
Kazuki Higashiguchi
August 29, 2018

How to pass confidential information to containers in ECS, at the 129th PHP勉強会@東京 (PHP study meeting, Tokyo)

These are the slides I presented at the 129th PHP勉強会@東京 on the theme "How to pass confidential information to containers in ECS".

The details are also written up in the blog post below.
http://khigashigashi.hatenablog.com/entry/2018/08/28/214417


Transcript

  1. Self-introduction
     • Kazuki Higashiguchi @Khigashiguchi
     • Server Side Engineer (PHP / Go)
     • BASE, Inc / BASE Product Division
     • Blog: http://khigashigashi.hatenablog.com/
  2. Beyond the Twelve-Factor App
     • Best practices for the design patterns of cloud-native applications
     • An update of "The Twelve-Factor App", which people inside Heroku wrote in 2012
     • In 2016, Pivotal updated the 12 guidelines and added 3 new ones
  3. How to handle configuration
     • Configuration and credentials should be separated from the code
     • Configuration should not be grouped per environment
       • Environments keep multiplying: dev, stag, prod, ci, qa ...etc
     • The best way to separate configuration is to store it in environment variables
       • It can be changed per deploy without touching the code
       • It does not depend on the language or the OS
  4. – Beyond the Twelve-Factor App: "Depending on your cloud provider, you may be able to use its facility for managing backing services or bound services to expose structured environment variables containing service credentials and URLs to your application in a secure manner."
  5. Main actors
     Abbreviation    | Full name                              | Overview
     ECS             | Amazon Elastic Container Service       | Highly scalable, high-performance container orchestration service that supports Docker containers
     ECR             | Amazon Elastic Container Registry      | Fully managed Docker container registry
     Fargate         | AWS Fargate                            | Technology within ECS/EKS that lets you run containers without managing servers or clusters
     IAM             | AWS Identity and Access Management     | Web service for securely controlling access to AWS resources
     Parameter Store | AWS Systems Manager Parameter Store    | Secure, hierarchical storage for configuration data management and secrets management
     KMS             | AWS Key Management Service             | Easy creation and management of the keys used to encrypt data
     ALB             | Application Load Balancer              | Load balancer that operates at L4/L7
  6. Step 1: Create an encryption key in KMS
       $ aws kms create-key --description go-ecs-sample --region ap-northeast-1
       KEYMETADATA  <AWSAccountId>  arn:aws:kms:ap-northeast-1:<AWSAccountId>:key/<KeyId>  go-ecs-sample  True  <KeyId>  CUSTOMER  Enabled  ENCRYPT_DECRYPT  AWS_KMS
     The KeyId of the encryption key is returned.
  7. Step 2: Register the parameters
       $ aws ssm put-parameter --name /goecssample/database/sample/master/user \
           --type "String" --value "user" \
           --description "データベースのmasterユーザー名" --region ap-northeast-1
       $ aws ssm put-parameter --name /goecssample/database/sample/master/password \
           --type "SecureString" --value "password" --key-id "<KeyId>" \
           --description "データベースのmasterユーザーパスワード" --region ap-northeast-1
     The hierarchy is expressed in the form /stage1/stage2/stage3/param.
  8. Step 2: Register the parameters (same commands as slide 7)
     A parameter of type "SecureString" is the one that gets encrypted. In that case, pass the KeyId created in KMS with --key-id.
  9. Step 3: Create the IAM role: creating the IAM role
       $ vi ecs-tasks-trust-policy.json
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Sid": "",
             "Effect": "Allow",
             "Principal": { "Service": "ecs-tasks.amazonaws.com" },
             "Action": "sts:AssumeRole"
           }
         ]
       }
       $ aws iam create-role --role-name go-ecs-sample \
           --assume-role-policy-document file://ecs-tasks-trust-policy.json
     Creates the IAM role that will be used as the ECS task role.
  10. Step 3: Create the IAM role: creating the IAM policy
       $ vi go-ecs-secret-access.json
       {
         "Version": "2012-10-17",
         "Statement": [
           {
             "Effect": "Allow",
             "Action": [ "ssm:DescribeParameters" ],
             "Resource": "*"
           },
           {
             "Sid": "Stmt1482841904000",
             "Effect": "Allow",
             "Action": [ "ssm:GetParameters" ],
             "Resource": [ "arn:aws:ssm:ap-northeast-1:<AWSAccountId>:parameter/goecssample/*" ]
           },
           {
             "Sid": "Stmt1482841948000",
             "Effect": "Allow",
             "Action": [ "kms:Decrypt" ],
             "Resource": [ "arn:aws:kms:ap-northeast-1:<AWSAccountId>:key/<KeyId>" ]
           }
         ]
       }
       $ aws iam create-policy --policy-name go-ecs-sample \
           --policy-document file://go-ecs-secret-access.json
     The whole picture.
  11. Step 3: Create the IAM role: creating the IAM policy (same policy as slide 10)
     The ssm:GetParameters statement allows fetching only the parameters below the specified Parameter Store hierarchy (/goecssample/).
  12. Step 3: Create the IAM role: creating the IAM policy (same policy as slide 10)
     The kms:Decrypt statement allows decryption only with the specified KMS key.
  13. Step 3: Create the IAM role: attach
       $ aws iam attach-role-policy --role-name go-ecs-sample \
           --policy-arn "arn:aws:iam::<AWSAccountId>:policy/go-ecs-sample"
     Attaches the created IAM policy to the IAM role.
  14. Step 4: Build and push the container image
     Application: https://github.com/Khigashiguchi/go-ecs-example/blob/master/config/config.go
       package config

       import (
           "os"
           "strconv"
       )

       // Config holds the application configuration
       // (type definitions reconstructed from the fields used in NewConfig).
       type Config struct {
           DB DBConfig
       }

       // DBConfig holds the database connection settings.
       type DBConfig struct {
           User     string
           Password string
           Host     string
           Port     int
           Name     string
       }

       // NewConfig returns the configuration struct, read from environment variables.
       func NewConfig() (Config, error) {
           var conf Config
           port, err := strconv.Atoi(os.Getenv("DB_PORT"))
           if err != nil {
               return conf, err
           }
           dbConf := DBConfig{
               User:     os.Getenv("DB_USER"),
               Password: os.Getenv("DB_PASSWORD"),
               Host:     os.Getenv("DB_HOST"),
               Port:     port,
               Name:     os.Getenv("DB_NAME"),
           }
           conf.DB = dbConf
           return conf, nil
       }
     Builds an application that reads its configuration from environment variables.
  15. Step 4: Build and push the container image
     docker-entrypoint.sh: https://github.com/Khigashiguchi/go-ecs-example/blob/master/docker-entrypoint.sh
       #!/usr/bin/env bash
       set -e
       PARAMETER_STORE_PREFIX=${PARAMETER_STORE_PREFIX:-}
       if [ -n "$PARAMETER_STORE_PREFIX" ]; then
           export DB_USER=$(aws ssm get-parameters \
               --names /${PARAMETER_STORE_PREFIX}/database/sample/master/user \
               --query "Parameters[0].Value" --region ap-northeast-1 --output text)
           export DB_PASSWORD=$(aws ssm get-parameters \
               --names /${PARAMETER_STORE_PREFIX}/database/sample/master/password \
               --with-decryption \
               --query "Parameters[0].Value" --region ap-northeast-1 --output text)
       fi
       exec "$@"
     Accesses Parameter Store only when the specific environment variable is set.
  16. Step 4: Build and push the container image (same script as slide 15)
     Sets the values fetched with `aws ssm get-parameters` as environment variables.
  17. Step 4: Build and push the container image (same script as slide 15)
     For the parameters that must be decrypted, pass the --with-decryption option.
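A fail-closed variant of the Step 4 entrypoint, added here as an example (it is not the script from the slides or from the author's repository). It assumes the same parameter paths, region and task-role permissions (ssm:GetParameters plus kms:Decrypt) as the slides, and it checks the InvalidParameters count that `aws ssm get-parameters` reports, because that command exits 0 for an unknown name, in which case `Parameters[0].Value` alone prints the text "None".

```shell
#!/usr/bin/env bash
# Added example: fail-closed docker-entrypoint.sh for the Step 4 container.
# Assumes the slides' parameter layout (/PREFIX/database/sample/master/{user,password})
# and a task role allowed to call ssm:GetParameters and kms:Decrypt.
set -eu

PARAMETER_STORE_PREFIX=${PARAMETER_STORE_PREFIX:-}
AWS_REGION=${AWS_REGION:-ap-northeast-1}   # region used throughout the slides

# fetch_param NAME [extra aws options such as --with-decryption]
# Prints the parameter value; returns 1 when the name is unknown or the value is empty.
# `aws ssm get-parameters` exits 0 for unknown names and only lists them under
# InvalidParameters, so querying Parameters[0].Value alone yields the text "None"
# and the container would start with DB_PASSWORD=None.
fetch_param() {
  local name out tab invalid value
  name=$1; shift
  out=$(aws ssm get-parameters --names "$name" ${1+"$@"} --region "$AWS_REGION" \
        --query '[length(InvalidParameters), Parameters[0].Value]' \
        --output text) || return 1
  tab=$(printf '\t')
  invalid=${out%%"$tab"*}   # first text column: number of invalid names
  value=${out#*"$tab"}      # remaining columns: the value itself
  if [ "$invalid" != "0" ] || [ -z "$value" ] || [ "$value" = "$out" ]; then
    echo "entrypoint: parameter $name not found or empty" >&2
    return 1
  fi
  printf '%s' "$value"
}

# load_db_env PREFIX: exports DB_USER and DB_PASSWORD; with set -e a failed
# lookup aborts the start-up instead of exporting a bogus value.
load_db_env() {
  DB_USER=$(fetch_param "/$1/database/sample/master/user")
  DB_PASSWORD=$(fetch_param "/$1/database/sample/master/password" --with-decryption)
  export DB_USER DB_PASSWORD
}

if [ -n "$PARAMETER_STORE_PREFIX" ]; then
  load_db_env "$PARAMETER_STORE_PREFIX"
fi
[ "$#" -eq 0 ] || exec "$@"
```

With the original script, a typo in PARAMETER_STORE_PREFIX goes unnoticed until the database rejects the login; here the task exits non-zero at start-up, which ECS surfaces as a stopped task with the message on stderr.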