Railsアプリで秘匿情報を環境変数からCredentialsに移行した話 (How we migrated a Rails app's secrets from environment variables to Credentials)
pokohide
November 15, 2023
Transcript
2023/11/15 GENBA #1 〜RubyとRails開発の現場〜
Migrating a Rails app's secrets from environment variables to Credentials @pokohide

Agenda
• What Credentials is
• Background and goal of the migration
• Migration steps
• Tips from the migration
• Results of the migration
• Closing
Before the talk: a quick self-introduction and a plug

About me
• pokohide / @pokohide
• Backend engineer
• I like drinking and out-of-the-ordinary experiences (musicals, orchestras, live shows, the great outdoors, etc.)
• My current daily routine is watching the One Piece anime
Timee's track record: No. 1 gap-work ("sukima baito") app
※1 Survey method: desk research and interviews. Survey period: February 8-22, 2021. Scope: fact-finding survey of gap-work app services. Subjects: 10 gap-work apps that had launched by December 2020. Conducted by Shoppers Eye Co., Ltd.
※2 Source: App Store Lifestyle category ranking (as of May 2021)
Cumulative job postings and downloads (※1, ※2): 66,000 client businesses, 6 million workers

Timee across industries
Timee has grown into a service used in many industries; a majority of the top 10 companies in logistics, retail and food service have adopted it. Client businesses now number 66,000 companies at over 170,000 sites, across a wide range of industries.

Growth in job postings (※1: Q4 2022 compared with Q4 2021)
Even through the COVID-19 pandemic, growth accelerated at an unprecedented pace.
1. What Credentials is

What Credentials is
• A mechanism for managing secrets, added in Rails 5.2
  ◦ "Add credentials using a generic EncryptedConfiguration class" #30067
• Rails 6 added support for multiple environments
  ◦ "Add support for multi environment credentials." #33521

What Credentials is
• The main pieces
  ◦ Encrypted file: config/credentials/<environment>.yml.enc (committed to the repository)
  ◦ Decryption key: ENV["RAILS_MASTER_KEY"] or config/credentials/<environment>.key (the generator adds the .key file to .gitignore; it must never be committed)
• At boot, the Rails app looks up the encrypted file and the key that match Rails.env and decrypts the file
• The values are then available through Rails.application.credentials

What Credentials is
• Internally it encrypts and decrypts a YAML-format file
  ◦ so it depends on YAML syntax: a value that is not valid YAML breaks the whole file
• After decryption the contents are exposed through ActiveSupport::OrderedOptions, so fetch and dig work (e.g. Rails.application.credentials.dig(:aws, :access_key_id))

What Credentials is (example)
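To make the mechanism on the preceding slides concrete, here is an added example (written for this page, not Rails' own code and not from the talk) that re-implements what Rails.application.credentials does at boot using only the Ruby standard library: mint a master key, encrypt a YAML document with AES-GCM, decrypt it, and expose the result as deep-symbolized hashes so fetch and dig work. The "ciphertext--iv--tag" layout mirrors the shape of ActiveSupport::MessageEncryptor's AES-GCM messages but is simplified (no metadata envelope, no serializer), and the sample YAML holds placeholder values.

```ruby
# Added example (not Rails' own code): a standard-library-only re-implementation
# of what Rails.application.credentials does at boot, so the mechanism can be
# run and inspected outside a Rails app. Rails' real implementation lives in
# ActiveSupport::EncryptedConfiguration / EncryptedFile / MessageEncryptor;
# the "ciphertext--iv--tag" layout below mirrors MessageEncryptor's AES-GCM
# message format but is simplified (no metadata envelope, no serializer).
require "openssl"
require "yaml"
require "securerandom"

# EncryptedFile's cipher: the 32-hex-character master key is a 16-byte AES key.
CIPHER = "aes-128-gcm"

# What `bin/rails credentials:edit` does the first time: mint a random master key.
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt the plaintext YAML under a fresh random nonce; the GCM tag makes any
# later tampering with the .yml.enc file detectable at decryption time.
def encrypt_credentials(plain_yaml, master_key_hex)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [master_key_hex].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plain_yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Reverse of the above; raises OpenSSL::Cipher::CipherError for a wrong key or a
# modified ciphertext, which is what you want at boot rather than garbage YAML.
def decrypt_credentials(blob, master_key_hex)
  ciphertext, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [master_key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Deep-symbolize keys the way Rails does before wrapping the hash in
# ActiveSupport::OrderedOptions, so creds[:aws][:access_key_id] and
# creds.dig(:aws, :access_key_id) both work.
def symbolize(obj)
  case obj
  when Hash  then obj.to_h { |k, v| [k.to_sym, symbolize(v)] }
  when Array then obj.map { |v| symbolize(v) }
  else obj
  end
end

def load_credentials(blob, master_key_hex)
  symbolize(YAML.safe_load(decrypt_credentials(blob, master_key_hex)))
end

# Constructed sample credentials document (placeholder values, not real secrets).
SAMPLE_YAML = <<~YAML
  aws:
    access_key_id: AKIAEXAMPLE
    secret_access_key: "example/secret+key"
  secret_key_base: "0123456789abcdef"
YAML

# Round trip: encrypt with a new key, then "boot" with that key and look a value up.
def demo
  master_key = generate_master_key
  blob = encrypt_credentials(SAMPLE_YAML, master_key)
  load_credentials(blob, master_key).dig(:aws, :access_key_id)
end
```

Two things worth noticing when you run it: a wrong RAILS_MASTER_KEY or a hand-edited .yml.enc fails with OpenSSL::Cipher::CipherError rather than yielding wrong values, and the whole document is one ciphertext, which is why the encrypted file cannot be reviewed line by line in a pull request.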
2. Background and goal of the migration

Background
• Until now, secrets were set as environment variables in the ECS task definition, backed by Parameter Store SecureString values (and still are, for the moment)
  ◦ Every change meant registering the parameter in Parameter Store, changing the task definition file, and changing the code
  ◦ AWS resources are managed by the infrastructure team, so the boundary of responsibility was fuzzy
  ◦ Deployment was not easy
• Parameter Store was operated through an in-house interactive CLI
  ◦ which made review difficult

Benefits of adopting Credentials
• The ownership boundary becomes clear
• Deployment becomes easier
• Parameter Store permissions can be removed
  ◦ Once Credentials is in place, essentially the only thing to manage is RAILS_MASTER_KEY

Goal
Move the secrets the application should own into Credentials, taking the ownership boundary and ease of deployment into account.

Is Credentials safe?
• The encrypted file is decrypted with the master key
• The file is encrypted with AES-GCM, an authenticated cipher (Rails' ActiveSupport::EncryptedFile uses aes-128-gcm, so the 32-hex-character master key is a 16-byte AES key)
  ◦ a standard, well-regarded choice as of 2023; tampering with the ciphertext is detected on decryption, not just kept confidential
• In the end, what matters is how the master key is managed
• If the key leaks, everything is readable at once, since the encrypted file travels with the source; weigh this against your requirements and business context
3. Migration steps

Migration steps
1. Decide what to migrate
2. Add every in-scope secret to Credentials
3. Switch call sites over to Rails.application.credentials a little at a time

Step 1: Decide what to migrate 👈
• grep the code for ENV and list the environment variables in the ECS task definitions
• Secrets include certificates, private keys and Google Cloud JSON keys, not only short strings
• Example criteria for whether something should move
  ◦ Is it actually a secret? If it is just per-environment configuration, config_for may be enough
  ◦ Is it something that should be injected dynamically into each containerized environment?
  ◦ Is it updated frequently? (e.g. a PORT number is something you may want to change easily)

Migration steps (example)
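As an added example for step 1 (written for this page; not a tool from the talk and not something Rails provides), the following script scans source files for ENV references and sorts each variable into "move to Credentials", "keep as an environment variable" or "review by hand", encoding the criteria above as a heuristic. The sample sources, the name patterns and the keep-in-ENV list are constructed assumptions; adjust them to your code base.

```ruby
# Added example (not from the talk): an inventory tool for step 1 of the
# migration. It scans source text for ENV references and classifies each
# variable. The sample sources and the rules are constructed for this example.
ENV_REF = /ENV(?:\.fetch\(|\[)\s*["']([A-Z0-9_]+)["']/

# Names that look like secrets: candidates for Credentials.
SECRET_HINT = /SECRET|TOKEN|PASSWORD|PASSWD|_KEY\z|CREDENTIAL|CERT|DSN/

# Runtime configuration that should stay in ENV: per-container settings such as
# PORT, the master key itself, and URLs the hosting platform injects and may
# rotate (the REDIS_URL case from the deck's Heroku caution later on).
KEEP_IN_ENV = %w[PORT RAILS_ENV RAILS_MASTER_KEY RAILS_LOG_TO_STDOUT WEB_CONCURRENCY
                 DATABASE_URL REDIS_URL].freeze

# sources: { "path/in/repo" => "file contents" } -> { "VAR" => ["path:line", ...] }
def scan_env_refs(sources)
  refs = Hash.new { |h, k| h[k] = [] }
  sources.each do |path, content|
    content.each_line.with_index(1) do |line, no|
      line.scan(ENV_REF).flatten.each { |name| refs[name] << "#{path}:#{no}" }
    end
  end
  refs
end

def classify(name)
  return :keep_env if KEEP_IN_ENV.include?(name)
  return :credentials if name.match?(SECRET_HINT)
  :review # neither obviously secret nor known runtime config: a human decides
end

# Sorted plan: { "VAR" => { action: :credentials | :keep_env | :review, refs: [...] } }
def migration_plan(sources)
  scan_env_refs(sources).sort.to_h { |name, locs| [name, { action: classify(name), refs: locs }] }
end

# Constructed sample of what `grep ENV` turns up in a Rails app.
SAMPLE_SOURCES = {
  "config/initializers/stripe.rb" => %(Stripe.api_key = ENV.fetch("STRIPE_SECRET_KEY")\n),
  "config/puma.rb" => %(port ENV.fetch("PORT") { 3000 }\nworkers ENV.fetch("WEB_CONCURRENCY", 2)\n),
  "app/services/gcp_client.rb" => %(json = ENV["GOOGLE_CLOUD_JSON_KEY"]\n),
  "config/initializers/redis.rb" => %(REDIS = Redis.new(url: ENV["REDIS_URL"])\n),
  "config/initializers/mail.rb" => %(address: ENV.fetch("SMTP_HOST"), password: ENV["SMTP_PASSWORD"]\n),
}.freeze

if __FILE__ == $PROGRAM_NAME
  migration_plan(SAMPLE_SOURCES).each do |name, info|
    puts format("%-22s %-12s %s", name, info[:action], info[:refs].join(", "))
  end
end
```

Run it against real files by building the sources hash from Dir.glob("{app,config,lib}/**/*.rb"), and cross-check the :review bucket against the ECS task definition, since a variable that only appears there (with no code reference) is either dead or consumed by a library.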
Step 2: Add every in-scope secret to Credentials 👈
Because reviewing the encrypted file is hard, migrating the secrets first and checking them in a Rails console before release is convenient.

Step 3: Switch over to Rails.application.credentials a little at a time 👈
Grind it out.
Keep making PRs and grinding.
Incidents happen too.
A full-width space was entered where a half-width space belonged, and the lookup errored at runtime. Reviews of the secrets file are usually done in plain Vim or similar, with no syntax highlighting, so this is easy to miss; be careful.
And with that, the migration was done. At Timee we spend time on technical improvement under a 20% rule, and it took 5 months.
4. Tips from the migration

Tip: Turn on the setting that makes the Rails app fail to boot when the Credentials master key is missing (config.require_master_key = true in config/environments/production.rb), so a missing RAILS_MASTER_KEY surfaces at startup instead of as nil values at runtime.

Tip: Editing the encrypted file requires an editor to be specified, so have one ready (for example EDITOR="vim" bin/rails credentials:edit --environment production). Emacs is fine too.

Tip: If a secret contains escape characters, wrap it in double quotes.

Tip: If a secret needs to contain newlines, use a YAML block scalar (|) or similar.

Tip: Adapt how you authenticate to external services to what Credentials can hold. Example: Google::Auth::ClientId.from_file internally calls from_hash, so the hash can be read from Credentials instead of from a file on disk.
https://github.com/googleapis/google-auth-library-ruby/blob/main/lib/googleauth/client_id.rb#L86

Tip:
• YAML is a text-based data format, so it is not suited to binary data
• When storing binary data such as certificates in Credentials, save a Base64-encoded value and decode it on the application side when reading it out
• We added a base64_encoded prefix to the key so it is obvious the value is encoded

Tip: Hide secret values in the console. This is the default from Rails 7.1; if you have not upgraded yet, the change is simple enough to backport easily.
https://github.com/rails/rails/pull/48498

Tip:
• Secrets is explicitly deprecated from Rails 7.1, so SECRET_KEY_BASE was moved into Credentials
• Putting secret_key_base into each environment's credentials file should be all that is needed

Tip: assets:precompile errors when SECRET_KEY_BASE is missing. Since it is not actually used there, Rails 7.1 introduced SECRET_KEY_BASE_DUMMY, which sets a dummy value automatically (SECRET_KEY_BASE_DUMMY=1 bin/rails assets:precompile), so the real master key does not have to be present at image build time.
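The following is an added example (written for this page, not from the talk and not Rails' own code) that ties together the YAML tips above and the full-width-space incident from step 3: a constructed credentials document using double quotes for escape characters, a block scalar for a multi-line PEM body and a base64_encoded_ prefix for binary data, plus a lint that flags the look-alike whitespace a plain-Vim review misses and a loader that decodes the prefixed fields before the application uses them. All values are placeholders, and the helper names are this example's assumptions.

```ruby
# Added example (not from the talk): a constructed credentials YAML document
# applying the tips above, a lint for whitespace mistakes that plain-editor
# reviews miss, and a loader that decodes base64_encoded_ fields. The helper
# names are this example's own; values are placeholders, not real secrets.
require "yaml"

CREDENTIALS_YAML = <<~'YAML'
  # Escape sequences and "#" survive inside double quotes
  smtp_password: "p@ss\\word:with#hash"
  # A block scalar (|) keeps the newlines of a PEM body
  saml_cert: |
    -----BEGIN CERTIFICATE-----
    MIIBconstructedPlaceholderBody
    -----END CERTIFICATE-----
  # Binary (DER, PKCS#12) goes in Base64; the prefix tells the loader to decode it
  base64_encoded_apple_p12: "AAECAwQFBgcICQ=="
  google:
    client_id: "example.apps.googleusercontent.com"
    client_secret: "placeholder-client-secret"
YAML

# Characters that look like an ordinary space in an editor but are not one.
SUSPICIOUS_CHARS = {
  "\u3000" => "full-width space (U+3000)",
  "\u00A0" => "no-break space (U+00A0)",
}.freeze

# Returns a list of findings; an empty list means the document passed.
# Run this on the decrypted text before saving (e.g. from a pre-commit hook
# that calls `bin/rails credentials:show`), since the encrypted file cannot be linted.
def lint_credentials(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    SUSPICIOUS_CHARS.each { |ch, desc| findings << "line #{no}: #{desc}" if line.include?(ch) }
    findings << "line #{no}: tab used for indentation (YAML forbids it)" if line.match?(/\A *\t/)
  end
  begin
    YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    findings << "YAML syntax error: #{e.message}"
  end
  findings
end

# Loads the document and replaces every base64_encoded_<name> key with <name>
# holding the decoded bytes, so callers never see the encoding detail.
def load_credentials(text)
  decode_base64_fields(YAML.safe_load(text))
end

def decode_base64_fields(obj)
  return obj unless obj.is_a?(Hash)
  obj.to_h do |key, value|
    name = key.to_s
    if name.start_with?("base64_encoded_") && value.is_a?(String)
      # strict decoding ("m0") raises ArgumentError on a corrupted value instead of silently truncating
      [name.delete_prefix("base64_encoded_").to_sym, value.unpack1("m0")]
    else
      [name.to_sym, decode_base64_fields(value)]
    end
  end
end
```

Inside the Rails app the same decode happens at the call site, e.g. Base64.strict_decode64(Rails.application.credentials.base64_encoded_apple_p12) handed to OpenSSL::PKCS12.new together with its passphrase; the prefix convention is what makes that decode obviously necessary to the next reader.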
Caution during migration
• On a personal app running on Heroku with Heroku Data for Redis, moving REDIS_URL into Credentials broke the Redis connection
• Be careful when migrating environment variables you do not manage yourself: a platform-provisioned value like this can be rotated by the provider, which updates the config var but not a copy frozen into the encrypted file
https://devcenter.heroku.com/ja/articles/heroku-redis
5. Results of the migration

Results
• The only secret still managed as an environment variable is RAILS_MASTER_KEY
• Secret files such as certificates no longer need to be copied from S3, so awscli and AWS credentials are no longer needed for that
• Rails.application.secrets was retired
• dotenv-rails was removed
• Adding and updating secrets is now self-contained within the application 🎉

Results, an aside
For historical reasons dotenv-rails was being loaded outside the development environment as well
• Unexpected overrides in production were a scary prospect, and the Credentials migration made it almost unnecessary, so we decided to remove it
• dotenv was removed from the runtime dependencies of the notion-ruby-client gem
• Docker loads .env for us anyway
  ◦ The load timing moves from Rails app boot to container start, which we judged not to be a problem
6. Closing

Closing: review is still hard
• Because the file is encrypted, you cannot see the difference without looking at the decrypted result
• bin/rails credentials:diff is officially supported for viewing diffs of the encrypted file (bin/rails credentials:diff --enroll registers the encrypted files in .gitattributes, and git config diff.rails_credentials.textconv "bin/rails credentials:diff" wires it into git diff)
  ◦ It needs git to be usable from the Rails runtime environment
  ◦ Our development environment uses Docker with git operated on the host, so we are considering whether to add git to the container for this

Thank you for listening