Slide 1

Creating an access-key-free future with IAM Roles Anywhere
SimSta @shimagaji
JAWS-UG Yokohama, "What became of last year's thing?" special
← Alta the white chipmunk

Slide 2

About me
• Design of spacecraft navigation, guidance and control systems and sensor procurement (… and a half years)
〜 moved to Sapporo 〜
• Performance testing of …G switching equipment on an on-premises cloud (half a year)
• Building and operating a cloud platform, and supporting MSP accreditation (a little over … years)
• Building, operating and migrating a cloud platform on-site at a client (a little over … years)
SimSta (my online persona), @shimagaji on Twitter
AWS certifications → …
Favourite AWS service: Step Functions
AWS services I want to get good at: SageMaker, Bedrock, App Runner, CDK, Amplify

Slide 3

A relentless run of talks is underway
(Sun) AWS Carnival social: a round-up of AWS updates and more (Sapporo)
(Fri) Joint lightning-talk meetup (participating companies only): how to collect AWS certifications (online)
(Wed) JAWS-UG Yokohama: IAM Roles Anywhere (online)
(Mon) Cloudflare Meetup Sapporo: putting Cloudflare in front of WordPress (Sapporo)
(Fri) I am also scheduled to speak at JAWS-UG Sapporo (in person, Sapporo)

Slide 4

I live with a white chipmunk 🐿
↑ a life-size Altaria

Slide 5

I run a personal blog, updated every week!
AWS updates ("Shimusoku"), plus gadgets, chipmunk stories and more

Slide 6

Slide 6 text

"HFOEB • ͸͡Ίʹ • *".3PMFT"OZXIFSFͱ͸ʁ • ಋೖखॱʢ-5Ͱ͸লུʣ • ηΩϡϦςΟతʹͲ͏ͳͷʁ • ·ͱΊ

Slide 7

Introduction

Slide 8

Everyone, are you using access keys?

Slide 9

What is an access key?
A combination of an access key and a secret key that lets you operate AWS resources from outside, for example from a local machine.
Key: AKIAIOSFODNN7EXAMPLE
Secret: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
(the example values from the AWS documentation)
(Diagram: local machine → request → AWS Cloud, "the various AWS services" → service use permitted)

Slide 10

However!

Slide 11

Dr. L on access keys: a professor who once lived in a certain northern region says the same thing.

Slide 12

The scary things about access keys
• The access key and secret key alone grant the permissions (commands can be sent without even specifying the account ID)
• The credentials persist until you explicitly deactivate them
• A single careless hard-coding exposes you to threats
• You end up managing tedious rotation

Slide 13

So!

Slide 14

Let's use IAM Roles Anywhere

Slide 15

What is IAM Roles Anywhere?

Slide 16

Roughly speaking
A service that lets you use, from outside AWS, the IAM roles that resources inside AWS (EC2 instances and so on) can use.
(Diagram: AWS Cloud with the various AWS services; ↑ the role carried outside)

Slide 17

Roughly speaking, in Pok*mon terms
A mask that normally cannot draw out its mysterious power without a particular energy can be carried to other regions that lack that energy and still have its power used!
(Diagram: Paldea Region, energy present (inside AWS); Kitakami Region and Unova Region, no energy (outside AWS) but usable anyway)
Someone once said that IAM roles are masks.

Slide 18

How IAM Roles Anywhere works
(Diagram: certificate authority (CA), client, trust anchor, IAM, the various AWS services)
1. The client receives an end-entity certificate and private key from the CA.
2. Using the helper, the client presents the certificate and private key to the trust anchor in IAM.
3. The client receives an IAM role (temporary credentials).
4. The client can operate AWS resources within the granted permissions.
It uses the same PKI authentication as SSL connections and client certificate authentication.

Slide 19

Let's actually set it up!

Slide 20

What you need
• A local environment that wants the power of an IAM role (the client)
• A machine to act as the certificate authority (local, an EC2 instance, etc.)
  → it should be separate from the client; this time Amazon Linux 2023
• An AWS account in which to exercise the IAM role, and the permissions to configure
(Diagram: the various AWS services, the certificate authority (CA), the client, the AWS environment and permissions)

Slide 21

Slide 21 text

࣋ͬͯ͘Δ΋ͷɺ࡞ΒΕΔ΋ͷ ೝূہʢ$"ʣ ৴པΞϯΧʔ *". ΤϯυΤϯςΟςΟূ໌ॻ FOEDFSUQFN $SFEFOUJBM)FMQFS ʢμ΢ϯϩʔυʣ ൿີ伴 FOELFZQFN ΫϥΠΞϯτ $"ূ໌ॻόϯυϧ DBDFSUQFN *".ϩʔϧ ϓϩϑΝΠϧ

Slide 22

Setup steps

Slide 23

OpenSSL version on the CA instance (Amazon Linux 2023)
openssl.aarch64 1:3.0.8-1.amzn2023.0.9 @System
openssl-libs.aarch64 1:3.0.8-1.amzn2023.0.9 @System
openssl-pkcs11.aarch64 0.4.12-3.amzn2023.0.1 @System
Editing /etc/ssl/openssl.cnf (edited file on the left, original on the right)
# diff openssl.cnf openssl.cnf.org
114c114
< default_days = 3650 # how long to certify for
---
> default_days = 365 # how long to certify for
216c216
< keyUsage = nonRepudiation, digitalSignature, keyEncipherment
---
> # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
259c259
< keyUsage = cRLSign, keyCertSign, digitalSignature
---
> # keyUsage = cRLSign, keyCertSign
Certificate validity period: change to taste
usr_cert keyUsage: remove the comment
v3_ca keyUsage: remove the comment and add digitalSignature

Slide 24

Where to edit in openssl.cnf: both places change keyUsage

Slide 25

Create the directories and files in advance
# sudo mkdir -p /etc/pki/CA/certs
# sudo mkdir -p /etc/pki/CA/crl
# sudo mkdir -p /etc/pki/CA/newcerts
# sudo mkdir -p /etc/pki/CA/private
# sudo chmod 700 /etc/pki/CA/private
# sudo touch /etc/pki/CA/index.txt
# echo 01 | sudo tee /etc/pki/CA/serial
(the redirect in `sudo echo 01 > …` would run as your own user, so write the file through tee)
Create the certificate authority
# sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/certs/cacert.pem -days 3650
Enter PEM pass phrase: (enter a passphrase)
Verifying - Enter PEM pass phrase: (enter the passphrase again)
(omitted)
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Hokkaido
Locality Name (eg, city) [Default City]:Sapporo
Organization Name (eg, company) [Default Company Ltd]:SimSta
Organizational Unit Name (eg, section) []:Sim
Common Name (eg, your name or your server's hostname) []:rolesanywhere
Email Address []:(optional, not needed)
Rough values are fine; just remember the CN.

Slide 26

Get the CA bundle
# sudo openssl x509 -in /etc/pki/CA/certs/cacert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
(omitted)
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
(omitted)
-----BEGIN CERTIFICATE-----
MIIDwDCCAqigAwIBAgIUaI//Y1CUf+3LCvlU8C1LUsV3jTAwDQYJKoZIhvcNAQEL
(omitted)
5cxP5A==
-----END CERTIFICATE-----
Callouts: it is version 3; it is CA:TRUE; it has a Key Usage extension. Copy and paste the PEM block when creating the trust anchor.
(The CA creation command from the previous slide is shown again here for reference: sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/certs/cacert.pem -days 3650)

Slide 27

Create the end-entity private key
# sudo mkdir -p /etc/pki/CA/endentity
# sudo openssl genrsa -out /etc/pki/CA/endentity/endkey.pem 2048
Create the CSR
# sudo openssl req -new -key /etc/pki/CA/endentity/endkey.pem -out /etc/pki/CA/endentity/endcsr.pem
(omitted)
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Hokkaido
Locality Name (eg, city) [Default City]:Sapporo
Organization Name (eg, company) [Default Company Ltd]:SimSta
Organizational Unit Name (eg, section) []:Sta
Common Name (eg, your name or your server's hostname) []:rolesanywhere
Email Address []:(optional, not needed)
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:(not needed)
An optional company name []:(optional, not needed)
Values nearly identical to the CA's are fine. No passphrase: one would cause an error.

Slide 28

Sign with the CA and issue the end-entity certificate
# sudo openssl ca -in /etc/pki/CA/endentity/endcsr.pem -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/certs/cacert.pem -out /etc/pki/CA/endentity/endcrt.pem -extensions usr_cert
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:(enter the CA passphrase)
Check that the request matches the signature
Signature ok
Certificate Details:
(omitted)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
(omitted)
Certificate is to be certified until Nov 8 15:09:39 2033 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Callouts: check the Basic Constraints CA flag; Key Usage includes Digital Signature.
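As an added example (not code from the slides), here is the CA-and-end-entity procedure from slides 23 to 28 reduced to one script that runs on any machine with openssl. It uses extension sections in a scratch config instead of editing /etc/ssl/openssl.cnf, and it checks the extensions the slides ask you to confirm by reading the certificate dump: X.509 v3, CA:TRUE and Certificate Sign on the CA certificate; CA:FALSE, Digital Signature and a valid chain on the end-entity certificate. Subject names, file names and the scratch directory are constructed for this example.

```shell
#!/bin/sh
# Added example: private CA + end-entity certificate that satisfy the IAM Roles
# Anywhere certificate requirements, with automated checks. Not code from the
# slides; requires openssl. Subject names and paths are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension sections equivalent to the slides' openssl.cnf edits: keyUsage
# enabled for usr_cert, digitalSignature added for v3_ca. The [req]/[dn]
# sections only exist so that `openssl req` accepts the file; -subj overrides them.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA (the slides' `openssl req -new -x509 ... -days 3650`).
make_ca() {
  write_ext_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -subj "/C=JP/ST=Hokkaido/O=Example/CN=rolesanywhere-ca" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
  chmod 600 "$WORK/cakey.pem"
}

# End-entity key, CSR and CA-signed certificate (the slides' genrsa / req / ca steps).
# `openssl x509 -req -CA` avoids the index.txt/serial database that `openssl ca` needs.
make_end_entity() {
  openssl genrsa -out "$WORK/endkey.pem" 2048 2>/dev/null
  chmod 600 "$WORK/endkey.pem"
  openssl req -new -key "$WORK/endkey.pem" -config "$WORK/ext.cnf" \
    -subj "/C=JP/ST=Hokkaido/O=Example/CN=rolesanywhere" \
    -out "$WORK/endcsr.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/endcsr.pem" -days 365 -sha256 \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions usr_cert \
    -out "$WORK/endcrt.pem" 2>/dev/null
}

# Trust-anchor checks: X.509 v3, CA:TRUE, key usage includes Certificate Sign.
check_ca_cert() {
  ca_txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$ca_txt" | grep -q 'Version: 3' &&
    printf '%s\n' "$ca_txt" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$ca_txt" | grep -q 'Certificate Sign'
}

# End-entity checks: X.509 v3, not a CA, Digital Signature usage, chains to CA $2.
check_ee_cert() {
  ee_txt=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$ee_txt" | grep -q 'Version: 3' &&
    printf '%s\n' "$ee_txt" | grep -q 'CA:FALSE' &&
    printf '%s\n' "$ee_txt" | grep -q 'Digital Signature' &&
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

main() {
  make_ca
  make_end_entity
  check_ca_cert "$WORK/cacert.pem" && echo "cacert.pem meets the trust-anchor requirements"
  check_ee_cert "$WORK/endcrt.pem" "$WORK/cacert.pem" && echo "endcrt.pem meets the end-entity requirements"
  echo "files written to $WORK"
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh make-ca.sh run`. The two check functions return non-zero for a certificate the trust-anchor form or the helper would reject, so they can also guard a certificate renewal job before the new files are copied to a client.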

Slide 29

Copy the end-entity certificate (endcert.pem) and private key (endkey.pem) to the local machine
Contents of endcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
(omitted)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
(omitted)
-----BEGIN CERTIFICATE-----
MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJKUDER
(omitted)
mfbk1xKIjqTa
-----END CERTIFICATE-----

Slide 30

Copy the end-entity certificate (endcert.pem) and private key (endkey.pem) to the local machine
Contents of endkey.pem
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXwkbnRmhRJiUJ
QOt31ay+KrbIoVAjWAs96evbTmyuB2NNQ6Dcm08FFc9udGpNYuWIJlV3mFf3dK7F
(omitted)
mhxPj4CsR/AD08X30SHroNg8TvQHpS2z6ERhdN/KOfvn44SzGngYD0h3qGam10TQ
a2KGfekpiRFyfcc0kgkidVBY
-----END PRIVATE KEY-----
If everything is configured correctly up to this point,

Slide 31

Working in the IAM Roles Anywhere console
• Create the trust anchor
IAM is global, but Roles Anywhere is a regional resource, so watch the region selector (it tends to end up on N. Virginia).

Slide 32

Working in the IAM Roles Anywhere console
• Create the trust anchor
Choose the external certificate bundle option and paste the CA certificate.
If the CA requirements are not met you get an error (for example when the certificate is not v3).
Note down the ARN!

Slide 33

Working in the IAM Roles Anywhere console
• Create the IAM role
Selecting Roles Anywhere as the use case fills in the trust policy automatically.
↑ Apart from that, attach policies and so on just as for an ordinary IAM role.
Note down the ARN!

Slide 34

Working in the IAM Roles Anywhere console
• Create the profile
Associate the IAM role. A boundary policy can also be set (something like an SCP).
Note down the ARN!
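Slide 33 notes that picking Roles Anywhere as the use case fills in the trust policy for you. The added example below (not from the slides or the AWS console) generates a tighter version of that policy for the role created in slides 33 and 34: it keeps the documented `rolesanywhere.amazonaws.com` principal and the `sts:AssumeRole`, `sts:TagSession` and `sts:SetSourceIdentity` actions, but adds an `aws:SourceArn` condition so only the one trust anchor can use the role, and an `aws:PrincipalTag/x509Subject/CN` condition so only a certificate with the expected CN can assume it (Roles Anywhere maps certificate subject attributes to session tags). The ARN, CN and role name are placeholders supplied through environment variables.

```shell
#!/bin/sh
# Added example (not from the slides): generate a least-privilege trust policy for
# the Roles Anywhere role. Trust anchor ARN, role name and CN are placeholders.
set -eu

TRUST_ANCHOR_ARN="${TRUST_ANCHOR_ARN:-arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust-anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
CERT_CN="${CERT_CN:-rolesanywhere}"
ROLE_NAME="${ROLE_NAME:-rolesanywhere-role}"

# Emit a trust policy that only the trust anchor $1 can use, and only with a
# certificate whose subject CN equals $2 (Roles Anywhere exposes the subject
# attributes as principal tags such as x509Subject/CN).
trust_policy_json() {
  ta_arn=$1
  cn=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "rolesanywhere.amazonaws.com" },
      "Action": [ "sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity" ],
      "Condition": {
        "ArnEquals": { "aws:SourceArn": "$ta_arn" },
        "StringEquals": { "aws:PrincipalTag/x509Subject/CN": "$cn" }
      }
    }
  ]
}
EOF
}

# Guard used before applying: the policy must be pinned to a Roles Anywhere trust
# anchor ARN and to a non-empty CN, otherwise an unset variable would silently
# produce a policy that any trust anchor or any certificate could use.
policy_is_restricted() {
  printf '%s\n' "$1" | grep -q '"aws:SourceArn": "arn:aws:rolesanywhere:' &&
    printf '%s\n' "$1" | grep -q '"aws:PrincipalTag/x509Subject/CN": "[^"]\{1,\}"'
}

main() {
  policy=$(trust_policy_json "$TRUST_ANCHOR_ARN" "$CERT_CN")
  policy_is_restricted "$policy" || { echo "refusing to write an unrestricted trust policy" >&2; return 1; }
  printf '%s\n' "$policy" > trust-policy.json
  echo "wrote trust-policy.json for role $ROLE_NAME"
  # To apply it with the AWS CLI (needs permission to edit the role):
  # aws iam update-assume-role-policy --role-name "$ROLE_NAME" --policy-document file://trust-policy.json
}
if [ "${1:-}" = "run" ]; then main; fi
```

The generated file is applied with `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust-policy.json`. The `policy_is_restricted` check exists so that an empty or wrong variable never results in the unrestricted default being written back to the role.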

Slide 35

Installing the Credential Helper
• Download it by either of these means:
• Documentation (obtain the package and place it)
  https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html
• GitHub (obtain the source code and build it)
  https://github.com/aws/rolesanywhere-credential-helper

Slide 36

Test that you can authenticate with the Credential Helper (Signing Helper)
Adjust the file locations as appropriate and run the following command with the helper:
# ./aws_signing_helper credential-process \
  --certificate .ssh/endcrt.pem \
  --private-key .ssh/endkey.pem \
  --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust-anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \
  --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \
  --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role
On success it returns a temporary access key, secret access key and session token:
{"Version":1,"AccessKeyId":"ASIAWGZVI6IWUEXAMPLE","SecretAccessKey":"IBMHdKtVbCnhmS+Wgu0LbqXq6XXxXXXxEXAMPLE","SessionToken":"IQoJb3JpZ2luX2VjENH//////////wEaDmFwLW5vcnRoZWFzdC0xIkYwRAIgcyD64b45AGCpN/gxAEL7iUi8pcuXGfLaYKvNzuzora8CIGUpUHm6YsOsdfEc8XX2l9XsredDt9oZbRDallLVDRJMKpYECB...(omitted)...SDm27AKZzde8p5ayy4/du5dgJzRtEz/i24rNfjX9BHzZPghqayB4QWzZPWnZy1PD0fJg==","Expiration":"2023-11-11T18:06:59Z"}
Use chmod on the certificate and private key so that nobody else can read them.

Slide 37

To use it through the AWS CLI, configure a profile in .aws/config like this:
[default]   or   [profile rolesanywhere] (any name)
credential_process = ./aws_signing_helper credential-process --certificate .ssh/endcrt.pem --private-key .ssh/endkey.pem --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust-anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role
region = ap-northeast-1
If everything is configured correctly up to this point, you can run aws commands within the role's permissions, for example aws s3 ls!
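Slides 36 and 37 point the CLI's credential_process straight at aws_signing_helper and ask you to chmod the certificate and key. The added example below (not from the slides or the helper project) is a small wrapper to register as the credential_process instead: before handing the files to the helper it refuses to run if the private key is readable by group or other, if the certificate has expired, or if the certificate does not belong to the key, which turns a confusing remote failure into a clear local error. File paths, the helper location and the ARNs are assumptions taken from environment variables with placeholder defaults.

```shell
#!/bin/sh
# Added example (not from the slides): preflight wrapper for aws_signing_helper,
# meant to be the credential_process in .aws/config. Paths, ARNs and the helper
# location below are placeholders/assumptions, overridable via the environment.
set -eu

CERT="${CERT:-${HOME:-.}/.ssh/endcrt.pem}"
KEY="${KEY:-${HOME:-.}/.ssh/endkey.pem}"
HELPER="${HELPER:-./aws_signing_helper}"
TRUST_ANCHOR_ARN="${TRUST_ANCHOR_ARN:-arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust-anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
PROFILE_ARN="${PROFILE_ARN:-arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}"
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role}"

# True only if group and other have no permission bits (the chmod 600 the slides ask for).
# Columns 5-10 of `ls -l` are the group/other rwx fields, which keeps this POSIX-portable.
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate is still valid $2 seconds from now (default: right now).
cert_is_valid() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# True if the public key inside the certificate equals the one derived from the private key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# All messages go to stderr: the AWS CLI reads only stdout from a credential_process.
preflight() {
  key_is_private "$2"        || { echo "refusing: $2 is readable by group/other; chmod 600 it" >&2; return 1; }
  cert_is_valid "$1"         || { echo "refusing: $1 has expired; issue a new one from the CA" >&2; return 1; }
  cert_matches_key "$1" "$2" || { echo "refusing: $1 was not issued for the key $2" >&2; return 1; }
}

if [ "${1:-}" = "run" ]; then
  preflight "$CERT" "$KEY"
  exec "$HELPER" credential-process --certificate "$CERT" --private-key "$KEY" \
    --trust-anchor-arn "$TRUST_ANCHOR_ARN" --profile-arn "$PROFILE_ARN" --role-arn "$ROLE_ARN"
fi
```

Set `credential_process = sh /path/to/preflight.sh run` in .aws/config; because the checks write only to stderr, the CLI still receives the helper's JSON on stdout when everything passes.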

Slide 38

What about security?

Slide 39

Security concerns
(Diagram: trust anchor, IAM, profile and IAM role; on the client, the Credential Helper (downloaded) and the CA certificate bundle cacert.pem; the certificate authority (CA) with the end-entity certificate endcert.pem and private key endkey.pem)
• The end-entity certificate and private key must be stored and protected properly so they are not compromised on the client machine.
• Set the IAM role's permissions to the minimum.
• Keep the certificate authority somewhere private so it cannot be compromised.
• Because the trust anchor delegates to IAM, authentication still works even if the CA is stopped (the CRL used in PKI is not used this time).
• If that worries you, use the managed Private CA (a monthly fee of … or … dollars).

Slide 40

Ways to protect the certificate and private key
• Management can now be delegated to the OS certificate store
  → Windows CNG/CryptoAPI, the macOS keychain
• Management can now be delegated to a PKCS#11 module
  → security keys such as a YubiKey

Slide 41

How to use each tool

Slide 42

OS certificate store edition (macOS only)

Slide 43

Note: the following configures the macOS keychain. Windows users, sorry (it is on GitHub).
Create a new keychain
# security create-keychain credential-helper.keychain
(enter a new password for the keychain; you will use it right away)
# security unlock-keychain credential-helper.keychain
(enter the keychain password)
# EXISTING_KEYCHAINS=$(security list-keychains | cut -d '"' -f2)
# security list-keychains -s credential-helper.keychain $(echo ${EXISTING_KEYCHAINS} | awk -v ORS=" " '{print $1}')
Create a PKCS#12 certificate
Adjust the file locations as appropriate and run the following with openssl:
# openssl pkcs12 -export -legacy -inkey ./endentity/endkey.pem -in ./endentity/endcrt.pem -out ./endentity/composite.pfx
(enter a new wrapping password; it is used later when importing the certificate)
Note: with OpenSSL 3 or later the default algorithms are not compatible with the macOS keychain, so use the -legacy option to produce a file it can read.

Slide 44

Import the certificate into the keychain
Adjust the file locations as appropriate and run:
# security import ./endentity/composite.pfx -T ./aws_signing_helper -k credential-helper.keychain
(enter the wrapping password)
On success it is added to the keychain, and the certificate can be checked with the following command:
# ./aws_signing_helper read-certificate-data
Matching identities
1) 0fd93fb177e1bd0f87d0XXXXXXXXXXXXXXXXXXXX "CN=rolesanywhere,OU=Sta,O=SimSta,ST=Hokkaido,C=JP"
Rewrite the Credential Helper authentication command and test it
Adjust the file locations as appropriate and run the following command with the helper:
# ./aws_signing_helper credential-process \
  --cert-selector Key=x509Serial,Value=1 \
  --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust-anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \
  --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \
  --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role
Check the serial number above or on the next page; it is probably 1.

Slide 45

The certificate imported into the macOS keychain
When the command succeeds you are prompted to authenticate to the keychain.

Slide 46

YubiKey edition
Note: I only got partway…

Slide 47

Import the certificate into a free PIV slot on the YubiKey
Note: the steps below are for using YubiKey Manager on macOS. https://developers.yubico.com/yubikey-manager/
Install YubiKey Manager with pip
# pip install --user yubikey-manager
If errors occur, the following installs may be needed:
# brew install swig
# pip install wheel
Add it to PATH as needed.
Insert the YubiKey here.
If the slots are unused, 9a is fine. There are four slots, 9a, 9c, 9d and 9e, and strictly speaking they apparently have different purposes?
# ykman piv certificates import 9a ./endentity/composite.pfx
Enter password to decrypt certificate: (enter the pfx password)
Enter a management key [blank to use default key]: (leave blank)
Confirm that the certificate is in slot 9a
# ykman piv info

Slide 48

You can also check with the GUI YubiKey Manager if you have it installed.
https://www.yubico.com/support/download/yubikey-manager/#h-downloads

Slide 49

Note: I could not get any further from here…
In principle, you should be able to display the PKCS#11 URI of the certificate stored in the YubiKey's PIV with list-tokens from p11-kit or p11tool, then pass the URI to the credential-process command like
--certificate pkcs11:manufacturer=piv_II;id=…
and authenticate with the certificate from the YubiKey. But neither p11-kit nor p11tool showed any token, and I could not find another way to check, so I gave up…
It may just be my environment, but if anyone out there got it working, please let me know at @shimagaji…!

Slide 50

Summary

Slide 51

Summary
• With IAM Roles Anywhere, even machines outside AWS can exercise IAM role permissions through temporary credentials
• Authentication uses the same PKI as SSL connections and client authentication; you set it up with a certificate and private key issued by a certificate authority
• There are some security considerations, such as managing the certificate and private key, but means to manage them safely are provided as well
• You can live an access-key-free life!?

Slide 52

Slide 52 text

ͦ͏ͩɺ ΞΫηεΩʔ ແͦ͘͏ɻ 終 制作・著作 S i m

Slide 53

Slide 53 text

5IBOLZPVʂ