アクセスキーの無い未来を IAM Roles Anywhereで創る @JAWS-UG Yokohama

ΞΫηεΩʔͷແ͍ະདྷΛ *".3PMFT"OZXIFSFͰ૑Δ   4JN4UB !TIJNBHBKJ   +"846(:PLPIBNB ڈ೥ͷΞϨͲ͏ͳͬͨʁεϖγϟϧ
ˡϗϫΠτγϚϦεͷΞϧλ

ࣗݾ঺հ Ӊ஦ػͷߤ๏༠ಋ੍ޚܥͷઃܭͱηϯαͷௐୡʢ೥൒ʣ ʙࡳຈʹҠॅʙ ΦϯϓϨΫϥ΢υΛ࢖ͬͨ(ަ׵ثͷੑೳࢼݧʢ൒೥ʣ Ϋϥ΢υج൫ͷߏஙɾӡ༻ɾ.41औಘࢧԉʢ೥ͪΐͬͱʣ ৗறઌΫϥ΢υج൫ͷߏஙɾӡ༻ɾҠߦʢ೥ͪΐͬͱʣ 4JN4UBʢΦϯϥΠϯͷ͕ͨ͢ʣ !TIJNBHBKJ 5XJUUFS "84ೝఆˠ
޷͖ͳ"84αʔϏεɿ4UFQ'VODUJPOT ಘҙʹͳΓ͍ͨ"84αʔϏεɿ4BHF.BLFS #FESPDL "QQ3VOOFS $%, "NQMJGZ

ౖ౭ͷొஃ࿈ઓ։࠵த ʢ4VOʣ "84Χʔχόϧ࠙਌ձ "84ΞοϓσʔτΛ·ͱΊͨ࿩ͱ͔ɺࡳຈ ʢ'SJʣ ߐ౦۠߹ಉ-5େձʢؔ܎֤ࣾݶఆʣ "84ೝఆףΛࢦೆ͢Δ࿩ɺΦϯϥΠϯ ʢ8FEʣ +"846(:PLPIBNB *".3PMFT"OZXIFSFͷ࿩ɺΦϯϥΠϯ
ʢ.POʣ $MPVEGMBSF.FFUVQ4BQQPSP 8PSE1SFTTʹ$MPVEGMBSFೖΕͯΈͨ࿩ɺࡳຈ ʢ'SJʣ+"846(4BQQPSPʢࡳຈΦϑϥΠϯʣͰ΋ొஃͤͯ͞௖͘༧ఆͰ͢

ϗϫΠτγϚϦεͱ ฻Β͍ͯ͠·͢🐿 ˢ౳਎େνϧλϦε

ݸਓϒϩάΛӡ༻͍ͯ͠·͢ ຖिߋ৽ʂ "84Ξοϓσʔτ ͠Ήͦ͘   ͦͷଞ ΨδΣοτ γϚϦεͷ࿩ͳͲ

"HFOEB • ͸͡Ίʹ • *".3PMFT"OZXIFSFͱ͸ʁ • ಋೖखॱʢ-5Ͱ͸লུʣ • ηΩϡϦςΟతʹͲ͏ͳͷʁ •
·ͱΊ

͸͡Ίʹ

օ͞Μ ΞΫηεΩʔ࢖ͬͯ·͔͢ʁ

ΞΫηεΩʔͱ͸ ϩʔΧϧϚγϯ ΞΫηεΩʔͱγʔΫϨοτΩʔͷ૊Έ߹ΘͤͰ "84ϦιʔεΛ֎෦ͷϩʔΧϧϚγϯͳͲ͔Βૢ࡞ ,FZ",*"*04'0%//&9".1-& 4FDSFUX+BMS96UO'&.*,.%&/(C1Y3GJ$:&9".1-&,&: AWS Cloud "84ͷ ɹɹ͍ΖΜͳαʔϏε
ϦΫΤετ αʔϏεར༻ڐՄ

͔͠͠ʂ

-ത࢜ ΞΫηεΩʔ ͱ͋Δ๺ͷ஍ํʹॅΜͰ͍ͨത࢜΋͜͏ڼ͍ͬͯ·͢

ΞΫηεΩʔͷڪΖ͍͠ͱ͜Ζ •アクセスキーとシークレットキーの2つだけで権限を得てしまう   （アカウントIDを指定しなくてもコマンドが送信できる） •無効化しない限りクレデンシャルが永続化してしまう •うっかりハードコードするだけで脅威に晒されてしまう •⾯倒なローテーションの管理が発⽣してしまう

