SaltStack Support

Using Salt Cloud with AWS

Amazon EC2 is a very widely used public cloud platform and one of the core platforms Salt Cloud has been built to support.

The following example illustrates some of the options that can be set. These parameters are discussed in more detail below.

Setup the Amazon cloud provider file /etc/salt/cloud.providers.d/amazon.conf

# Note: This example is for /etc/salt/cloud.providers or any file in the
# /etc/salt/cloud.providers.d/ directory.

my_ec2:
  # Set up the location of the salt master
  #
  minion:
    master: saltmaster.example.com

  # Set the EC2 access credentials (see below)
  #
  id: HJGRYCILJLKJYG
  key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn'

  # Make sure this key is owned by root with permissions 0400.
  #
  private_key: /etc/salt/my_test_key.pem
  keyname: my_test_key
  securitygroup: default

  provider: ec2

Access Credentials

The id and key settings may be found in the Security Credentials area of the AWS Account page:

https://portal.aws.amazon.com/gp/aws/securityCredentials

Both are located in the Access Credentials area of the page, under the Access Keys tab. The id setting is labelled Access Key ID, and the key setting is labelled Secret Access Key.

Key Pairs

In order to create an instance with Salt installed and configured, a key pair will need to be created. This can be done in the EC2 Management Console, in the Key Pairs area. These key pairs are unique to a specific region. Keys in the us-east-1 region can be configured at:

https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs

Keys in the us-west-1 region can be configured at

https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs

...and so on. When creating a key pair, the browser will prompt to download a pem file. This file must be placed in a directory accessible by Salt Cloud, with permissions set to either 0400 or 0600.

Security Group

An instance on EC2 needs to belong to a security group. Like key pairs, these are unique to a specific region. These are also configured in the EC2 Management Console. Security groups for the us-east-1 region can be configured at:

https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups

...and so on.

A security group defines firewall rules which an instance will adhere to. If the salt-master is configured outside of EC2, the security group must open the SSH port (usually port 22) in order for Salt Cloud to install Salt.

Once the provider configuration file has been created you want to create a cloud instance profile.

Cloud Instance Profile

Set up an initial profile at /etc/salt/cloud.profiles:

micro_ubuntu_12_4_ec2:
 provider: amazon
 image: ami-a49665cc
 size: t1.micro
 ssh_username: ubuntu

micro_ubuntu_14_4_ec2:
 provider: amazon
 image: ami-018c9568
 size: t1.micro
 ssh_username: ubuntu

The profile can now be realized with a salt command:

# salt-cloud -p micro_ubuntu_12_4_ec2 ami.example.com
# salt-cloud -p micro_ubuntu_14_4_ec2 ami.example.com

This will create an instance named ami.example.com in EC2. The minion that is installed on this instance will have an id of ami.example.com. If the command was executed on the salt-master, its Salt key will automatically be signed on the master.

Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

# salt 'ami.example.com' test.ping

Related articles