Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Railsアプリで秘匿情報を環境変数からCredentialsに移行した話
Search
pokohide
November 15, 2023
2
570
Railsアプリで秘匿情報を環境変数からCredentialsに移行した話
pokohide
November 15, 2023
Tweet
Share
More Decks by pokohide
See All by pokohide
技術的負債との付き合い方 〜プロダクトミライ会議〜
pokohide
0
120
TechTrain RoRハンズオン
pokohide
0
1.3k
ブラウザとフレンズになろう
pokohide
0
53
Featured
See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Adopting Sorbet at Scale
ufuk
77
9.4k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
Thoughts on Productivity
jonyablonski
69
4.7k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
800
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Practical Orchestrator
shlominoach
188
11k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.8k
Transcript
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ RailsΞϓϦͰൿಗใΛڥม͔Β CredentialsʹҠߦͨ͠ @pokohide
࣍ • Credentialsͱ • Ҡߦͷഎܠͱత • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •
Ҡߦͷ݁Ռ • ͍͞͝ʹ
ൃදͷલʹࣗݾհͱએ
ࣗݾհ • Ά͜ͻͰ / @pokohide • όοΫΤϯυΤϯδχΞ • ͓ञඇৗମݧʢϛϡʔδΧϧɺΦʔέετϥɺ ϥΠϒɺେࣗવɺetc…ʣ͕͖Ͱ͢
• ࠷ۙͷ՝ϫϯϐʔεΞχϝؑ
λΠϛʔͷ࣮ εΩϚ όΠτ No.1 ※20310݄࣌ɹ˞1 [ௐࠪํ๏]σεΫϦαʔνٴͼώΞϦϯάௐࠪ [ௐࠪظؒ]20212݄8~22 [ௐࠪ֓ཁ]εΩϚόΠτ ΞϓϦαʔϏεͷ࣮ଶௐࠪ [ௐࠪର]202012݄·ͰʹαʔϏεΛ։͍࢝ͯ͠ΔεΩϚόΠτΞϓϦ10αʔϏε
[ௐ࣮ࠪࢪ] גࣜձࣾγϣούʔζΞΠɹ˞2 [ग़య]AppStoreϥΠϑελΠϧΧςΰϦʔϥϯΩϯάʢ20215݄࣌ʣ 5 ྦྷܭٻਓҊ݅ ɾμϯϩʔυ ※1 ※2 ಋೖࣄۀऀ 66,000اۀ ϫʔΧʔ 600ສਓ
6
7
ۀքΛ͕͑ͯΔλΠϛʔ λΠϛʔଟ͘ͷۀքͰ׆༻͞ΕΔαʔϏεʹ͠ɺྲྀ/খച/ҿ৯ͷ֤ۀքTOP10ࣾͷҎ্͕λΠϛʔΛಋೖதɻ ݱࡏಋೖࣄۀऀ66,000اۀ 170,000ڌҎ্ʹͳΓɺ༷ʑͳۀքʹ͕͍ͬͯ·͢ɻ 8
ืूਓͷਪҠ 9 ※1ɿ20224Qͱ20214Qͷൺֱ ίϩφՒʹ͓͍ͯɺ աڈʹྫΛݟͳ͍ఔͷ ՃతߴΛ࣮ݱɻ
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ RailsΞϓϦͰൿಗใΛڥม͔Β CredentialsʹҠߦͨ͠ @pokohide
࣍ • Credentialsͱ • Ҡߦͷഎܠͱత • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •
Ҡߦͷ݁Ռ • ͍͞͝ʹ
1 Credentialsͱ
