Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
introducing-vault-half-assed
Search
rrreeeyyy
May 14, 2015
Technology
1.3k
5
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
introducing-vault-half-assed
2015-05-14 の社内勉強会 (hbstyle) で Hashicorp の Vault についてめちゃくちゃ適当に喋ったやつです
rrreeeyyy
May 14, 2015
More Decks by rrreeeyyy
See All by rrreeeyyy
Reliability in the Age of AI: Engineering for AI Velocity
rrreeeyyy
0
160
Rethinking Incident Response: Context-Aware AI in Practice - Incident Buddy Edition -
rrreeeyyy
0
250
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
3
2.5k
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
310
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
6.2k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.6k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
3k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
9k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
13k
Other Decks in Technology
See All in Technology
『AIに負けない』より『AIと遊ぶ』」〜ワクワクが最強のテスト・QA学習戦略_公開用
odan611
2
510
環境凍結という Toil を倒す -セルフサービス型 Ephemeral テスト環境の 設計と実践
shirouz
1
1.4k
美しいコードを書くためにF#を学んでみた話
yud0uhu
1
310
インフラ寄りSREでも 開発に踏み出せる〜境界を越えてユーザー体験に向き合いたい〜
sansantech
PRO
0
2.4k
地域 SRE コミュニティ最前線 / SRE NEXT 2026 Discussion Night Track C
muziyoshiz
0
150
ループエンジニアリングでE2Eテストを実践
noriyukitakei
0
310
証券システムを10年Scalaで作り続けるということ - 関数型まつり2026
krrrr38
3
730
LiDAR SLAMの実装とセンサ融合 ~Lie群からContinuous-Time LIOまで~
naokiakai
1
1k
知見・人・API・DB・予算 ─ ナイナイ尽くしだった人事データ整備 with dbt、5年間の学び
ken6377
1
170
「ちゃんとやっている」は独りよがりだった ― 不安に寄り添うインシデント対応へ / Towards incident response that addresses anxieties
chmikata
1
3.4k
Terraform共通モジュールをチーム横断で“変えられる”運用へ ― リリースと適用の分離
kekke_n
0
1.6k
Compose 新機能総まとめ / What's New in Jetpack Compose
yanzm
0
150
Featured
See All Featured
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
170
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
AI in Enterprises - Java and Open Source to the Rescue
ivargrimstad
0
1.4k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
118
120k
The SEO identity crisis: Don't let AI make you average
varn
0
510
Thoughts on Productivity
jonyablonski
76
5.2k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4.3k
Applied NLP in the Age of Generative AI
inesmontani
PRO
4
2.4k
30 Presentation Tips
portentint
PRO
1
340
Measuring & Analyzing Core Web Vitals
bluesmoon
9
880
Redefining SEO in the New Era of Traffic Generation
szymonslowik
1
350
Transcript
Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1
Vaultͱ • جຊతʹػີใΛཧ͢Δπʔϧ"(by"Hashicorp) • ΫϥυαʔϏε"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ"HTTP"API"͕ଐ͍ͯ͠Δ •
ࣗࣾϓϩμΫτϓϩάϥϜʹΈࠐΈ͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2
ओʹཧͰ͖Δใ • ී௨ͷػີใͷཧ • Password/Token.ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.ͷೝূใͷཧ • IAM.User/MySQL.User/PostgreSQL.User.... •
ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞Ͱ͖Δ • ಛఆͷظؒͷΈ༻Ͱ͖ΔϢʔβΛ࡞Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3
ػີใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"ͷΞΫηεΛڐՄ͢Δ • secret/bar"ͷΞΫηεڐՄ͠ͳ͍ • Github/LDAP"ͱ࿈ܞͨ͠"Token"ൃߦ •
Github"Ͱಛఆͷ৫ʹॴଐ͍ͯ͠Ε"Token"ൃߦͳͲ • ػີใʹର͢Δࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4
Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip
mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ"vault server -dev"ͱ͢Εىಈ͢Δ • (ຊ൪αʔόͰΘͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5
ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີใͷอଘઌ "file", "consul", "inmem", "zookeeper"
͕બΔ backend "file" { // file Λࢦఆͨ͠߹͜ͷσΟϨΫτϦʹ௨ৗͷػີใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6
ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹͲΕ͔"3"ͭͷ"Key"͕͋Εྑ͍
• ͦΕͧΕͷ伴όϥόϥͷॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"ग़ྗ͞ΕΔͷͰͦΕϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8
(ؓٳ)#ػີใͷ҉߸Խʁ෮߸ʁ • Vault'ىಈ͚ͨͩ͠ͰΛಡΈॻ͖͢Δ͜ͱग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ'256bit'AES1GCM'Λ༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9
ػີใͷཧ!(Plane!Text) • ઌड़ͷ௨ΓɺΛಡΈॻ͖͢ΔͨΊʹ"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •
vault write secret/foo bar=buz"ͰΛॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ͍ͭ͘Ͱॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10
ػີใͷཧ!(༷ʑͳೝূใ) • AWS%IAM%User%%MySQL%ͷϢʔβΛ࡞Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ
• ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11
ػີใͷཧ!(༷ʑͳೝূใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠Λॻ͖ࠐΉ • vault write aws/roles/deploy \
[email protected]
•
ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢ΔͷઃఆͰ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12
ଓ͖ͦͷ͏ͪΓ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13
ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/
• h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14