The Minion Keys workspace is used to manage minion keys. A minion key allows encrypted communication between a Salt master and Salt minion. The workspace provides an overview of all minions filtered by their respective key states. On initial connection, a Salt minion sends its public key to the Salt master, which the Salt master can accept, reject, or deny.

The Minion Keys workspace is used to manage minion keys. A minion key allows encrypted communication between a Salt master and Salt minion. The workspace provides an overview of all minions filtered by their respective key states. On initial connection, a Salt minion sends its public key to the Salt master, which the Salt master can accept, reject, or deny.

Note:

SaltStack Config also provides the ability to manage Salt master keys.

On initial connection, a Salt minion sends its public key to the Salt master, which the Salt master can accept, reject, or deny. The minion keys workspace has three sections that sort and display keys by their current state:

Status Description
Accepted Key was accepted and the minion can communicate with the Salt master.
Pending Key is not accepted or denied. In this state, connections are not accepted from the minion and jobs are not executed.
Rejected Key was explicitly rejected using the Reject Key command. In this state, connections are not accepted from the minion and jobs are not executed.
Denied Key was rejected automatically by the Salt master. This occurs when a minion has a duplicate ID, or when a minion was rebuilt or had new keys generated and the previous key was not deleted from the Salt master. If this happens, delete the denied key to trigger key regeneration. In this state, connections are not accepted from the minion and jobs are not executed.

In the Minion Keys workspace, you can accept, reject, or delete minion keys. SaltStack Config also provides the ability to manage Salt master keys.

Before accepting a new minion key, you must first install the minion service on the node and configure it to communicate with the Salt master.

Deleting a minion key is useful for resetting a minion’s connection. For example, you might delete a minion key and then re-accept it.

See Overview for a description of the different key states.

Note: As part of VMware’s initiative to remove problematic terminology, the term Salt master will be replaced with a better term in SaltStack Config and related products and documentation. This terminology update may take a few release cycles before it is fully complete.

Accessing the Minion Keys workspace

To use the Minion Keys workspace, click Minion Keys in the side menu. Minion Keys expands to show the four different key states:

  • Accepted
  • Pending
  • Rejected
  • Denied

Select the state for the keys that you are interested in viewing or managing. See Overview for a description of the different key states.

Accepting a new minion key

Before you can accept a new minion key, you must first install the minion service on the new machine, and configure it to communicate with the Salt master. See Prerequisites to accepting keys for more information.

When a user logs in, the SaltStack Config user interface polls the server every 10 seconds for pending minion and Salt master keys. If a pending key is found, the Minions Key workspace displays the key as pending and alerts the user. These alerts are global, which means you are alerted as you are accessing any workspace in SaltStack Config, not just the Minions Key workspace.

Once a pending key is found, the user interface stops polling for that key type (minion or Salt master) for the duration of the user’s session.

To accept a new minion key:

  1. In the Minion Keys workspace, click Pending from the side panel.
  2. Check the box next to the minion key or keys you want to accept. Then, click Accept Key.
  3. Click Accept in the confirmation dialog.

The key is now accepted. After several seconds, the minion appears under the Accepted tab, and in the Minions Key workspace.

Note:

In a multi-Salt master scenario, you must accept keys on all Salt masters separately. For more on multi-Salt master configurations, see Multimaster Tutorial.

For more on configuring a multi-Salt master scenario with failover, see Multimaster Failover.

Rejecting minion keys

To reject minion keys:

  1. In the Minion Keys workspace on the side panel, click the key state for the key you want to reject. For example, if the key is currently pending, click Pending.
  2. Check the box next to the key or keys you want to reject. Then, click Reject Key.

The keys are now rejected and connections are not accepted from the minion.

Note:

The key appears under the Rejected tab after several seconds.

Deleting minion keys

To remove minion keys:

  1. In the Minion Keys workspace on the side panel, click the key state for the key you want to delete. For example, if the key is currently pending, click Pending.
  2. Select a key state in the left panel to locate the required keys.
  3. Select the keys you want to delete and click Delete Key.

The key is now deleted.

Note:

The key is removed after several seconds.

Searching for a minion

To find a specific minion:

  1. In the side menu under Minion Keys, click the key state of the key you are searching for. If you are unsure which key state the minion is in, you could either search different key states on the side panel or use the Targets workspace. See Minions for more information.
  2. Click the filter button filter-icon for the column you want to search.
  3. Start typing the search criteria to see the rows filter instantly. For example, you might search for a minion ID in the Minion column.
    Note:

    You can also click the column name once to sort the rows in descending order. Click again to reverse the order. See Filtering and sorting table columns for more information.

Filtering and sorting table columns

You can filter each column by selecting its filter icon filter-icon and typing your filter criteria. To clear a filter, click the Clear Filters button above the minions table.

You can also sort a column by selecting the column name. To customize which columns display in the table, click the Show columns button show-columns-icon in the lower left corner of the table.

Note:

Filters, column sorting, and column visibility settings are persistent for a given user, regardless of the device used to log in. This means that when a particular user logs in, he or she sees the same filtering, sorting, and visibility settings the next time he or she logs in until the filters are cleared or the sorting and visibility settings are changed.

Prerequisites to accepting keys

Before you can accept a new minion key, you must first complete the following on the node:

  • Install the minion service.
  • Configure the minion to communicate with the Salt master.

For more on minion installation, see Salt Installation Reference and follow instructions specific to the minion service. For more on minion configuration, see Minion Configuration Reference.