALS, AND CODE IUUQTTQFBLFSEFDLDPNUBZBTVCFZPOEUIFUXFMWFGBDUPSBQQ

    TMJEF

11. ઃఆ৘ใͷѻ͍ํ • ઃఆ΍ೝূ৘ใ͸ίʔυ͔Β෼཭͢΂͖ • ؀ڥ͝ͱʹઃఆΛάϧʔϐϯά͢΂͖Ͱ͸ͳ͍ • ؀ڥ͸ແݶʹ૿͍͑ͯ͘ • dev, stag,

    prod, ci, qa …etc • ઃఆΛ෼཭͢ΔҰ൪ͷํ๏͸؀ڥม਺΁ͷ֨ ೲ • ίʔυमਖ਼ແ͠ͰσϓϩΠ͝ͱʹมߋՄೳ • ݴޠ΍OSʹґଘ͠ͳ͍

12. –Beyond the Twelve-Factor App “Treat Your Apps Like Open Source”

13. ઃఆ৘ใͷѻ͍ํ • ઃఆͱίʔυ͕෼཭Ͱ͖͍ͯΔ͔ͷ֬ೝ͸ɺ ࠓ͙͢ʹͰ΋ίʔυΛΦʔϓϯιʔεԽͰ ͖Δ͔Ͳ͏͔ͰΘ͔Δ

14. –Beyond the Twelve-Factor App “Depending on your cloud provider, you

    may be able to use its facility for managing backing services or bound services to expose structured environment variables containing service credentials and URLs to your application in a secure manner.”

15. ઃఆ৘ใͷѻ͍ํ • Ϋϥ΢υϕϯμʔʹΑͬͯ͸ɺൿಗ৘ใͱ URLΛؚΉߏ଄Խ͞Εͨ؀ڥม਺ΛɺΞϓ Ϧέʔγϣϯʹ҆શʹ౉ͨ͢ΊͷαʔϏε Λར༻͢Δ͜ͱ͕Ͱ͖Δ͔΋͠Εͳ͍ɻ

16. Chapter1 Ending • ઃఆͱίʔυΛ෼཭͢Δ • ෼཭͢ΔͨΊͷํ๏ͱͯ͠؀ڥม਺΁֨ೲ ͢Δ • ؀ڥม਺΁֨ೲ͢Δઃఆ৘ใ͸ɺߏ଄తʹ ؅ཧͰ͖ΔΫϥ΢υαʔϏεΛར༻͢Δ

17. Chapter2: ECSΛར༻ͨ͠৔߹ͷߏ੒

18. େ·͔ͳߏ੒ਤ

19. ओͳొ৔ਓ෺ ུޠ ਖ਼໊ࣜশ ֓ཁ ECS Amazon Elastic Container Service Docker

    ίϯςφΛαϙʔτ͢Δ֦ுੑͱύϑΥʔϚϯεʹ༏Ε ͨίϯςφΦʔέετϨʔγϣϯαʔϏε ECR Amazon Elastic Container Registry ׬શϚωʔδυܕͷ Docker ίϯςφϨδετϦ Fargate AWS Fargate ECS/EKS಺ͷςΫϊϩδʔɺαʔόʔ΍ΫϥελʔΛ؅ཧ͢Δ ͜ͱͳ͘ίϯςφΛ࣮ߦͰ͖ΔΑ͏ʹͳΔ IAM AWS Identity and AccessManagemen t AWS Ϧιʔε΁ͷΞΫηεΛ҆શʹ੍ޚ͢ΔͨΊͷ΢Σϒαʔ Ϗε Paramete r Store AWS Systems Manager Paramter Store ઃఆσʔλ؅ཧͱػີ؅ཧͷͨΊͷ҆શͳ֊૚ܕετϨʔδ KMS AWS Key Management Service σʔλͷ҉߸Խʹ࢖༻͢ΔΩʔͷ༰қͳ࡞੒͓Αͼ؅ཧ ALB Application Load Balancer L4/L7Ͱػೳ͢Δϩʔυόϥϯαʔ

