๋งˆ์ด๋ฎค์งํ…Œ์ด์ŠคํŠธ์—์„œ ์ •๋ง ๊ฐ๋ช…๊นŠ๊ฒŒ ์‚ฌ์šฉํ–ˆ๋˜ ๋„๊ตฌ์ค‘ ํ•˜๋‚˜๋Š” ๋ฐ”๋กœ Hashicorp Vault ์˜€๋‹ค.
๋ชจ๋“  ์„ค์ •๊ณผ ๋ณด์•ˆ ์ •๋ณด๋“ค์ด ํ•œ๊ณณ์—์„œ ๊ด€๋ฆฌ๋˜๊ณ  Githubํ† ํฐ ํ•˜๋‚˜๋กœ ์ •๋ณด๋ฅผ ๋ฐ›์•„์˜ฌ ์ˆ˜ ์žˆ๋Š”๊ฑด ์ •๋ง ์„ผ์„ธ์ด์…”๋„ํ•œ ๊ฒฝํ—˜์ด์˜€๋‹ค.

์ด์ œ Vault๊ฐ€ ๋ฌด์—‡์ธ์ง€์— ๊ด€ํ•ด ์•Œ์•„๋ณด๊ณ , ์„ค์ •์„ ํ•ด๋ณด๋„๋ก ํ•˜์ž

Vault๋ž€?

Manage Secrets and Protect Sensitive Data
- HashiCorp Vault catchphrase

Vault๋Š” ๋ฏผ๊ฐํ•˜๊ณ  ์ค‘์š”ํ•œ ๋น„๋ฐ€ ์ •๋ณด๋ฅผ ๊ด€๋ฆฌ ํ•˜๊ธฐ ์œ„ํ•œ ๊ด€๋ฆฌ ๋„๊ตฌ์ด๋‹ค.

๋งŽ์€ ์‚ฌ๋žŒ๋“ค๋„ ๊ทธ๋ ‡๊ฒ ์ง€๋งŒ ๋‚˜๋„ ์ด๋•Œ๊นŒ์ง€๋Š” ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ปค๋„ฅ์…˜ ๋“ฑ์˜ ๋ณด์•ˆ ์ •๋ณด๋ฅผ ๊ทธ๋ƒฅ ์†Œ์Šค์ฝ”๋“œ์— ํ•˜๋“œ์ฝ”๋”ฉํ•ด์„œ ๋„ฃ๊ฑฐ๋‚˜, cfg ํŒŒ์ผ ๋“ฑ์œผ๋กœ ์˜ฎ๊ฒจ๋‹ค๋‹ˆ๊ณ , ํ™˜๊ฒฝ๋ณ€์ˆ˜์—์„œ ๊ฐ€์ ธ๋‹ค ์“ฐ๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์•˜๋‹ค. ๋‹น์—ฐํžˆ ์“ฐ๋Š” ์ •๋ณด์˜ ํฌ๋งท์ด ๋‹ฌ๋ผ์ง€๊ฑฐ๋‚˜, ์ •๋ณด์— ๋ณ€๊ฒฝ์ด ๋ฐœ์ƒํ•˜๋ฉด ํ•ด๋‹น ์ •๋ณด๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๋ชจ๋“  ์•ฑ์˜ ํ™˜๊ฒฝ์— ๋“ค์–ด๊ฐ€์„œ ์ •๋ณด๋ฅผ ๋ฐ”๊ฟ”์ค˜์•ผ ํ–ˆ๋‹ค. ๋‹น์—ฐํžˆ ํ•˜๋“œ์ฝ”๋”ฉํ•ด์„œ ๋„ฃ์€ ๊ฒฝ์šฐ๋Š” ์†Œ์Šค์ฝ”๋“œ ์ €์žฅ์†Œ์— ํ•ด๋‹น ์ •๋ณด๊ฐ€ ์˜ฌ๋ผ๊ฐ€๊ฒŒ ๋˜๋Š”๋ฐ ๋‹น์—ฐํžˆ ์ „ํ˜€ ์ข‹์„๊ฒƒ์ด ์—†๋‹ค.

์ด๋ ‡๊ฒŒ ๋ถˆํŽธํ•˜๊ณ  ๋ถˆ์•ˆ์ •ํ•œ ๋ณด์•ˆ ๊ด€๋ฆฌ์˜ ์–ด๋ ค์›€์„ ํ•ด๊ฒฐํ•ด ์ฃผ๋Š”๊ฒƒ์ด ๋ฐ”๋กœ hashicorp Vault์ด๋‹ค.

