Slide 1
Slide 1 text
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ
RailsΞϓϦͰൿಗใΛڥม͔Β
CredentialsʹҠߦͨ͠
@pokohide
Slide 2
Slide 2 text
࣍
● Credentialsͱ
● Ҡߦͷഎܠͱత
● Ҡߦͷखॱ
● Ҡߦ࣌ͷTips
● Ҡߦͷ݁Ռ
● ͍͞͝ʹ
Slide 3
Slide 3 text
ൃදͷલʹࣗݾհͱએ
Slide 4
Slide 4 text
ࣗݾհ
● Ά͜ͻͰ / @pokohide
● όοΫΤϯυΤϯδχΞ
● ͓ञඇৗମݧʢϛϡʔδΧϧɺΦʔέετϥɺ
ϥΠϒɺେࣗવɺetc…ʣ͕͖Ͱ͢
● ࠷ۙͷ՝ϫϯϐʔεΞχϝؑ
Slide 5
Slide 5 text
λΠϛʔͷ࣮
εΩϚ
όΠτ
No.1
※20310݄࣌ɹ˞1 [ௐࠪํ๏]σεΫϦαʔνٴͼώΞϦϯάௐࠪ [ௐࠪظؒ]20212݄8~22 [ௐࠪ֓ཁ]εΩϚόΠτ
ΞϓϦαʔϏεͷ࣮ଶௐࠪ [ௐࠪର]202012݄·ͰʹαʔϏεΛ։͍࢝ͯ͠ΔεΩϚόΠτΞϓϦ10αʔϏε [ௐ࣮ࠪࢪ]
גࣜձࣾγϣούʔζΞΠɹ˞2 [ग़య]AppStoreϥΠϑελΠϧΧςΰϦʔϥϯΩϯάʢ20215݄࣌ʣ
5
ྦྷܭٻਓҊ݅ ɾμϯϩʔυ
※1 ※2
ಋೖࣄۀऀ
66,000اۀ
ϫʔΧʔ
600ສਓ
Slide 6
Slide 6 text
6
Slide 7
Slide 7 text
7
Slide 8
Slide 8 text
ۀքΛ͕͑ͯΔλΠϛʔ
λΠϛʔଟ͘ͷۀքͰ׆༻͞ΕΔαʔϏεʹ͠ɺྲྀ/খച/ҿ৯ͷ֤ۀքTOP10ࣾͷҎ্͕λΠϛʔΛಋೖதɻ
ݱࡏಋೖࣄۀऀ66,000اۀ 170,000ڌҎ্ʹͳΓɺ༷ʑͳۀքʹ͕͍ͬͯ·͢ɻ
8
Slide 9
Slide 9 text
ืूਓͷਪҠ
9
※1ɿ20224Qͱ20214Qͷൺֱ
ίϩφՒʹ͓͍ͯɺ
աڈʹྫΛݟͳ͍ఔͷ
ՃతߴΛ࣮ݱɻ
Slide 10
Slide 10 text
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ
RailsΞϓϦͰൿಗใΛڥม͔Β
CredentialsʹҠߦͨ͠
@pokohide
Slide 11
Slide 11 text
࣍
● Credentialsͱ
● Ҡߦͷഎܠͱత
● Ҡߦͷखॱ
● Ҡߦ࣌ͷTips
● Ҡߦͷ݁Ռ
● ͍͞͝ʹ
Slide 12
Slide 12 text
1 Credentialsͱ
Slide 13
Slide 13 text
Credentialsͱ
● Rails 5.2͔ΒՃ͞ΕͨൿಗใΛཧ͢ΔͨΊͷΈ
○ Add credentials using a generic EncryptedConfiguration class #30067
● Rails 6͔ΒෳͷڥΛαϙʔτ
○ Add support for multi environment credentials. #33521
Slide 14
Slide 14 text
Credentialsͱ
● ओͳొਓ
○ ҉߸ԽϑΝΠϧɿ config/credentials/.yml.enc
○ ෮߸༻ͷ伴ɿ ENV[”RAILS_MASTER_KEY”] or config/credentials/.key
