Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
introducing-vault-half-assed
Search
rrreeeyyy
May 14, 2015
Technology
5
1.2k
introducing-vault-half-assed
2015-05-14 の社内勉強会 (hbstyle) で Hashicorp の Vault についてめちゃくちゃ適当に喋ったやつです
rrreeeyyy
May 14, 2015
Tweet
Share
More Decks by rrreeeyyy
See All by rrreeeyyy
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
210
An Efficient Incident Response Training with AI / SRE NEXT 2024 Sponsor Session
rrreeeyyy
1
4.3k
カンファレンスから見る SRE トレンド 2024 / SRE Trends from Conferences in 2024 #SRE_Findy
rrreeeyyy
4
2.3k
信頼性の育て方 / mackerel-meetup-15
rrreeeyyy
10
2.5k
SRE の歩き方・進め方 / sre-walk-through-procedure
rrreeeyyy
0
8.6k
「信頼性」を保ちつつ大規模サービスをリニューアルする / cookpad-tech-kitchen-service-embedded-sres
rrreeeyyy
11
12k
Cookpad and Prometheus
rrreeeyyy
6
20k
SRE-Lounge-8-Cookpad-Microservice-Architecture-Overview
rrreeeyyy
5
5.4k
A survey of anomaly detection methodologies for web system
rrreeeyyy
5
1.3k
Other Decks in Technology
See All in Technology
Oracle Database Technology Night #87-1 : Exadata Database Service on Exascale Infrastructure(ExaDB-XS)サービス詳細
oracle4engineer
PRO
1
210
Two Blades, One Journey: Engineering While Managing
ohbarye
4
2.3k
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
150
困難を「一般解」で解く
fujiwara3
7
1.6k
[OpsJAWS Meetup33 AIOps] Amazon Bedrockガードレールで守る安全なAI運用
akiratameto
1
120
30→150人のエンジニア組織拡大に伴うアジャイル文化を醸成する役割と取り組みの変化
nagata03
0
200
JAWS FESTA 2024「バスロケ」GPS×サーバーレスの開発と運用の舞台裏/jawsfesta2024-bus-gps-serverless
ma2shita
3
290
What's new in Go 1.24?
ciarana
1
110
AWSアカウントのセキュリティ自動化、どこまで進める? 最適な設計と実践ポイント
yuobayashi
7
990
Potential EM 制度を始めた理由、そして2年後にやめた理由 - EMConf JP 2025
hoyo
2
2.9k
株式会社Awarefy(アウェアファイ)会社説明資料 / Awarefy-Company-Deck
awarefy
3
11k
20250304_赤煉瓦倉庫_DeepSeek_Deep_Dive
hiouchiy
2
110
Featured
See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
27
1.9k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Designing Experiences People Love
moore
140
23k
Bash Introduction
62gerente
611
210k
How GitHub (no longer) Works
holman
314
140k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
Rails Girls Zürich Keynote
gr2m
94
13k
Transcript
Introducing+Vault hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 1
Vaultͱ • جຊతʹػີใΛཧ͢Δπʔϧ"(by"Hashicorp) • ΫϥυαʔϏε"OSS"ͱͷ࿈ܞ͕Ͱ͖Δ • Ϣʔβཧ͕ڞ௨ͷΠϯλϑΣʔε͔Βߦ͑Δ • CLI"πʔϧ"HTTP"API"͕ଐ͍ͯ͠Δ •
ࣗࣾϓϩμΫτϓϩάϥϜʹΈࠐΈ͍͢ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 2
ओʹཧͰ͖Δใ • ී௨ͷػີใͷཧ • Password/Token.ͷ.Plane.Text.Λ҉߸Խͯ͠อଘͰ͖Δ • AWS/Database/Consul.ͷೝূใͷཧ • IAM.User/MySQL.User/PostgreSQL.User.... •
ಛఆͷݖݶͷΈΛ࣋ͬͨϢʔβΛ࡞Ͱ͖Δ • ಛఆͷظؒͷΈ༻Ͱ͖ΔϢʔβΛ࡞Ͱ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 3