20. େ·͔ͳߏ੒ਤ ECS: Amazon Elastic Container Service ίϯςφԽ͞ΕͨΞϓϦέʔγϣϯΛ AWS Ͱ؆୯ʹ࣮ߦ͓Α ͼεέʔϧͰ͖Δ

21. େ·͔ͳߏ੒ਤ ECR:Amazon Elastic Container Registry ׬શϚωʔδυܕͷ Docker ίϯςφϨδετϦɻ Docker ίϯςφΠϝʔδΛ؆୯ʹอଘɺ؅ཧɺσϓϩΠͰ͖Δɻ

22. େ·͔ͳߏ੒ਤ Parameter Store: AWS Systems Manager Paramter Store ઃఆσʔλ؅ཧͱػີ؅ཧͷͨΊͷ҆શͳ֊૚ܕετϨʔδ

23. େ·͔ͳߏ੒ਤ KMS: AWS Key Management Service σʔλͷ҉߸Խʹ࢖༻͢ΔΩʔͷ༰қͳ࡞੒͓Αͼ؅ཧ

24. Chapter2 Ending • ECS(Fargate)Λ༻͍Δ • ؀ڥม਺΁֨ೲ͢Δઃఆ৘ใͷ؅ཧΛɺ Parameter StoreΛ༻͍ͯߦ͏ • ҉߸Խ͕ඞཁͳύϥϝʔλʹ͍ͭͯ͸ɺ

    KMSΛར༻͢Δ

25. Chapter3: ࣮ࡍͷखॱ

26. Chapter3: ࣮ࡍͷखॱ Step1: KMSͰ҉߸ԽΩʔͷ࡞੒ Step2: Parameterͷొ࿥ Step3: IAMϩʔϧͷ࡞੒ Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ

    Step5: ECSͷλεΫఆٛ

27. Step1: KMSͰ҉߸ԽΩʔͷ࡞੒ ൿಗ৘ใΛ҉߸Խͯ͠อଘ͢ΔͨΊͷɺ ΩʔΛ࡞੒͢Δ

28. Step1: KMSͰ҉߸ԽΩʔͷ࡞੒ $ aws kms create-key --description go-ecs-sample --region ap-

    northeast-1 KEYMETADATA < AWSAccountId > arn:aws:kms:ap-northeast-1:< AWSAccountId >:key/< KeyId > go-ecs-sample True < KeyId > CUSTOMER Enabled ENCRYPT_DECRYPT AWS_KMS ҉߸ԽͷKeyId͕ฦͬͯ͘Δ

29. Step2: Parameterͷొ࿥ Parameter Storeʹൿಗ৘ใΛอଘ͢Δɻ

30. Step2: Parameterͷొ࿥ $ aws ssm put-parameter --name /goecssample/database/sample/ master/user --type

    "String" --value "user" --description "σʔλϕʔ εͷmasterϢʔβʔ໊" --region ap-northeast-1 $ aws ssm put-parameter --name /goecssample/database/sample/ master/password --type "SecureString" --value "password" --key-id "< KeyId >" --description "σʔλϕʔεͷmasterϢʔβʔύεϫʔυ" -- region ap-northeast-1 /stage1/stage2/stage3/param ͷܗͰ֊૚Λදݱ͢Δ

31. Step2: Parameterͷొ࿥ $ aws ssm put-parameter --name /goecssample/database/sample/ master/user --type

    "String" --value "user" --description "σʔλϕʔ εͷmasterϢʔβʔ໊" --region ap-northeast-1 $ aws ssm put-parameter --name /goecssample/database/sample/ master/password --type "SecureString" --value "password" --key-id "< KeyId >" --description "σʔλϕʔεͷmasterϢʔβʔύεϫʔυ" -- region ap-northeast-1 type “SecureString”Ͱ҉߸Խର৅ͱͳΔɻ ͦͷ৔߹ɺ—key-idʹKMSͰ࡞੒ͨ͠KeyIdΛࢦఆɻ