Vault์˜ ๊ฐœ๋…์€ ๊ฐ„๋‹จํ•˜๋‹ค.

๋ชจ๋“  ์ •๋ณด๋ฅผ ๋ณผํŠธ์—์„œ ๊ด€๋ฆฌํ•˜๊ณ , ํด๋ผ์ด์–ธํŠธ(๊ฐœ๋ฐœ์ž ๋˜๋Š” ์•ฑ)์€ ๋ณผํŠธ ์ ‘๊ทผ ๊ถŒํ•œ์„ ๋ฐ›์€ ๋’ค ๋ณผํŠธ์—์„œ ์ฃผ๋Š” ์ •๋ณด๋ฅผ ๋ฐ›์•„ ์‚ฌ์šฉํ•˜๋ฉด ๋œ๋‹ค.
์ด๋Ÿฌํ•œ ์ฝ˜์…‰ํŠธ๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ ๋‹จ์ˆœํžˆ ์•ˆ์ „ํ•œ KV ์Šคํ† ์–ด ์ด์™ธ์—๋„ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค๋‚˜ SSH ์ •๋ณด๋ฅผ TTL์„ ์ง€์ •ํ•ด์„œ ๋™์ ์œผ๋กœ ์ƒ์„ฑํ•ด ์ฃผ๋Š” ๋“ฑ ๋‹ค์–‘ํ•œ ๊ธฐ๋Šฅ์„ ์ œ๊ณตํ•œ๋‹ค.

Vault๋ฅผ ์„ค์น˜ํ•ด๋ด…์‹œ๋‹ค

$ wget https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip   # or the URL of the latest release
$ mkdir vault_server
$ unzip <downloaded zip file> -d vault_server

๋ณผํŠธ๋ฅผ ํ•ด์‹œ์ฝ”ํ”„ ์„œ๋ฒ„์—์„œ ๋‹ค์šด๋กœ๋“œ ๋ฐ›๊ณ  ์••์ถ•์„ ํ’€๋ฉด ๋ณผํŠธ๋ฅผ ์‚ฌ์šฉํ•  ์ค€๋น„๊ฐ€ ๋œ๋‹ค.

๋ณผํŠธ๋ฅผ ์„œ๋ฒ„๋กœ ์ž‘๋™์‹œํ‚ค๊ธฐ ์œ„ํ•ด์„œ๋Š” ์ •๋ณด๋ฅผ ์ €์žฅํ•  ์Šคํ† ๋ฆฌ์ง€๊ฐ€ ํ•„์š”ํ•˜๋‹ค. ๊ณ ๊ฐ€์šฉ์„ฑ์„ ์‚ด๋ฆฌ๊ณ  ์‹ถ๋‹ค๋ฉด DynamoDB๋‚˜ Hashicorp Consul์„ ์‚ฌ์šฉํ•ด์•ผ ํ•˜์ง€๋งŒ ์—ฌ๊ธฐ์„œ๋Š” ๊ณ ๊ฐ€์šฉ์„ฑ์ด ํ•„์š”ํ•˜์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— ๊ฐ„๋‹จํžˆ ํŒŒ์ผ์‹œ์Šคํ…œ์„ ์‚ฌ์šฉํ•˜๋„๋ก ํ•œ๋‹ค

์ด์ œ vault ์˜ ํ™˜๊ฒฝ ์„ค์ •์„ ์ €์ •ํ•  HCL ํŒŒ์ผ์„ ๋งŒ๋“ค์–ด๋ณด์ž

$ cd vault_server
$ touch config.hcl
$ nano config.hcl

config.hcl ํŒŒ์ผ์— ๋‹ค์Œ์˜ ๋‚ด์šฉ์„ ์ €์žฅํ•˜์ž.

storage "file" {
  path = "/mnt/vault/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  # TLS is terminated at the reverse proxy (nginx) in front of Vault, so the
  # listener itself speaks plain HTTP. Keep port 8200 reachable only from that
  # proxy (firewall it, or bind to the proxy-facing interface) so the
  # unencrypted listener is never exposed directly.
  tls_disable = true
}

ui = true

TLS๋Š” ๋ณผํŠธ ๋˜ํ•œ ๋Œ€๋ถ€๋ถ„์˜ WAS ๊ฐ™์ด nginx๊ฐ™์€ ์›น์„œ๋ฒ„๋ฅผ ํ•œ๋ฒˆ ๊ฑฐ์น˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์•„์„œ ๋น„ํ™œ์„ฑํ™” ํ•˜๋„๋ก ํ–ˆ๋‹ค. TLS ์„ค์ •์€ ์›น์„œ๋ฒ„ ๋‹จ์—์„œ ํ•˜๋„๋ก ํ•˜์ž.
UI๋ฅผ ๋น„ํ™œ์„ฑํ™” ํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” ui ์˜ต์…˜์„ false๋กœ ์ฃผ๋ฉด ๋œ๋‹ค.

