Railsアプリで秘匿情報を環境変数からCredentialsに移行した話

Transcript

1. 2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱ৔ʙ RailsΞϓϦͰൿಗ৘ใΛ؀ڥม਺͔Β CredentialsʹҠߦͨ͠࿩ @pokohide

2. ໨࣍ • Credentialsͱ͸ • Ҡߦͷഎܠͱ໨త • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •

   Ҡߦͷ݁Ռ • ͍͞͝ʹ

3. ൃදͷલʹࣗݾ঺հͱએ఻

4. ࣗݾ঺հ • Ά͜ͻͰ / @pokohide • όοΫΤϯυΤϯδχΞ • ͓ञ΍ඇ೔ৗମݧʢϛϡʔδΧϧɺΦʔέετϥɺ ϥΠϒɺେࣗવɺetc…ʣ͕޷͖Ͱ͢

   • ࠷ۙͷ೔՝͸ϫϯϐʔεΞχϝؑ৆

5. λΠϛʔͷ࣮੷ εΩϚ όΠτ No.1 ※203೥10݄࣌఺ɹ˞1 [ௐࠪํ๏]σεΫϦαʔνٴͼώΞϦϯάௐࠪ [ௐࠪظؒ]2021೥2݄8೔~22೔ [ௐࠪ֓ཁ]εΩϚόΠτ ΞϓϦαʔϏεͷ࣮ଶௐࠪ [ௐࠪର৅]2020೥12݄·ͰʹαʔϏεΛ։͍࢝ͯ͠ΔεΩϚόΠτΞϓϦ10αʔϏε

   [ௐ࣮ࠪࢪ] גࣜձࣾγϣούʔζΞΠɹ˞2 [ग़య]AppStoreϥΠϑελΠϧΧςΰϦʔϥϯΩϯάʢ2021೥5݄࣌఺ʣ 5 ྦྷܭٻਓҊ݅਺ ɾμ΢ϯϩʔυ਺ ※1 ※2 ಋೖࣄۀऀ਺ 66,000اۀ ϫʔΧʔ਺ 600ສਓ

6. 6

7. 7

8. ۀքΛ௒͑ͯ޿͕ΔλΠϛʔ λΠϛʔ͸ଟ͘ͷۀքͰ׆༻͞ΕΔαʔϏεʹ੒௕͠ɺ෺ྲྀ/খച/ҿ৯ͷ֤ۀքTOP10ࣾͷ൒਺Ҏ্͕λΠϛʔΛಋೖதɻ ݱࡏಋೖࣄۀऀ਺͸66,000اۀ 170,000ڌ఺Ҏ্ʹͳΓɺ༷ʑͳۀքʹ޿͕͍ͬͯ·͢ɻ 8

9. ืूਓ਺ͷਪҠ 9 ※1ɿ2022೥4Qͱ2021೥4Qͷൺֱ ίϩφՒʹ͓͍ͯ΋ɺ աڈʹྫΛݟͳ͍ఔͷ Ճ଎తߴ੒௕Λ࣮ݱɻ

10. 2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱ৔ʙ RailsΞϓϦͰൿಗ৘ใΛ؀ڥม਺͔Β CredentialsʹҠߦͨ͠࿩ @pokohide

11. ໨࣍ • Credentialsͱ͸ • Ҡߦͷഎܠͱ໨త • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •

    Ҡߦͷ݁Ռ • ͍͞͝ʹ

12. 1 Credentialsͱ͸

13. Credentialsͱ͸ • Rails 5.2͔Β௥Ճ͞Εͨൿಗ৘ใΛ؅ཧ͢ΔͨΊͷ࢓૊Έ ◦ Add credentials using a generic

    EncryptedConfiguration class #30067 • Rails 6͔Βෳ਺ͷ؀ڥΛαϙʔτ ◦ Add support for multi environment credentials. #33521

14. Credentialsͱ͸ • ओͳొ৔ਓ෺ ◦ ҉߸ԽϑΝΠϧɿ config/credentials/<environment>.yml.enc ◦ ෮߸༻ͷ伴ɿ ENV[”RAILS_MASTER_KEY”] or

    config/credentials/<environment>.key • RailsΞϓϦىಈ࣌ʹ Rails.env ʹରԠ͢Δ҉߸ԽϑΝΠϧͱ伴Λࢀর͠ɺ ෮߸͢Δ • Rails.application.credentials ܦ༝ͰऔಘՄೳʹͳΔ

