Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Railsアプリで秘匿情報を環境変数からCredentialsに移行した話
Search
pokohide
November 15, 2023
2
580
Railsアプリで秘匿情報を環境変数からCredentialsに移行した話
pokohide
November 15, 2023
Tweet
Share
More Decks by pokohide
See All by pokohide
技術的負債との付き合い方 〜プロダクトミライ会議〜
pokohide
0
120
TechTrain RoRハンズオン
pokohide
0
1.3k
ブラウザとフレンズになろう
pokohide
0
53
Featured
See All Featured
Agile that works and the tools we love
rasmusluckow
329
21k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
RailsConf 2023
tenderlove
30
1.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
How to Think Like a Performance Engineer
csswizardry
25
1.7k
Facilitating Awesome Meetings
lara
54
6.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Transcript
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ RailsΞϓϦͰൿಗใΛڥม͔Β CredentialsʹҠߦͨ͠ @pokohide
࣍ • Credentialsͱ • Ҡߦͷഎܠͱత • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •
Ҡߦͷ݁Ռ • ͍͞͝ʹ
ൃදͷલʹࣗݾհͱએ
ࣗݾհ • Ά͜ͻͰ / @pokohide • όοΫΤϯυΤϯδχΞ • ͓ञඇৗମݧʢϛϡʔδΧϧɺΦʔέετϥɺ ϥΠϒɺେࣗવɺetc…ʣ͕͖Ͱ͢
• ࠷ۙͷ՝ϫϯϐʔεΞχϝؑ
λΠϛʔͷ࣮ εΩϚ όΠτ No.1 ※20310݄࣌ɹ˞1 [ௐࠪํ๏]σεΫϦαʔνٴͼώΞϦϯάௐࠪ [ௐࠪظؒ]20212݄8~22 [ௐࠪ֓ཁ]εΩϚόΠτ ΞϓϦαʔϏεͷ࣮ଶௐࠪ [ௐࠪର]202012݄·ͰʹαʔϏεΛ։͍࢝ͯ͠ΔεΩϚόΠτΞϓϦ10αʔϏε
[ௐ࣮ࠪࢪ] גࣜձࣾγϣούʔζΞΠɹ˞2 [ग़య]AppStoreϥΠϑελΠϧΧςΰϦʔϥϯΩϯάʢ20215݄࣌ʣ 5 ྦྷܭٻਓҊ݅ ɾμϯϩʔυ ※1 ※2 ಋೖࣄۀऀ 66,000اۀ ϫʔΧʔ 600ສਓ
6
7
