Using Salt Cloud with AWS
Amazon EC2 is a very widely used public cloud platform and one of the core platforms Salt Cloud has been built to support.
The following example illustrates some of the options that can be set. These parameters are discussed in more detail below.
Set up the Amazon cloud provider file /etc/salt/cloud.providers.d/amazon.conf:
# Note: This example is for /etc/salt/cloud.providers or any file in the
# /etc/salt/cloud.providers.d/ directory.

my_ec2:
  # Set up the location of the salt master
  #
  minion:
    master: saltmaster.example.com

  # Set the EC2 access credentials (see below)
  #
  id: HJGRYCILJLKJYG
  key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn'

  # Make sure this key is owned by root with permissions 0400.
  #
  private_key: /etc/salt/my_test_key.pem
  keyname: my_test_key
  securitygroup: default
  provider: ec2
Access Credentials
The id and key settings may be found in the Security Credentials area of the AWS Account page:
https://portal.aws.amazon.com/gp/aws/securityCredentials
Both are located in the Access Credentials area of the page, under the Access Keys tab. The id setting is labelled Access Key ID, and the key setting is labelled Secret Access Key.
Key Pairs
In order to create an instance with Salt installed and configured, a key pair will need to be created. This can be done in the EC2 Management Console, in the Key Pairs area. These key pairs are unique to a specific region. Keys in the us-east-1 region can be configured at:
https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs
Keys in the us-west-1 region can be configured at:
https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs
...and so on. When creating a key pair, the browser will prompt to download a pem file. This file must be placed in a directory accessible by Salt Cloud, with permissions set to either 0400 or 0600.
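As an added example (not part of the Salt documentation), the following shell functions check that every private_key named in a provider file meets the ownership and permission requirements described above. The function names are hypothetical, and the script assumes GNU stat on Linux and a plain "private_key: /path" line in the provider file.

```shell
#!/bin/sh
# Added example, not part of the Salt Cloud documentation. Assumes GNU stat
# (Linux) and a plain "private_key: /path" line with no trailing comment.

# Print every private_key path found in a provider config file.
provider_key_paths() {
    sed -n -e 's/[[:space:]]*$//' \
        -e 's/^[[:space:]]*private_key:[[:space:]]*//p' "$1" | tr -d "\"'"
}

# check_key_perms FILE [UID]: succeed only if FILE is a regular file owned
# by UID (default 0, root) with mode exactly 400 or 600.
check_key_perms() {
    local file="$1" uid="${2:-0}" mode owner
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing or not a regular file" >&2
        return 1
    fi
    # -L follows symlinks so the key file itself is inspected.
    mode=$(stat -L -c '%a' "$file") || return 1
    owner=$(stat -L -c '%u' "$file") || return 1
    case "$mode" in
        400|600) ;;
        *) echo "FAIL: $file has mode $mode, expected 400 or 600" >&2
           return 1 ;;
    esac
    if [ "$owner" != "$uid" ]; then
        echo "FAIL: $file is owned by uid $owner, expected $uid" >&2
        return 1
    fi
    echo "OK: $file (mode $mode, uid $owner)"
}

# check_provider_keys CONF [UID]: check every key the provider file names.
# Fails if any key fails the check or if no private_key is configured.
check_provider_keys() {
    local conf="$1" uid="${2:-0}" paths path rc=0 seen=0
    paths=$(provider_key_paths "$conf")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        seen=1
        check_key_perms "$path" "$uid" || rc=1
    done <<EOF
$paths
EOF
    [ "$seen" -eq 1 ] || { echo "FAIL: no private_key in $conf" >&2; rc=1; }
    return "$rc"
}
```

After sourcing the functions, run check_provider_keys /etc/salt/cloud.providers.d/amazon.conf as root before the first salt-cloud run; a non-zero exit status means at least one key file needs its owner or mode corrected.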
Security Group
An instance on EC2 needs to belong to a security group. Like key pairs, these are unique to a specific region. These are also configured in the EC2 Management Console. Security groups for the us-east-1 region can be configured at:
https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups
...and so on.
A security group defines firewall rules which an instance will adhere to. If the salt-master is configured outside of EC2, the security group must open the SSH port (usually port 22) in order for Salt Cloud to install Salt.
Once the provider configuration file has been created, the next step is to create a cloud instance profile.
Cloud Instance Profile
Set up an initial profile at /etc/salt/cloud.profiles:
micro_ubuntu_12_4_ec2:
  # provider must match the name defined in the provider file (my_ec2)
  provider: my_ec2
  image: ami-a49665cc
  size: t1.micro
  ssh_username: ubuntu

micro_ubuntu_14_4_ec2:
  provider: my_ec2
  image: ami-018c9568
  size: t1.micro
  ssh_username: ubuntu
An instance can now be created from either profile with the salt-cloud command:
# salt-cloud -p micro_ubuntu_12_4_ec2 ami.example.com
# salt-cloud -p micro_ubuntu_14_4_ec2 ami.example.com
This will create an instance named ami.example.com in EC2. The minion that is installed on this instance will have an id of ami.example.com. If the command was executed on the salt-master, its Salt key will automatically be signed on the master.
Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:
# salt 'ami.example.com' test.ping