15. Credentialsͱ͸ • ಺෦తʹ͸YAMLܗࣜͷϑΝΠϧΛ҉߸Խ ⁵ ෮߸͍ͯ͠Δ ◦ YAMLͷߏจʹґଘ͢Δ • ෮߸ͨ͠ޙ͸ ActiveSupport::OrderedOptions

    ͰࢀরͰ͖ΔͷͰ fetch ΍ dig ͕࢖͑Δ

16. Credentialsͱ͸ʢྫʣ

17. 2 Ҡߦͷഎܠͱ໨త

18. Ҡߦͷഎܠ • Ҏલ͸ECSͷλεΫఆٛʹ؀ڥม਺ͱͯ͠ύϥϝʔλετΞͷSecureStringΛ ར༻ͯ͠ઃఆ͍ͯͨ͠ʢࠓ΋͕ͩʣ ◦ ύϥϝʔλετΞ΁ͷొ࿥ɺλεΫఆٛϑΝΠϧͷมߋɺίʔυͷมߋͱखؒͩͬͨ ◦ AWSϦιʔεͷ؅ཧ͸ΠϯϑϥνʔϜ͕ओಋ͓ͯ͠Γ੹೚ڥք͕ᐆດͩͬͨ ◦ σϓϩΠͷ༰қੑʹ΋͚ܽΔ

    • ύϥϝʔλετΞͷૢ࡞ʹ͸ಠࣗͷର࿩ܕCLIΛར༻ ◦ ϨϏϡʔ͕ࠔ೉

19. ಋೖͷϝϦοτ • ੹೚ڥք͕໌֬ʹͳΔ • σϓϩΠ͕༰қʹͳΔ • ύϥϝʔλετΞͷૢ࡞ݖݶΛফͤΔ ◦ CredentialsΛಋೖ͢Δͱجຊతʹ RAILS_MASTER_KEY

    ͷΈΛ؅ཧ͢Ε͹ྑ͍ͨΊ

20. ໨త ΞϓϦέʔγϣϯ͕؅ཧ͢΂͖ൿಗ৘ใ͸ ੹೚ڥք΍σϓϩΠͷ༰қੑΛߟྀͯ͠CredentialsʹҠߦ͢Δ

21. Credentials͸҆શʁ • ϚελʔΩʔΛ࢖༻ͯ͠҉߸ԽϑΝΠϧΛ෮߸͢Δ • AES-256-GCM҉߸ԽΞϧΰϦζϜΛ࢖༻ͯ͠҉߸Խ͞Ε͍ͯΔ ◦ 2023೥ݱࡏɺ࠷΋҆શͳ҉߸Խํࣜͷ1ͭ • ݁ہ͸ϚελʔΩʔͷ؅ཧ͕ॏཁ •

    伴͕ྲྀग़͢Ε͹શͯݟ͑ͯ͠·͏ͷͰཁ݅΍࢓༷ɺϏδωε؀ڥʹԠͯ͡ݕ ౼ͯ͠Ͷ

22. 3 Ҡߦͷखॱ

23. Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. Ҡߦର৅ͷൿಗ৘ใΛશͯCredentialsʹ௥Ճ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ

24. Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 👈 2. Ҡߦର৅ͷൿಗ৘ใΛશͯCredentialsʹ௥Ճ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ

25. Ҡߦͷखॱ • ίʔυΛENVͰgrepͨ͠ΓɺECSͷλεΫఆٛͷ؀ڥม਺ΛϦετΞοϓ • ൿಗ৘ใʹ͸ূ໌ॻ΍ൿີ伴ɺGoogleCloudͷJSONΩʔͳͲ΋͋Δ • Ҡߦ͢Δ͔ͷ؍఺ʢྫʣ ◦ ͦ΋ͦ΋ൿಗ৘ใ͔ →

    ؀ڥຖͷݻ༗ͷઃఆͳΒ config_for Ͱ΋ྑ͍͔΋ ◦ ίϯςφԽ͞Εͨ؀ڥຖʹಈతʹ஫ೖ͍ͨ͠΋ͷ͔ ◦ සൟʹߋ৽͢Δ৘ใ͔ʢྫ͑͹PORT൪߸ͱ͔༰қʹม͍͑ͨ৔߹͕͋Δ͔΋͠Εͳ͍ʣ