32. Step3: IAMϩʔϧͷ࡞੒ Parameter Storeʹ͔ΒύϥϝʔλΛऔಘ͢ΔͨΊͷɺ IAM RoleΛ࡞੒͢Δ

33. Step3: IAMϩʔϧͷ࡞੒ɿIAMϩʔϧ࡞੒ $ vi ecs-tasks-trust-policy.json { "Version": "2012-10-17", "Statement": [

    { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } $ aws iam create-role --role-name go-ecs-sample --assume-role- policy-document file://ecs-tasks-trust-policy.json ECSλεΫϩʔϧ༻ͷIAMϩʔϧΛ࡞੒

34. Step3: IAMϩʔϧͷ࡞੒ɿIAMϙϦγʔ࡞੒ $ vi ecs-tasks-trust-policy.json { "Version": "2012-10-17", "Statement": [

    { "Effect": "Allow", "Action": [ "ssm:DescribeParameters" ], "Resource": "*" }, { "Sid": "Stmt1482841904000", "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:ap-northeast-1:< AWSAccountId >:parameter/goecssample/*" ] }, { "Sid": "Stmt1482841948000", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:ap-northeast-1:< AWSAccountId >:key/< KeyId >" ] } ] } $ aws iam create-policy --policy-name go-ecs-sample --policy-document file://go-ecs-secret-access.json શମ૾

35. Step3: IAMϩʔϧͷ࡞੒ɿIAMϙϦγʔ࡞੒ $ vi ecs-tasks-trust-policy.json { "Version": "2012-10-17", … {

    "Sid": "Stmt1482841904000", "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:ap-northeast-1:< AWSAccountId >:parameter/goecssample/*" ] }, { "Sid": "Stmt1482841948000", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:ap-northeast-1:< AWSAccountId >:key/< KeyId >" ] } ] } Parameter Storeͷࢦఆ֊૚ҎԼͷύϥ ϝʔλΛऔಘͰ͖Δ

36. Step3: IAMϩʔϧͷ࡞੒ɿIAMϙϦγʔ࡞੒ $ vi ecs-tasks-trust-policy.json { "Version": "2012-10-17", … {

    "Sid": "Stmt1482841904000", "Effect": "Allow", "Action": [ "ssm:GetParameters" ], "Resource": [ "arn:aws:ssm:ap-northeast-1:< AWSAccountId >:parameter/goecssample/*" ] }, { "Sid": "Stmt1482841948000", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": [ "arn:aws:kms:ap-northeast-1:< AWSAccountId >:key/< KeyId >" ] } ] } KMSͷࢦఆΩʔͰͷෳ߹Խ͕Ͱ͖Δ

37. Step3: IAMϩʔϧͷ࡞੒ɿΞλον $ aws iam attach-role-policy --role-name go-ecs-sample --policy- arn

    "arn:aws:iam::< AWSAccountId >policy/go-ecs-sample" ࡞੒ͨ͠IAMϙϦγʔΛIAMϩʔϧʹΞλον

38. Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ Docker ContainerΠϝʔδΛ࡞੒ͯ͠ECRʹอଘ

39. Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ // NewConfig return configuration struct. func NewConfig() (Config,

    error) { var conf Config port, err := strconv.Atoi(os.Getenv("DB_PORT")) if err != nil { return conf, err } dbConf := DBConfig{ User: os.Getenv("DB_USER"), Password: os.Getenv("DB_PASSWORD"), Host: os.Getenv("DB_HOST"), Port: port, Name: os.Getenv("DB_NAME"), } conf.DB = dbConf return conf, nil } ؀ڥม਺͔Βઃఆ৘ใΛऔಘ͢ΔΞϓϦέʔγϣϯΛ࡞੒ Application IUUQTHJUIVCDPN,IJHBTIJHVDIJHPFDTFYBNQMFCMPCNBTUFSDPOpHDPOpHHP

40. Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ #!/usr/bin/env bash set -e PARAMETER_STORE_PREFIX=${PARAMETER_STORE_PREFIX:-} if [ -n

    "$PARAMETER_STORE_PREFIX" ]; then export DB_USER=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/user --query "Parameters[0].Value" --region ap-northeast-1 --output text) export DB_PASSWORD=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/password --with- decryption --query "Parameters[0].Value" --region ap-northeast-1 --output text) fi exec "$@" ಛఆͷ؀ڥม਺͕ઃఆ͞Ε͍ͯΔ৔߹ͷΈɺ Parameter StoreʹΞΫηε͢Δ docker-entrypoint.sh IUUQTHJUIVCDPN,IJHBTIJHVDIJHPFDTFYBNQMFCMPCNBTUFSEPDLFSFOUSZQPJOUTI

41. Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ #!/usr/bin/env bash set -e PARAMETER_STORE_PREFIX=${PARAMETER_STORE_PREFIX:-} if [ -n

    "$PARAMETER_STORE_PREFIX" ]; then export DB_USER=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/user --query "Parameters[0].Value" --region ap-northeast-1 --output text) export DB_PASSWORD=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/password --with- decryption --query "Parameters[0].Value" --region ap-northeast-1 --output text) fi exec "$@" $ aws ssm get-parametersͰऔಘͨ͠஋Λɺ ؀ڥม਺ʹઃఆ docker-entrypoint.sh IUUQTHJUIVCDPN,IJHBTIJHVDIJHPFDTFYBNQMFCMPCNBTUFSEPDLFSFOUSZQPJOUTI

42. Step4: ContainerΠϝʔδͷ࡞੒ɾϓογϡ #!/usr/bin/env bash set -e PARAMETER_STORE_PREFIX=${PARAMETER_STORE_PREFIX:-} if [ -n

    "$PARAMETER_STORE_PREFIX" ]; then export DB_USER=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/user --query "Parameters[0].Value" --region ap-northeast-1 --output text) export DB_PASSWORD=$(aws ssm get-parameters --name /$ {PARAMETER_STORE_PREFIX}/database/sample/master/password --with- decryption --query "Parameters[0].Value" --region ap-northeast-1 --output text) fi exec "$@" ෳ߹Խ͢Δύϥϝʔλ͸ɺ —with-decryption ΦϓγϣϯΛࢦఆ docker-entrypoint.sh IUUQTHJUIVCDPN,IJHBTIJHVDIJHPFDTFYBNQMFCMPCNBTUFSEPDLFSFOUSZQPJOUTI

43. Step5: ECSͷλεΫఆٛ ɹECSλεΫΛఆٛ͢Δ

44. Step5: ECSλεΫఆٛ ࡞੒ͨ͠IAMϩʔϧΛλεΫϩʔϧʹઃఆ

45. ؀ڥม਺ʹɺdocker-entrypoint.shͰࢦఆͨ͠Ωʔɾ஋Λ ొ࿥
    Step5: ECSλεΫఆٛ

46. λεΫ͕࣮ߦ͞Εɺਖ਼ৗʹಈ͍͍ͯΕ͹OK Chapter3: Ending

47. ·ͱΊ

48. ·ͱΊ • ઃఆͱίʔυΛ෼཭͢ΔͨΊʹ؀ڥม਺΁ͷ ֨ೲΛߦͬͨ • ઃఆ৘ใͷ؅ཧɾऔಘʹɺParameter StoreΛ ༻͍ͨ • ECS(Fargate)͔ΒParameter

    StoreɾKMSΛ࢖ ༻͢Δํ๏Λݟ͍ͯͬͨ

49. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·͠ ͨɻ BASEձࣾ ౦ޱ࿨ᏻ @Khigashiguchi