Credentialsͱ • Rails 5.2͔ΒՃ͞ΕͨൿಗใΛཧ͢ΔͨΊͷΈ ◦ Add credentials using a generic
EncryptedConfiguration class #30067 • Rails 6͔ΒෳͷڥΛαϙʔτ ◦ Add support for multi environment credentials. #33521
Credentialsͱ • ओͳొਓ ◦ ҉߸ԽϑΝΠϧɿ config/credentials/<environment>.yml.enc ◦ ෮߸༻ͷ伴ɿ ENV[”RAILS_MASTER_KEY”] or
config/credentials/<environment>.key • RailsΞϓϦىಈ࣌ʹ Rails.env ʹରԠ͢Δ҉߸ԽϑΝΠϧͱ伴Λࢀর͠ɺ ෮߸͢Δ • Rails.application.credentials ܦ༝ͰऔಘՄೳʹͳΔ
Credentialsͱ • ෦తʹYAMLܗࣜͷϑΝΠϧΛ҉߸Խ ⁵ ෮߸͍ͯ͠Δ ◦ YAMLͷߏจʹґଘ͢Δ • ෮߸ͨ͠ޙ ActiveSupport::OrderedOptions
ͰࢀরͰ͖ΔͷͰ fetch dig ͕͑Δ
Credentialsͱʢྫʣ
2 Ҡߦͷഎܠͱత
Ҡߦͷഎܠ • ҎલECSͷλεΫఆٛʹڥมͱͯ͠ύϥϝʔλετΞͷSecureStringΛ ར༻ͯ͠ઃఆ͍ͯͨ͠ʢࠓ͕ͩʣ ◦ ύϥϝʔλετΞͷొɺλεΫఆٛϑΝΠϧͷมߋɺίʔυͷมߋͱखؒͩͬͨ ◦ AWSϦιʔεͷཧΠϯϑϥνʔϜ͕ओಋ͓ͯ͠Γڥք͕ᐆດͩͬͨ ◦ σϓϩΠͷ༰қੑʹ͚ܽΔ
• ύϥϝʔλετΞͷૢ࡞ʹಠࣗͷରܕCLIΛར༻ ◦ ϨϏϡʔ͕ࠔ
ಋೖͷϝϦοτ • ڥք͕໌֬ʹͳΔ • σϓϩΠ͕༰қʹͳΔ • ύϥϝʔλετΞͷૢ࡞ݖݶΛফͤΔ ◦ CredentialsΛಋೖ͢Δͱجຊతʹ RAILS_MASTER_KEY
ͷΈΛཧ͢Εྑ͍ͨΊ
త ΞϓϦέʔγϣϯ͕ཧ͖͢ൿಗใ ڥքσϓϩΠͷ༰қੑΛߟྀͯ͠CredentialsʹҠߦ͢Δ
Credentials҆શʁ • ϚελʔΩʔΛ༻ͯ͠҉߸ԽϑΝΠϧΛ෮߸͢Δ • AES-256-GCM҉߸ԽΞϧΰϦζϜΛ༻ͯ͠҉߸Խ͞Ε͍ͯΔ ◦ 2023ݱࡏɺ࠷҆શͳ҉߸Խํࣜͷ1ͭ • ݁ہϚελʔΩʔͷཧ͕ॏཁ •
伴͕ྲྀग़͢Εશͯݟ͑ͯ͠·͏ͷͰཁ༷݅ɺϏδωεڥʹԠͯ͡ݕ ౼ͯ͠Ͷ
3 Ҡߦͷखॱ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 👈 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ • ίʔυΛENVͰgrepͨ͠ΓɺECSͷλεΫఆٛͷڥมΛϦετΞοϓ • ൿಗใʹূ໌ॻൿີ伴ɺGoogleCloudͷJSONΩʔͳͲ͋Δ • Ҡߦ͢Δ͔ͷ؍ʢྫʣ ◦ ͦͦൿಗใ͔ →
ڥຖͷݻ༗ͷઃఆͳΒ config_for Ͱྑ͍͔ ◦ ίϯςφԽ͞Εͨڥຖʹಈతʹೖ͍ͨ͠ͷ͔ ◦ සൟʹߋ৽͢Δใ͔ʢྫ͑PORT൪߸ͱ͔༰қʹม͍͑ͨ߹͕͋Δ͔͠Εͳ͍ʣ
Ҡߦͷखॱ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 👈 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ ҉߸ԽϑΝΠϧͷϨϏϡʔ͕ࠔͳͨΊɺઌʹൿಗใΛҠߦ͓ͯ͘͠ͱ Rails consoleͳͲͰϦϦʔεલʹ֬ೝ͕Ͱ͖ͯศར
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ 👈
Ҡߦͷखॱ ؤுΔ
Ҡߦͷखॱ ͻͨ͢ΒPR࡞ͬͯؤுΔ
Ҡߦͷखॱ োى͖Δ
Ҡߦͷखॱ શ֯εϖʔεͱ֯εϖʔεΛؒҧ͑ͯొ͠ɺࢀর࣌ʹΤϥʔൃੜ ൿಗϑΝΠϧͷϨϏϡʔجຊతʹૉͷVimͱ͔Ͱߦ͍ɺSyntax Highlightޮ͔ ͣɺؾ͖ਏ͍ͷͰҙ͍ͯͩ͘͠͞
Ҡߦͷखॱ ͦΜͳ͜ΜͳͰҠߦͰ͖·ͨ͠ λΠϛʔͰ20%ϧʔϧͰٕज़վળʹ࣌ؒΛ͍ͬͯΔͷͰ͕͢ɺ5ϲ݄͔͔Γ·ͨ͠