26. Ҡߦͷखॱ

27. Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. Ҡߦର৅ͷൿಗ৘ใΛશͯCredentialsʹ௥Ճ͢Δ 👈 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ

28. Ҡߦͷखॱ ҉߸ԽϑΝΠϧͷϨϏϡʔ͕ࠔ೉ͳͨΊɺઌʹൿಗ৘ใΛҠߦ͓ͯ͘͠ͱ Rails consoleͳͲͰϦϦʔεલʹ֬ೝ͕Ͱ͖ͯศར

29. Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. Ҡߦର৅ͷൿಗ৘ใΛશͯCredentialsʹ௥Ճ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ 👈

30. Ҡߦͷखॱ ؤுΔ

31. Ҡߦͷखॱ ͻͨ͢ΒPR࡞ͬͯؤுΔ

32. Ҡߦͷखॱ ো֐΋ى͖Δ

33. Ҡߦͷखॱ શ֯εϖʔεͱ൒֯εϖʔεΛؒҧ͑ͯొ࿥͠ɺࢀর࣌ʹΤϥʔൃੜ ൿಗϑΝΠϧͷϨϏϡʔ͸جຊతʹૉͷVimͱ͔Ͱߦ͍ɺSyntax Highlight΋ޮ͔ ͣɺؾ෇͖ਏ͍ͷͰ஫ҙ͍ͯͩ͘͠͞

34. Ҡߦͷखॱ ͦΜͳ͜ΜͳͰҠߦͰ͖·ͨ͠ λΠϛʔͰ͸20%ϧʔϧͰٕज़վળʹ࣌ؒΛ࢖͍ͬͯΔͷͰ͕͢ɺ໿5ϲ݄͔͔Γ·ͨ͠

35. 4 Ҡߦ࣌ͷTips

36. Ҡߦ࣌ͷTips CredentialsͷϚελʔΩʔ͕ͳ͍ͱRailsΞϓϦͷىಈʹࣦഊ͢ΔઃఆΛ༗ޮʹ͠ ͓͖ͯ·͠ΐ͏

37. Ҡߦ࣌ͷTips ҉߸ԽϑΝΠϧͷฤूʹ͸ΤσΟλͷࢦఆ͕ඞਢͳͷͰ༻ҙ͓͖ͯ͠·͠ΐ͏ emacsͰ΋ྑ͍Ͱ͢

38. Ҡߦ࣌ͷTips ൿಗ৘ใʹΤεέʔϓจࣈؚ͕·ΕΔ৔߹͸μϒϧΫΥʔςʔγϣϯͰׅΔ

39. Ҡߦ࣌ͷTips ൿಗ৘ใʹվߦΛ࢖͍͍ͨ৔߹͸ύΠϓΛ࢖͏ͳͲ͢Δ

40. Ҡߦ࣌ͷTips Credentialsͷ౎߹ʹ߹Θͤͯɺ֎෦αʔϏεͱͷೝূํ๏Λม͑Δ ྫɿGoogle::Auth::ClientId#from_file ͸಺෦తʹfrom_hash ݺͼग़͍ͯ͠Δ https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86

41. Ҡߦ࣌ͷTips • YAML͸ςΩετϕʔεͷσʔλܗࣜͳͷͰόΠφϦʹ͸޲͍͍ͯͳ͍ • ূ໌ॻͳͲόΠφϦσʔλΛCredentialsͰѻ͏৔߹ɺBase64Τϯίʔυ͠ ͨ஋Λอଘ͠ɺΞϓϦέʔγϣϯଆͰऔΓग़ͯ͠σίʔυΛߦ͏ • Τϯίʔυ͞Ε͍ͯΔࣄ͕෼͔Γ΍͍͢Α͏ʹ base64_encoded ϓϨϑΟο

    ΫεΛ͚ͭͨ

42. Ҡߦ࣌ͷTips ൿಗ஋ΛίϯιʔϧͰඇදࣔʹ͢Δ Rails 7.1͔Βඪ४ʹͳΓ·͕͢ɺ·্͍ͩ͛ͯͳ͍৔߹͸γϯϓϧͳมߋͳͷͰόοΫϙʔτ΋ָ https://github.com/rails/rails/pull/48498