ͦ͜Ͱʂ

*".3PMFT"OZXIFSFΛ࢖͍·͠ΐ͏

*".3PMFT"OZXIFSFͱ͸ʁ

ͬ͘͟Γݴ͏ͱ AWS Cloud "84ͷ ɹɹ͍ΖΜͳ αʔϏε &$ΠϯελϯεͳͲ"84಺ͷϦιʔε͕࢖͑Δ*".ϩʔϧΛ "84֎͔Β࢖͏͜ͱ͕Ͱ͖ΔΑ͏ʹͳΔαʔϏε ˢ࣋ͪग़ͨ͠ϩʔϧ

ϙ̋Ϟϯ෩ʹͬ͘͟Γݴ͏ͱ Paldea Region ຊདྷ͸ಛఆͷΤωϧΪʔ͕ͳ͍ͱෆࢥٞͳྗΛҾ͖ग़ͤͳ͍͓໘Λ ΤωϧΪʔ͕ແ͍ଞͷ஍ํʹ΋࣋ͪग़ͯ͠ྗ͕࢖͑ΔΑ͏ʹͳΔʂ Kitakami Region Unova Region ΤωϧΪʔ͕ͳ͍ʢ"84֎ʣ͚Ͳ࢖͑ΔΑ͏ʹͳΔ
ΤωϧΪʔ͕͋Δʢ"84಺ʣ *".ϩʔϧ͸͓໘ͬͯ୭͔͕ݴͬͯͨ

*".3PMFT"OZXIFSFͷ͘͠Έ "84ͷ ɹɹ͍ΖΜͳ αʔϏε ೝূہʢ$"ʣ ৴པΞϯΧʔ *". ΤϯυΤϯςΟςΟূ໌ॻͱൿີ伴Λ΋Β͏ ϔϧύʔΛ࢖ͬͯূ໌ॻͱൿີ伴ΛݟͤΔ *".ϩʔϧʢҰ࣌ΫϨσϯγϟϧʣΛ΋Β͏
ݖݶͷൣғ಺Ͱ"84ϦιʔεΛૢ࡞Ͱ͖Δ 44-௨৴࣌΍ΫϥΠΞϯτೝূͱಉ͡ 1,*ೝূΛ࢖͍·͢ ΫϥΠΞϯτ

࣮ࡍʹಋೖͯ͠ΈΑ͏ʂ

ඞཁͳ΋ͷ w*".ϩʔϧͷྗ͕ཉ͍͠ϩʔΧϧͷ؀ڥʢΫϥΠΞϯτʣ wೝূہʹ͢ΔϚγϯʢϩʔΧϧ&$ΠϯελϯεͳͲʣ   ˠΫϥΠΞϯτͱ͸ผͰ͋Δ΂͖ɺࠓճ͸"NB[PO-JOVY w*".ϩʔϧΛߦ࢖͢ΔͨΊͷ"84ΞΧ΢ϯτͱɺઃఆ͢Δݖݶ "84ͷ ɹɹ͍ΖΜͳ αʔϏε ೝূہʢ$"ʣ
ΫϥΠΞϯτ "84؀ڥͱݖݶ

࣋ͬͯ͘Δ΋ͷɺ࡞ΒΕΔ΋ͷ ೝূہʢ$"ʣ ৴པΞϯΧʔ *". ΤϯυΤϯςΟςΟূ໌ॻ FOEDFSUQFN $SFEFOUJBM)FMQFS ʢμ΢ϯϩʔυʣ ൿີ伴 FOELFZQFN
ΫϥΠΞϯτ $"ূ໌ॻόϯυϧ DBDFSUQFN *".ϩʔϧ ϓϩϑΝΠϧ

