Securing credentials in your SaltStack Enterprise configuration

Article ID: 325827

Products

VMware Aria Suite

Issue/Introduction

SaltStack Enterprise offers the following options for storing credentials required by the Enterprise API:

Storing credentials in an encrypted file

To store credentials in the encrypted file, run the following commands and follow the prompts:

$ sudo su - raas  # become the raas user
$ raas save_creds

Alternatively, to specify the credentials without interactive prompts, modify the second command to specify the credentials on the command line:

$ raas save_creds 'postgres={"username": "root", "password": "salt"}' 'redis={"password": "redis123"}'

Encrypted credentials are saved in /etc/raas/raas.secconf.

Note: if credentials appear in both /etc/raas/raas and /etc/raas/raas.secconf, the settings in the plaintext /etc/raas/raas take precedence.

Specifying the complete database URL

To supply the complete connection URL through an environment variable instead of the configuration file, set url: ENV in /etc/raas/raas for sql or redis as needed:

SQL

     sql:
       url: ENV   

Then in your environment, set the variable `DATABASE_URL`, for example:

     export DATABASE_URL=postgres://user:secret@localhost:5432/raas_db_name

Redis

     redis:
       url: ENV

Then in your environment, set the corresponding variable `REDIS_URL`, for example (substitute your own password and host):

     export REDIS_URL='redis://:<password>@<redis-host>:6379'

Saving credentials in plaintext

Note: saving credentials in the plaintext raas configuration file is less secure than the above options.

To save credentials in plaintext, in /etc/raas/raas, update the sql configuration to provide the username and password.

sql:
  username: salt_eapi
  password: abc123

Next, configure the location of your Redis server (substitute your own password and host):

redis:
  url: redis://:<password>@<redis-host>:6379
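Because settings in the plaintext /etc/raas/raas take precedence over /etc/raas/raas.secconf, credentials left in the plaintext file are the ones used and stay readable on disk. The shell check below is an added example, not part of the original article or of the product: it flags plaintext passwords in a config file, assuming the simple two-level sql:/redis: layout shown on this page. The function name audit_raas_conf and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: flag plaintext credentials in a raas configuration file.
# Assumption: top-level "sql:" / "redis:" keys with indented "key: value"
# lines, as shown on this page. This is not a general YAML parser.

# audit_raas_conf FILE
# Prints one finding per line; returns 1 if any finding, 0 if the file is clean.
audit_raas_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        /^[^[:space:]]/ {                      # unindented line starts a section
            section = $0; sub(/:.*/, "", section); next
        }
        section == "sql" || section == "redis" {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            key = line; sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (key == "password" && val != "") {
                printf "%s.password: plaintext password\n", section; bad = 1
            } else if (key == "url" && val != "ENV" && val ~ "://[^/@]*:[^/@]+@") {
                # scheme://[user]:password@host means the secret is in the file
                printf "%s.url: password embedded in URL\n", section; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Audit the file given as an argument, otherwise a constructed sample.
if [ "$#" -gt 0 ]; then
    audit_raas_conf "$1" || echo "plaintext credentials found in $1"
else
    sample=$(mktemp)
    # Constructed sample input, not a real configuration.
    printf 'sql:\n  username: salt_eapi\n  password: constructed-pw\nredis:\n  url: ENV\n' > "$sample"
    audit_raas_conf "$sample" || echo "plaintext credentials found in sample"
    rm -f "$sample"
fi
```

Run it as the raas user with /etc/raas/raas as the argument after running raas save_creds; a clean result means no plaintext value in that file overrides the encrypted credentials.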

 


Environment

VMware Aria Automation Config 8.12.x