valitydev/salt
14
0
Fork 0
mirror of https://github.com/valitydev/salt.git synced 2024-11-07 17:09:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
a7a878fea0
salt/doc/topics/tutorials/preseed_key.rst
AnneTheAgile 78bc296ec0 #9356 Add cite to IAM for EC2 credential sharing.
2014-02-24 16:28:28 -05:00

57 lines
2.0 KiB
ReStructuredText
Raw Blame History

=================================
Preseed Minion with Accepted Key
=================================
In some situations, it is not convenient to wait for a minion to start before
accepting its key on the master. For instance, you may want the minion to
bootstrap itself as soon as it comes online. You may also want to to let your
developers provision new development machines on the fly.
There is a general four step process to do this:
1. Generate the keys on the master:
.. code-block:: bash
root@saltmaster# salt-key --gen-keys=[key_name]
Pick a name for the key, such as the minion's id.
2. Add the public key to the accepted minion folder:
.. code-block:: bash
root@saltmaster# cp key_name.pub /etc/salt/pki/master/minions/[minion_id]
It is necessary that the public key file has the same name as your minion id.
This is how Salt matches minions with their keys. Also note that the pki folder
could be in a different location, depending on your OS or if specified in the
master config file.
3. Distribute the minion keys.
There is no single method to get the keypair to your minion. The difficulty is
finding a distribution method which is secure. For Amazon EC2 only, an AWS best
practice is to use IAM Roles to pass credentials. (See blog post,
http://blogs.aws.amazon.com/php/post/Tx1F82CR0ANO3ZI/Providing-credentials-to-the-AWS-SDK-for-PHP )
.. admonition:: Security Warning
Since the minion key is already accepted on the master, distributing
the private key poses a potential security risk. A malicious party
will have access to your entire state tree and other sensitive data if they
gain access to a preseeded minion key.
4. Preseed the Minion with the keys
You will want to place the minion keys before starting the salt-minion daemon:
.. code-block:: bash
/etc/salt/pki/minion/minion.pem
/etc/salt/pki/minion/minion.pub
Once in place, you should be able to start salt-minion and run
``salt-call state.highstate`` or any other salt commands that require master
authentication.
Reference in New Issue View Git Blame Copy Permalink