ಋೖखॱ

ೝূہΠϯελϯεʢAmazon Linux 2023ʣͷOpenSSLόʔδϣϯ openssl.aarch64 1:3.0.8-1.amzn2023.0.9 @System openssl-libs.aarch64 1:3.0.8-1.amzn2023.0.9 @System openssl-pkcs11.aarch64
0.4.12-3.amzn2023.0.1 @System /etc/ssl/openssl.cnfͷฤू # diff openssl.cnf openssl.cnf.org 114c114 < default_days = 3650 # how long to certify for --- > default_days = 365 # how long to certify for 216c216 < keyUsage = nonRepudiation, digitalSignature, keyEncipherment --- > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment 259c259 < keyUsage = cRLSign, keyCertSign, digitalSignature --- > # keyUsage = cRLSign, keyCertSign ূ໌ॻͷ༗ޮظݶ ͓޷ΈͰมߋ VTS@DFSUͷLFZ6TBHF ίϝϯτΞ΢τ֎͢ W@DBͷLFZ6TBHF ίϝϯτΞ΢τ֎͢ EJHJUBM4JHOBUVSF௥Ճ

PQFOTTMDOGͷઃఆՕॴ ͍ͣΕ΋LFZ6TBHFΛมߋ

σΟϨΫτϦͱϑΝΠϧΛ࡞੒͓ͯ͘͠ # sudo mkdir -p /etc/pki/CA/certs # sudo mkdir -p
/etc/pki/CA/crl # sudo mkdir -p /etc/pki/CA/newcerts # sudo mkdir -p /etc/pki/CA/private # sudo chmod 700 /etc/pki/CA/private # sudo touch /etc/pki/CA/index.txt # sudo echo 01 > /etc/pki/CA/serial ೝূہͷ࡞੒ # sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/ pki/CA/certs/cacert.pem -days 3650 Enter PEM pass phrase:ύεϑϨʔζΛೖྗ Verifying - Enter PEM pass phrase:ύεϑϨʔζΛೖྗ ʢதུʣ Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Hokkaido Locality Name (eg, city) [Default City]:Sapporo Organization Name (eg, company) [Default Company Ltd]:SimSta Organizational Unit Name (eg, section) []:Sim Common Name (eg, your name or your server's hostname) []:rolesanywhere Email Address []:೚ҙʢෆཁʣ ͋Δఔ౓ద౰Ͱ0, $/͸͓֮͑ͯ͜͏

CAόϯυϧΛऔಘ # sudo openssl x509 -in /etc/pki/CA/certs/cacert.pem -text Certificate: Data:
Version: 3 (0x2) ʢதུʣ X509v3 Basic Constraints: critical CA:TRUE X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign ʢதུʣ -----BEGIN CERTIFICATE----- MIIDwDCCAqigAwIBAgIUaI//Y1CUf+3LCvlU8C1LUsV3jTAwDQYJKoZIhvcNAQEL ʢதུʣ 5cxP5A== -----END CERTIFICATE----- ೝূہͷ࡞੒ # sudo openssl req -new -x509 -keyout /etc/pki/CA/private/cakey.pem -out /etc/ pki/CA/certs/cacert.pem -days 3650 ৴པΞϯΧʔ࡞੒࣌ ͜͜Λίϐϖ͢Δ 7FSTJPOͰ͋Δ $"536&Ͱ͋Δ ,FZ6TBHF͕͋Δ

ΤϯυΤϯςΟςΟ༻ൿີ伴Λ࡞੒ # sudo mkdir -p /etc/pki/CA/endentity # sudo openssl genrsa
-out /etc/pki/CA/endentity/endkey.pem 2048 CSRΛ࡞੒ # sudo openssl req -new -key /etc/pki/CA/endentity/endkey.pem -out /etc/pki/CA/ endentity/endcsr.pem ʢதུʣ Country Name (2 letter code) [XX]:JP State or Province Name (full name) []:Hokkaido Locality Name (eg, city) [Default City]:Sapporo Organization Name (eg, company) [Default Company Ltd]:SimSta Organizational Unit Name (eg, section) []:Sta Common Name (eg, your name or your server's hostname) []:rolesanywhere Email Address []:೚ҙʢෆཁʣ Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:ෆཁ An optional company name []:೚ҙʢෆཁʣ ΄΅ҰॹͰ0, ύεϑϨʔζ͸ෆཁ ͋ΔͱΤϥʔʹͳΔ