● RailsΞϓϦىಈ࣌ʹ Rails.env ʹରԠ͢Δ҉߸ԽϑΝΠϧͱ伴Λࢀর͠ɺ
෮߸͢Δ
● Rails.application.credentials ܦ༝ͰऔಘՄೳʹͳΔ
Slide 15
Slide 15 text
Credentialsͱ
● ෦తʹYAMLܗࣜͷϑΝΠϧΛ҉߸Խ ⁵ ෮߸͍ͯ͠Δ
○ YAMLͷߏจʹґଘ͢Δ
● ෮߸ͨ͠ޙ ActiveSupport::OrderedOptions ͰࢀরͰ͖ΔͷͰ fetch
dig ͕͑Δ
Slide 16
Slide 16 text
Credentialsͱʢྫʣ
Slide 17
Slide 17 text
2 Ҡߦͷഎܠͱత
Slide 18
Slide 18 text
Ҡߦͷഎܠ
● ҎલECSͷλεΫఆٛʹڥมͱͯ͠ύϥϝʔλετΞͷSecureStringΛ
ར༻ͯ͠ઃఆ͍ͯͨ͠ʢࠓ͕ͩʣ
○ ύϥϝʔλετΞͷొɺλεΫఆٛϑΝΠϧͷมߋɺίʔυͷมߋͱखؒͩͬͨ
○ AWSϦιʔεͷཧΠϯϑϥνʔϜ͕ओಋ͓ͯ͠Γڥք͕ᐆດͩͬͨ
○ σϓϩΠͷ༰қੑʹ͚ܽΔ
● ύϥϝʔλετΞͷૢ࡞ʹಠࣗͷରܕCLIΛར༻
○ ϨϏϡʔ͕ࠔ
Slide 19
Slide 19 text
ಋೖͷϝϦοτ
● ڥք͕໌֬ʹͳΔ
● σϓϩΠ͕༰қʹͳΔ
● ύϥϝʔλετΞͷૢ࡞ݖݶΛফͤΔ
○ CredentialsΛಋೖ͢Δͱجຊతʹ RAILS_MASTER_KEY ͷΈΛཧ͢Εྑ͍ͨΊ
Slide 20
Slide 20 text
త
ΞϓϦέʔγϣϯ͕ཧ͖͢ൿಗใ
ڥքσϓϩΠͷ༰қੑΛߟྀͯ͠CredentialsʹҠߦ͢Δ
Slide 21
Slide 21 text
Credentials҆શʁ
● ϚελʔΩʔΛ༻ͯ͠҉߸ԽϑΝΠϧΛ෮߸͢Δ
● AES-256-GCM҉߸ԽΞϧΰϦζϜΛ༻ͯ͠҉߸Խ͞Ε͍ͯΔ
○ 2023ݱࡏɺ࠷҆શͳ҉߸Խํࣜͷ1ͭ
● ݁ہϚελʔΩʔͷཧ͕ॏཁ
● 伴͕ྲྀग़͢Εશͯݟ͑ͯ͠·͏ͷͰཁ༷݅ɺϏδωεڥʹԠͯ͡ݕ
౼ͯ͠Ͷ
Slide 22
Slide 22 text
3 Ҡߦͷखॱ
Slide 23
Slide 23 text
Ҡߦͷखॱ
1. ԿΛҠߦ͢Δ͔ܾΊΔ
2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ
3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Slide 24
Slide 24 text
Ҡߦͷखॱ
1. ԿΛҠߦ͢Δ͔ܾΊΔ 👈
2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ
3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Slide 25
Slide 25 text
Ҡߦͷखॱ
● ίʔυΛENVͰgrepͨ͠ΓɺECSͷλεΫఆٛͷڥมΛϦετΞοϓ
● ൿಗใʹূ໌ॻൿີ伴ɺGoogleCloudͷJSONΩʔͳͲ͋Δ
● Ҡߦ͢Δ͔ͷ؍ʢྫʣ
○ ͦͦൿಗใ͔ → ڥຖͷݻ༗ͷઃఆͳΒ config_for Ͱྑ͍͔
○ ίϯςφԽ͞Εͨڥຖʹಈతʹೖ͍ͨ͠ͷ͔
