Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
introducing-vault-half-assed
Search
rrreeeyyy
May 14, 2015
Technology
5
1.2k
introducing-vault-half-assed
2015-05-14 の社内勉強会 (hbstyle) で Hashicorp の Vault についてめちゃくちゃ適当に喋ったやつです
rrreeeyyy
May 14, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
2
1.2k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
230
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
5.4k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.4k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.7k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.8k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
21k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.5k
Other Decks in Technology
See All in Technology
ObsidianをLLM時代のナレッジベースに! クリッピング→Markdown→CLI連携の実践
srvhat09
7
9.6k
「AI駆動開発」のボトルネック『言語化』を効率化するには
taniiicom
1
200
【CEDEC2025】現場を理解して実現!ゲーム開発を効率化するWebサービスの開発と、利用促進のための継続的な改善
cygames
PRO
0
240
alecthomas/kong はいいぞ
fujiwara3
6
980
メモ整理が苦手な者による頑張らないObsidian活用術
optim
0
140
Snowflake のアーキテクチャは本当に筋がよかったのか / Data Engineering Study #30
indigo13love
0
280
Wasmで社内ツールを作って配布しよう
askua
0
150
AI エンジニアの立場からみた、AI コーディング時代の開発の品質向上の取り組みと妄想
soh9834
8
560
Jitera Company Deck / JP
jitera
0
220
公開初日に個人環境で試した Gemini CLI 体験記など / Gemini CLI実験レポート
you
PRO
3
540
ML Pipelineの開発と運用を OpenTelemetryで繋ぐ @ OpenTelemetry Meetup 2025-07
getty708
0
310
With Devin -AIの自律とメンバーの自立
kotanin0
2
640
Featured
See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
48
2.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Building an army of robots
kneath
306
45k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
A Modern Web Designer's Workflow
chriscoyier
695
190k
The World Runs on Bad Software
bkeepers
PRO
70
11k
Side Projects
sachag
455
43k
GitHub's CSS Performance
jonrohan
1031
460k
Six Lessons from altMBA
skipperchong
28
3.9k
Transcript
Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1
Vaultͱ • جຊతʹػີใΛཧ͢Δπʔϧ"(by"Hashicorp) • ΫϥυαʔϏε"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ"HTTP"API"͕ଐ͍ͯ͠Δ •
ࣗࣾϓϩμΫτϓϩάϥϜʹΈࠐΈ͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2
ओʹཧͰ͖Δใ • ී௨ͷػີใͷཧ • Password/Token.ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.ͷೝূใͷཧ • IAM.User/MySQL.User/PostgreSQL.User.... •
ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞Ͱ͖Δ • ಛఆͷظؒͷΈ༻Ͱ͖ΔϢʔβΛ࡞Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3
ػີใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"ͷΞΫηεΛڐՄ͢Δ • secret/bar"ͷΞΫηεڐՄ͠ͳ͍ • Github/LDAP"ͱ࿈ܞͨ͠"Token"ൃߦ •
Github"Ͱಛఆͷ৫ʹॴଐ͍ͯ͠Ε"Token"ൃߦͳͲ • ػີใʹର͢Δࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4
Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip
mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ"vault server -dev"ͱ͢Εىಈ͢Δ • (ຊ൪αʔόͰΘͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5
ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີใͷอଘઌ "file", "consul", "inmem", "zookeeper"
͕બΔ backend "file" { // file Λࢦఆͨ͠߹͜ͷσΟϨΫτϦʹ௨ৗͷػີใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6
ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹͲΕ͔"3"ͭͷ"Key"͕͋Εྑ͍
• ͦΕͧΕͷ伴όϥόϥͷॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"ग़ྗ͞ΕΔͷͰͦΕϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8
(ؓٳ)#ػີใͷ҉߸Խʁ෮߸ʁ • Vault'ىಈ͚ͨͩ͠ͰΛಡΈॻ͖͢Δ͜ͱग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ'256bit'AES1GCM'Λ༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9
ػີใͷཧ!(Plane!Text) • ઌड़ͷ௨ΓɺΛಡΈॻ͖͢ΔͨΊʹ"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •
vault write secret/foo bar=buz"ͰΛॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ͍ͭ͘Ͱॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10
ػີใͷཧ!(༷ʑͳೝূใ) • AWS%IAM%User%%MySQL%ͷϢʔβΛ࡞Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ
• ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11
ػີใͷཧ!(༷ʑͳೝূใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠Λॻ͖ࠐΉ • vault write aws/roles/deploy \
[email protected]
•
ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢ΔͷઃఆͰ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12
ଓ͖ͦͷ͏ͪΓ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13
ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/
• h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14