How to Use the Command 'salt-key' (with Examples)
The salt-key command is an integral part of SaltStack, a configuration management tool used to automate system deployment and administration. Specifically, salt-key manages the authentication keys between the Salt master and the Salt minions: by controlling which keys are accepted, the master decides which minions are authorized to communicate with it. The command is typically executed on the Salt master server and usually requires root permissions or sudo. Here, we explore the practical applications of salt-key through several use cases.
Use Case 1: List All Accepted, Unaccepted, and Rejected Minion Keys
Code:
salt-key -L
Motivation:
Listing all accepted, unaccepted, and rejected keys lets system administrators assess the state of their Salt infrastructure quickly. Knowing which minion keys are accepted, pending, or rejected allows for prompt action, whether that is troubleshooting connectivity issues or verifying that only authorized systems are incorporated into the managed environment.
Explanation:
salt-key: The base command used to interact with Salt minion keys.
-L: This option directs salt-key to list all keys, grouped by status: accepted, unaccepted (pending), and rejected. This grouping makes the trust relationship of each minion with the master immediately visible.
Example Output:
Accepted Keys:
minion1
minion2
Unaccepted Keys:
minion3
Rejected Keys:
minion4
Use Case 2: Accept a Minion Key by Name
Code:
salt-key -a MINION_ID
Motivation:
Accepting a minion key is an essential step when a new minion is added to the infrastructure. This action establishes a trust relationship between the Salt master and the minion, allowing for remote management and configuration. Identifying and accepting keys by name ensures the correct minion is authorized, preventing accidental acceptance of unauthorized devices.
Explanation:
salt-key: As before, this is the command for managing Salt minion keys.
-a: Stands for "accept." This option tells the command to accept a specific minion's key.
MINION_ID: The unique identifier of the minion whose key you wish to accept. Naming a specific ID ensures that only that minion's key is accepted.
Example Output:
Key for minion: minion3 accepted.
Use Case 3: Reject a Minion Key by Name
Code:
salt-key -r MINION_ID
Motivation:
Rejecting a minion key is required when a minion should not be allowed to connect to the Salt master. This could be due to security concerns, such as when a device is no longer trusted or should be removed from management. By rejecting specific minion keys, system administrators can maintain a secure SaltStack environment.
Explanation:
salt-key: The command remains the same for all key management operations.
-r: Stands for "reject." It instructs the command to reject a specific minion's key, preventing that minion from establishing a connection with the master.
MINION_ID: The identifier of the minion whose key you want to reject. Providing an explicit ID avoids mistakenly rejecting the wrong minion.
Example Output:
Key for minion: minion4 rejected.
Use Case 4: Print Fingerprints of All Public Keys
Code:
salt-key -F
Motivation:
Fingerprinting is an essential technique for verifying the integrity and authenticity of keys. Printing the fingerprints of all public keys allows administrators to cross-verify and ensure that the keys they are handling are indeed those generated by the intended minions. This adds a layer of security, preventing any potential key spoofing.
Explanation:
salt-key: This command forms the foundation for managing minion keys.
-F: This option instructs salt-key to output the fingerprints of all public keys. A fingerprint is a short, human-readable digest of a public key, useful for verifying key authenticity.
Example Output:
Unaccepted Keys:
minion3: ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
Accepted Keys:
minion1: 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
minion2: de:ad:be:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78
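The fingerprint check described in Use Case 4 is most valuable when it gates the acceptance step from Use Case 2. As an added example (not from the original page or the SaltStack project), this POSIX shell script parses salt-key -F output and refuses to approve a pending minion unless its fingerprint matches a value obtained out of band; the salt-key -F output is a constructed sample so the script runs offline, and pending_fingerprint and verify_pending are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `salt-key -F` output so the script runs offline.
# On a real master replace this with:  SALT_KEY_F_OUTPUT=$(salt-key -F)
SALT_KEY_F_OUTPUT='Unaccepted Keys:
minion3: ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
Accepted Keys:
minion1: 12:34:56:78:90:ab:cd:ef:12:34:56:78:90:ab:cd:ef
minion2: de:ad:be:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78'

# pending_fingerprint MINION_ID
# Prints the fingerprint listed under "Unaccepted Keys:" for MINION_ID, or
# nothing if that minion is not pending.  Section headers end in " Keys:" and
# carry no fingerprint, so tracking the current section is sufficient.
pending_fingerprint() {
    printf '%s\n' "$SALT_KEY_F_OUTPUT" | awk -v id="$1" '
        /^[A-Za-z ]+ Keys:$/ { section = $0; next }
        section == "Unaccepted Keys:" && $1 == (id ":") { print $2; exit }'
}

# verify_pending MINION_ID EXPECTED_FINGERPRINT
# Returns 0 only when MINION_ID has a pending key whose fingerprint equals the
# value read from the minion itself (for example via `salt-call --local
# key.finger` on the minion console).  Any mismatch or absence is non-zero, so
# an automated `salt-key -a MINION_ID` can be made conditional on this result.
verify_pending() {
    actual=$(pending_fingerprint "$1")
    if [ -z "$actual" ]; then
        echo "refuse: $1 has no pending key" >&2
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "refuse: fingerprint mismatch for $1" >&2
        echo "  pending:  $actual" >&2
        echo "  expected: $2" >&2
        return 2
    fi
    echo "ok: $1 fingerprint verified; safe to run: salt-key -a $1"
}

# Constructed expected value, as if copied from minion3's own console.
verify_pending minion3 ab:cd:ef:12:34:56:78:90:ab:cd:ef:12:34:56:78:90
```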
Conclusion
The salt-key command is a powerful utility within the SaltStack ecosystem, essential for administering the authentication keys of Salt minions. By allowing administrators to list, accept, reject, and verify minion keys, salt-key ensures a trusted and secure communication channel between the Salt master and its minions. Understanding these use cases and their respective commands is vital for any system administrator managing a SaltStack deployment.