
Configuration of access to AWS services for salt-master/salt-minion


I have created a small study AWS infrastructure to learn SaltStack. There are three EC2 instances already running (master and two minions). One minion is IAM-role-less; one minion has a role that lets it access EC2 and S3 actions. (Role settings are purely for testing purposes.)

What I am trying to discover is how to configure salt-master (or salt-minion?) so it has access to AWS services. For now, I can access the second minion with SSH, and using boto3 I have access to EC2 and S3. But if I use the boto_ec2 execution module from salt-master => salt-minion, an access error occurs. I know that there are /etc/salt/cloud.providers and /etc/salt/cloud.profiles configurations that should be used. Most examples I saw were expecting that salt-minions will be created by salt, so I am a bit confused about how to do it with pre-existing instances.

So the question is: "What is the right and correct way to configure master and minions to be able to use the boto_ec2 module (or any other) from salt-master and orchestrate minions? Where and how should AWS credentials (keys) be set? Which config files have to be modified/added, and what commands have to be run? Instances are already up."

I have found this link: https://salt-cloud.readthedocs.org/en/latest/topics/aws.html but there are places where it says:

"The following settings are always required for EC2:"

# Set the EC2 login data
my-ec2-config:
  id: HJGRYCILJLKJYG
  key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn'
  keyname: test
  securitygroup: quick-start
  private_key: /root/test.pem
  provider: ec2

But it does not say where this config should be. On master/minion? Which file? And when I run the command:

# salt '*142*' boto_ec2.exists Master
: 'boto_ec2' __virtual__ returned False
ERROR: Minions returned with non-zero exit code

it's not working.
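Two things decide whether a `boto_ec2` call from the master can work on a given minion, and neither is the cloud.providers file: the module's `__virtual__` only loads when the boto library (>= 2.8.0) is importable on that minion, and the credentials it then uses come from `ec2.keyid` / `ec2.key` / `ec2.region` in the minion config (or pillar), falling back to boto's own chain, which ends at the instance's IAM role. The preflight below is an added example, not code from the question or from SaltStack; the sample minion config and key values are constructed, and the tiny `parse_flat_yaml` helper is an assumption that only the flat `key: value` lines matter here.

```python
"""Preflight for salt's boto_ec2 execution module on a minion (added example)."""
from __future__ import annotations

import re

BOTO_MIN = (2, 8, 0)  # boto_ec2 declares "depends: boto >= 2.8.0"

# Constructed sample: a minion config fragment as the questioner might write it.
# The key values are placeholders, not real credentials.
SAMPLE_MINION_CONFIG = """\
master: 10.0.0.10
id: minion-142
# explicit keys (constructed, not real credentials)
ec2.keyid: AKIAEXAMPLEEXAMPLE
ec2.key: 'examplesecret/notreal'
ec2.region: eu-central-1
"""


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Tiny parser for the flat 'key: value' lines a minion config uses here.
    It is NOT a YAML parser; nested structures are out of scope on purpose."""
    opts: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip().strip("'\"")
    return opts


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def boto_ec2_will_load(boto_version: str | None) -> bool:
    """Mirror of the module's __virtual__ gate. The question's
    "'boto_ec2' __virtual__ returned False" is this gate failing on the
    minion (no boto, or too old), not a credential problem: credentials are
    only touched once a function such as boto_ec2.exists actually runs."""
    return boto_version is not None and parse_version(boto_version) >= BOTO_MIN


def credential_source(minion_opts: dict[str, str], has_instance_role: bool) -> str:
    """Where boto_ec2 will get its keys, in the order it looks."""
    keyid, key = minion_opts.get("ec2.keyid"), minion_opts.get("ec2.key")
    if keyid and key:
        return "explicit keys in minion config"
    if keyid or key:
        return "misconfigured: only one of ec2.keyid / ec2.key is set"
    if has_instance_role:
        return "IAM instance profile via instance metadata"
    return "none: calls will fail with an auth error"


def preflight(config_text: str, boto_version: str | None, has_instance_role: bool) -> list[str]:
    """Return the findings worth knowing before copying keys onto a minion."""
    opts = parse_flat_yaml(config_text)
    findings = []
    if not boto_ec2_will_load(boto_version):
        findings.append("boto_ec2 will not load: install boto >= 2.8.0 on the minion")
    source = credential_source(opts, has_instance_role)
    findings.append(f"credential source: {source}")
    if source.startswith("explicit") and has_instance_role:
        findings.append("long-lived keys in /etc/salt/minion are redundant here: "
                        "drop ec2.keyid/ec2.key and let the instance role carry the access")
    if source.startswith("explicit") and "ec2.region" not in opts:
        findings.append("ec2.region is not set; calls default to us-east-1 unless region= is passed")
    return findings


if __name__ == "__main__":
    # The questioner's case: role-bearing minion, boto not installed yet.
    for line in preflight(SAMPLE_MINION_CONFIG, boto_version=None, has_instance_role=True):
        print(line)
```

Run it with the boto version reported by `python -c "import boto; print(boto.__version__)"` on the minion; on the role-bearing minion the cleanest fix is to install boto and leave `ec2.key`/`ec2.keyid` out of the minion config entirely, so no long-lived secret sits on disk.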


Solution

  • Bear in mind that cloud support is not integrated tightly inside SaltStack.

    How to do it with pre-existing instances: say you have 3 EC2 instances. S1 (salt master), M1 and M2 are where you want to deploy salt-minion.

    Method 1 : Install salt-cloud inside your salt master, use saltify method

    # filename : /etc/salt/cloud.providers.d/saltify-driver.conf
    # (salt-cloud reads its *.d directories under /etc/salt, not /etc)
    aws-saltify:
      minion:
        master: <ip_address_of_your_salt_master>
      driver: saltify

    # filename : /etc/salt/cloud.profiles.d/salt-minion.conf
    minion1:
      ssh_host: <M1-ip>
      ssh_username: <your_aws_instance_user_name>
      key_filename: "<full private_key_file path used to connect to minion1>"
      provider: aws-saltify

    minion2:
      ssh_host: <M2-ip>
      ssh_username: <your_aws_instance_user_name>
      key_filename: "<full private_key_file path used to connect to minion2>"
      provider: aws-saltify

    # run salt-cloud with the profile (-p); the positional argument becomes the minion id
    sudo salt-cloud -p minion1 <minion1-host-name>
    sudo salt-cloud -p minion2 <minion2-host-name>
    

    Fingers crossed that it works.

    Method 2 : Use salt-ssh

    IMPORTANT NOTE : salt.state.boto_ec2 is not complete under 2015.8.8 (March 2016). So you really cannot deploy salt-minion into those machines using boto_ec2; perhaps you may give boto_lc a try or wait for new features.

    # Create a folder just for salt-ssh deployment
    mkdir ~/saltme

    # master file for salt-ssh: ~/saltme/master
    # Use your full $HOME path; salt does not expand "~" in file_roots.
    # This must be the directory that holds top.sls and the state file below.
    file_roots:
      base:
        - /home/<you>/saltme

    # create a roster file: ~/saltme/roster
    my-bare-M1:
      host: <to-be-minion-1-host-ip-address>
      user: <ami-default-user>
      sudo: True

    my-bare-M2:
      host: <to-be-minion-2-host-ip-address>
      user: <ami-default-user>
      sudo: True

    # create your top file: ~/saltme/top.sls
    base:
      '*':
        - saltify-minion

    # create the state file: ~/saltme/saltify-minion.sls
    salt-minion:
      pkg.installed

    # Now, inside ~/saltme, run this against each to-be-minion EC2 instance
    # (-i ignores unknown host keys; --priv is the SSH private key for the instance)
    salt-ssh --roster-file roster --config-dir $HOME/saltme -i --priv saltminion-1.pem 'my-bare-M1' state.highstate

    salt-ssh --roster-file roster --config-dir $HOME/saltme -i --priv saltminion-1.pem 'my-bare-M2' state.highstate

    # Now accept the salt-minion keys on the master
    sudo salt-key -A
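The saltify method in the answer only fails part-way through an SSH session when a profile points at an undefined provider, a placeholder was left in, or the master cannot use the private key. The linter below is an added example, not code from the answer or from SaltStack; it takes the provider and profile files as already-loaded dicts (what `yaml.safe_load` would return), the sample setup and the throwaway key file are constructed, and it goes slightly beyond the answer by also checking that `key_filename` is an absolute, existing file readable only by its owner, since that key lets the master log into every minion.

```python
"""Lint a salt-cloud saltify provider/profile pair before running salt-cloud (added example)."""
import ipaddress
import os
import re
import stat
import tempfile

REQUIRED_PROFILE_KEYS = ("ssh_host", "ssh_username", "key_filename", "provider")
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def is_placeholder(value) -> bool:
    """'<M1-ip>'-style values copied straight from an example."""
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def key_file_findings(path: str) -> list:
    """The key is read by the master's salt-cloud process; it must stay private."""
    if not os.path.isabs(path):
        return [f"key_filename {path!r} must be an absolute path"]
    if not os.path.isfile(path):
        return [f"key_filename {path!r} does not exist on the master"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"key_filename {path!r} is group/world readable (mode {mode:04o}); chmod 600 it"]
    return []


def lint(providers: dict, profiles: dict) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for name, prov in providers.items():
        if prov.get("driver") != "saltify":
            findings.append(f"provider {name}: driver must be 'saltify'")
        master = (prov.get("minion") or {}).get("master")
        if not master or is_placeholder(master):
            findings.append(f"provider {name}: minion.master is not set")
    for name, prof in profiles.items():
        for key in REQUIRED_PROFILE_KEYS:
            if key not in prof:
                findings.append(f"profile {name}: missing {key}")
            elif is_placeholder(prof[key]):
                findings.append(f"profile {name}: {key} still holds placeholder {prof[key]!r}")
        prov = prof.get("provider")
        if prov and not is_placeholder(prov) and prov not in providers:
            findings.append(f"profile {name}: provider {prov!r} is not defined")
        host = prof.get("ssh_host")
        if isinstance(host, str) and not is_placeholder(host) and not valid_host(host):
            findings.append(f"profile {name}: ssh_host {host!r} is not an IP or hostname")
        key_file = prof.get("key_filename")
        if isinstance(key_file, str) and not is_placeholder(key_file):
            findings.extend(key_file_findings(key_file))
    return findings


def demo():
    """Lint a constructed setup twice: first with a world-readable key and a
    leftover placeholder, then after both are fixed. Returns both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "saltminion.pem")
        with open(key_path, "w") as fh:  # constructed stand-in, not a real key
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)
        providers = {"aws-saltify": {"driver": "saltify", "minion": {"master": "10.0.0.10"}}}
        profiles = {
            "minion1": {"ssh_host": "10.0.0.11", "ssh_username": "ec2-user",
                        "key_filename": key_path, "provider": "aws-saltify"},
            "minion2": {"ssh_host": "<M2-ip>", "ssh_username": "ec2-user",
                        "key_filename": key_path, "provider": "aws-saltify"},
        }
        before = lint(providers, profiles)
        os.chmod(key_path, 0o600)
        profiles["minion2"]["ssh_host"] = "10.0.0.12"
        after = lint(providers, profiles)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

Point `lint` at the dicts loaded from `/etc/salt/cloud.providers.d/` and `/etc/salt/cloud.profiles.d/` before the first `salt-cloud -p` run; a clean result does not prove SSH will succeed, but it removes the failures that are purely configuration.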