salt-key
Manage Salt minion keys
TLDR
List all accepted, unaccepted and rejected minion keys
Accept a minion key by name
Reject a minion key by name
Print fingerprints of all public keys
SYNOPSIS
salt-key [options]
PARAMETERS
-a, --accept=
Accept the specified minion-id key.
-A, --accept-all
Accept all pending keys.
-d, --delete=
Delete the specified minion-id key.
-D, --delete-all
Delete all keys (accepted, rejected, pending). Use with caution!
-r, --reject=
Reject the specified minion-id key.
-R, --reject-all
Reject all pending keys.
-l, --list
List all keys. Use with accepted, rejected, pending, all to filter the list.
-L, --list-all
List all keys (accepted, rejected, pending).
-p, --pending
Show pending keys only.
-P, --print=
Print the key for the specified minion-id.
-F, --finger
Display the fingerprint of the key.
-y, --yes
Answer yes to all questions (non-interactive mode).
-h, --help
Show help message and exit.
-g, --gen-keys=
Generate keys for the specified minion-id.
-f, --force
Force the operation. May override confirmations.
-q, --quiet
Suppress non-error output.
-c, --config-dir=
Specify the salt configuration directory.
DESCRIPTION
The `salt-key` command is a utility used to manage Salt minion keys on the Salt master. It allows you to accept, reject, delete, and pre-generate keys. Keys are used to authenticate minions with the master, ensuring secure communication. Without proper key management, a Salt environment is vulnerable to unauthorized access.
This command allows for interactive key management through the command line. It can also be used in automated scripting scenarios. Key management is crucial for maintaining the security and integrity of your Salt infrastructure. A common workflow involves minions requesting a key from the salt-master. The administrator of the master must then accept the key using this tool. Minions whose keys have not been accepted are not managed by the salt-master.
Understanding how to use `salt-key` is essential for any Salt administrator.
CAVEATS
Deleting all keys with `-D` is dangerous: it removes accepted, rejected, and pending keys alike. Ensure proper backups are in place before performing this action.
The `-y` flag disables prompts. This is useful for automation, but requires careful consideration as it bypasses confirmations for potentially destructive operations.
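An added example (not part of the original page or the Salt project's code) of the acceptance workflow from the DESCRIPTION, written with the `-y` caveat in mind: it accepts a single key non-interactively only after its fingerprint matches a value obtained out-of-band, for instance by running `salt-call --local key.finger` on the minion. The function names, the `SALT_KEY` override variable, the ID character allowlist, and the `<minion-id>:  <fingerprint>` line format expected from `salt-key --finger <id>` are assumptions.

```shell
#!/bin/sh
# Added example: accept one minion key only after its fingerprint has been
# checked against a trusted value. SALT_KEY (hypothetical variable) allows the
# command to be overridden; it defaults to the real salt-key binary.
SALT_KEY=${SALT_KEY:-salt-key}

# Lower-case a fingerprint and strip whitespace so formatting cannot cause
# a false mismatch.
normalize_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n'
}

# Read a fingerprint listing on stdin and print the value on the "<id>:" line.
# Assumed line format: "<minion-id>:  aa:bb:cc:..."
extract_fp() {
    awk -v id="$1" '$1 == (id ":") { print $2; exit }'
}

# Usage: accept_if_verified <minion-id> <expected-fingerprint>
# Returns 0 = accepted, 2 = id refused, 3 = no key found, 4 = mismatch.
accept_if_verified() {
    id=$1
    expected=$(normalize_fp "$2")
    # salt-key treats the id as a glob, so "web*" would accept many keys.
    # Only plain hostname characters are allowed here (assumed allowlist).
    case $id in
        ''|*[!A-Za-z0-9._-]*) echo "refusing id: $id" >&2; return 2 ;;
    esac
    actual=$("$SALT_KEY" --finger "$id" | extract_fp "$id")
    [ -n "$actual" ] || { echo "no key found for $id" >&2; return 3; }
    actual=$(normalize_fp "$actual")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $id: got $actual" >&2
        return 4
    fi
    # -y is safe here only because the fingerprint check has already passed.
    "$SALT_KEY" -y -a "$id"
}
```

A non-zero return means nothing was accepted, so a provisioning script can stop at that point and leave the key pending for manual review.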
KEY STORAGE
Salt keys are stored in the `/etc/salt/pki/master/minions` directory for accepted keys, `/etc/salt/pki/master/minions_pre` for pre-generated keys, `/etc/salt/pki/master/minions_rejected` for rejected keys, and `/etc/salt/pki/master/minions_denied` for denied keys.
EXIT CODES
`salt-key` returns 0 on success and a non-zero exit code on failure.
SEE ALSO
salt-master(1), salt-minion(1), salt(1)