○ සൟʹߋ৽͢Δใ͔ʢྫ͑PORT൪߸ͱ͔༰қʹม͍͑ͨ߹͕͋Δ͔͠Εͳ͍ʣ
Slide 26
Slide 26 text
Ҡߦͷखॱ
Slide 27
Slide 27 text
Ҡߦͷखॱ
1. ԿΛҠߦ͢Δ͔ܾΊΔ
2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 👈
3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Slide 28
Slide 28 text
Ҡߦͷखॱ
҉߸ԽϑΝΠϧͷϨϏϡʔ͕ࠔͳͨΊɺઌʹൿಗใΛҠߦ͓ͯ͘͠ͱ
Rails consoleͳͲͰϦϦʔεલʹ֬ೝ͕Ͱ͖ͯศར
Slide 29
Slide 29 text
Ҡߦͷखॱ
1. ԿΛҠߦ͢Δ͔ܾΊΔ
2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ
3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ 👈
Slide 30
Slide 30 text
Ҡߦͷखॱ
ؤுΔ
Slide 31
Slide 31 text
Ҡߦͷखॱ
ͻͨ͢ΒPR࡞ͬͯؤுΔ
Slide 32
Slide 32 text
Ҡߦͷखॱ
োى͖Δ
Slide 33
Slide 33 text
Ҡߦͷखॱ
શ֯εϖʔεͱ֯εϖʔεΛؒҧ͑ͯొ͠ɺࢀর࣌ʹΤϥʔൃੜ
ൿಗϑΝΠϧͷϨϏϡʔجຊతʹૉͷVimͱ͔Ͱߦ͍ɺSyntax Highlightޮ͔
ͣɺؾ͖ਏ͍ͷͰҙ͍ͯͩ͘͠͞
Slide 34
Slide 34 text
Ҡߦͷखॱ
ͦΜͳ͜ΜͳͰҠߦͰ͖·ͨ͠
λΠϛʔͰ20%ϧʔϧͰٕज़վળʹ࣌ؒΛ͍ͬͯΔͷͰ͕͢ɺ5ϲ݄͔͔Γ·ͨ͠
Slide 35
Slide 35 text
4 Ҡߦ࣌ͷTips
Slide 36
Slide 36 text
Ҡߦ࣌ͷTips
CredentialsͷϚελʔΩʔ͕ͳ͍ͱRailsΞϓϦͷىಈʹࣦഊ͢ΔઃఆΛ༗ޮʹ͠
͓͖ͯ·͠ΐ͏
Slide 37
Slide 37 text
Ҡߦ࣌ͷTips
҉߸ԽϑΝΠϧͷฤूʹΤσΟλͷࢦఆ͕ඞਢͳͷͰ༻ҙ͓͖ͯ͠·͠ΐ͏
emacsͰྑ͍Ͱ͢
Slide 38
Slide 38 text
Ҡߦ࣌ͷTips
ൿಗใʹΤεέʔϓจࣈؚ͕·ΕΔ߹μϒϧΫΥʔςʔγϣϯͰׅΔ
Slide 39
Slide 39 text
Ҡߦ࣌ͷTips
ൿಗใʹվߦΛ͍͍ͨ߹ύΠϓΛ͏ͳͲ͢Δ
Slide 40
Slide 40 text
Ҡߦ࣌ͷTips
Credentialsͷ߹ʹ߹Θͤͯɺ֎෦αʔϏεͱͷೝূํ๏Λม͑Δ
ྫɿGoogle::Auth::ClientId#from_file ෦తʹfrom_hash ݺͼग़͍ͯ͠Δ
https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86
Slide 41
Slide 41 text
Ҡߦ࣌ͷTips
● YAMLςΩετϕʔεͷσʔλܗࣜͳͷͰόΠφϦʹ͍͍ͯͳ͍
● ূ໌ॻͳͲόΠφϦσʔλΛCredentialsͰѻ͏߹ɺBase64Τϯίʔυ͠
ͨΛอଘ͠ɺΞϓϦέʔγϣϯଆͰऔΓग़ͯ͠σίʔυΛߦ͏
● Τϯίʔυ͞Ε͍ͯΔࣄ͕͔Γ͍͢Α͏ʹ base64_encoded ϓϨϑΟο