CAͰॺ໊ͯ͠ΤϯυΤϯςΟςΟূ໌ॻΛൃߦ # sudo openssl ca -in /etc/pki/CA/endentity/endcsr.pem -keyfile /etc/pki/CA/ private/cakey.pem
-cert /etc/pki/CA//certs/cacert.pem -out /etc/pki/CA/ endentity/endcrt.pem -extensions usr_cert Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:CAͷύεϑϨʔζΛೖྗ Check that the request matches the signature Signature ok Certificate Details: ʢதུʣ X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment ʢதུʣ Certificate is to be certified until Nov 8 15:09:39 2033 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated $"536&Ͱ͋Δ ,FZ6TBHFʹ %*HJUBM4JHOBUVF

ΤϯυΤϯςΟςΟূ໌ॻʢendcert.pemʣͱൿີ伴ʢendkey.pemʣΛϩʔΧϧ΁ίϐʔ endcert.pemͷத਎ Certificate: Data: Version: 3 (0x2) Serial Number: 1
(0x1) Signature Algorithm: sha256WithRSAEncryption ʢதུʣ X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment ʢதུʣ -----BEGIN CERTIFICATE----- MIIDlTCCAn2gAwIBAgIBATANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJKUDER ʢதུʣ mfbk1xKIjqTa -----END CERTIFICATE-----

ΤϯυΤϯςΟςΟূ໌ॻʢendcert.pemʣͱൿີ伴ʢendkey.pemʣΛϩʔΧϧ΁ίϐʔ endkey.pemͷத਎ -----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDXwkbnRmhRJiUJ QOt31ay+KrbIoVAjWAs96evbTmyuB2NNQ6Dcm08FFc9udGpNYuWIJlV3mFf3dK7F ʢதུʣ mhxPj4CsR/AD08X30SHroNg8TvQHpS2z6ERhdN/KOfvn44SzGngYD0h3qGam10TQ a2KGfekpiRFyfcc0kgkidVBY
-----END PRIVATE KEY----- ͜͜·ͰͰ໰୊ͳ͘ઃఆ͞Ε͍ͯΕ͹ɺ

*".3PMFT"OZXIFSFίϯιʔϧͷૢ࡞ w৴པΞϯΧʔͷ࡞੒ *".͸άϩʔόϧ͕ͩ 3PMFT"OZXIFSF͸ ϦʔδϣφϧϦιʔεͳͨΊ Ϧʔδϣϯબ୒ʹ஫ҙ ʢόʔδχΞ๺෦ʹͳΓ͕ͪʣ

*".3PMFT"OZXIFSFίϯιʔϧͷૢ࡞ w৴པΞϯΧʔͷ࡞੒ ֎෦ূ໌ॻόϯυϧΛબ୒ $"ͷূ໌ॻΛίϐϖ ೝূہཁ͕݅ਖ਼͘͠ͳ͍ͱ Τϥʔ͕ग़Δ ʢWͰͳ͍৔߹ͳͲʣ "3/ΛϝϞ͓ͯ͘͠ʂ

*".3PMFT"OZXIFSFίϯιʔϧͷૢ࡞ w*".ϩʔϧͷ࡞੒ ˢҎ֎͸௨ৗͷ*".ϩʔϧͱಉ༷ʹϙϦγʔ෇༩ͳͲߦ͏ Ϣʔεέʔεʹ3PMFT"OZXIFSFΛࢦఆ͢Δ͜ͱͰ ৴པϙϦγʔ͕ࣗಈͰೖྗ͞ΕΔ "3/ΛϝϞ͓ͯ͘͠ʂ

*".3PMFT"OZXIFSFίϯιʔϧͷૢ࡞ wϓϩϑΝΠϧͷ࡞੒ *".ϩʔϧΛඥ෇͚Δ ڥքϙϦγʔ΋ઃఆՄೳ ʢ4$1Έ͍ͨͳ΋ͷʣ "3/ΛϝϞ͓ͯ͘͠ʂ

$SFEFOUJBM)FMQFSͷಋೖ w͍ͣΕ͔ͷखஈͰμ΢ϯϩʔυ wυΩϡϝϯτʢύοέʔδΛೖखͯ͠഑ஔʣ   IUUQTEPDTBXTBNB[PODPNSPMFTBOZXIFSFMBUFTU VTFSHVJEFDSFEFOUJBMIFMQFSIUNM w(JU)VCʢιʔείʔυΛೖखͯ͠Ϗϧυʣ   IUUQTHJUIVCDPNBXTSPMFTBOZXIFSFDSFEFOUJBMIFMQFS

