LinuxCommandLibrary

salt-key

Manage Salt minion keys

TLDR

List all accepted, unaccepted and rejected minion keys
$ salt-key --list-all

Accept a minion key by name
$ salt-key --accept MINION_ID

Reject a minion key by name
$ salt-key --reject MINION_ID

Print fingerprints of all public keys
$ salt-key --finger-all

SYNOPSIS

salt-key [options]

PARAMETERS

-a, --accept=
    Accept the specified minion-id key.

-A, --accept-all
    Accept all pending keys.

-d, --delete=
    Delete the specified minion-id key.

-D, --delete-all
    Delete all keys (accepted, rejected, pending). Use with caution!

-r, --reject=
    Reject the specified minion-id key.

-R, --reject-all
    Reject all pending keys.

-l, --list
    List all keys. Use with accepted, rejected, pending, all to filter the list.

-L, --list-all
    List all keys (accepted, rejected, pending).

-p, --pending
    Show pending keys only.

-P, --print=
    Print the key for the specified minion-id.

-F, --finger-all
    Display the fingerprints of all keys.

-y, --yes
    Answer yes to all questions (non-interactive mode).

-h, --help
    Show help message and exit.

-g, --gen-keys=
    Generate keys for the specified minion-id.

-f, --force
    Force the operation. May override confirmations.

-q, --quiet
    Suppress non-error output.

-c, --config-dir=
    Specify the salt configuration directory.

DESCRIPTION

The `salt-key` command is a utility used to manage Salt minion keys on the Salt master. It allows you to accept, reject, delete, and pre-generate keys. Keys are used to authenticate minions with the master, ensuring secure communication. Without proper key management, a Salt environment is vulnerable to unauthorized access.

This command allows for interactive key management through the command line. It can also be used in automated scripting scenarios. Key management is crucial for maintaining the security and integrity of your Salt infrastructure. A common workflow involves a minion presenting its public key to the salt-master when it first connects; the key then sits as pending until the administrator of the master accepts it using this tool, ideally after comparing the fingerprint shown by `-F` with one obtained from the minion out of band. Minions whose keys have not been accepted are not managed by the salt-master.

Understanding how to use `salt-key` is essential for any Salt administrator.

CAVEATS

Deleting all keys with `-D` can be extremely dangerous and should only be used with extreme caution. Ensure proper backups are in place before performing this action.

The `-y` flag disables prompts. This is useful for automation, but requires careful consideration as it bypasses confirmations for potentially destructive operations.

KEY STORAGE

Salt keys are stored in the `/etc/salt/pki/master/minions` directory for accepted keys, `/etc/salt/pki/master/minions_pre` for pending (not yet accepted) keys, `/etc/salt/pki/master/minions_rejected` for rejected keys, and `/etc/salt/pki/master/minions_denied` for denied keys.
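Putting the accept workflow from DESCRIPTION and the directory layout above together, here is an added Python example (not part of Salt or of salt-key) that inventories the master's PKI tree and checks each pending key's fingerprint against a value obtained out of band before anything is handed to `salt-key -a`. The PKI root, the allowlist and the PEM blobs are constructed for the demo, and the fingerprint routine assumes Salt hashes the base64 body lines of the PEM file; confirm it against `salt-key -F` on your own master before trusting an exact match.

```python
"""Audit a Salt master's PKI tree and check pending keys against
fingerprints obtained out of band, before any `salt-key -a` is run.

Added illustration for this page; not part of Salt or of salt-key itself.
"""
import hashlib
import os
import tempfile

# Key directories under the master's PKI root (default /etc/salt/pki/master),
# as listed in KEY STORAGE.
KEY_DIRS = {
    "accepted": "minions",
    "pending": "minions_pre",
    "rejected": "minions_rejected",
    "denied": "minions_denied",
}


def pem_fingerprint(pem_text, hash_type="sha256"):
    """Colon-separated hex fingerprint of a PEM-encoded public key.

    ASSUMPTION: this mirrors how Salt derives the value shown by
    `salt-key -F` (hash the base64 body lines with header and footer
    dropped). Confirm against `salt-key -F` on a real master before
    relying on an exact match.
    """
    lines = [ln for ln in pem_text.splitlines(keepends=True) if ln.strip()]
    body = "".join(lines[1:-1]).encode()
    digest = hashlib.new(hash_type, body).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def list_keys(pki_root):
    """Map each key state to the sorted minion IDs found in its directory."""
    found = {}
    for state, subdir in KEY_DIRS.items():
        path = os.path.join(pki_root, subdir)
        found[state] = sorted(os.listdir(path)) if os.path.isdir(path) else []
    return found


def audit_pending(pki_root, expected):
    """Classify pending keys against out-of-band fingerprints.

    `expected` maps minion_id -> fingerprint relayed over a trusted channel
    (for instance read on the minion host itself). Only "accept" entries
    should ever be passed to `salt-key -a`; "mismatch" and "unexpected"
    are the cases that deserve investigation rather than a blind `-A`.
    """
    pending_dir = os.path.join(pki_root, KEY_DIRS["pending"])
    verdict = {"accept": [], "mismatch": [], "unexpected": []}
    for minion_id in list_keys(pki_root)["pending"]:
        with open(os.path.join(pending_dir, minion_id), encoding="ascii") as fh:
            finger = pem_fingerprint(fh.read())
        if minion_id not in expected:
            verdict["unexpected"].append(minion_id)
        elif finger == expected[minion_id]:
            verdict["accept"].append(minion_id)
        else:
            verdict["mismatch"].append(minion_id)
    return verdict


def fake_pem(body):
    """CONSTRUCTED placeholder PEM blob for the demo; not a real RSA key."""
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def build_demo_tree():
    """Create a throwaway PKI tree (constructed data) plus an allowlist for it."""
    root = tempfile.mkdtemp(prefix="salt-pki-demo-")
    for subdir in KEY_DIRS.values():
        os.makedirs(os.path.join(root, subdir))
    on_disk = {
        ("minions_pre", "web01"): fake_pem("QUJDREVGR0hJSktMTU5PUA=="),
        ("minions_pre", "db01"): fake_pem("WFlaMDEyMzQ1Njc4OUFCQw=="),
        ("minions_pre", "rogue99"): fake_pem("Um9ndWVLZXlCbG9i"),
        ("minions", "old01"): fake_pem("T2xkQWNjZXB0ZWQ="),
    }
    for (subdir, minion_id), pem in on_disk.items():
        with open(os.path.join(root, subdir, minion_id), "w", encoding="ascii") as fh:
            fh.write(pem)
    expected = {
        "web01": pem_fingerprint(fake_pem("QUJDREVGR0hJSktMTU5PUA==")),  # matches disk
        "db01": pem_fingerprint(fake_pem("RGlmZmVyZW50S2V5")),  # differs: key was swapped
        # rogue99 is absent on purpose: nobody provisioned it
    }
    return root, expected


if __name__ == "__main__":
    demo_root, allowlist = build_demo_tree()
    print("key inventory:", list_keys(demo_root))
    print("verdict:", audit_pending(demo_root, allowlist))
```

Point the functions at `/etc/salt/pki/master` (read access to that tree is root-only by default) and feed `audit_pending` the fingerprints your provisioning system recorded; only the IDs in the `accept` list are then passed to `salt-key -a`, one by one, which keeps `-A` and `-y` out of the loop entirely.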

EXIT CODES

`salt-key` returns 0 on success and a non-zero exit code on failure.

SEE ALSO

salt-master(1), salt-minion(1), salt(1)
