Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
introducing-vault-half-assed
Search
rrreeeyyy
May 14, 2015
Technology
5
1.2k
introducing-vault-half-assed
2015-05-14 の社内勉強会 (hbstyle) で Hashicorp の Vault についてめちゃくちゃ適当に喋ったやつです
rrreeeyyy
May 14, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
200
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
4.2k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.3k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.5k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.6k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
20k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.4k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.3k
Other Decks in Technology
See All in Technology
Two Blades, One Journey: Engineering While Managing
ohbarye
3
840
Amazon Aurora のバージョンアップ手法について
smt7174
1
120
Potential EM 制度を始めた理由、そして2年後にやめた理由 - EMConf JP 2025
hoyo
2
1.6k
Goで作って学ぶWebSocket
ryuichi1208
3
2.4k
プロダクトエンジニア 360°フィードバックを実施した話
hacomono
PRO
0
140
Pwned Labsのすゝめ
ken5scal
0
260
【内製開発Summit 2025】イオンスマートテクノロジーの内製化組織の作り方/In-house-development-summit-AST
aeonpeople
1
500
抽象化をするということ - 具体と抽象の往復を身につける / Abstraction and concretization
soudai
27
15k
Reading Code Is Harder Than Writing It
trishagee
2
120
脳波を用いた嗜好マッチングシステム
hokkey621
0
280
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
2
170
ExaDB-XSで利用されているExadata Exascaleについて
oracle4engineer
PRO
3
170
Featured
See All Featured
Documentation Writing (for coders)
carmenintech
67
4.6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
366
25k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7k
Optimising Largest Contentful Paint
csswizardry
34
3.1k
Agile that works and the tools we love
rasmusluckow
328
21k
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
It's Worth the Effort
3n
184
28k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Faster Mobile Websites
deanohume
306
31k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
Transcript
Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1
Vaultͱ • جຊతʹػີใΛཧ͢Δπʔϧ"(by"Hashicorp) • ΫϥυαʔϏε"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ"HTTP"API"͕ଐ͍ͯ͠Δ •
ࣗࣾϓϩμΫτϓϩάϥϜʹΈࠐΈ͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2
ओʹཧͰ͖Δใ • ී௨ͷػີใͷཧ • Password/Token.ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.ͷೝূใͷཧ • IAM.User/MySQL.User/PostgreSQL.User.... •
ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞Ͱ͖Δ • ಛఆͷظؒͷΈ༻Ͱ͖ΔϢʔβΛ࡞Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3
ػີใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"ͷΞΫηεΛڐՄ͢Δ • secret/bar"ͷΞΫηεڐՄ͠ͳ͍ • Github/LDAP"ͱ࿈ܞͨ͠"Token"ൃߦ •
Github"Ͱಛఆͷ৫ʹॴଐ͍ͯ͠Ε"Token"ൃߦͳͲ • ػີใʹର͢Δࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4
Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip
mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ"vault server -dev"ͱ͢Εىಈ͢Δ • (ຊ൪αʔόͰΘͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5
ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີใͷอଘઌ "file", "consul", "inmem", "zookeeper"
͕બΔ backend "file" { // file Λࢦఆͨ͠߹͜ͷσΟϨΫτϦʹ௨ৗͷػີใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6
ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹͲΕ͔"3"ͭͷ"Key"͕͋Εྑ͍
• ͦΕͧΕͷ伴όϥόϥͷॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"ग़ྗ͞ΕΔͷͰͦΕϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8
(ؓٳ)#ػີใͷ҉߸Խʁ෮߸ʁ • Vault'ىಈ͚ͨͩ͠ͰΛಡΈॻ͖͢Δ͜ͱग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ'256bit'AES1GCM'Λ༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9
ػີใͷཧ!(Plane!Text) • ઌड़ͷ௨ΓɺΛಡΈॻ͖͢ΔͨΊʹ"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •
vault write secret/foo bar=buz"ͰΛॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ͍ͭ͘Ͱॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10
ػີใͷཧ!(༷ʑͳೝূใ) • AWS%IAM%User%%MySQL%ͷϢʔβΛ࡞Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ
• ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11
ػີใͷཧ!(༷ʑͳೝূใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠Λॻ͖ࠐΉ • vault write aws/roles/deploy \
[email protected]
•
ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢ΔͷઃఆͰ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12
ଓ͖ͦͷ͏ͪΓ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13
ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/
• h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14