After you receive access to your SaltStack Config Cloud instance, you can connect your Salt masters to SaltStack Config Cloud. You can connect Salt masters that are on-premises or in the cloud.

Each Salt master must be authorized to connect to your SaltStack Config Cloud instance. To authorize your Salt master, you must generate an API token from your account page in the VMware Cloud Services Platform (CSP). Then you export the API token as an environment variable on your Salt master and run a command to connect your Salt master to SaltStack Config Cloud.

Before you start

  • You must have an existing Salt environment, consisting of one Salt master and at least one Salt minion. Each Salt minion must already be connected to a Salt master. See Install or upgrade Salt (pre-installation) for information about installing the Salt master and Salt minion services on your nodes.
  • You must install version 8.10.1.2 or later of the Master Plugin on each Salt master.
  • You must install the PyJWT and Pika Python libraries on your Salt master using the following commands:
    pip3 install pika==1.2.0
    pip3 install pyjwt==2.3.0
  • You must have the following CSP roles:
    • Organization role: Organization Owner or Organization Admin
    • Service role: Superuser for the SaltStack Config service in CSP
  • Set your default organization to the organization with access to the SaltStack Config Cloud service.

Generate an API token

Before you can connect your Salt master to SaltStack Config Cloud, you must generate an API token using the CSP console. This token is used to authenticate your Salt master with CSP.

To generate an API token:

  1. On the Cloud Services Console toolbar, click your user name and select My Account > API Tokens.
  2. Click Generate Token.

  3. Complete the form.

    1. Enter a name for the token.
    2. Select the token's Time to Live (TTL). The default duration is six months.
      Note: A non-expiring token can be a security risk if compromised. If this happens, you must revoke the token.
    3. Define scopes for the token.
      • Organization roles: Organization roles determine a user's access to the organization's resources. To access the SaltStack Config Cloud service, you must select the Organization Admin or Organization Owner roles.
      • Service roles: Service roles are built-in, pre-defined sets of permissions that grant access to VMware Cloud services. To access the SaltStack Config Cloud service, search for the SaltStack Config service, and select the Salt Master service role.
    4. (Optional) Set an email preference to receive a reminder when your token is about to expire.
    5. Click Generate.

      The newly generated API token appears in the Token Generated window.

  4. Save the token credentials to a secure location.

    After you generate the token, you will only be able to see the token's name on the API Tokens page, not the credentials. To regenerate the token, click Regenerate.

  5. Click Continue.

Connect your Salt master to SaltStack Config Cloud

After you generate an API token, you can use it to connect your Salt master to SaltStack Config Cloud.

To connect your Salt master:

  1. Log in to your Salt master and verify that the /etc/salt/master.d/raas.conf file exists.

    If it does not exist, you must install and configure the Master Plugin.

  2. In the Salt master's terminal, save your API token as an environment variable.
    export CSP_API_TOKEN=<api token value>
  3. If your Salt master is running version 8.9.0 or earlier of the Master Plugin, you must re-register your Salt master with SaltStack Config Cloud. See How do I reconnect Salt masters to SaltStack Config Cloud for more information.
  4. If your Salt master is running version 8.9.1 or later of the Master Plugin, run the following command to connect your Salt master to SaltStack Config Cloud, replacing the ssc-url and csp-url values with your region-specific URLs.
    sseapi-config join --ssc-url <SSC URL> --csp-url <CSP URL>
    Region name | SSC URL | CSP URL
    US | https://ssc-gateway.mgmt.cloud.vmware.com | https://console.cloud.vmware.com
    DE (Germany) | https://de.ssc-gateway.mgmt.cloud.vmware.com | https://console.cloud.vmware.com
    IN (India) | https://in.ssc-gateway.mgmt.cloud.vmware.com | https://console.cloud.vmware.com

    The following sample shows a successful response in the US region.

    2022-08-16 21:28:26 [INFO] SSEAPE joining SSC Cloud... v8.9.1.1 2022-08-16T15:28:12
    2022-08-16 21:28:26 [INFO] Retrieving CSP auth token.
    2022-08-16 21:28:27 [INFO] Creating new oauth app.
    2022-08-16 21:28:27 [INFO] Finished with oauth app [Salt Master App for master id:my-salt-master] in org [6bh70973-b1g2-716c-6i21-i9974a6gdc85].
    2022-08-16 21:28:29 [INFO] Added service role [saltstack:master] for oauth app [Salt Master App for master id:my-salt-master].
    2022-08-16 21:28:29 [INFO] Created pillar [CSP_AUTH_TOKEN].
    2022-08-16 21:28:29 [INFO] Updated master config. Please restart master for config changes to take effect.
    2022-08-16 21:28:29 [INFO] Updated master cloud.conf.
    2022-08-16 21:28:29 [INFO] Validating connectivity to SaltStack Cloud instance [https://ssc-gateway.mgmt.cloud.vmware.com]
    2022-08-16 21:28:29 [INFO] Successfully validated connectivity to SaltStack Cloud instance [https://ssc-gateway.mgmt.cloud.vmware.com]. Response: {'version': 'v8.9.0.5', 'vipVersion': '8.9.0'}
    2022-08-16 21:28:29 [INFO] Finished SSEAPE joining SSC Cloud... v8.9.1.1 2022-08-16T15:28:12
    
  5. Restart the Salt master service.
    systemctl restart salt-master
  6. Repeat this process for each Salt master.
Note: After you connect each Salt master to SaltStack Config Cloud, you can delete the API token. It is only required for connecting your Salt master to SaltStack Config Cloud.
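
One way to carry out steps 2 and 4 so that the API token never appears on a command line (and so in shell history) and is never exported in the login shell. This is an added example, not VMware's documented procedure: `join_master` and the `SSEAPI_CONFIG` override are hypothetical names, and it assumes `sseapi-config` reads `CSP_API_TOKEN` from its environment, as step 2 indicates.

```shell
#!/bin/sh
# Added example, not VMware tooling: run the join without putting the API
# token on a command line or leaving it exported in the login shell.
# join_master and SSEAPI_CONFIG are hypothetical names.

SSEAPI_CONFIG=${SSEAPI_CONFIG:-sseapi-config}   # override point for testing

join_master() {
    ssc_url=$1 csp_url=$2

    # Refuse anything but HTTPS endpoints such as those in the region table.
    for url in "$ssc_url" "$csp_url"; do
        case $url in
            https://?*) ;;
            *) echo "refusing non-HTTPS URL: '$url'" >&2; return 2 ;;
        esac
    done

    # Read the token from stdin; switch echo off when stdin is a terminal.
    if [ -t 0 ]; then
        printf 'CSP API token: ' >&2
        stty -echo; IFS= read -r token; stty echo; echo >&2
    else
        IFS= read -r token
    fi
    [ -n "$token" ] || { echo "no token supplied" >&2; return 1; }

    # A prefix assignment places CSP_API_TOKEN in the child's environment
    # only; the calling shell never exports it.
    CSP_API_TOKEN=$token "$SSEAPI_CONFIG" join --ssc-url "$ssc_url" --csp-url "$csp_url"
    rc=$?
    unset token
    return $rc
}

# Usage: sh join.sh <SSC URL> <CSP URL>   (the token is prompted for)
if [ $# -eq 2 ]; then
    join_master "$1" "$2"
fi
```
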

After you run the sseapi-config command, an OAuth app is created in your CSP organization for each Salt master. Salt masters use the OAuth app to get a CSP access token, which is appended to every request to SaltStack Config Cloud. You can view the details of the OAuth app by selecting Organization > OAuth Apps.

The command also creates pillar data called CSP_AUTH_TOKEN on the Salt master. Pillars are structures of data stored on the Salt master and passed through to one or more minions that have been authorized to access that data. The pillar data is stored in /srv/pillar/csp.sls and contains the client ID, the secret, your organization ID, and CSP URL.

Example pillar data:
CSP_AUTH_TOKEN:
   csp_client_id: kH8wIvNxMJEGGmk7uCx4MBfPswEw7PpLaDh
   csp_client_secret: ebH9iuXnZqUOkuWKwfHXPjyYc5Umpa00mI9Wx3dpEMlrUWNy95
   csp_org_id: 6bh70973-b1g2-716c-6i21-i9974a6gdc85
   csp_url: https://console.cloud.vmware.com

If you need to rotate your secret, you can re-run the sseapi-config join command.

To learn more about pillar data, see How do I create state files and pillar data.
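
Because /srv/pillar/csp.sls holds the OAuth client secret, a post-join check of that file is worth running on each Salt master. The script below is an added example, not part of VMware's tooling: `audit_csp_pillar` and `write_sample` are hypothetical helpers, the sample values are constructed placeholders, and it assumes the file should be accessible only to the account that owns it.

```shell
#!/bin/sh
# Added example, not VMware tooling: audit the pillar file written by
# `sseapi-config join` without printing the client secret.
# audit_csp_pillar and write_sample are hypothetical helper names.

audit_csp_pillar() {
    file=${1:-/srv/pillar/csp.sls}                   # path named on the page
    want_url=${2:-https://console.cloud.vmware.com}  # CSP URL from the region table
    rc=0
    [ -f "$file" ] || { echo "FAIL: $file not found"; return 2; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$file" | cut -c1-10)
    case $mode in
        ????------) echo "ok:   mode $mode is owner-only" ;;
        *) echo "FAIL: mode $mode grants group/other access to the client secret"; rc=1 ;;
    esac

    # All four fields the page lists must be present and non-empty.
    for key in csp_client_id csp_client_secret csp_org_id csp_url; do
        grep -Eq "^[[:space:]]+$key:[[:space:]]*[^[:space:]]" "$file" ||
            { echo "FAIL: $key missing or empty"; rc=1; }
    done

    # csp_url should be the CSP URL that was passed to the join command.
    got_url=$(sed -n 's/^[[:space:]]*csp_url:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$file" | head -n 1)
    [ "$got_url" = "$want_url" ] ||
        { echo "FAIL: csp_url is '$got_url', expected '$want_url'"; rc=1; }
    return $rc
}

# Constructed sample in the page's layout; every value is a placeholder.
write_sample() {
    cat > "$1" <<'EOF'
CSP_AUTH_TOKEN:
   csp_client_id: EXAMPLE-CLIENT-ID
   csp_client_secret: EXAMPLE-CLIENT-SECRET
   csp_org_id: 00000000-0000-0000-0000-000000000000
   csp_url: https://console.cloud.vmware.com
EOF
}

demo=$(mktemp) && write_sample "$demo"
chmod 644 "$demo"; audit_csp_pillar "$demo" || echo "=> rejected: readable by other users"
chmod 600 "$demo"; audit_csp_pillar "$demo" && echo "=> passed"
rm -f "$demo"
```

On a real master, call `audit_csp_pillar` with no arguments to check /srv/pillar/csp.sls against the default CSP URL.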

Accept the Salt master key

When the Salt master starts, it generates a public key file (unless you are using password authentication). The master starts running, but communication with SaltStack Config Cloud fails until the key is accepted.

To accept the Salt master key:

  1. Log in to the SaltStack Config user interface.
  2. From the top left navigation bar, click the Menu icon, then select Administration to access the Administration workspace. Click the Master Keys tab.
  3. From the side menu, click Pending to show a list of all pending master keys.

    If you do not see the master key, see Troubleshooting SaltStack Config Cloud.

  4. Check the box next to the master key to select it. Then, click Accept Key.
  5. After you accept the master key, an alert appears indicating you have pending keys to accept. To accept these minion keys, go to Minion Keys > Pending.
  6. Check the boxes next to your minions to select them. Then, click Accept key.
  7. Click Accept in the confirmation dialog.

The key is now accepted. After several seconds, the minion appears under the Accepted tab and in the Targets workspace.

You can verify that your Salt master and Salt minions are communicating by running a test.ping command in the SaltStack Config user interface. See Running an ad-hoc job from the Targets workspace for more information.

What's next

After you run a successful test.ping command, you can start using SaltStack Config Cloud to provision, configure, and deploy software to your virtual machines at any scale using event-driven automation.

You can also integrate SaltStack Config Cloud with Cloud Assembly to deploy Salt minions and state files using cloud templates.

The following table lists some helpful resources for more information.

To learn about... | See
Managing user access for SaltStack Config Cloud |
Integrating SaltStack Config Cloud with Cloud Assembly | Configure a SaltStack Config integration in vRealize Automation Cloud
Key features in SaltStack Config | Getting Started with SaltStack Config