์ด์ œ vault ์„œ๋ฒ„๋ฅผ ์‹œ์ž‘์‹œ์ผœ ๋ณด์ž.

$ sudo ./vault server -config=config.hcl

root ๊ถŒํ•œ์œผ๋กœ ์‹คํ–‰ํ•˜์ง€ ์•Š์œผ๋ฉด ๋ฉ”๋ชจ๋ฆฌ ๋ณด์•ˆ ๊ด€๋ จ ์—๋Ÿฌ๊ฐ€ ๋‚˜๊ธฐ ๋•Œ๋ฌธ์— sudo๋กœ ์‹คํ–‰ํ•ด ์ค€๋‹ค.

์„œ๋ฒ„ ์„ค์น˜ ๊ณผ์ •์€ ์ด๊ฒŒ ๋์ด๋‹ค. ์ด์ œ ํด๋ผ์ด์–ธํŠธ์—์„œ Vault๋ฅผ ์ดˆ๊ธฐํ™” ํ•˜๊ณ  ์–ธ์”ฐํ•ด์•ผ ๋ณผํŠธ๋ฅผ ์‚ฌ์šฉํ• ์ˆ˜ ์žˆ๊ฒŒ ๋œ๋‹ค.

ํด๋ผ์ด์–ธํŠธ ํ™˜๊ฒฝ์—์„œ ๋ณผํŠธ์˜ ์ฃผ์†Œ๋ฅผ ํ™˜๊ฒฝ๋ณ€์ˆ˜์— ๋“ฑ๋กํ•˜์ž

$ echo 'export VAULT_ADDR=<address>' >> ~/.bash_profile

๋ณผํŠธ๋ฅผ ์ดˆ๊ธฐํ™”ํ•˜๊ธฐ ์œ„ํ•ด vault init ๋ช…๋ น์–ด๋ฅผ ์ˆ˜ํ–‰ํ•œ๋‹ค.

$ ./vault operator init
Unseal Key 1: ____________________________________________
Unseal Key 2: ____________________________________________
Unseal Key 3: ____________________________________________
Unseal Key 4: ____________________________________________
Unseal Key 5: ____________________________________________

Initial Root Token: ______________________________

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

๋ณผํŠธ๋ฅผ ์ดˆ๊ธฐํ™” ํ•˜๋ฉด ๋ณผํŠธ๋ฅผ ์–ธ์”ฐํ•˜๊ธฐ ์œ„ํ•œ 5๊ฐœ์˜ ์–ธ์”ฐ ํ‚ค์™€ ๋ฃจํŠธ ํ† ํฐ์„ ์ค€๋‹ค.
์–ธ์”ฐํ‚ค๊ฐ€ ์—†์œผ๋ฉด ๋ณผํŠธ๊ฐ€ ์”ฐ๋ง๋ฌ์„๋•Œ ์–ธ์”ฐ์„ ํ•  ์ˆ˜๊ฐ€ ์—†๊ณ  ์ €์žฅ๋œ ์ •๋ณด์˜ ๋ณตํ˜ธํ™” ๋˜ํ•œ ๋‹ด๋‹นํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์กฐ์‹ฌํžˆ ๊ด€๋ฆฌํ•ด์•ผ ํ•œ๋‹ค. ๋ฃจํŠธ ํ† ํฐ์€ ๋ง ๊ทธ๋Œ€๋กœ์˜ ๊ถŒํ•œ์„ ๊ฐ€์ง€๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ์กฐ์‹ฌํžˆ ๋ณด๊ด€ํ•˜๋„๋ก ํ•˜์ž.

