Create a Self-Registering Relay with Chef

Last modified on October 4, 2023

While our Nodes Guide walks you through setting up an individual relay, you might want to have a self-managed set of relays/gateways that will spin up and down without you needing to generate a token for each one. This Chef recipe will walk you through generating a reusable admin token, which you can reuse, that brings up its own relay or gateway token to register itself to your StrongDM organization.

Generating the token

You can generate an admin token that has only one function: creating relay/gateway tokens. Do this in the Admin UI under Settings / Admin Tokens. Select Create under Relays then click the Create button. Copy the token that is printed to screen as you will need it later, and you cannot get it back.

Creating the recipe

The recipe requires a folder structure like this:

strong-dm
├── recipes
│   └── default.rb
└── templates
    └── default
        └── init.sh.erb

There are two files in there, which we’ll look at in turn.

default.rb

template '/usr/local/bin/sdm-init.sh' do
  source 'init.sh.erb'
  variables(
    myip: node['ec2']['local_ipv4'],
    admin_token: Chef::EncryptedDataBagItem.load('strongdm', 'admin-token')['content']
  )
  mode '0500'
  owner 'ubuntu'
  notifies :run, 'execute[sdm-init]', :immediately
  action :create_if_missing
end

execute 'sdm-init' do
  command '/usr/local/bin/sdm-init.sh'
  action :nothing
end

Note here that you’ll need to have the admin token generated above located in a Chef encrypted data bag.

init.sh.erb

#!/bin/sh
sudo -i
cd /tmp
mkdir sdm
cd sdm
curl -J -O -L https://app.strongdm.com/releases/cli/linux
unzip *.zip

export SDM_ADMIN_TOKEN=<%= @admin_token %>
export SDM_RELAY_TOKEN=`./sdm relay create-gateway <%= @myip %>:5000 0.0.0.0:5000`
rm /root/.sdm/*
unset SDM_ADMIN_TOKEN
export SUDO_USER=ubuntu
export SUDO_UID=1000
export USERNAME=root
export USER=root
export HOME=/root
export LOGNAME=root
export SUDO_GID=1000
./sdm install --relay

Of note here:

  • set the correct unprivileged user under SUDO_USER and SUDO_UID
  • set the correct port for the gateway to listen on under SDM_RELAY_TOKEN.
  • you can optionally name the relay/gateway by adding the --name <name> flag to the sdm relay command.

Verify your new relay/gateway

Log into the Admin UI. In that section, the relay or gateway you created should appear with the online status and a heartbeat.