Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
introducing-vault-half-assed
Search
rrreeeyyy
May 14, 2015
Technology
5
1.2k
introducing-vault-half-assed
2015-05-14 の社内勉強会 (hbstyle) で Hashicorp の Vault についてめちゃくちゃ適当に喋ったやつです
rrreeeyyy
May 14, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
220
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
5.1k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.4k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.6k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.8k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
21k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.5k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.3k
Other Decks in Technology
See All in Technology
5min GuardDuty Extended Threat Detection EKS
takakuni
0
190
Delta airlines Customer®️ USA Contact Numbers: Complete 2025 Support Guide
deltahelp
0
320
Tokyo_reInforce_2025_recap_iam_access_analyzer
hiashisan
0
180
MobileActOsaka_250704.pdf
akaitadaaki
0
110
Connect 100+を支える技術
kanyamaguc
0
190
Model Mondays S2E03: SLMs & Reasoning
nitya
0
350
ビズリーチにおけるリアーキテクティング実践事例 / JJUG CCC 2025 Spring
visional_engineering_and_design
0
110
MUITにおける開発プロセスモダナイズの取り組みと開発生産性可視化の取り組みについて / Modernize the Development Process and Visualize Development Productivity at MUIT
muit
1
14k
American airlines ®️ USA Contact Numbers: Complete 2025 Support Guide
airhelpsupport
0
350
KubeCon + CloudNativeCon Japan 2025 に行ってきた! & containerd の新機能紹介
honahuku
0
120
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
i35_267
3
11k
LangChain Interrupt & LangChain Ambassadors meetingレポート
os1ma
2
290
Featured
See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
KATA
mclloyd
30
14k
Designing for Performance
lara
610
69k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
810
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Scaling GitHub
holman
459
140k
We Have a Design System, Now What?
morganepeng
53
7.7k
Docker and Python
trallard
44
3.5k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
The Invisible Side of Design
smashingmag
301
51k
Transcript
Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1
Vaultͱ • جຊతʹػີใΛཧ͢Δπʔϧ"(by"Hashicorp) • ΫϥυαʔϏε"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ"HTTP"API"͕ଐ͍ͯ͠Δ •
ࣗࣾϓϩμΫτϓϩάϥϜʹΈࠐΈ͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2
ओʹཧͰ͖Δใ • ී௨ͷػີใͷཧ • Password/Token.ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.ͷೝূใͷཧ • IAM.User/MySQL.User/PostgreSQL.User.... •
ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞Ͱ͖Δ • ಛఆͷظؒͷΈ༻Ͱ͖ΔϢʔβΛ࡞Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3
ػີใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"ͷΞΫηεΛڐՄ͢Δ • secret/bar"ͷΞΫηεڐՄ͠ͳ͍ • Github/LDAP"ͱ࿈ܞͨ͠"Token"ൃߦ •
Github"Ͱಛఆͷ৫ʹॴଐ͍ͯ͠Ε"Token"ൃߦͳͲ • ػີใʹର͢Δࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4
Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip
mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ"vault server -dev"ͱ͢Εىಈ͢Δ • (ຊ൪αʔόͰΘͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5
ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີใͷอଘઌ "file", "consul", "inmem", "zookeeper"
͕બΔ backend "file" { // file Λࢦఆͨ͠߹͜ͷσΟϨΫτϦʹ௨ৗͷػີใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6
ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹͲΕ͔"3"ͭͷ"Key"͕͋Εྑ͍
• ͦΕͧΕͷ伴όϥόϥͷॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"ग़ྗ͞ΕΔͷͰͦΕϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8
(ؓٳ)#ػີใͷ҉߸Խʁ෮߸ʁ • Vault'ىಈ͚ͨͩ͠ͰΛಡΈॻ͖͢Δ͜ͱग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ'256bit'AES1GCM'Λ༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9
ػີใͷཧ!(Plane!Text) • ઌड़ͷ௨ΓɺΛಡΈॻ͖͢ΔͨΊʹ"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •
vault write secret/foo bar=buz"ͰΛॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ͍ͭ͘Ͱॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10
ػີใͷཧ!(༷ʑͳೝূใ) • AWS%IAM%User%%MySQL%ͷϢʔβΛ࡞Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ
• ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11
ػີใͷཧ!(༷ʑͳೝূใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠Λॻ͖ࠐΉ • vault write aws/roles/deploy \
[email protected]
•
ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢ΔͷઃఆͰ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12
ଓ͖ͦͷ͏ͪΓ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13
ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/
• h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14