Rails Secrets ͷྺ࢙ Ebisu.rb #19

@yutadayo • ງҪ ༤ଠ • ݩ Fablic, inc CTO • Ebisu.rb ͷΦʔΨφΠβʔ͍ͯ͠·͢

ࠓ೔࿩͢͜ͱ ɾRails ͷ version ຖͷൿಗ৘ใͷऔΓѻ͍ʹ͍ͭͯ ɾRails 6.0 Ͱ credentials ͕Ͳ͏ͳΔ͔

ൿಗͳ৘ใ ɾDB ͷ password ɾ֎෦ API KEY ɾtwitter / facebook ͳͲͷ secrets key / token ɾetc…

ػີ৘ใ͸ϋʔυίʔυ͢Δ ΂͖Ͱͳ͍

ͱ͸͍͑ • .env Λ chef ΍ ansible ͳͲͰ഑ͬͨΓ… • σϓϩΠલʹ؀ڥม਺Λαʔό΁௥Ճͨ͠Γ… • ΤϯδχΞ͕૿͑ͨࡍʹΞΫηεΩʔ౉ͨ͠Γ… • ҉߸Խ͞Εͯͳ͍ϑΝΠϧ͸ؾΛ࢖Θͳ͍ͱ….

ਏ͍

Rails 4.1 ʙ

No content

಺༰ͷ҉߸Խ͸ɺ·ͨผखஈ͕ ඞཁ • https://github.com/joker1007/yaml_vault • https://github.com/ahoward/sekrets

Rails 5.1

No content

Rails5.1 ͔Β Encrypted secrets ͕௥Ճ $ rails secrets:setup Adding config/secrets.yml.key to store the encryption key: 01234567890abcdefghijklmnopqrstu Save this in a password manager your team can access. If you lose the key, no one, including you, can access any encrypted secrets. create config/secrets.yml.key

Encrypted secrets • ൿಗ৘ใΛ҉߸Խͨ͠ঢ়ଶͰgit؅ཧͰ͖Δ • ؀ڥม਺ͷ RAILS_MASTER_KEY or config/ secrets.yml.key Ͱ෮߸ԽͰ͖Δ • ैདྷͷ secrets.yml ͷΑ͏ʹ؀ڥຖʹઃఆͰ͖ Δ

Rails 5.2

No content

No content

͞ΑͳΒ Encrypted secrets

Credentials • ൿಗ৘ใΛ҉߸Խͨ͠ঢ়ଶͰgit؅ཧͰ͖Δ • ؀ڥม਺ͷ RAILS_MASTER_KEY or config/ master.key Ͱ෮߸ԽͰ͖Δ • credentials.yml.enc ϑΝΠϧͰൿಗ৘ใ؅ཧ

มߋ఺ &ODSZQUFETFDSFUT
 3BJMT $SFEFOUJBMT 3BJMT TFUVQ SBJMTTFDSFUTTFUVQ FEJU SBJMTTFDSFUTFEJU SBJMTDSFEFOUJBMTFEJU TIPX SBJMTTFDSFUTTIPX SBJMTDSFEFOUJBMTTIPX VTF 3BJMTBQQMJDBUJPOTFDSFUTYYYY 3BJMTBQQMJDBUJPODSFEFOUJB MTYYY FODSZQUFEpMF DPOpHTFDSFUTZNMFOD DPOpHDSFEFOUJBMTZNMFOD EFDSFQJULFZ DPOpHTFDSFUTZNMLFZ DPOpHNBTUFSLFZ

Credentials ͷඍົͳॴ

GSPNIUUQTHJUIVCDPNSBJMTSBJMTQVMM

؀ڥຖͷઃఆ͕Ͱ͖ͳ͍ • Rails.application.secrets Ͱ secrets.yml ͸·ͩࢀরՄೳ • credentials.yml.enc Λ؀ڥຖʹॻ͖෼͚Δͷ΋ҰԠͰ͖ Δɺࢀর࣌ʹenvΛࢦఆ͠ͳ͍ͱ͍͚ͳ͍ • Rails.application.credentials[Rails.env.to_sym] [:api_key] • gem Λ࢖ͬͯղܾ΋Ͱ͖Δ • https://github.com/sinsoku/rails-env-credentials

GSPNIUUQTHJUIVCDPNSBJMTSBJMTQVMM

Rails 6.0 ͔Β͸؀ڥຖʹ credentials ΛઃఆͰ͖ΔΑ͏ʹ ͳΓͦ͏…!

ࢼͯ͠ΈΔ

$ EDITOR=vim bundle exec rails credentials:edit -—environment staging Adding config/credentials/staging.key to store the encryption key: 01234567890abcdefghijklmnopqrstu Save this in a password manager your team can access. If you lose the key, no one, including you, can access anything encrypted with it. create config/credentials/staging.key Ignoring config/credentials/staging.key so it wont’s end up in Git append .gitignore File encrypted and saved. $ ls -l config/credentials staging.key staging.yml.enc

• credentials σΟϨΫτϦ͕ੜ੒͞Εɺ؀ڥຖͷ key ͱ encrypted file ͕ੜ੒͞ΕΔ • ͦΕͧΕͷ key ͕ .gitignore ϑΝΠϧʹ௥Ճ͞ΕΔ • ԼهͷઃఆΛม͑Δ͜ͱͰɺkey ͱ encrypted file ͷੜ ੒ઌΛࢦఆͰ͖ΔΑ͏Ͱ͢ • config.credentials.content_path • config.credentials.key_path • ؀ڥม਺͸ ENV[“RAILS_MASTER_KEY”] ͷΈ ݁Ռ

·ͱΊ • Rails6͔Β؀ڥຖʹൿಗ৘ใΛ҉߸Խͯ͠؅ཧͰ͖ͦ͏ • Rails5ܥͰ৽͘͠؀ڥຖʹ஋Λઃఆ͠Α͏ͱͯ͠Δਓ ͸଴ͬͨํ͕͍͍͔΋ʁ • RAILS_MASTER_KEY ͷ؅ཧ͸ඞཁͳͷͰɺσϓϩΠͷ ࢓૊Έ͸Ҿ͖ଓ͖ߟ͑ͳ͍ͱ͍͚ͳ͍