Credential HelperʢSigning HelperʣΛ࢖༻ͯ͠ೝূͰ͖Δ͔ςετ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺϔϧύʔͰҎԼͷίϚϯυΛ࣮ߦ͢Δ # ./aws_signing_helper credential-process \ --certificate .ssh/endcrt.pem
\ --private-key .ssh/endkey.pem \ --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role ੒ޭ͢ΔͱҰ࣌ΞΫηεΩʔͱγʔΫϨοτΞΫηεΩʔɺτʔΫϯ͕ฦͬͯ͘Δ {“Version":1,"AccessKeyId":"ASIAWGZVI6IWUEXAMPLE","SecretAccessKey":"IBMHdKtVbCn hmS+Wgu0LbqXq6XXxXXXxEXAMPLE","SessionToken":"IQoJb3JpZ2luX2VjENH////////// wEaDmFwLW5vcnRoZWFzdC0xIkYwRAIgcyD64b45AGCpN/ gxAEL7iUi8pcuXGfLaYKvNzuzora8CIGUpUHm6YsOsdfEc8XX2l9XsredDt9oZbRDallLVDRJMKpYECB ʢதུʣ SDm27AKZzde8p5ayy4/du5dgJzRtEz/ i24rNfjX9BHzZPghqayB4QWzZPWnZy1PD0fJg==","Expiration":"2023-11-11T18:06:59Z"} ূ໌ॻͱൿີ伴͸ DINPEͰ ֎෦ಡΈऔΓΛ๷ࢭ

AWS CLIܦ༝Ͱ࢖༻͢Δ৔߹ɺ.aws/configͰҎԼͷΑ͏ʹϓϩϑΝΠϧΛઃఆ͢Δ [default] ·ͨ͸ [profile rolesanywhereʢ೚ҙʣ] credential_process = ./aws_signing_helper credential-process
--certificate .ssh/endcrt.pem --private-key .ssh/endkey.pem --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role region = ap-northeast-1 ͜͜·ͰͰ໰୊ͳ͘ઃఆ͞Ε͍ͯΕ͹ɺ BXTTMTͳͲݖݶͷൣғ಺Ͱ BXTίϚϯυΛ࣮ߦ͢Δ͜ͱ͕Ͱ͖Δʂ

ηΩϡϦςΟతʹͲ͏ͳͷʁ

৴པΞϯΧʔ *". $SFEFOUJBM)FMQFS ʢμ΢ϯϩʔυʣ ΫϥΠΞϯτ $"ূ໌ॻόϯυϧ DBDFSUQFN ϓϩϑΝΠϧ ೝূہʢ$"ʣ ΤϯυΤϯςΟςΟূ໌ॻ
FOEDFSUQFN ൿີ伴 FOELFZQFN *".ϩʔϧ ΤϯυΤϯςΟςΟূ໌ॻͱൿີ伴͸ ΫϥΠΞϯτ୺຤Ͱ৵֐͞Εͳ͍Α͏ ద੾ʹอ؅ɾอޢ͠ͳ͚Ε͹ͳΒͳ͍ *".ϩʔϧͷݖݶ͸࠷খͰઃఆ͠Α͏ ೝূہ͸ϓϥΠϕʔτͳ৔ॴʹஔ͖ ৵֐͞Εͳ͍Α͏ʹ͢Δ ৴པΞϯΧʔͰ*".ʹҕ೚͍ͯ͠ΔͨΊ ఀࢭ͍ͯͯ͠΋ೝূʹ໰୊͸ͳ͍ ʢ1,*Ͱ࢖͏$3-͸ࠓճ࢖Θͳ͍ʣ ෆ҆ͳΒϚωʔδυͳ1$"Λ࢖͓͏ ʢֹ݄υϧPSυϧʣ ηΩϡϦςΟ্ͷݒ೦఺

