How we migrated secrets in a Rails app from environment variables to Credentials
pokohide
November 15, 2023
Transcript
2023/11/15 GENBA #1 〜RubyとRails開発の現場〜 (Ruby and Rails development in the field): Migrating secrets in a Rails app from environment variables to Credentials @pokohide
Agenda
• What Credentials are
• Background and goal of the migration
• Migration steps
• Tips for the migration
• Results of the migration
• Closing
Before the talk: a quick self-introduction and a plug
Self-introduction
• Pokohide / @pokohide
• Backend engineer
• Likes sake and out-of-the-ordinary experiences (musicals, orchestras, live shows, the great outdoors, etc.)
• Current daily routine: watching the One Piece anime
Taimee's track record: the No.1 gig-work (sukima baito) app (※1)
※1 Survey method: desk research and interviews; survey period: 2021-02-08 to 02-22; scope: actual-usage survey of gig-work app services; subjects: 10 gig-work app services launched by December 2020; conducted by Shoppers Eye Inc. ※2 Source: App Store Lifestyle category ranking (as of May 2021)
Cumulative job listings and downloads (※1, ※2); 66,000 client businesses; 6 million workers
Taimee, spreading across industries: Taimee has grown into a service used in many industries, and top-10 companies in logistics, retail and food service are among those that have adopted it. It now serves 66,000 client businesses at more than 170,000 sites, across a wide range of industries.
Growth in the number of job postings (※1: 2022 Q4 compared with 2021 Q4). Even through the COVID-19 pandemic, growth accelerated at a rate without precedent.
1. What Credentials are
What Credentials are
• A mechanism for managing secrets, added in Rails 5.2
  ◦ Add credentials using a generic EncryptedConfiguration class #30067
• Multiple environments supported since Rails 6
  ◦ Add support for multi environment credentials. #33521
What Credentials are
• The main players
  ◦ The encrypted file: config/credentials/<environment>.yml.enc
  ◦ The decryption key: ENV["RAILS_MASTER_KEY"] or config/credentials/<environment>.key
• At boot the Rails app looks up the encrypted file and the key that match Rails.env and decrypts the file
• The values then become available through Rails.application.credentials
What Credentials are
• Internally it encrypts and decrypts a YAML-format file
  ◦ So it depends on YAML syntax
• After decryption the values are exposed as ActiveSupport::OrderedOptions, so fetch and dig can be used
What Credentials are (example)
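An added, stand-alone model of the flow the slides describe (not Rails' own EncryptedConfiguration): a YAML document is encrypted under a hex master key, the ciphertext is what gets stored, and the app decrypts at boot and reads values with dig and fetch. It uses AES-256-GCM as the deck states; the key length and the "--"-joined base64 layout are this example's own assumptions, not Rails' file format.

```ruby
require "openssl"
require "yaml"
require "base64"
CIPHER = "aes-256-gcm" # as the deck states; the real Rails cipher may differ

# Hex master key in the shape RAILS_MASTER_KEY has (constructed, not real).
def generate_master_key
  OpenSSL::Random.random_bytes(32).unpack1("H*") # 64 hex chars -> 32 bytes
end

# Encrypt the plaintext YAML; the "--"-joined base64 layout is this example's.
def encrypt_credentials(plain_yaml, master_key_hex)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [master_key_hex].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plain_yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# A wrong key or a tampered file fails the GCM tag check and raises
# OpenSSL::Cipher::CipherError instead of yielding garbage.
def decrypt_credentials(encrypted, master_key_hex)
  ciphertext, iv, tag = encrypted.split("--").map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [master_key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Symbol-keyed nested hashes stand in for ActiveSupport::OrderedOptions, so
# creds.dig(:aws, :access_key_id) and creds.fetch(:secret_key_base) both work.
def deep_symbolize(obj)
  return obj unless obj.is_a?(Hash)
  obj.each_with_object({}) { |(k, v), h| h[k.to_sym] = deep_symbolize(v) }
end
def load_credentials(encrypted, master_key_hex)
  deep_symbolize(YAML.safe_load(decrypt_credentials(encrypted, master_key_hex)))
end

# Constructed sample in the shape of config/credentials/production.yml.
SAMPLE_YAML = <<~YAML
  secret_key_base: 0123abcd
  aws:
    access_key_id: AKIA_EXAMPLE
    secret_access_key: example-secret
YAML
```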
2. Background and goal of the migration
Background of the migration
• Previously (and still today, in fact) secrets were set as environment variables in ECS task definitions, backed by Parameter Store SecureStrings
  ◦ Registering the value in Parameter Store, changing the task-definition file and changing the code was a lot of manual work
  ◦ AWS resources were managed mainly by the infrastructure team, so the boundary of responsibility was blurry
  ◦ Deployment was not easy
• Parameter Store was operated through an in-house interactive CLI
  ◦ Which made review difficult
Benefits of adopting Credentials
• The boundary of responsibility becomes clear
• Deployment becomes easier
• Permissions to operate Parameter Store can be dropped
  ◦ Once Credentials are in place, basically only RAILS_MASTER_KEY has to be managed
Goal: move the secrets the application itself should own into Credentials, with the responsibility boundary and ease of deployment in mind
Are Credentials safe?
• The encrypted file is decrypted with the master key
• It is encrypted with the AES-256-GCM algorithm
  ◦ As of 2023, one of the most secure encryption schemes
• In the end, what matters is how the master key is managed
• If the key leaks, everything becomes visible, so weigh this against your requirements and business environment
3. Migration steps
Migration steps
1. Decide what to migrate
2. Add every secret in scope to Credentials
3. Move to Rails.application.credentials a little at a time
Migration steps
1. Decide what to migrate 👈
2. Add every secret in scope to Credentials
3. Move to Rails.application.credentials a little at a time
Migration steps
• grep the code for ENV and list the environment variables in the ECS task definitions
• Secrets also include certificates, private keys, Google Cloud JSON keys and so on
• Criteria for whether to migrate (examples)
  ◦ Is it really a secret? → if it is just an environment-specific setting, config_for may be enough
  ◦ Is it something that should be injected dynamically per containerized environment?
  ◦ Is it updated frequently? (e.g. a PORT number you may want to change easily)
Migration steps
Migration steps
1. Decide what to migrate
2. Add every secret in scope to Credentials 👈
3. Move to Rails.application.credentials a little at a time
Migration steps: reviewing the encrypted file is hard, so migrating the secrets first lets you verify them in a Rails console before release, which is convenient
Migration steps
1. Decide what to migrate
2. Add every secret in scope to Credentials
3. Move to Rails.application.credentials a little at a time 👈
Migration steps: keep at it
Migration steps: just keep opening PRs and push through
Migration steps: an incident happens
Migration steps: a full-width space was registered where a half-width space was meant, and referencing the value raised an error. Encrypted files are usually reviewed in plain Vim or similar, with no syntax highlighting, so this is hard to notice; watch out for it.
Migration steps: and so the migration got done. At Taimee we spend time on technical improvements under a 20% rule, and it took five months.
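An added pre-release check for the three steps above (not the deck's own tooling): it inventories the ENV keys the code reads (step 1), reports which of them already have an entry in the decrypted credentials document (step 2), and flags the full-width space (U+3000) pitfall from the incident slide, which a plain editor will not highlight. The sample source and YAML are constructed.

```ruby
require "yaml"

# Matches ENV["KEY"], ENV['KEY'], ENV.fetch("KEY", ...) and ENV.fetch('KEY').
ENV_REF = /ENV(?:\.fetch\(|\[)\s*["']([A-Z0-9_]+)["']/

# Step 1: inventory of environment variables the code actually reads.
def env_keys_in(source)
  source.scan(ENV_REF).flatten.uniq.sort
end

# The incident from the slides: a full-width space (U+3000) is not YAML
# whitespace, so it silently becomes part of a key or value and only fails
# when the value is used. Returns the 1-based line numbers that contain one.
def fullwidth_space_lines(yaml_text)
  yaml_text.each_line.with_index(1).select { |line, _| line.include?("\u3000") }.map(&:last)
end

# Step 2 check: which ENV keys already have a lowercase top-level entry in the
# decrypted credentials document, and which are still missing.
def migration_status(source, yaml_text)
  present = (YAML.safe_load(yaml_text) || {}).keys.map(&:to_s)
  env_keys_in(source).each_with_object({ migrated: [], missing: [] }) do |key, acc|
    (present.include?(key.downcase) ? acc[:migrated] : acc[:missing]) << key
  end
end

# Constructed sample application code.
SAMPLE_SOURCE = <<~'RUBY'
  redis = Redis.new(url: ENV["REDIS_URL"])
  s3 = Aws::S3::Client.new(access_key_id: ENV.fetch("AWS_ACCESS_KEY_ID"))
  token = ENV.fetch('SLACK_TOKEN') { raise "missing" }
  port = ENV["PORT"]
RUBY

# Constructed decrypted credentials; the second value ends in a full-width
# space, exactly the kind of typo plain Vim will not show.
SAMPLE_YAML = <<~YAML
  aws_access_key_id: AKIA_EXAMPLE
  slack_token: xoxb-example\u3000
YAML

if __FILE__ == $PROGRAM_NAME
  puts "full-width space on lines: #{fullwidth_space_lines(SAMPLE_YAML).inspect}"
  puts migration_status(SAMPLE_SOURCE, SAMPLE_YAML).inspect
end
```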
4. Tips for the migration
Tip: enable the setting that makes the Rails app fail to boot when the Credentials master key is missing
Tip: editing the encrypted file requires an editor to be specified, so have one ready (Emacs is fine too)
Tip: if a secret contains escape characters, wrap it in double quotes
Tip: if a secret needs line breaks, use a pipe (literal block scalar) or similar
Tip: adapt how you authenticate to external services to the Credentials case. Example: Google::Auth::ClientId#from_file internally calls from_hash https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86
Tips
• YAML is a text-based data format, so it is not suited to binary
• For binary data such as certificates, store a Base64-encoded value in Credentials and decode it on the application side after reading it out
• We added a base64_encoded prefix so it is obvious that the value is encoded
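An added example (not the deck's code) of a credentials document written with the four tips above, plus a loader that turns every key carrying the deck's base64_encoded_ prefix back into raw bytes; the prefix-stripped key names, the constructed PEM text and the hash shape passed to from_hash are assumptions.

```ruby
require "yaml"
require "base64"

PREFIX = "base64_encoded_" # the deck's naming convention for encoded values

# Walks the decrypted document; a key like base64_encoded_p12_cert comes back
# as :p12_cert holding the raw bytes, so callers never see the encoding.
def decode_prefixed(obj)
  return obj unless obj.is_a?(Hash)
  obj.each_with_object({}) do |(k, v), out|
    key = k.to_s
    if key.start_with?(PREFIX) && v.is_a?(String)
      out[key.delete_prefix(PREFIX).to_sym] = Base64.strict_decode64(v)
    else
      out[key.to_sym] = decode_prefixed(v)
    end
  end
end

# Constructed bytes standing in for a PKCS#12 certificate file.
SAMPLE_DER = [0x30, 0x82, 0x01, 0x0A, 0x00, 0xFF].pack("C*")

# Constructed credentials document written with the YAML tips above.
SAMPLE_YAML = <<~'YAML' + "base64_encoded_p12_cert: #{Base64.strict_encode64(SAMPLE_DER)}\n"
  # escape characters: double quotes make YAML read \\ and \" as escapes
  smtp_password: "pa\\ss#w\"rd"
  # line breaks: a literal block scalar (|) keeps them as real newlines
  signing_key_pem: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
    -----END PRIVATE KEY-----
  google:
    client_id: example.apps.googleusercontent.com
    client_secret: example-secret
YAML

def load_sample
  decode_prefixed(YAML.safe_load(SAMPLE_YAML))
end

# With the hash form, the Google client can be built from credentials instead of
# a JSON file (assumed shape; from_file itself just reads JSON into from_hash):
#   Google::Auth::ClientId.from_hash("web" => creds[:google].transform_keys(&:to_s))
```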
Tip: hide secrets in the console. This becomes the default from Rails 7.1, but if you have not upgraded yet it is a simple change and easy to backport https://github.com/rails/rails/pull/48498
Tips
• Secrets are explicitly deprecated from Rails 7.1, so move SECRET_KEY_BASE into Credentials
• Migrating SECRET_KEY_BASE into each environment's credentials.yml should be enough
Tip: assets:precompile raises an error if SECRET_KEY_BASE is missing when it runs. Since the value is not actually used there, Rails 7.1 introduced SECRET_KEY_BASE_DUMMY, which sets a dummy value automatically
Caveats during migration
• For a personal app running on Heroku with Heroku Data for Redis, moving REDIS_URL into Credentials broke the connection to Redis
• Be careful when migrating environment variables you do not manage yourself https://devcenter.heroku.com/ja/articles/heroku-redis
5. Results of the migration
Results of the migration
• RAILS_MASTER_KEY is now the only secret managed as an environment variable
• Secret files such as certificates no longer need to be copied from S3, so awscli and AWS credentials are no longer needed
• Rails.application.secrets retired
• dotenv-rails removed
• Adding and updating secrets is now contained within the application 🎉
Results of the migration: an aside. For historical reasons dotenv-rails was being loaded outside the development environment too
• An unexpected override in production would be scary, and the Credentials migration made it almost unnecessary, so we decided to remove it
• Removed dotenv from the Runtime Dependencies of the notion-ruby-client gem
• Docker loads .env for us too
  ◦ The load timing changes from Rails app boot to container start, but we judged that not to be a problem
6. Closing
Closing: review is still the hard part
• Because the file is encrypted, you cannot see the diff without looking at the decrypted result
• bin/rails credentials:diff, which makes the diff of the encrypted file viewable, is officially supported
  ◦ It requires being able to run git from the Rails runtime environment
  ◦ We use Docker for development and run git on the host side, so we are considering whether to install git in the container for this
Thank you for listening.