๋ณผํŠธ๊ฐ€ ์ดˆ๊ธฐํ™” ๋˜์—ˆ๋‹ค๋ฉด ๋ณผํŠธ๊ฐ€ ์”ฐ๋ง๋œ ์ƒํƒœ์ด๊ธฐ ๋–„๋ฌธ์— ๋ณผํŠธ๋ฅผ ์‚ฌ์šฉํ•˜๋ ค๋ฉด 5๊ฐœ ์ค‘ 3๊ฐœ์˜ ์–ธ์”ฐ ํ‚ค๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋ณผํŠธ๋ฅผ ์–ธ์”ฐํ• ์ˆ˜ ์žˆ๋‹ค.

๋ฏธ์‚ฌ์ผ ๋ฐœ์‚ฌ์ฒ˜๋Ÿผ ๋ณผํŠธ๋ฅผ ์—ด๊ธฐ ์œ„ํ•ด์„œ๋Š” ์—ฌ๋Ÿฌ๊ฐœ์˜ ํ‚ค๊ฐ€ ํ•„์š”ํ•˜๋‹ค๊ณ  ์ƒ๊ฐํ•˜๋ฉด ๋œ๋‹ค

$ ./vault operator unseal
Key (will be hidden):
Sealed: true
Key Shares: 5
Key Threshold: 3
Unseal Progress: 1/3

๊ธฐ๋ณธ์ ์œผ๋กœ ์“ฐ๋ ˆ์‹œํ™€๋“œ๊ฐ€ 3๋ฒˆ์ด๊ธฐ ๋–„๋ฌธ์— ์–ธ์”ฐ ๋ช…๋ น์–ด๋ฅผ 3๊ฐœ์˜ ๋‹ค๋ฅธ ํ‚ค๋ฅผ ๊ฐ€์ง€๊ณ  ์ˆ˜ํ–‰ํ•˜๋ฉด ๋ณผํŠธ๊ฐ€ ์–ธ์”ฐ๋  ๊ฒƒ์ด๋‹ค.

Vault Github ํ† ํฐ์œผ๋กœ ์ ‘๊ทผํ•˜๊ธฐ

Vault๋Š” ์ž์ฒด์ ์œผ๋กœ ๋ฐœ๊ธ‰ํ•˜๋Š” ํ† ํฐ์„ ์‚ฌ์šฉํ•ด ์ ‘๊ทผํ•  ์ˆ˜๋„ ์žˆ์ง€๋งŒ ๊นƒํ—ˆ๋ธŒ ํ† ํฐ์ด๋‚˜ LDAP ๋“ฑ ๋‹ค์–‘ํ•œ ์ธ์ฆ ๋ฐฉ๋ฒ•์„ ์ œ๊ณตํ•œ๋‹ค.

๋ณผํŠธ์— root ๊ถŒํ•œ์œผ๋กœ ์ ‘๊ทผํ•˜๊ธฐ ์œ„ํ•ด ํด๋ผ์ด์–ธํŠธ ํ™˜๊ฒฝ์— ํ™˜๊ฒฝ๋ณ€์ˆ˜๋กœ ํ† ํฐ์„ ์ €์žฅํ•˜์ž.

$ echo "export VAULT_TOKEN=<root token>" >> ~/.bash_profile

github auth๋ฅผ ํ™œ์„ฑํ™” ํ•œ ํ›„ ์ ‘๊ทผ ๊ถŒํ•œ์„ ๊ฐ€์ง„ ์กฐ์ง์„ ์„ค์ •ํ•˜์ž

$ ./vault auth enable github
$ ./vault write auth/github/config organization=<GitHub organization name>

์ด์ œ Github ํ† ํฐ์„ ํ†ตํ•ด ๋ณผํŠธ์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๋‹ค.

Github ํ† ํฐ์€ https://github.com/settings/tokens ์—์„œ read:org ๊ถŒํ•œ์„ ๊ฐ€์ง„ ํ† ํฐ์„ ๋งŒ๋“ค์–ด์„œ ์‚ฌ์šฉํ•˜๋ฉด ๋œ๋‹ค.

๋งŒ์•ฝ ui ์˜ต์…˜์„ ํ™œ์„ฑํ™” ํ–ˆ๋‹ค๋ฉด ๋ณผํŠธ์— ์›น ๋ธŒ๋ผ์šฐ์ €๋กœ ์ ‘์†ํ•ด ํ™•์ธํ•ด ๋ณด์ž

์ด์ œ ๋ณผํŠธ๋ฅผ ์‚ฌ์šฉํ•  ์ค€๋น„๊ฐ€ ์™„๋ฃŒ๋˜์—ˆ๋‹ค!