Werlis Blog

Ich hab' mein' Sach' auf Nichts gestellt. (Max Stirner)



pepper

Written by: Uwe Werler on
Tags:  #saltstack #pepper #salt-api

In my post about SaltStack external auth I wrote about how to configure the Salt master and CLI to use LDAP authentication. Wouldn’t it be neat to have remote access to Salt to run commands?
There’s a nice tool/library called pepper which fills this gap. It’s easy to install via pip:

pip3 install salt-pepper

To get nicely formatted output like with the salt CLI, make sure that the salt libs are installed (either by installing the package via pkg_add or via pip too). Make sure to add “~/.local/bin” to your PATH. Pepper talks to the salt API, so make sure you have configured it properly on the salt master server, e.g. in
/etc/salt/master.d/api.conf (I use tornado because it seems faster than rest_cherrypy):

rest_tornado:
  port: 8001
  address: 0.0.0.0
  backlog: 128
  disable_ssl: True # for testing only!
  ipc_mode: tcp

We also have to tell the API service to use “ipc_mode: tcp”; otherwise the API can’t talk to the master, which uses Unix sockets by default. Now enable and start the API daemon on the master server:

rcctl enable salt_api
rcctl start salt_api

Like with salt cli I’m quite lazy so I’ve created a ~/.pepperrc:

[main]
SALTAPI_URL=http://salt.my.domain:8001
SALTAPI_USER=uwe
SALTAPI_EAUTH=ldap

Pepper supports different profiles like “main”. You can also add additional profiles into the ini-like config. Now you should be able to obtain a session ticket with:

salt:~$ pepper -T salt.my.domain test.ping

It should give something like:

salt.my.domain:
 True

Unfortunately one has to use the “-T” switch to make use of the session token because there’s no config option to always use the token. When the salt-api service gets restarted, a new token is sometimes required; in that case, or in case of other token problems, simply remove the old one:

rm ~/.peppercache

Now have fun with your personalized remote access to your salt master.
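
An added check, not part of the original post or of pepper itself: because the test setup above uses “disable_ssl: True” and an http:// URL, this Python script audits a pepperrc for profiles that would send the LDAP password and session token without TLS, and checks that the token cache is not readable by other users. The “prod” profile and its password are constructed sample values, and the function names are hypothetical.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample: the post's "main" profile plus a hypothetical "prod" one.
SAMPLE_RC = """\
[main]
SALTAPI_URL=http://salt.my.domain:8001
SALTAPI_USER=uwe
SALTAPI_EAUTH=ldap

[prod]
SALTAPI_URL=https://salt.my.domain:8001
SALTAPI_USER=uwe
SALTAPI_PASS=example-password
SALTAPI_EAUTH=ldap
"""

def audit_pepperrc(text):
    """Return (profile, finding) tuples for risky settings in a pepperrc."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        opts = cp[profile]  # option names are matched case-insensitively
        url = opts.get("SALTAPI_URL")
        if url and urlsplit(url).scheme != "https":
            findings.append((profile, "password and token are sent without TLS"))
        if opts.get("SALTAPI_PASS"):
            findings.append((profile, "password stored in the rc file"))
    return findings

def cache_is_private(path):
    """True if the token cache is missing or accessible by its owner only."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return True
    return not mode & (stat.S_IRWXG | stat.S_IRWXO)

if __name__ == "__main__":
    for profile, finding in audit_pepperrc(SAMPLE_RC):
        print(f"[{profile}] {finding}")
    cache = os.path.expanduser("~/.peppercache")
    print("token cache private:", cache_is_private(cache))
```

To audit a real setup, pass the contents of ~/.pepperrc to audit_pepperrc() instead of the sample string.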