Managing Salt Minion Keys with salt-key (with examples)
Introduction
SaltStack is a powerful open-source automation tool used for managing infrastructure and configuration. One of its main components is the Salt Master, which communicates with Salt Minions on remote machines. To establish a secure connection, Salt Minions need to present their public keys to the Salt Master for acceptance. This is where the salt-key command comes into play.
The salt-key command allows Salt Masters to manage the keys of Salt Minions. This article explores various use cases of the salt-key command, providing code examples, motivations, explanations for each argument, and example outputs.
Use Case 1: Listing all minion keys
To list all minion keys, including accepted, unaccepted, and rejected keys, we can use the -L option with the salt-key command.
Code Example:
salt-key -L
Motivation:
Listing all minion keys allows Salt Masters to have an overview of the current key status. This is particularly useful when managing a large number of Salt Minions.
Explanation:
- The
-Lflag is used to list all minion keys.
Example Output:
Accepted Keys:
unaccepted_key
rejected_key
Unaccepted Keys:
pending_key1
pending_key2
Rejected Keys:
Use Case 2: Accepting a minion key
To accept a minion key, we can use the -a option followed by the MINION_ID of the key to be accepted.
Code Example:
salt-key -a unaccepted_key
Motivation:
Accepting a minion key is necessary for establishing a secure connection between the Salt Master and Salt Minion. By accepting a key, the Salt Master acknowledges the authenticity and trustworthiness of the Salt Minion.
Explanation:
- The
-aflag is used to accept a minion key. MINION_IDrefers to the identifier of the key to be accepted. This can be the minion’s hostname or any custom identifier associated with the Salt Minion.
Example Output:
The following key was accepted:
unaccepted_key
Use Case 3: Rejecting a minion key
To reject a minion key, we can use the -r option followed by the MINION_ID of the key to be rejected.
Code Example:
salt-key -r rejected_key
Motivation:
Rejecting a minion key is useful when the Salt Master determines that a key is no longer valid or trustworthy. This ensures that the Salt Minion is no longer allowed to communicate with the Salt Master.
Explanation:
- The
-rflag is used to reject a minion key. MINION_IDrefers to the identifier of the key to be rejected. This can be the minion’s hostname or any custom identifier associated with the Salt Minion.
Example Output:
The following key was rejected:
rejected_key
Use Case 4: Printing fingerprints of public keys
To obtain the fingerprints of all public keys, the -F option can be used with the salt-key command.
Code Example:
salt-key -F
Motivation:
Fingerprints can be used to verify the identity and integrity of public keys. Printing the fingerprints of all public keys allows Salt Masters to keep track of the keys being used by Salt Minions.
Explanation:
- The
-Fflag is used to print the fingerprints of all public keys.
Example Output:
unaccepted_key (RSA):
ae:5b:85:4d:4f:3c:18:5a:7e:9e:9f:f7:42:51:d0:6b
rejected_key (RSA):
34:b4:c9:86:7e:f0:c2:bf:6f:46:aa:f2:b6:5e:64:01
pending_key1 (DSA):
41:e5:bb:03:47:1b:ce:2d:41:25:62:ed:3a:4f:1e:84
pending_key2 (ECDSA):
fb:cc:61:63:2b:41:9f:6a:aa:0f:05:2e:34:82:4e:a0
Conclusion
The salt-key command is a powerful tool for managing Salt Minion keys on the Salt Master. It allows administrators to list, accept, reject, and obtain fingerprints of minion keys. By understanding and utilizing these different use cases, Salt Masters can ensure the secure and efficient configuration management of their infrastructure.
