Skip to main content
SaltStack Support

Securing credentials in your SaltStack Enterprise configuration

Overview

Starting in v6.1.0, SaltStack Enterprise offers the following options for storing credentials required by the Enterprise API:

How to store credentials

Storing credentials in an encrypted file

To store credentials in the encrypted file, run the following commands and follow the prompts:

$ sudo su - raas  # become the raas user
$ raas save_creds

 

Alternatively, to specify the credentials without interactive prompts, modify the second command to specify the credentials on the command line:

$ raas save_creds 'postgres={"username": "root", "password": "salt"}' 'redis={"password": "redis123"}'

 

Encrypted credentials are saved in /etc/raas/raas.secconf.

 

Note: if credentials appear in both /etc/raas/raas and /etc/raas/raas.secconf, the settings in the plaintext /etc/raas/raas take precedence.

 

Specifying the complete database URL

To use an environment variable, use the following configurations in /etc/raas/raas for sql or redis as needed:

SQL
sql:
  url: ENV   

 

Then in your environment, set the variable `DATABASE_URL`, for example:

  export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name
 Redis
redis:
  url: ENV   

 

Then in your environment, set the corresponding variable `REDIS_URL`, for example:

  export REDIS_URL=redis://:secret@example.com:6379   

Saving credentials in plaintext

Saving credentials in the plaintext raas configuration file is less secure than the above options.
To save credentials in plaintext, in /etc/raas/raas, update the sql configuration to provide the username and password.
sql:
  username: salt_eapi
  password: abc123

 

Next, configure the location of your Redis server.

redis:
  url: redis://:secret@example.com:6379

 

 

  • Was this article helpful?