ۀքΛ͕͑ͯΔλΠϛʔ λΠϛʔଟ͘ͷۀքͰ׆༻͞ΕΔαʔϏεʹ͠ɺྲྀ/খച/ҿ৯ͷ֤ۀքTOP10ࣾͷҎ্͕λΠϛʔΛಋೖதɻ ݱࡏಋೖࣄۀऀ66,000اۀ 170,000ڌҎ্ʹͳΓɺ༷ʑͳۀքʹ͕͍ͬͯ·͢ɻ 8
ืूਓͷਪҠ 9 ※1ɿ20224Qͱ20214Qͷൺֱ ίϩφՒʹ͓͍ͯɺ աڈʹྫΛݟͳ͍ఔͷ ՃతߴΛ࣮ݱɻ
2023/11/15ɹGENBA #1 ʙRubyͱRails։ൃͷݱʙ RailsΞϓϦͰൿಗใΛڥม͔Β CredentialsʹҠߦͨ͠ @pokohide
࣍ • Credentialsͱ • Ҡߦͷഎܠͱత • Ҡߦͷखॱ • Ҡߦ࣌ͷTips •
Ҡߦͷ݁Ռ • ͍͞͝ʹ
1 Credentialsͱ
Credentialsͱ • Rails 5.2͔ΒՃ͞ΕͨൿಗใΛཧ͢ΔͨΊͷΈ ◦ Add credentials using a generic
EncryptedConfiguration class #30067 • Rails 6͔ΒෳͷڥΛαϙʔτ ◦ Add support for multi environment credentials. #33521
Credentialsͱ • ओͳొਓ ◦ ҉߸ԽϑΝΠϧɿ config/credentials/<environment>.yml.enc ◦ ෮߸༻ͷ伴ɿ ENV[”RAILS_MASTER_KEY”] or
config/credentials/<environment>.key • RailsΞϓϦىಈ࣌ʹ Rails.env ʹରԠ͢Δ҉߸ԽϑΝΠϧͱ伴Λࢀর͠ɺ ෮߸͢Δ • Rails.application.credentials ܦ༝ͰऔಘՄೳʹͳΔ
Credentialsͱ • ෦తʹYAMLܗࣜͷϑΝΠϧΛ҉߸Խ ⁵ ෮߸͍ͯ͠Δ ◦ YAMLͷߏจʹґଘ͢Δ • ෮߸ͨ͠ޙ ActiveSupport::OrderedOptions
ͰࢀরͰ͖ΔͷͰ fetch dig ͕͑Δ
Credentialsͱʢྫʣ
2 Ҡߦͷഎܠͱత
Ҡߦͷഎܠ • ҎલECSͷλεΫఆٛʹڥมͱͯ͠ύϥϝʔλετΞͷSecureStringΛ ར༻ͯ͠ઃఆ͍ͯͨ͠ʢࠓ͕ͩʣ ◦ ύϥϝʔλετΞͷొɺλεΫఆٛϑΝΠϧͷมߋɺίʔυͷมߋͱखؒͩͬͨ ◦ AWSϦιʔεͷཧΠϯϑϥνʔϜ͕ओಋ͓ͯ͠Γڥք͕ᐆດͩͬͨ ◦ σϓϩΠͷ༰қੑʹ͚ܽΔ
• ύϥϝʔλετΞͷૢ࡞ʹಠࣗͷରܕCLIΛར༻ ◦ ϨϏϡʔ͕ࠔ
ಋೖͷϝϦοτ • ڥք͕໌֬ʹͳΔ • σϓϩΠ͕༰қʹͳΔ • ύϥϝʔλετΞͷૢ࡞ݖݶΛফͤΔ ◦ CredentialsΛಋೖ͢Δͱجຊతʹ RAILS_MASTER_KEY
ͷΈΛཧ͢Εྑ͍ͨΊ
త ΞϓϦέʔγϣϯ͕ཧ͖͢ൿಗใ ڥքσϓϩΠͷ༰қੑΛߟྀͯ͠CredentialsʹҠߦ͢Δ
Credentials҆શʁ • ϚελʔΩʔΛ༻ͯ͠҉߸ԽϑΝΠϧΛ෮߸͢Δ • AES-256-GCM҉߸ԽΞϧΰϦζϜΛ༻ͯ͠҉߸Խ͞Ε͍ͯΔ ◦ 2023ݱࡏɺ࠷҆શͳ҉߸Խํࣜͷ1ͭ • ݁ہϚελʔΩʔͷཧ͕ॏཁ •
