Standard Install SaltStack Config Integration with vRA

In the previous post I discussed the SaltStack Config Standard Install. This is the recommended manual installation method for production environments. The standard install gives you a standalone SaltStack Config environment, as opposed to the vRealize Lifecycle Manager installation, where you get a fully integrated SaltStack Config environment. What does integrated mean in this case? It means SaltStack Config is connected to vRealize Automation and Workspace ONE Access. This integration allows you to set the appropriate access rights and to seamlessly log in to SaltStack Config from vRealize Automation. It also lets you configure your Cloud Templates for use with SaltStack Config. None of this is done automatically when doing a standard install of SaltStack Config. In this post I will go through the steps to do the integration between SaltStack Config and vRealize Automation and Workspace ONE Access.

vRA Integration

Let’s start with the easy part. After you install the SaltStack environment you can directly integrate it with Cloud Assembly in vRA. To do this navigate to Cloud Assembly->Infrastructure->Connections->Integrations->Add Integration. Click on the SaltStack tile.

Fill out the details needed. Make sure to use the RaaS/eAPI node as Hostname. After filling in the username and password click Validate; if all is green, click Save.

A short word on the Running environment parameter. This is only needed if you plan to use the SaltStack Config resource element in your Cloud Templates. There is still the option to use the older way, by adding the SaltStack configuration to your Cloud Template through the SaltConfiguration property group. Starting from vRA 8.8, using the SaltStack Config resource element (and the Running environment) is the recommended way. More information can be found here.

Full integration with vRA and Workspace ONE Access

Now we continue with the hard(er) part. This is where we integrate the SaltStack Config environment with vRA and WS1A. The tricky part is that this is only possible through the SaltStack Config API. For that reason I suggest installing an application like Postman so you can make these REST API calls easily.

First we have to log in to the vRA appliance through SSH so we can run a vracli command from the command line. This command registers and creates the OAuth client in Workspace ONE Access.

For this we need two things.

Tenant ID:

This can be retrieved from vRA. After logging in to vRA, look at the top right corner: it should display your account name and the organization name. In my case this is “VIDM-L-01A“.

RaaS Hostname:

This is the FQDN of your RaaS appliance. In my case this is “raas-01a.corp.local“.

Now we can run this command:

vracli ssc register --tenant VIDM-L-01A --host raas-01a.corp.local

Which should return something like this:

{
  "tenant": "vidm-l-01a",
  "sscHost": "https://raas-01a.corp.local",
  "clientId": "ssc-zmqCUzsOEV",
  "clientSecret": "jZHtkO12IN"
}

Next we have to gather some more information so we can prepare for the final step.

vRA URL:

This is the URL of your vRA environment. In my case this is “https://vra-l-01a.corp.local/“.

OrgID:

This can also be retrieved from vRA. In the top right click on your name and select View Organization. On the next screen copy the Long Organization ID. In my case this is “ca620954-ed8a-4d4a-85c9-df431ca69079“.

clientID:

You just got this from the vracli ssc command. In my case this is “ssc-zmqCUzsOEV“.

clientSecret:

You just got this from the vracli ssc command. In my case this is “jZHtkO12IN“.

Redirect URI:

For this you need to log in to Workspace ONE Access and go to Administration Console->Catalog->Settings->Remote App Access and find the newly created OAuth client (ssc-zmqCUzsOEV). Click on the client and there you will see the redirect URI. In my case this is “https://raas-01a.corp.local/identity/api/core/authn/csp“.

Now that we have all this information we can start crafting the JSON body we are going to send to the SaltStack Config REST API.

{
  "resource": "admin",
  "method": "save_vra_params",
  "kwarg": {
    "url": "https://vra-l-01a.corp.local",
    "extra_params": {
      "tenantId": "VIDM-L-01A",
      "orgId": "ca620954-ed8a-4d4a-85c9-df431ca69079",
      "clientId": "ssc-zmqCUzsOEV",
      "clientSecret": "jZHtkO12IN",
      "redirectUri": "https://raas-01a.corp.local/identity/api/core/authn/csp"
    }
  }
}

The final step is to make the appropriate call to the SaltStack REST API. I will be using Postman, which I have prepared with a SaltStack Config collection. Set up the collection with username root and the root password. After that we can authenticate with SaltStack Config. For this I use the GET XsrfToken() method, which is also included in the collection. If all goes well you should be able to obtain an XsrfToken, and we can move on to the configuration using the JSON body we just created.

To send the configuration to SaltStack Config we use the POST save_vra_params() method and the JSON body we just created. Note that the URI is https://raas-01a.corp.local/rpc.
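For those who prefer a script over Postman, here is the same two-step flow (authenticate, then POST the body to /rpc) as an added example; it is not code from the original post or from VMware. The /rpc URI and the body layout are taken from the post. The login details (GET /account/login to pick up the _xsrf cookie, POST /account/login with username, password and config_name, the X-Xsrftoken header) and the RAAS_ROOT_PASSWORD variable name are my assumptions about the RaaS API and should be checked against your version. The two sanity checks in build_save_vra_params are also mine: a redirectUri whose host does not match the RaaS host registered in WS1A, or an orgId that is not the Long Organization ID, is rejected before anything is sent.

```python
"""Submit admin.save_vra_params to a SaltStack Config (RaaS) server without Postman."""
import http.cookiejar
import json
import os
import urllib.request
import uuid
from urllib.parse import urlparse

# Constructed sample of the `vracli ssc register` output shown in the post.
VRACLI_OUTPUT = """{
  "tenant": "vidm-l-01a",
  "sscHost": "https://raas-01a.corp.local",
  "clientId": "ssc-zmqCUzsOEV",
  "clientSecret": "jZHtkO12IN"
}"""


def parse_vracli_output(text: str) -> dict:
    """Parse the JSON printed by `vracli ssc register` and check the keys we need exist."""
    data = json.loads(text)
    missing = [k for k in ("tenant", "sscHost", "clientId", "clientSecret") if k not in data]
    if missing:
        raise ValueError(f"vracli output is missing keys: {missing}")
    return data


def build_save_vra_params(vra_url: str, tenant_id: str, org_id: str, client_id: str,
                          client_secret: str, redirect_uri: str, raas_host: str) -> dict:
    """Build the /rpc body for admin.save_vra_params (layout from the post).

    Added checks: orgId must be a UUID (the form of vRA's Long Organization ID) and the
    redirectUri host must be the RaaS host WS1A registered, otherwise SSO breaks silently.
    """
    uuid.UUID(org_id)  # raises ValueError if this is not the Long Organization ID
    redirect_host = urlparse(redirect_uri).hostname
    if redirect_host != raas_host:
        raise ValueError(f"redirectUri host {redirect_host!r} != RaaS host {raas_host!r}")
    return {
        "resource": "admin",
        "method": "save_vra_params",
        "kwarg": {
            "url": vra_url.rstrip("/"),  # the post's body has no trailing slash
            "extra_params": {
                "tenantId": tenant_id,
                "orgId": org_id,
                "clientId": client_id,
                "clientSecret": client_secret,
                "redirectUri": redirect_uri,
            },
        },
    }


def raas_login(raas_url: str, username: str, password: str):
    """Authenticate to RaaS; returns (opener, xsrf_token). Endpoint and header names are ASSUMED."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(f"{raas_url}/account/login").close()  # GET: server sets the _xsrf cookie
    xsrf = next(c.value for c in jar if c.name == "_xsrf")
    creds = {"username": username, "password": password, "config_name": "internal"}
    req = urllib.request.Request(
        f"{raas_url}/account/login",
        data=json.dumps(creds).encode(),
        headers={"Content-Type": "application/json", "X-Xsrftoken": xsrf},
        method="POST",
    )
    opener.open(req).close()
    return opener, xsrf


def rpc_call(raas_url: str, opener, xsrf: str, body: dict) -> dict:
    """POST a body to <raas>/rpc, the URI named in the post, and return the JSON reply."""
    req = urllib.request.Request(
        f"{raas_url}/rpc",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-Xsrftoken": xsrf},
        method="POST",
    )
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    reg = parse_vracli_output(VRACLI_OUTPUT)
    raas_host = urlparse(reg["sscHost"]).hostname
    body = build_save_vra_params(
        vra_url="https://vra-l-01a.corp.local/",
        tenant_id="VIDM-L-01A",
        org_id="ca620954-ed8a-4d4a-85c9-df431ca69079",
        client_id=reg["clientId"],
        client_secret=reg["clientSecret"],
        redirect_uri=f"https://{raas_host}/identity/api/core/authn/csp",
        raas_host=raas_host,
    )
    # RAAS_ROOT_PASSWORD is an assumed environment variable name; never hard-code the root password.
    opener, xsrf = raas_login(reg["sscHost"], "root", os.environ["RAAS_ROOT_PASSWORD"])
    print(json.dumps(rpc_call(reg["sscHost"], opener, xsrf, body), indent=2))
```

urllib verifies the RaaS TLS certificate by default; if your lab RaaS uses a self-signed certificate, add its CA to the system trust store rather than disabling verification, since the body carries the OAuth client secret.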

This was the final step of setting up the full integration between a standard SaltStack Config installation and vRealize Automation and Workspace ONE Access.

Roles and SSO now that we have an integrated solution

Now that we have integrated all products we are able to manage who has access to SaltStack Config through vRA. Go to Identity and Access Management in vRA and set up your users and groups with access to SaltStack Config, like I did here for the Salt Admin user:

This user is now able to switch between vRA and SaltStack Config the same way as he can switch between Cloud Assembly and Service Broker.

Note: If you are updating your own roles (the user you are logged in with) you have to completely sign out of vRA/WS1A and close your browser for the permissions to work within SaltStack Config.

There is a caveat though

Normally you are able to log in to SaltStack Config with a local user; by default this is ‘salt’. Once you integrate with Workspace ONE Access you lose the option to log in locally. There is also no magic or secret URL that you can use to force a local login (at least I haven’t found it yet).

Conclusion

That wraps it up. Now you know how to integrate vRealize Automation, Workspace ONE Access and SaltStack Config in a non-vRealize Lifecycle Manager situation, after you have set up SaltStack Config with the standard installation.