ূ໌ॻͱൿີ伴Λอޢ͢Δखஈ w04ͷূ໌ॻετΞʹ؅ཧΛ೚ͤΒΕΔΑ͏ʹͳͬͨ   ˠɺ8JOEPXT$/($SZQUP"1*ɾ.BDΩʔνΣʔϯ w1,$4Ϟδϡʔϧʹ؅ཧΛ೚ͤΒΕΔΑ͏ʹͳͬͨ   ˠɺ:VCJLFZͳͲͷηΩϡϦςΟΩʔ

֤πʔϧͷར༻ํ๏

04ূ໌ॻฤʢ.BDͷΈʣ

৽نΩʔνΣʔϯΛ࡞੒͢Δ # security create-keychain credential-helper.keychain ΩʔνΣʔϯ༻ύεϫʔυΛ৽نͰೖྗʢ͙͢࢖͏ʣ # security unlock-keychain credential-helper.keychain
ΩʔνΣʔϯ༻ύεϫʔυΛೖྗ # EXISTING_KEYCHAINS=$(security list-keychains | cut -d '"' -f2) security list- keychains -s credential-helper.keychain $(echo ${EXISTING_KEYCHAINS} | awk -v ORS=" " '{print $1}') PKCS#12ܗࣜͷূ໌ॻΛ࡞੒ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺopensslͰҎԼΛ࣮ߦ # openssl pkcs12 -export -legacy -inkey ./endentity/endkey.pem -in ./endentity/ endcrt.pem -out ./endentity/composite.pfx ϥοϐϯά༻ύεϫʔυΛ৽نͰೖྗʢޙͰূ໌ॻΛΠϯϙʔτ͢Δࡍʹ࢖༻ʣ ˞ҎԼɺ.BDΩʔνΣʔϯͰઃఆɻ ɹ8JOEPXTͷํ͸͝ΊΜͳ͍͞ʢ(JU)VCʹࡌͬͯ·͢ʣ ˞0QFO44-Ҏ্ͷ৔߹ɺ.BDͷΩʔνΣʔϯͱΞϧΰϦζϜͷޓ׵ੑ͕ແ͍ͨΊɺ ɹMFHBDZΦϓγϣϯΛ࢖༻͢Δ͜ͱͰಡΈࠐΈ͕Ͱ͖ΔΑ͏ʹ͢Δ

ΩʔνΣʔϯʹূ໌ॻΛΠϯϙʔτ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺҎԼΛ࣮ߦ # security import ./endentity/composite.pfx -T ./aws_signing_helper -k credential-helper.keychain
ϥοϐϯά༻ύεϫʔυΛೖྗ ੒ޭ͢ΔͱΩʔνΣʔϯʹ௥Ճ͞ΕɺҎԼίϚϯυͰূ໌ॻΛ֬ೝͰ͖Δ # ./aws_signing_helper read-certificate-data Matching identities 1) 0fd93fb177e1bd0f87d0XXXXXXXXXXXXXXXXXXXX “CN=rolesanywhere,OU=Sta,O=SimSta,ST=Hokkaido,C=JP" Credential HelperͷೝূίϚϯυΛॻ͖׵͑ͯςετ ϑΝΠϧͷஔ͖৔ॴΛదٓमਖ਼͠ɺϔϧύʔͰҎԼͷίϚϯυΛ࣮ߦ͢Δ # ./aws_signing_helper credential-process \ —-cert-selector Key=x509Serial,Value=1 \ --trust-anchor-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:trust- anchor/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --profile-arn arn:aws:rolesanywhere:ap-northeast-1:XXXXXXXXXXXX:profile/ XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX \ --role-arn arn:aws:iam::XXXXXXXXXXXX:role/rolesanywhere-role γϦΞϧ͸্ه͔ ࣍ͷϖʔδͰ֬ೝ ͍͍ͩͨͩͱࢥ͏

