Skip to main content
SaltStack Support

Securing credentials in your SaltStack Enterprise configuration


Starting in v6.1.0, SaltStack Enterprise offers the following options for storing credentials required by the Enterprise API:

How to store credentials

Storing credentials in an encrypted file

To store credentials in the encrypted file, run the following commands and follow the prompts:

$ sudo su - raas  # become the raas user
$ raas save_creds


Alternatively, to specify the credentials without interactive prompts, modify the second command to specify the credentials on the command line:

$ raas save_creds 'postgres={"username": "root", "password": "salt"}' 'redis={"password": "redis123"}'


Encrypted credentials are saved in /etc/raas/raas.secconf.


Note: if credentials appear in both /etc/raas/raas and /etc/raas/raas.secconf, the settings in the plaintext /etc/raas/raas take precedence.


Specifying the complete database URL

To use an environment variable, use the following configurations in /etc/raas/raas for sql or redis as needed:

  url: ENV   


Then in your environment, set the variable `DATABASE_URL`, for example:

  export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name
  url: ENV   


Then in your environment, set the corresponding variable `REDIS_URL`, for example:

  export REDIS_URL=redis://   

Saving credentials in plaintext

Saving credentials in the plaintext raas configuration file is less secure than the above options.
To save credentials in plaintext, in /etc/raas/raas, update the sql configuration to provide the username and password.
  username: salt_eapi
  password: abc123


Next, configure the location of your Redis server.

  url: redis://



  • Was this article helpful?