4 Ҡߦ࣌ͷTips
Ҡߦ࣌ͷTips CredentialsͷϚελʔΩʔ͕ͳ͍ͱRailsΞϓϦͷىಈʹࣦഊ͢ΔઃఆΛ༗ޮʹ͠ ͓͖ͯ·͠ΐ͏
Ҡߦ࣌ͷTips ҉߸ԽϑΝΠϧͷฤूʹΤσΟλͷࢦఆ͕ඞਢͳͷͰ༻ҙ͓͖ͯ͠·͠ΐ͏ emacsͰྑ͍Ͱ͢
Ҡߦ࣌ͷTips ൿಗใʹΤεέʔϓจࣈؚ͕·ΕΔ߹μϒϧΫΥʔςʔγϣϯͰׅΔ
Ҡߦ࣌ͷTips ൿಗใʹվߦΛ͍͍ͨ߹ύΠϓΛ͏ͳͲ͢Δ
Ҡߦ࣌ͷTips Credentialsͷ߹ʹ߹Θͤͯɺ֎෦αʔϏεͱͷೝূํ๏Λม͑Δ ྫɿGoogle::Auth::ClientId#from_file ෦తʹfrom_hash ݺͼग़͍ͯ͠Δ https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86
Ҡߦ࣌ͷTips • YAMLςΩετϕʔεͷσʔλܗࣜͳͷͰόΠφϦʹ͍͍ͯͳ͍ • ূ໌ॻͳͲόΠφϦσʔλΛCredentialsͰѻ͏߹ɺBase64Τϯίʔυ͠ ͨΛอଘ͠ɺΞϓϦέʔγϣϯଆͰऔΓग़ͯ͠σίʔυΛߦ͏ • Τϯίʔυ͞Ε͍ͯΔࣄ͕͔Γ͍͢Α͏ʹ base64_encoded ϓϨϑΟο
ΫεΛ͚ͭͨ
Ҡߦ࣌ͷTips ൿಗΛίϯιʔϧͰඇදࣔʹ͢Δ Rails 7.1͔Βඪ४ʹͳΓ·͕͢ɺ·্͍ͩ͛ͯͳ͍߹γϯϓϧͳมߋͳͷͰόοΫϙʔτָ https://github.com/rails/rails/pull/48498
Ҡߦ࣌ͷTips • SecretsRails 7.1͔Β໌ࣔతʹඇਪԽ͞ΕͨͷͰɺSECRET_KEY_BASE Λ Credentials ʹҠߦ • ֤ڥͷ credentials.yml
ʹ SECRET_KEY_BASE ΛҠߦ͢ΕOKͳͣ
Ҡߦ࣌ͷTips assets:precompile ࣮ߦ࣌ʹ SECRET_KEY_BASE ͕ͳ͍ͱΤϥʔ͕ى͖Δ ࣮ࡍʹ༻͠ͳ͍ͷͰɺμϛʔΛࣗಈͰઃఆͯ͘͠ΕΔ SECRET_KEY_BASE_DUMMY ͕ Rails 7.1͔Βಋೖ͞Εͨ
Ҡߦ࣌ͷҙ • HerokuͰӡ༻ɺHeroku Data for RedisΛར༻ͯ͠ΔݸਓΞϓϦͷREDIS_URL ΛCredentialsʹҠߦͨ͠ΒRedisʹଓͰ͖ͳ͘ͳͬͨ • ࣗͷཧ͍ͯ͠ͳ͍ڥมΛҠߦ͢Δ߹ҙ͠·͠ΐ͏ https://devcenter.heroku.com/ja/articles/heroku-redis
5 Ҡߦͷ݁Ռ
Ҡߦͷ݁Ռ • ڥมͰཧ͢Δൿಗใ RAILS_MASTER_KEY ͷΈͱͳͬͨ • ূ໌ॻͳͲͷൿಗϑΝΠϧΛS3͔Βίϐʔ͢Δඞཁ͕ͳ͘ͳͬͨͨΊɺawscli AWSͷೝূใ͕ෆཁʹͳͬͨ • Rails.application.secrets
Λഇࢭ • dotenv-rails Λআ • ൿಗใͷՃɾߋ৽͕ΞϓϦέʔγϣϯʹด͡ΔΑ͏ʹͳͬͨ 🎉
Ҡߦͷ݁Ռ ʙ ༨ஊ ྺ࢙తܦҢͰdotenv-rails͕։ൃڥҎ֎ʹಡΈࠐ·Ε͍ͯͨ • ຊ൪ڥͰ༧ظͤ͵্ॻ͖͕͋ͬͯා͍͠ɺCredentialsҠߦʹΑΓ΄΅ෆཁ ʹͳͬͨͷͰআ͢Δ͜ͱʹ • notion-ruby-clientͱ͍͏GemͷRuntime Dependencies͔ΒdotenvΛআ
• DockerͰ .env ΛಡΈࠐΜͰ͘ΕΔ ◦ ಡΈࠐΈλΠϛϯάRailsΞϓϦىಈ͔࣌Βίϯςφىಈ࣌ʹมΘΔ͕ͳ͍ͱஅ
6 ͍͞͝ʹ
͍͞͝ʹ ͬͺΓϨϏϡʔେม • ҉߸Խ͞Ε͍ͯΔͨΊɺ෮߸ͨ݁͠ՌΛݟͳ͍ͱ͔ࠩΒͳ͍ • ҉߸ԽϑΝΠϧͷdiffΛݟΕΔΑ͏ʹ͢Δ bin/rails credentials:diff ͕ެࣜαϙʔ τ͞Ε͍ͯΔ
◦ Railsͷ࣮ߦڥ͔Βgitૢ࡞Ͱ͖Δඞཁ͕͋Δ ◦ ։ൃڥʹDockerΛ༻͍ͯϗετଆͰgitૢ࡞͍ͯ͠ΔͷͰɺ͜ͷͨΊʹίϯςφʹgitΛೖΕΔ ͔ݕ౼த
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