伴͕ྲྀग़͢Εશͯݟ͑ͯ͠·͏ͷͰཁ༷݅ɺϏδωεڥʹԠͯ͡ݕ ౼ͯ͠Ͷ
3 Ҡߦͷखॱ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 👈 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ • ίʔυΛENVͰgrepͨ͠ΓɺECSͷλεΫఆٛͷڥมΛϦετΞοϓ • ൿಗใʹূ໌ॻൿີ伴ɺGoogleCloudͷJSONΩʔͳͲ͋Δ • Ҡߦ͢Δ͔ͷ؍ʢྫʣ ◦ ͦͦൿಗใ͔ →
ڥຖͷݻ༗ͷઃఆͳΒ config_for Ͱྑ͍͔ ◦ ίϯςφԽ͞Εͨڥຖʹಈతʹೖ͍ͨ͠ͷ͔ ◦ සൟʹߋ৽͢Δใ͔ʢྫ͑PORT൪߸ͱ͔༰қʹม͍͑ͨ߹͕͋Δ͔͠Εͳ͍ʣ
Ҡߦͷखॱ
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 👈 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ
Ҡߦͷखॱ ҉߸ԽϑΝΠϧͷϨϏϡʔ͕ࠔͳͨΊɺઌʹൿಗใΛҠߦ͓ͯ͘͠ͱ Rails consoleͳͲͰϦϦʔεલʹ֬ೝ͕Ͱ͖ͯศར
Ҡߦͷखॱ 1. ԿΛҠߦ͢Δ͔ܾΊΔ 2. ҠߦରͷൿಗใΛશͯCredentialsʹՃ͢Δ 3. গͣͭ͠ Rails.application.credentials ʹҠߦ͢Δ 👈
Ҡߦͷखॱ ؤுΔ
Ҡߦͷखॱ ͻͨ͢ΒPR࡞ͬͯؤுΔ
Ҡߦͷखॱ োى͖Δ
Ҡߦͷखॱ શ֯εϖʔεͱ֯εϖʔεΛؒҧ͑ͯొ͠ɺࢀর࣌ʹΤϥʔൃੜ ൿಗϑΝΠϧͷϨϏϡʔجຊతʹૉͷVimͱ͔Ͱߦ͍ɺSyntax Highlightޮ͔ ͣɺؾ͖ਏ͍ͷͰҙ͍ͯͩ͘͠͞
Ҡߦͷखॱ ͦΜͳ͜ΜͳͰҠߦͰ͖·ͨ͠ λΠϛʔͰ20%ϧʔϧͰٕज़վળʹ࣌ؒΛ͍ͬͯΔͷͰ͕͢ɺ5ϲ݄͔͔Γ·ͨ͠
4 Ҡߦ࣌ͷTips
Ҡߦ࣌ͷTips CredentialsͷϚελʔΩʔ͕ͳ͍ͱRailsΞϓϦͷىಈʹࣦഊ͢ΔઃఆΛ༗ޮʹ͠ ͓͖ͯ·͠ΐ͏
Ҡߦ࣌ͷTips ҉߸ԽϑΝΠϧͷฤूʹΤσΟλͷࢦఆ͕ඞਢͳͷͰ༻ҙ͓͖ͯ͠·͠ΐ͏ emacsͰྑ͍Ͱ͢
Ҡߦ࣌ͷTips ൿಗใʹΤεέʔϓจࣈؚ͕·ΕΔ߹μϒϧΫΥʔςʔγϣϯͰׅΔ
Ҡߦ࣌ͷTips ൿಗใʹվߦΛ͍͍ͨ߹ύΠϓΛ͏ͳͲ͢Δ
Ҡߦ࣌ͷTips Credentialsͷ߹ʹ߹Θͤͯɺ֎෦αʔϏεͱͷೝূํ๏Λม͑Δ ྫɿGoogle::Auth::ClientId#from_file ෦తʹfrom_hash ݺͼग़͍ͯ͠Δ https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86
