Pillar: secure per-minion data
Targeted, private configuration data.
Pillar is Salt’s system for secure, targeted, per-minion data. Where states are shared code, pillar is the private data those states consume — a database password, a per-environment setting, a license key — and critically, the master only sends a given pillar value to the minions entitled to it. So a secret in pillar for the db group never reaches web minions. Pillar is defined on the master and assembled via its own top file.
# pillar/top.sls — who gets what database:'db*':- db_secrets---# pillar/db_secrets.slsdb:password: 'S3cr3t!' # only db* minions receive thishost: 'db1.acme.internal'
db_config:file.managed:- name: /etc/app/db.conf- contents: |password={{ pillar['db']['password'] }}- show_changes: False # keep the secret out of the change output
Why pillar matters for security
Two properties make pillar the right home for sensitive config. It is targeted, so data is only delivered to the minions that need it (least exposure), and it is separate from state code, so your logic stays generic and reusable while the secrets and per-node values live in controlled data. Combined with encryption (the GPG renderer, later) pillar is how you keep secrets out of your state tree and out of the wrong minions.