Using SDB modules

There are a number of places where SDB modules can be used. Because SDB retrieval is built into the config.get function in the config execution module, the following locations can be used to set a value for a Minion:

• Minion configuration file
• Grains
• Pillars
• Master configuration file

SDB is also supported by Salt Cloud, so you can also set SDB URIs in:

• The main cloud configuration file
• Cloud profiles
• Cloud providers
• Cloud maps

Regardless of where you set an SDB URI, the format is the same:

<setting name>: sdb://<profile name>/<key>

This can be particularly useful with cloud providers, all of which require credentials, but many of which also use more complex configuration blocks that should be checked into revision control.

Take, for example, the openstack Cloud provider:

my-openstack-config:
  identity_url: https://keystone.example.com:35357/v2.0/
  compute_region: intermountain
  compute_name: Compute
  tenant: sdb://openstack_creds/tenant
  user: sdb://openstack_creds/username
  ssh_key_name: sdb://openstack_creds/keyname

In this organization, compute_region and compute_name are probably public. And identity_url certainly is (else, how would you authenticate?). But the other information should probably be kept hidden.

If you've ever set up OpenStack in Salt Cloud, you've probably used a number of other arguments as well, many of which are probably not sensitive. However, a complex configuration file should probably be kept in a revision control system. With SDB URIs, you can do so without having to worry about exposing the data that is sensitive.