ػີใͷಡΈग़͠ • ໊લۭؒΛϕʔεʹͨ͠"Token"base"ACL • secret/foo"ͷΞΫηεΛڐՄ͢Δ • secret/bar"ͷΞΫηεڐՄ͠ͳ͍ • Github/LDAP"ͱ࿈ܞͨ͠"Token"ൃߦ •
Github"Ͱಛఆͷ৫ʹॴଐ͍ͯ͠Ε"Token"ൃߦͳͲ • ػີใʹର͢Δࠪϩάͷൃߦ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 4
Πϯετʔϧ • Go$ͳͷͰҎԼͷΑ͏ͳྫʹै͑$OK curl -L -O \ "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_darwin_amd64.zip" unzip vault_0.1.2_darwin_amd64.zip
mv vault /usr/bin vault -version # Vault v0.1.2 • ͱΓ͋͑ͣࢼ͢ʹ"vault server -dev"ͱ͢Εىಈ͢Δ • (ຊ൪αʔόͰΘͳ͍͜ͱ) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 5
ઃఆϑΝΠϧ • h#ps:/ /www.vaultproject.io/docs/config/index.html // ௨ৗͷػີใͷอଘઌ "file", "consul", "inmem", "zookeeper"
͕બΔ backend "file" { // file Λࢦఆͨ͠߹͜ͷσΟϨΫτϦʹ௨ৗͷػີใ͕҉߸Խ͞Εͯอଘ͞ΕΔ path = "/etc/vault/data" } // Listen ͢Δϓϩτίϧ/ΞυϨε/ϙʔτ listener "tcp" { address = "127.0.0.1:8200" tls_disable = 1 } • vault server -config=vault.conf"Ͱ"vault"Λىಈ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 6
ॳظηοτΞοϓ • vault init"ͰηοτΞοϓ • ͜ͷࡍɺػີใͷ෮߸ʹඞཁͳ伴͕ग़ྗ͞ΕΔ • σϑΥϧτͰ"Key"1ʙ5"͕ग़ྗ͞ΕΔ • ෮߸ʹͲΕ͔"3"ͭͷ"Key"͕͋Εྑ͍
• ͦΕͧΕͷ伴όϥόϥͷॴʹอଘ͓ͯ͘͠ͱྑ͍ • root"ͷ"token"ग़ྗ͞ΕΔͷͰͦΕϝϞ͓ͯ͘͠ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 7
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 8
(ؓٳ)#ػີใͷ҉߸Խʁ෮߸ʁ • Vault'ىಈ͚ͨͩ͠ͰΛಡΈॻ͖͢Δ͜ͱग़དྷͳ͍ • ىಈޙɺunseal'ͱ͍͏伴ͷੜ࡞ۀ͕ඞཁʹͳΔ • ඞཁྔͷ伴Λೖྗ͢Δ͜ͱͰ҉߸Խ/෮߸Խ༻ͷ伴Λܾఆ'2 • ͳ͓'҉߸Խʹ'256bit'AES1GCM'Λ༻͍ͯ͠Δ 2"Shamir's"Secret"Sharing
hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 9
ػີใͷཧ!(Plane!Text) • ઌड़ͷ௨ΓɺΛಡΈॻ͖͢ΔͨΊʹ"unseal"͕ඞཁ • vault unseal"ͰඞཁྔͷΩʔΛೖྗ͍ͯ͘͠ • ඞཁྔೖΕΔͱ"Sealed: false"ʹͳΔ •
vault write secret/foo bar=buz"ͰΛॻ͖ࠐΊΔ • vault read secret/foo"Ͱ֬ೝ • ͍ͭ͘Ͱॻ͖ࠐΊΔ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 10
ػີใͷཧ!(༷ʑͳೝূใ) • AWS%IAM%User%%MySQL%ͷϢʔβΛ࡞Ͱ͖Δ • vault mount aws%ͱ͢Δͱ%AWS%༻ͷ໊લۭ͕ؒग़དྷΔ • vault mounts%Ͱ֬ೝग़དྷΔ
• ࠷ॳʹ%vault write aws/config/root%ͰઃఆΛߦ͏ • access_key%ͱ%secret_key%(IAM%ཧ༻) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 11
ػີใͷཧ!(༷ʑͳೝূใ) • IAM%ϙϦγʔΛఆٛͨ͠ઃఆϑΝΠϧΛ༻ҙ͠Λॻ͖ࠐΉ • vault write aws/roles/deploy \ policy=@policy.json •
ఆٛͨ͠ϙϦγʔʹରԠͨ͠%IAM%User%͕࡞͞ΕΔ • ಛఆͷ͕࣌ؒܦա͢Δͱ%expire%͢ΔͷઃఆͰ͖Δ hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 12
ଓ͖ͦͷ͏ͪΓ·͢ (ͱ͍͏͔ϒϩάΛॻ͖·͢(ଟ)) hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 13
ࢀߟจݙ • h#ps:/ /www.vaultproject.io/ • h#ps:/ /www.vaultproject.io/docs/index.html • h#p:/ /pocketstudio.jp/log3/2015/04/29/vault/
• h#p:/ /pocketstudio.jp/log3/2015/04/30/introducBontovault/ • h#p:/ /pocketstudio.jp/log3/2015/05/01/vaultCgeDngCstarted/ • h#p:/ /kiririmode.hatenablog.jp/entry/20150429/1430279218 hbstyle((2015/05/14)(1(Yoshikawa(Ryota(((@rrreeeyyy() 14