SALT-KEY(1)                          Salt                          SALT-KEY(1)

NAME
       salt-key - salt-key Documentation

SYNOPSIS
       salt-key [ options ]

DESCRIPTION
       Salt-key executes simple management of Salt server public keys used for
       authentication.

       On initial connection, a Salt minion sends its public key to the Salt
       master. This key must be accepted using the salt-key command on the
       Salt master.

       Salt minion keys can be in one of the following states:

       · unaccepted: key is waiting to be accepted.

       · accepted: key was accepted and the minion can communicate with the
         Salt master.

       · rejected: key was rejected using the salt-key command. In this state
         the minion does not receive any communication from the Salt master.

       · denied: key was rejected automatically by the Salt master. This
         occurs when a minion has a duplicate ID, or when a minion was rebuilt
         or had new keys generated and the previous key was not deleted from
         the Salt master. In this state the minion does not receive any
         communication from the Salt master.

       To change the state of a minion key, use -d to delete the key and then
       accept or reject the key.

OPTIONS
       --version
              Print the version of Salt that is running.

       --versions-report
              Show program's dependencies and version number, and then exit.

       -h, --help
              Show the help message and exit.

       -c CONFIG_DIR, --config-dir=CONFIG_DIR
              The location of the Salt configuration directory. This directory
              contains the configuration files for Salt master and minions.
              The default location on most systems is /etc/salt.

       -u USER, --user=USER
              Specify user to run salt-key.

       --hard-crash
              Raise any original exception rather than exiting gracefully.
              Default is False.

       -q, --quiet
              Suppress output.

       -y, --yes
              Answer 'Yes' to all questions presented. Defaults to False.

       --rotate-aes-key=ROTATE_AES_KEY
              Setting this to False prevents the master from refreshing the
              key session when keys are deleted or rejected; this lowers the
              security of the key deletion/rejection operation. Default is
              True.

   Logging Options
       Logging options which override any settings defined on the
       configuration files.

       --log-file=LOG_FILE
              Log file path. Default: /var/log/salt/minion.

       --log-file-level=LOG_LEVEL_LOGFILE
              Logfile logging log level. One of all, garbage, trace, debug,
              info, warning, error, quiet. Default: warning.

   Output Options
       --out
              Pass in an alternative outputter to display the return of data.
              This outputter can be any of the available outputters:
                 grains, highstate, json, key, overstatestage, pprint, raw,
                 txt, yaml

              Some outputters are formatted only for data returned from
              specific functions; for instance, the grains outputter will not
              work for non-grains data.

              If an outputter is used that does not support the data passed
              into it, then Salt will fall back on the pprint outputter and
              display the return data using the Python pprint standard library
              module.

              NOTE:
                 If using --out=json, you will probably want --static as well.
                 Without the static option, you will get a separate JSON
                 string per minion, which makes JSON output invalid as a whole.
                 This is due to using an iterative outputter. So if you want
                 to feed it to a JSON parser, use --static as well.

       --out-indent OUTPUT_INDENT, --output-indent OUTPUT_INDENT
              Print the output indented by the provided value in spaces.
              Negative values disable indentation. Only applicable in
              outputters that support indentation.

       --out-file=OUTPUT_FILE, --output-file=OUTPUT_FILE
              Write the output to the specified file.

       --out-file-append, --output-file-append
              Append the output to the specified file.

       --no-color
              Disable all colored output.

       --force-color
              Force colored output.

              NOTE:
                 When using colored output the color codes are as follows:

                 green denotes success, red denotes failure, blue denotes
                 changes and success, and yellow denotes an expected future
                 change in configuration.

       --state-output=STATE_OUTPUT, --state_output=STATE_OUTPUT
              Override the configured state_output value for minion output.
              One of 'full', 'terse', 'mixed', 'changes' or 'filter'. Default:
              'none'.

       --state-verbose=STATE_VERBOSE, --state_verbose=STATE_VERBOSE
              Override the configured state_verbose value for minion output.
              Set to True or False. Default: none.

   Actions
       -l ARG, --list=ARG
              List the public keys. The args pre, un, and unaccepted will list
              unaccepted/unsigned keys. acc or accepted will list
              accepted/signed keys. rej or rejected will list rejected keys.
              Finally, all will list all keys.

       -L, --list-all
              List all public keys. (Deprecated: use --list all)

       -a ACCEPT, --accept=ACCEPT
              Accept the specified public key (use --include-all to match
              rejected keys in addition to pending keys). Globs are supported.

       -A, --accept-all
              Accepts all pending keys.

       -r REJECT, --reject=REJECT
              Reject the specified public key (use --include-all to match
              accepted keys in addition to pending keys). Globs are supported.

       -R, --reject-all
              Rejects all pending keys.

       --include-all
              Include non-pending keys when accepting/rejecting.

       -p PRINT, --print=PRINT
              Print the specified public key.

       -P, --print-all
              Print all public keys.

       -d DELETE, --delete=DELETE
              Delete the specified key. Globs are supported.

       -D, --delete-all
              Delete all keys.

       -f FINGER, --finger=FINGER
              Print the specified key's fingerprint.

       -F, --finger-all
              Print all keys' fingerprints.

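The -f and -a actions can be combined so that a pending key is accepted only when its fingerprint matches one read out of band on the minion itself (for example with salt-call --local key.finger). The following is an added example, not part of the salt-key manual or the Salt project's code; the accept_verified function and the SALT_KEY override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Salt project). SALT_KEY is a hypothetical
# override so the location of the salt-key binary can be changed.
SALT_KEY="${SALT_KEY:-salt-key}"

# accept_verified MINION_ID EXPECTED_FINGERPRINT  (hypothetical helper)
# Returns 0 if the key was accepted, 1 on fingerprint mismatch or lookup
# failure, 2 if the arguments are refused.
accept_verified() {
    id="$1"
    expected="$2"
    [ -n "$id" ] && [ -n "$expected" ] || return 2

    # -f and -a support globs, so refuse anything but a literal minion ID;
    # otherwise "web*" could accept more keys than the one that was checked.
    case "$id" in
        *[!A-Za-z0-9._-]*)
            echo "refusing non-literal minion ID: $id" >&2
            return 2 ;;
    esac

    # Expect colon-separated hex, at least 16 bytes (47 characters) long.
    case "$expected" in
        *[!0-9A-Fa-f:]*) return 2 ;;
    esac
    [ "${#expected}" -ge 47 ] || return 2

    # Ask the master for the fingerprint of the key it holds for this ID.
    listing=$("$SALT_KEY" --no-color -f "$id" 2>/dev/null) || return 1

    # Require an exact, case-insensitive match on a whole output field,
    # so a truncated fingerprint never passes.
    if printf '%s\n' "$listing" | awk -v want="$expected" '
        BEGIN { want = tolower(want) }
        { for (i = 1; i <= NF; i++) if (tolower($i) == want) found = 1 }
        END { exit !found }'
    then
        # -y answers the confirmation prompt; -a accepts the pending key.
        "$SALT_KEY" -y -a "$id"
    else
        echo "fingerprint mismatch for $id; key not accepted" >&2
        return 1
    fi
}
```

Because -a without --include-all matches pending keys only, a key in the rejected or denied state is left untouched even when the fingerprint matches.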
   Key Generation Options
       --gen-keys=GEN_KEYS
              Set a name to generate a keypair for use with Salt.

       --gen-keys-dir=GEN_KEYS_DIR
              Set the directory to save the generated keypair. Only works
              with 'gen_keys_dir' option; default is the current directory.

       --keysize=KEYSIZE
              Set the keysize for the generated key. Only works with the
              '--gen-keys' option. The key size must be 2048 or higher;
              otherwise it will be rounded up to 2048. The default is 2048.

       --gen-signature
              Create a signature file of the master's public-key named
              master_pubkey_signature. The signature can be sent to a minion in
              the master's auth-reply and enables the minion to verify the
              master's public-key cryptographically. This requires a new
              signing-key-pair which can be auto-created with the --auto-create
              parameter.

       --priv=PRIV
              The private-key file to create a signature with.

       --signature-path=SIGNATURE_PATH
              The path where the signature file should be written.

       --pub=PUB
              The public-key file to create a signature for.

       --auto-create
              Auto-create a signing key-pair if it does not yet exist.

SEE ALSO
       salt(7) salt-master(1) salt-minion(1)

AUTHOR
       Thomas S. Hatch <thatch45@gmail.com> and many others, please see the
       Authors file

2019.2.0                         Jan 08, 2019                      SALT-KEY(1)