Ҡߦ࣌ͷTips • YAMLςΩετϕʔεͷσʔλܗࣜͳͷͰόΠφϦʹ͍͍ͯͳ͍ • ূ໌ॻͳͲόΠφϦσʔλΛCredentialsͰѻ͏߹ɺBase64Τϯίʔυ͠ ͨΛอଘ͠ɺΞϓϦέʔγϣϯଆͰऔΓग़ͯ͠σίʔυΛߦ͏ • Τϯίʔυ͞Ε͍ͯΔࣄ͕͔Γ͍͢Α͏ʹ base64_encoded ϓϨϑΟο
ΫεΛ͚ͭͨ
Ҡߦ࣌ͷTips ൿಗΛίϯιʔϧͰඇදࣔʹ͢Δ Rails 7.1͔Βඪ४ʹͳΓ·͕͢ɺ·্͍ͩ͛ͯͳ͍߹γϯϓϧͳมߋͳͷͰόοΫϙʔτָ https://github.com/rails/rails/pull/48498
Ҡߦ࣌ͷTips • SecretsRails 7.1͔Β໌ࣔతʹඇਪԽ͞ΕͨͷͰɺSECRET_KEY_BASE Λ Credentials ʹҠߦ • ֤ڥͷ credentials.yml
ʹ SECRET_KEY_BASE ΛҠߦ͢ΕOKͳͣ
Ҡߦ࣌ͷTips assets:precompile ࣮ߦ࣌ʹ SECRET_KEY_BASE ͕ͳ͍ͱΤϥʔ͕ى͖Δ ࣮ࡍʹ༻͠ͳ͍ͷͰɺμϛʔΛࣗಈͰઃఆͯ͘͠ΕΔ SECRET_KEY_BASE_DUMMY ͕ Rails 7.1͔Βಋೖ͞Εͨ
Ҡߦ࣌ͷҙ • HerokuͰӡ༻ɺHeroku Data for RedisΛར༻ͯ͠ΔݸਓΞϓϦͷREDIS_URL ΛCredentialsʹҠߦͨ͠ΒRedisʹଓͰ͖ͳ͘ͳͬͨ • ࣗͷཧ͍ͯ͠ͳ͍ڥมΛҠߦ͢Δ߹ҙ͠·͠ΐ͏ https://devcenter.heroku.com/ja/articles/heroku-redis
5 Ҡߦͷ݁Ռ
Ҡߦͷ݁Ռ • ڥมͰཧ͢Δൿಗใ RAILS_MASTER_KEY ͷΈͱͳͬͨ • ূ໌ॻͳͲͷൿಗϑΝΠϧΛS3͔Βίϐʔ͢Δඞཁ͕ͳ͘ͳͬͨͨΊɺawscli AWSͷೝূใ͕ෆཁʹͳͬͨ • Rails.application.secrets
Λഇࢭ • dotenv-rails Λআ • ൿಗใͷՃɾߋ৽͕ΞϓϦέʔγϣϯʹด͡ΔΑ͏ʹͳͬͨ 🎉
Ҡߦͷ݁Ռ ʙ ༨ஊ ྺ࢙తܦҢͰdotenv-rails͕։ൃڥҎ֎ʹಡΈࠐ·Ε͍ͯͨ • ຊ൪ڥͰ༧ظͤ͵্ॻ͖͕͋ͬͯා͍͠ɺCredentialsҠߦʹΑΓ΄΅ෆཁ ʹͳͬͨͷͰআ͢Δ͜ͱʹ • notion-ruby-clientͱ͍͏GemͷRuntime Dependencies͔ΒdotenvΛআ
• DockerͰ .env ΛಡΈࠐΜͰ͘ΕΔ ◦ ಡΈࠐΈλΠϛϯάRailsΞϓϦىಈ͔࣌Βίϯςφىಈ࣌ʹมΘΔ͕ͳ͍ͱஅ
6 ͍͞͝ʹ
͍͞͝ʹ ͬͺΓϨϏϡʔେม • ҉߸Խ͞Ε͍ͯΔͨΊɺ෮߸ͨ݁͠ՌΛݟͳ͍ͱ͔ࠩΒͳ͍ • ҉߸ԽϑΝΠϧͷdiffΛݟΕΔΑ͏ʹ͢Δ bin/rails credentials:diff ͕ެࣜαϙʔ τ͞Ε͍ͯΔ
◦ Railsͷ࣮ߦڥ͔Βgitૢ࡞Ͱ͖Δඞཁ͕͋Δ ◦ ։ൃڥʹDockerΛ༻͍ͯϗετଆͰgitૢ࡞͍ͯ͠ΔͷͰɺ͜ͷͨΊʹίϯςφʹgitΛೖΕΔ ͔ݕ౼த
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