<h1>Encrypting passwords with KMS from PHP code running on EC2</h1>
<p>GREE Engineering Blog, published 2019-03-25 (last modified 2019-05-13). Original post: <a href="https://labs.gree.jp/blog/2019/03/17847/">https://labs.gree.jp/blog/2019/03/17847/</a>. Tags: aws, kms, php.</p>
<p>I'm Higuchi (<a href="https://twitter.com/mahiguch1">@mahiguch1</a>), a developer on the housing and lifestyle media site <a href="https://limia.jp/">LIMIA</a>.<br />
Part of LIMIA's web service is implemented in PHP.<br />
I recently implemented safe handling of a password with KMS in PHP code running on EC2, so this post shares how it was done.</p>
<h2>Creating the encryption key</h2>
<p>AWS Key Management Service (KMS) is a managed service that makes it easy to create and manage the encryption keys used to encrypt data.<br />
An encryption key can be created in a few clicks from the AWS Console.<br />
First, open KMS (Key Management Service) in the AWS Console.<br />
Next, press the orange "Create key" button at the top right of the screen.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img1.png" alt="KMS console with the Create key button" /></p>
<p>On the next screen, enter a descriptive name for the alias.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img2.png" alt="Alias entry screen" /></p>
<p>On the next screen, add tags if you need them.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img3.png" alt="Tag entry screen" /></p>
<p>On the next screen, add yourself to Key Administrators.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img4.png" alt="Key Administrators selection screen" /></p>
<p>On the next screen (key usage permissions, i.e. Key Users), leave everything empty. The EC2 role will be granted access through an IAM policy instead; that only works because the default key policy contains the statement that lets IAM policies in the account control use of the key. If you remove that statement from the key policy, the instance role has to be listed here as a key user.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img5.png" alt="Key usage permissions screen left empty" /></p>
<p>The review screen shows the key policy (a JSON document) that will be attached to the key. Press Finish without changing it.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img6.png" alt="Review screen showing the generated key policy" /></p>
<p>The encryption key is now created.</p>
<p><img src="https://labs.gree.jp/blog/wp-content/uploads/2019/03/img7.png" alt="Newly created key listed in the KMS console" /></p>
<h2>Allowing KMS decryption from EC2</h2>
<p>Add "kms:Decrypt", the action that allows decryption with KMS, to the role in the Instance Profile of the EC2 instance that will perform the decryption.<br />
This time, for the convenience of testing, I also granted "kms:Encrypt". Production instances only need kms:Decrypt: encryption is a one-off step done by an operator, and a role that can only decrypt cannot mint new blobs.<br />
Every statement needs a Resource. The snippet below scopes the permission to the key's ARN (the XXXX parts are placeholders for the account and key IDs) rather than "*", so the role cannot decrypt under any other key in the account.</p>
<pre class="lang:js decode:true ">    "KMSDecryptPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "Roles": [
          {
            "Ref": "XXXXXServerRole"
          }
        ],
        "PolicyName": "KMSDecryptPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
              ],
              "Resource": "arn:aws:kms:ap-northeast-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
            }
          ]
        }
      }
    }</pre>
<h2>Encrypting the password</h2>
<p>On an instance that has been granted the encrypt permission, the following command encrypts the password. The output is the ciphertext blob, base64-encoded; that text is what gets embedded in the code.</p>
<pre class="lang:default decode:true">$ aws kms encrypt --key-id alias/limia-sapmle-key --plaintext "password" --query "CiphertextBlob" --output text
xxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxxxx/xxxxxxxxxxxxxx</pre>
<p>Two things to watch with this command. Passing the password as an argument leaves it in the shell history and, briefly, in the process list; reading it from a file with --plaintext fileb://password.txt avoids both. And AWS CLI v2 interprets --plaintext as base64 by default, so on v2 either use the fileb:// form or add --cli-binary-format raw-in-base64-out, otherwise what gets encrypted is not the password you typed.</p>
<p>To verify, decrypt it with awscli.</p>
<pre class="lang:default decode:true">$ aws kms decrypt --ciphertext-blob fileb://&lt;(echo 'xxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxxxx/xxxxxxxxxxxxxx' | base64 -d)|jq .Plaintext --raw-output|base64 -d
password</pre>
<p>Decrypt takes no key id: the blob itself records which key it was encrypted under, so it can only be decrypted by a principal that holds kms:Decrypt on that key. (--query Plaintext --output text does the same job as the jq step.)</p>
<h2>Fetching the password in PHP</h2>
<p>The encrypted password is embedded in the code. At runtime the blob is sent to KMS, which decrypts it under the key created above and returns the plaintext; the key material itself never leaves KMS.<br />
Because only ciphertext is embedded, it can be committed to the git repository. Be clear about what that does and does not protect: anyone with kms:Decrypt on the key, and anyone who can run code on the instance, can recover the password, and a blob that has ever been committed stays in the git history. Changing the password therefore means encrypting the new one, committing the new blob, and treating the old one as burned.<br />
Two details matter in the code below. The client is created without a 'profile' entry, because on EC2 the default credential provider chain ends at the instance profile, whereas 'profile' =&gt; 'default' forces the SDK to read ~/.aws/credentials. And the CLI prints base64 text, while the SDK expects the raw blob (it base64-encodes it itself), so the text is decoded before being passed.</p>
<pre class="lang:default decode:true ">&lt;?php
require 'vendor/autoload.php';

use Aws\Kms\KmsClient;
use Aws\Exception\AwsException;

// No 'profile' entry: on EC2 the default credential provider chain falls
// through to the instance profile. 'profile' =&gt; 'default' would instead
// force the SDK to read ~/.aws/credentials, which the instance does not have.
$KmsClient = new KmsClient([
    'version' =&gt; '2014-11-01',
    'region' =&gt; 'ap-northeast-1'
]);

// Base64 text as printed by `aws kms encrypt`
$ciphertext = 'xxxxxxxxxxxxx/xxxxxxxxxxxxxxxx/xxxxxxxxxxx/xxxxxxxxxxxxxx';

try {
    $result = $KmsClient-&gt;decrypt([
        // The SDK wants the raw blob (it base64-encodes it itself),
        // so the CLI's base64 text has to be decoded first.
        'CiphertextBlob' =&gt; base64_decode($ciphertext),
    ]);
    $plaintext = $result['Plaintext']; // raw bytes, already decoded by the SDK
    var_dump($plaintext);              // verification only; do not print the secret in production
} catch (AwsException $e) {
    // Output error message if it fails
    echo $e-&gt;getMessage();
    echo "\n";
}</pre>
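<p>As an added example (my code, not code from the original post), here is how I would wrap the decrypt step for production use. It binds the blob to an encryption context, which KMS verifies as additional authenticated data and rejects with InvalidCiphertextException if it differs, so a blob encrypted under the same key for some other app or secret cannot be swapped in; it checks the KeyId that Decrypt reports back against the key this deployment trusts; and it validates the base64 before anything reaches KMS. The KmsSecret class name, the app/secret context values and the key ARN are assumptions. The bottom of the file uses the SDK's MockHandler with a constructed response so it runs without AWS credentials; that stand-in only checks that the wrapper really sent the context and is not KMS behaviour.</p>

```php
<?php
// Added example, not code from the original post. Assumed names: the KmsSecret
// class, the "app"/"secret" context values and the key ARN placeholder.
require 'vendor/autoload.php';

use Aws\CommandInterface;
use Aws\Exception\AwsException;
use Aws\Kms\KmsClient;
use Aws\MockHandler;
use Aws\Result;

final class KmsSecret
{
    // Key this deployment trusts its secrets to be encrypted under (assumed ARN).
    const EXPECTED_KEY_ARN =
        'arn:aws:kms:ap-northeast-1:XXXXXXXXXXXX:key/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';

    /** @var KmsClient */
    private $kms;

    public function __construct(KmsClient $kms)
    {
        $this->kms = $kms;
    }

    /**
     * Decrypt one blob. $b64Ciphertext is the base64 text printed by
     * `aws kms encrypt`; $context must equal the --encryption-context
     * that was given at encrypt time.
     */
    public function reveal(string $b64Ciphertext, array $context): string
    {
        // Strict mode: reject anything that is not base64 before it reaches KMS.
        $blob = base64_decode($b64Ciphertext, true);
        if ($blob === false) {
            throw new \InvalidArgumentException('ciphertext is not valid base64');
        }

        // KMS checks the context against the one used at encrypt time and
        // fails with InvalidCiphertextException on a mismatch, so a blob made
        // for another app or secret under the same key cannot be substituted.
        $result = $this->kms->decrypt([
            'CiphertextBlob'    => $blob,
            'EncryptionContext' => $context,
        ]);

        // Decrypt reports the key it used; refuse anything encrypted under a
        // different key, e.g. one an attacker controls in the same account.
        if ($result['KeyId'] !== self::EXPECTED_KEY_ARN) {
            throw new \RuntimeException('ciphertext was not encrypted under the expected key');
        }

        return $result['Plaintext'];
    }
}

// ---- offline stand-in so this file runs without AWS credentials ----
// MockHandler replaces the HTTP layer. The callable is a constructed response,
// not KMS behaviour: it checks that the wrapper really sent the context and
// returns the fields a real Decrypt response carries.
$expectedContext = ['app' => 'limia-web', 'secret' => 'db-password'];

$mock = new MockHandler();
$mock->append(function (CommandInterface $cmd) use ($expectedContext) {
    if ($cmd['EncryptionContext'] !== $expectedContext) {
        return new \RuntimeException('stand-in: EncryptionContext was not sent');
    }
    return new Result([
        'KeyId'     => KmsSecret::EXPECTED_KEY_ARN,
        'Plaintext' => 'password',
    ]);
});

$kms = new KmsClient([
    'version'     => '2014-11-01',
    'region'      => 'ap-northeast-1',
    'credentials' => false,   // stand-in only; on EC2 omit this so the instance profile is used
    'handler'     => $mock,
]);

// Constructed blob; a real one is the opaque base64 text from `aws kms encrypt`.
$blob = base64_encode('constructed-ciphertext-blob');

try {
    $dbPassword = (new KmsSecret($kms))->reveal($blob, $expectedContext);
    // Use the value; never echo or log it outside of this demo.
    echo $dbPassword === 'password' ? "decrypt ok\n" : "unexpected plaintext\n";
} catch (AwsException $e) {
    echo 'KMS error: ', $e->getAwsErrorCode(), "\n";
}
```

<p>For this to work the same context has to be supplied when the blob is made, e.g. aws kms encrypt --key-id alias/limia-sapmle-key --plaintext fileb://password.txt --encryption-context app=limia-web,secret=db-password. The context is not secret (it is logged in CloudTrail), but it lets the instance role's IAM statement be narrowed further with a Condition such as "StringEquals": {"kms:EncryptionContext:app": "limia-web"}, so that role can decrypt only blobs carrying that context even though other blobs under the same key exist in the account.</p>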
<h2>Summary</h2>
<p>This post showed how to handle a password safely with KMS.<br />
It is a simple requirement that nevertheless causes a lot of trouble, so I hope this is useful.</p>