introducing-vault-half-assed

Transcript

1. Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1

2. Vaultͱ͸ • جຊతʹ͸ػີ৘ใΛ؅ཧ͢Δπʔϧ"(by"Hashicorp) • Ϋϥ΢υαʔϏε΍"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβ؅ཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ΍"HTTP"API"͕෇ଐ͍ͯ͠Δ •

   ࣗࣾϓϩμΫτ΍ϓϩάϥϜ౳ʹ૊ΈࠐΈ΍͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2

3. ओʹ؅ཧͰ͖Δ৘ใ • ී௨ͷػີ৘ใͷ؅ཧ • Password/Token.౳ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.౳ͷೝূ৘ใͷ؅ཧ • IAM.User/MySQL.User/PostgreSQL.User.... •

   ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞੒Ͱ͖Δ • ಛఆͷظؒͷΈ࢖༻Ͱ͖ΔϢʔβΛ࡞੒Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3

4. ػີ৘ใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"΁ͷΞΫηεΛڐՄ͢Δ • secret/bar"΁ͷΞΫηε͸ڐՄ͠ͳ͍ • Github/LDAP"౳ͱ࿈ܞͨ͠"Token"ൃߦ •

   Github"Ͱಛఆͷ૊৫ʹॴଐ͍ͯ͠Ε͹"Token"ൃߦͳͲ • ػີ৘ใʹର͢Δ؂ࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4

5. Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑͹$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip

   mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ͸"vault server -dev"ͱ͢Ε͹ىಈ͢Δ • (ຊ൪αʔόͰ͸࢖Θͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5

6. ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີ৘ใͷอଘઌ "file", "consul", "inmem", "zookeeper"

   ͕બ΂Δ backend "file" { // file Λࢦఆͨ͠৔߹͜ͷσΟϨΫτϦʹ௨ৗͷػີ৘ใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6

7. ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີ৘ใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹ͸ͲΕ͔"3"ͭͷ"Key"͕͋Ε͹ྑ͍

   • ͦΕͧΕͷ伴͸όϥόϥͷ৔ॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"΋ग़ྗ͞ΕΔͷͰͦΕ΋ϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7

8. hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8

9. (ؓ࿩ٳ୊)#ػີ৘ใͷ҉߸Խʁ෮߸ʁ • Vault'͸ىಈ͚ͨͩ͠Ͱ͸஋ΛಡΈॻ͖͢Δ͜ͱ͸ग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ੒࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ͸'256bit'AES1GCM'Λ࢖༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing

   hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9

10. ػີ৘ใͷ؅ཧ!(Plane!Text) • ઌड़ͷ௨Γɺ஋ΛಡΈॻ͖͢ΔͨΊʹ͸"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •

    vault write secret/foo bar=buz"Ͱ஋Λॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ஋͸͍ͭ͘Ͱ΋ॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10

11. ػີ৘ใͷ؅ཧ!(༷ʑͳೝূ৘ใ) • AWS%IAM%User%΍%MySQL%౳ͷϢʔβΛ࡞੒Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ

    • ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%؅ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11

12. ػີ৘ใͷ؅ཧ!(༷ʑͳೝূ৘ใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠஋Λॻ͖ࠐΉ • vault write aws/roles/deploy \ policy=@policy.json •

    ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞੒͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢Δ౳ͷઃఆ΋Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12

13. ଓ͖͸ͦͷ͏ͪ΍Γ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ෼)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13

14. ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/

    • h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14