Create a Self-Registering Relay with Chef

While our Nodes Guide walks you through setting up an individual relay, you might want to have a self-managed set of relays/gateways that will spin up and down without you needing to generate a token for each one. This Chef recipe will walk you through generating a reusable admin token, which you can reuse, that brings up its own relay or gateway token to register itself to your StrongDM organization.

Generating the Token

You can generate an admin token that has only one function: creating relay/gateway tokens. Do this in the Admin UI under Settings / Admin Tokens. Select Create under Relays then click the Create button. Copy the token that is printed to screen as you will need it later, and you cannot get it back.

For more detailed information on creating admin tokens, check out the admin token guide.

Create the Recipe

The recipe requires a folder structure like this:

strong-dm
├── recipes
│   └── default.rb
└── templates
    └── default
        └── init.sh.erb

There are two files in there, which we'll look at in turn.

default.rb

template '/usr/local/bin/sdm-init.sh' do
  source 'init.sh.erb'
  variables(
    myip: node['ec2']['local_ipv4'],
    admin_token: Chef::EncryptedDataBagItem.load('strongdm', 'admin-token')['content']
  )
  mode '0500'
  owner 'ubuntu'
  notifies :run, 'execute[sdm-init]', :immediately
  action :create_if_missing
end

execute 'sdm-init' do
  command '/usr/local/bin/sdm-init.sh'
  action :nothing
end

Note here that you'll need to have the admin token generated above located in a Chef encrypted data bag.

init.sh.erb

#!/bin/sh
sudo -i
cd /tmp
mkdir sdm
cd sdm
curl -J -O -L https://app.strongdm.com/releases/cli/linux
unzip *.zip

export SDM_ADMIN_TOKEN=<%= @admin_token %>
export SDM_RELAY_TOKEN=`./sdm relay create-gateway <%= @myip %>:5000 0.0.0.0:5000`
rm /root/.sdm/*
unset SDM_ADMIN_TOKEN
export SUDO_USER=ubuntu
export SUDO_UID=1000
export USERNAME=root
export USER=root
export HOME=/root
export LOGNAME=root
export SUDO_GID=1000
./sdm install --node

This script creates a gateway. To make a relay instead, change the SDM_RELAY_TOKEN line to ./sdm relay create.

Of note here:

Set the correct unprivileged user under SUDO_USER and SUDO_UID
Set the correct port for the gateway to listen on under SDM_RELAY_TOKEN.
You can optionally name the relay/gateway by adding the --name <name> flag to the sdm relay command.
If your organization uses a control plane located in a region other than the default, add a --region yourdomain flag to the install commands, such as:
```
./sdm install --region app.uk.strongdm.com --node --token=$SDM_RELAY_TOKEN --user $TARGET_USER
```

Verify Your New Node

Log into the Admin UI. In that section, the relay or gateway you created should appear with the online status and a heartbeat.

Last updated 5 months ago

Was this helpful?

hashtagGenerating the Token

hashtagCreate the Recipe

hashtagdefault.rb

hashtaginit.sh.erb

hashtagVerify Your New Node

Generating the Token

Create the Recipe

default.rb

init.sh.erb

Verify Your New Node