ΫεΛ͚ͭͨ
Slide 42
Slide 42 text
Ҡߦ࣌ͷTips
ൿಗΛίϯιʔϧͰඇදࣔʹ͢Δ
Rails 7.1͔Βඪ४ʹͳΓ·͕͢ɺ·্͍ͩ͛ͯͳ͍߹γϯϓϧͳมߋͳͷͰόοΫϙʔτָ
https://github.com/rails/rails/pull/48498
Slide 43
Slide 43 text
Ҡߦ࣌ͷTips
● SecretsRails 7.1͔Β໌ࣔతʹඇਪԽ͞ΕͨͷͰɺSECRET_KEY_BASE
Λ Credentials ʹҠߦ
● ֤ڥͷ credentials.yml ʹ SECRET_KEY_BASE ΛҠߦ͢ΕOKͳͣ
Slide 44
Slide 44 text
Ҡߦ࣌ͷTips
assets:precompile ࣮ߦ࣌ʹ SECRET_KEY_BASE ͕ͳ͍ͱΤϥʔ͕ى͖Δ
࣮ࡍʹ༻͠ͳ͍ͷͰɺμϛʔΛࣗಈͰઃఆͯ͘͠ΕΔ
SECRET_KEY_BASE_DUMMY ͕ Rails 7.1͔Βಋೖ͞Εͨ
Slide 45
Slide 45 text
Ҡߦ࣌ͷҙ
● HerokuͰӡ༻ɺHeroku Data for RedisΛར༻ͯ͠ΔݸਓΞϓϦͷREDIS_URL
ΛCredentialsʹҠߦͨ͠ΒRedisʹଓͰ͖ͳ͘ͳͬͨ
● ࣗͷཧ͍ͯ͠ͳ͍ڥมΛҠߦ͢Δ߹ҙ͠·͠ΐ͏
https://devcenter.heroku.com/ja/articles/heroku-redis
Slide 46
Slide 46 text
5 Ҡߦͷ݁Ռ
Slide 47
Slide 47 text
Ҡߦͷ݁Ռ
● ڥมͰཧ͢Δൿಗใ RAILS_MASTER_KEY ͷΈͱͳͬͨ
● ূ໌ॻͳͲͷൿಗϑΝΠϧΛS3͔Βίϐʔ͢Δඞཁ͕ͳ͘ͳͬͨͨΊɺawscli
AWSͷೝূใ͕ෆཁʹͳͬͨ
● Rails.application.secrets Λഇࢭ
● dotenv-rails Λআ
● ൿಗใͷՃɾߋ৽͕ΞϓϦέʔγϣϯʹด͡ΔΑ͏ʹͳͬͨ 🎉
Slide 48
Slide 48 text
Ҡߦͷ݁Ռ ʙ ༨ஊ
ྺ࢙తܦҢͰdotenv-rails͕։ൃڥҎ֎ʹಡΈࠐ·Ε͍ͯͨ
● ຊ൪ڥͰ༧ظͤ͵্ॻ͖͕͋ͬͯා͍͠ɺCredentialsҠߦʹΑΓ΄΅ෆཁ
ʹͳͬͨͷͰআ͢Δ͜ͱʹ
● notion-ruby-clientͱ͍͏GemͷRuntime Dependencies͔ΒdotenvΛআ
● DockerͰ .env ΛಡΈࠐΜͰ͘ΕΔ
○ ಡΈࠐΈλΠϛϯάRailsΞϓϦىಈ͔࣌Βίϯςφىಈ࣌ʹมΘΔ͕ͳ͍ͱஅ
Slide 49
Slide 49 text
6 ͍͞͝ʹ
Slide 50
Slide 50 text
͍͞͝ʹ
ͬͺΓϨϏϡʔେม
● ҉߸Խ͞Ε͍ͯΔͨΊɺ෮߸ͨ݁͠ՌΛݟͳ͍ͱ͔ࠩΒͳ͍
● ҉߸ԽϑΝΠϧͷdiffΛݟΕΔΑ͏ʹ͢Δ bin/rails credentials:diff ͕ެࣜαϙʔ
τ͞Ε͍ͯΔ
○ Railsͷ࣮ߦڥ͔Βgitૢ࡞Ͱ͖Δඞཁ͕͋Δ
○ ։ൃڥʹDockerΛ༻͍ͯϗετଆͰgitૢ࡞͍ͯ͠ΔͷͰɺ͜ͷͨΊʹίϯςφʹgitΛೖΕΔ
͔ݕ౼த
Slide 51
Slide 51 text
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