.BDͷΩʔνΣʔϯʹ Πϯϙʔτ͞Εͨূ໌ॻ ίϚϯυ͕͏·͍͘͘ͱ ΩʔνΣʔϯͷೝূΛཁٻ͞ΕΔ

:VCJLFZฤ ˞్த·Ͱ͔͠ḷΓண͚·ͤΜͰͨ͠ʜ

YubikeyͷPIVۭ͖εϩοτʹূ໌ॻΛΠϯϙʔτ ະ࢖༻ͷ৔߹ɺ9aͰOKɻ9a, 9c, 9d, 9eͷ4छྨ͋Γɺݫີʹ༻్͕ҟͳΔΒ͍͠ʁ # ykman piv certificates import
9a ./endentity/composite.pfx Enter password to decrypt certificate: pfxͷύεϫʔυΛೖྗ Enter a management key [blank to use default key]:ۭཝ 9aεϩοτʹূ໌ॻ͕ೖ͍ͬͯΔ͜ͱΛ֬ೝ # ykman piv info Yubikey ManagerΛpipͰΠϯετʔϧ # pip install —user yubikey-manager Τϥʔ͕ൃੜͨ͠৔߹ɺҎԼͷΠϯετʔϧ͕ඞཁͳ৔߹͋Γ # brew install swig # pip install wheel ඞཁʹԠͯ͡ύεΛ௨͢ ˞ҎԼɺ.BDͰ:VCJLFZ.BOBHFSΛ࢖༻͢Δ৔߹ͷखॱɻ IUUQTEFWFMPQFSTZVCJDPDPNZVCJLFZNBOBHFS ͜͜Ͱ:VCJLFZΛૠೖ

(6*ͷ:VCJLFZ.BOBHFSΛΠϯετʔϧ͍ͯͯ͠΋֬ೝՄೳ IUUQTXXXZVCJDPDPNTVQQPSUEPXOMPBEZVCJLFZNBOBHFSIEPXOMPBET

˞͔͜͜Βઌ͕ḷΓண͚ͣʜ ຊདྷͳΒ:VCJLFZͷ1*7ʹ֨ೲ͞Εͨূ໌ॻͷ1,$463*Λ QLJU·ͨ͸QUPPMTͷMJTUUPLFOTͰදࣔͤ͞Δ͜ͱͰɺ DSFEFOUJBMQSPDFTTίϚϯυʹͯ DFSUJGJDBUFQLDTNBOVGBDUVSFSQJW@**JE ͷΑ͏ʹ63*ࢦఆ͢Ε͹:VCJLFZ͔Βͷূ໌ॻΛ࢖ͬͯೝূͰ͖Δ͸͕ͣɺ QLJUͱQUPPMT͍ͣΕ΋τʔΫϯ͕දࣔ͞Εͣɺଞʹ֬ೝ͢Δํ๏͕ ݟ෇͔Βͳ͍ͷͰஅ೦͠·ͨ͠ʜ ͓·؀͔΋͠Ε·ͤΜ͕ɺ্ख͍ͬͨͭ͘ΑͭΑͳํ͕͍Βͬ͠ΌͬͨΒ !TIJNBHBKJ·Ͱ͝Ұใ௖͚Ε͹ʜʂ

·ͱΊ

·ͱΊ w*".3PMFT"OZXIFSFΛ࢖͏͜ͱͰɺ"84֎ͷ୺຤͔ΒͰ΋   Ұ࣌ΫϨσϯγϟϧʹΑΔ*".ϩʔϧͷݖݶΛߦ࢖Ͱ͖Δ wೝূ͸44-௨৴΍ΫϥΠΞϯτ௨৴ͱಉ͡1,*Λ࢖༻͠ɺ   ೝূہ͔Βൃߦͨ͠ূ໌ॻͱൿີ伴Ͱઃఆ͍ͯ͘͠ wূ໌ॻͱൿີ伴ͷ؅ཧͳͲɺ͍͔ͭ͘ͷηΩϡϦςΟ໘ʹ͓͚Δ   ߟྀࣄ߲͸ଘࡏ͢Δ͕ɺ҆શʹ؅ཧ͢Δखஈ΋༻ҙ͞Ε͍ͯΔ
wΞΫηεΩʔͷແ͍ੜ׆Λ࣮ݱͰ͖Δʂʁ

ͦ͏ͩɺ ΞΫηεΩʔ ແͦ͘͏ɻ 終制作・著作 S i m

5IBOLZPVʂ

アクセスキーの無い未来を IAM Roles Anywhereで創る @JAWS-UG Yok...

アクセスキーの無い未来を IAM Roles Anywhereで創る @JAWS-UG Yokohama

More Decks by SimSta

Featured

Transcript