43. Ҡߦ࣌ͷTips • Secrets͸Rails 7.1͔Β໌ࣔతʹඇਪ঑Խ͞ΕͨͷͰɺSECRET_KEY_BASE Λ Credentials ʹҠߦ • ֤؀ڥͷ credentials.yml

    ʹ SECRET_KEY_BASE ΛҠߦ͢Ε͹OKͳ͸ͣ

44. Ҡߦ࣌ͷTips assets:precompile ࣮ߦ࣌ʹ SECRET_KEY_BASE ͕ͳ͍ͱΤϥʔ͕ى͖Δ
 ࣮ࡍʹ࢖༻͸͠ͳ͍ͷͰɺμϛʔ஋ΛࣗಈͰઃఆͯ͘͠ΕΔ SECRET_KEY_BASE_DUMMY ͕ Rails 7.1͔Βಋೖ͞Εͨ

45. Ҡߦ࣌ͷ஫ҙ • HerokuͰӡ༻ɺHeroku Data for RedisΛར༻ͯ͠ΔݸਓΞϓϦͷREDIS_URL ΛCredentialsʹҠߦͨ͠ΒRedisʹ઀ଓͰ͖ͳ͘ͳͬͨ • ࣗ෼ͷ؅ཧ͍ͯ͠ͳ͍؀ڥม਺౳ΛҠߦ͢Δ৔߹͸஫ҙ͠·͠ΐ͏ https://devcenter.heroku.com/ja/articles/heroku-redis

46. 5 Ҡߦͷ݁Ռ

47. Ҡߦͷ݁Ռ • ؀ڥม਺Ͱ؅ཧ͢Δൿಗ৘ใ͸ RAILS_MASTER_KEY ͷΈͱͳͬͨ • ূ໌ॻͳͲͷൿಗϑΝΠϧΛS3͔Βίϐʔ͢Δඞཁ͕ͳ͘ͳͬͨͨΊɺawscli΍ AWSͷೝূ৘ใ͕ෆཁʹͳͬͨ • Rails.application.secrets

    Λഇࢭ • dotenv-rails Λ࡟আ • ൿಗ৘ใͷ௥Ճɾߋ৽͕ΞϓϦέʔγϣϯʹด͡ΔΑ͏ʹͳͬͨ 🎉

48. Ҡߦͷ݁Ռ ʙ ༨ஊ ྺ࢙తܦҢͰdotenv-rails͕։ൃ؀ڥҎ֎ʹ΋ಡΈࠐ·Ε͍ͯͨ • ຊ൪؀ڥͰ༧ظͤ͵্ॻ͖͕͋ͬͯ΋ා͍͠ɺCredentialsҠߦʹΑΓ΄΅ෆཁ ʹͳͬͨͷͰ࡟আ͢Δ͜ͱʹ • notion-ruby-clientͱ͍͏GemͷRuntime Dependencies͔ΒdotenvΛ࡟আ

    • DockerͰ΋ .env ΛಡΈࠐΜͰ͘ΕΔ ◦ ಡΈࠐΈλΠϛϯά͸RailsΞϓϦىಈ͔࣌Βίϯςφىಈ࣌ʹมΘΔ͕໰୊ͳ͍ͱ൑அ

49. 6 ͍͞͝ʹ

50. ͍͞͝ʹ ΍ͬͺΓϨϏϡʔ͸େม • ҉߸Խ͞Ε͍ͯΔͨΊɺ෮߸ͨ݁͠ՌΛݟͳ͍ͱࠩ෼͸෼͔Βͳ͍ • ҉߸ԽϑΝΠϧͷdiffΛݟΕΔΑ͏ʹ͢Δ bin/rails credentials:diff ͕ެࣜαϙʔ τ͞Ε͍ͯΔ

    ◦ Railsͷ࣮ߦ؀ڥ͔Βgitૢ࡞Ͱ͖Δඞཁ͕͋Δ ◦ ։ൃ؀ڥʹDockerΛ༻͍ͯϗετଆͰgitૢ࡞͍ͯ͠ΔͷͰɺ͜ͷͨΊʹίϯςφʹgitΛೖΕΔ ͔ݕ౼த

51. ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