Edit vault integration configuration via Edge CLI
Important: This feature is available only in the latest UI.
You can inspect and update the configuration of your vault integration and rotate the vault credentials using the Edge CLI tool.
Available vaults
You can use a vault to add your data source information to your site connection. The vaults you can configure are:
- AWS Secrets Manager
- Azure Key Vault
- CyberArk Vault
- Google Secret Manager
- HashiCorp Vault
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
```shell
sudo ./edgecli vault update cyber tls <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath>
```

```shell
./edgecli vault update cyber tls <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<appId> (required) | The application ID configured on the CyberArk server. |
<url> (required) | The URL of your CyberArk Vault. |
<caPath> (required) | The file containing the Certificate Authority certificate. It must be in X.509 format (PEM encoded). |
<certPath> (required) | The file containing the client certificate. It must be in X.509 format (PEM encoded). |
<keyPath> (required) | The file containing the client private key. It must be in PKCS#8 format (PEM encoded). |

Example:

```shell
sudo ./edgecli vault update cyber tls "Edge CyberArk Vault mTLS" \
  --appId "edge" \
  --caPath "./certs/ca.crt" \
  --certPath "./certs/aimws.crt" \
  --keyPath "./certs/aimws-pkcs8.key"
```
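The table above constrains inputs that the CLI only rejects once the update is attempted: the vault name rule, the 150-character description limit, and the PEM encodings required for --caPath, --certPath and --keyPath (X.509 for the certificates, PKCS#8 for the key). The following pre-flight script is an added example, not part of Collibra's Edge CLI; it assumes the name is used as a Kubernetes label value (so the 63-character and alphanumeric-first/last-character limits apply) and uses constructed placeholder PEM blocks rather than real certificates or keys. The name and description checks apply to every vault variant on this page, not only the CyberArk mTLS one.

```python
"""Pre-flight checks for the inputs of `edgecli vault update cyber tls`.

Added example, not Collibra's code. It applies the constraints this page
states (vault name rule, 150-character description limit, X.509 PEM for
--caPath/--certPath, PKCS#8 PEM for --keyPath) before the CLI is run.
Assumption: the name becomes a Kubernetes label value, so the label-value
syntax (at most 63 characters, alphanumeric first and last character) applies.
"""
import base64
import re
import shlex

NAME_CHARS = re.compile(r"[A-Za-z0-9._-]+")
MAX_NAME_LEN = 63    # Kubernetes label-value limit (assumption, see docstring)
MAX_DESC_LEN = 150   # limit stated on this page

# PEM labels accepted per file flag. A PKCS#8 key is labelled "PRIVATE KEY";
# "RSA PRIVATE KEY" / "EC PRIVATE KEY" are the older PKCS#1 / SEC1 forms and
# are reported together with the openssl command that converts them.
ACCEPTED_LABELS = {
    "--caPath": {"CERTIFICATE"},
    "--certPath": {"CERTIFICATE"},
    "--keyPath": {"PRIVATE KEY"},
}
LEGACY_KEY_LABELS = ("RSA PRIVATE KEY", "EC PRIVATE KEY")
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def validate_name(name: str) -> list:
    """Return the rule violations for a vault instance name (empty list if valid)."""
    if not name:
        return ["name is empty"]
    problems = []
    if any(c.isspace() for c in name):
        problems.append("name contains whitespace")
    elif not NAME_CHARS.fullmatch(name):
        problems.append("name may only contain letters, digits, '-', '_' and '.'")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name longer than {MAX_NAME_LEN} characters")
    if not (name[0].isalnum() and name[-1].isalnum()):
        problems.append("name must start and end with a letter or digit")
    return problems


def pem_labels(text: str) -> list:
    """Return the labels of all PEM blocks in text; raise ValueError on a non-base64 body."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True makes b64decode reject characters outside the base64 alphabet
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels


def check_pem(flag: str, text: str) -> list:
    """Return violations for the file contents passed to flag (a key of ACCEPTED_LABELS)."""
    try:
        labels = pem_labels(text)
    except ValueError:
        return [f"{flag}: PEM body is not valid base64"]
    if not labels:
        return [f"{flag}: no PEM block found (file must be PEM encoded, not DER)"]
    bad = [label for label in labels if label not in ACCEPTED_LABELS[flag]]
    if not bad:
        return []
    if flag == "--keyPath" and bad[0] in LEGACY_KEY_LABELS:
        return [f"{flag}: {bad[0]} is not PKCS#8; convert with "
                "'openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem'"]
    return [f"{flag}: expected {sorted(ACCEPTED_LABELS[flag])}, found {bad}"]


def preflight(name: str, desc, pem_by_flag: dict) -> list:
    """Collect every violation up front; pem_by_flag maps a flag to that file's contents."""
    problems = validate_name(name)
    if desc is not None and len(desc) > MAX_DESC_LEN:
        problems.append(f"description longer than {MAX_DESC_LEN} characters")
    for flag, text in pem_by_flag.items():
        problems += check_pem(flag, text)
    return problems


def build_cyber_tls_command(name, app_id, url, ca_path, cert_path, key_path,
                            desc=None, sudo=True) -> list:
    """Assemble the argv for the command in either of the two forms shown on this page."""
    argv = (["sudo"] if sudo else []) + ["./edgecli", "vault", "update", "cyber", "tls", name]
    if desc is not None:
        argv += ["--desc", desc]
    argv += ["--appId", app_id, "--url", url,
             "--caPath", ca_path, "--certPath", cert_path, "--keyPath", key_path]
    return argv


# Constructed sample inputs (placeholder base64 payloads, not real credentials).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
SAMPLE_PKCS8 = "-----BEGIN PRIVATE KEY-----\nMIIB\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    files = {"--caPath": "./certs/ca.crt", "--certPath": "./certs/aimws.crt",
             "--keyPath": "./certs/aimws-pkcs8.key"}
    # In real use read each path in `files`; here the contents are the constructed samples.
    contents = {"--caPath": SAMPLE_CERT, "--certPath": SAMPLE_CERT, "--keyPath": SAMPLE_PKCS1}
    for problem in preflight("edge-cyberark-mtls", None, contents):
        print("preflight:", problem)   # the PKCS#1 sample key is reported here
    print(shlex.join(build_cyber_tls_command(
        "edge-cyberark-mtls", "edge", "https://cyberark.example.internal",
        files["--caPath"], files["--certPath"], files["--keyPath"])))
```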
```shell
sudo ./edgecli vault update cyber allow-list <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath>
```

```shell
./edgecli vault update cyber allow-list <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. |
<appId> (required) | The application ID configured on the CyberArk server. |
<url> (required) | The URL of your CyberArk Vault. |
<caPath> (required) | The file containing the Certificate Authority certificate. It must be in X.509 format (PEM encoded). |

Example:

```shell
sudo ./edgecli vault update cyber allow-list "Edge CyberArk allowlist" \
  --appId "edge" \
  --caPath "./certs/ca.crt"
```
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
```shell
sudo ./edgecli vault update hashicorp user-pass <name> \
  --desc <description> \
  --user <username> \
  --pass <password> \
  --caPath <caPath> \
  --url <url>
```

```shell
./edgecli vault update hashicorp user-pass <name> \
  --desc <description> \
  --user <username> \
  --pass <password> \
  --caPath <caPath> \
  --url <url>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<user> (required) | The username for your vault. |
<pass> (required) | The password for your vault. |
<caPath> (optional) | The file containing the Certificate Authority. If you use --caPath, it must be in the PKCS#8 format. Note: a --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTP endpoint is used for username/password authentication. |
<url> (required) | The URL of the HashiCorp Vault. |
<vaultNamespace> (optional) | A unique namespace in your vault. |

Example:

```shell
sudo ./edgecli vault update hashicorp user-pass "HashiCorp vault user-pass AuthN" \
  --user "my-edge-site" \
  --pass "EdgePass123" \
  --url "https://hashicorp-vault.edge.collibra.dev:8210/"
```
```shell
sudo ./edgecli vault update hashicorp tls <name> \
  --authName <authName> \
  --desc <description> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath> \
  --url <url>
```

```shell
./edgecli vault update hashicorp tls <name> \
  --authName <authName> \
  --desc <description> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath> \
  --url <url>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<user> (required) | The username for your vault. |
<pass> (required) | The password for your vault. |
<caPath> (optional) | The file containing the Certificate Authority. If you use --caPath, it must be in the PKCS#8 format. Note: a --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTP endpoint is used for username/password authentication. |
<url> (required) | The URL of the HashiCorp Vault. |
<vaultNamespace> (optional) | A unique namespace in your vault. |

Example:

```shell
sudo ./edgecli vault update hashicorp tls "tls-vault-auth" \
  --authName "tls-vault-auth" \
  --certPath "~/hashicorp/vault/edge-site.crt" \
  --keyPath "~/hashicorp/vault/edge-site.key" \
  --url "https://hashicorp-vault.edge.collibra/"
```
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
```shell
sudo ./edgecli vault update azure managed-identity <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix>
```

```shell
./edgecli vault update azure managed-identity <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you need to specify the Azure US Government DNS suffix vault.usgovcloudapi.net. Otherwise, Edge uses the default value .vault.azure.net. |

Example:

```shell
sudo ./edgecli vault update azure managed-identity "Azure-managed-identity" \
  --dnsSuffix "Azure-managed-identity.azure.net"
```
```shell
sudo ./edgecli vault update azure sp-secret <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --clientSecret <clientSecret>
```

```shell
./edgecli vault update azure sp-secret <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --clientSecret <clientSecret>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you need to specify the Azure US Government DNS suffix vault.usgovcloudapi.net. Otherwise, Edge uses the default value .vault.azure.net. |
<tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) | The identifier of the service principal client. |
<clientSecret> (required) | The secret of the service principal client. |

Example:

```shell
sudo ./edgecli vault update azure sp-secret "Azure-service-principal" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --clientSecret "Secret123"
```
```shell
sudo ./edgecli vault update azure sp-pem <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath>
```

```shell
./edgecli vault update azure sp-pem <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you need to specify the Azure US Government DNS suffix vault.usgovcloudapi.net. Otherwise, Edge uses the default value .vault.azure.net. |
<tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) | The identifier of the service principal client. |
<certPath> (required) | The file containing the client certificate. |

Example:

```shell
sudo ./edgecli vault update azure sp-pem "Azure-service-principal-PEM" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath "~/azurekey/vault/edge-site.crt"
```
```shell
sudo ./edgecli vault update azure sp-pfx <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath> \
  --certPassword <certPassword>
```

```shell
./edgecli vault update azure sp-pfx <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath> \
  --certPassword <certPassword>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you need to specify the Azure US Government DNS suffix vault.usgovcloudapi.net. Otherwise, Edge uses the default value .vault.azure.net. |
<tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) | The identifier of the service principal client. |
<certPath> (required) | The file containing the client certificate. |
<certPassword> (required) | The password used to protect the PFX certificate. |

Example:

```shell
sudo ./edgecli vault update azure sp-pfx "Azure-service-principal-PFX" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath "~/azurekey/vault/edge-site.crt" \
  --certPassword "AZ_PFX_password1"
```
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
```shell
sudo ./edgecli vault update aws key-secret <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride> \
  --accessKeyId <accessKeyId> \
  --accessKey <accessKey>
```

```shell
./edgecli vault update aws key-secret <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride> \
  --accessKeyId <accessKeyId> \
  --accessKey <accessKey>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager vault. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you need to specify the FIPS endpoint <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional value <protocol>://<service-code>.<region>.amazonaws.com. |
<accessKeyId> (required) | The ID of the IAM key you want to authenticate with. |
<accessKey> (required) | The IAM key you want to authenticate with. |

Example:

```shell
sudo ./edgecli vault update aws key-secret "AWS-IAM" \
  --accessKeyId "1234" \
  --accessKey "abcd"
```
```shell
sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride>
```

```shell
./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you need to specify the FIPS endpoint <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional value <protocol>://<service-code>.<region>.amazonaws.com. |

Example:

```shell
sudo ./edgecli vault update aws instance-profile "AWS-Instance" \
  --desc "AWS vault with Instance Profile authentication" \
  --region "eu-west-1" \
  --endpointOverride "http://my-secret-vault.aws.com"
```
```shell
sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --roleArn <roleArn> \
  --roleSessionName <roleSessionName> \
  --region <region> \
  --endpointOverride <endpointOverride>
```

```shell
./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --roleArn <roleArn> \
  --roleSessionName <roleSessionName> \
  --region <region> \
  --endpointOverride <endpointOverride>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<roleArn> (required) | The Amazon Resource Name of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets. Note: for your Edge site to assume the specified role, the Instance Profile role attached to the EKS cluster must be trusted by the target role. |
<roleSessionName> (optional) | The name of the session you want this role to appear as in AWS security logs. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you need to specify the FIPS endpoint <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional value <protocol>://<service-code>.<region>.amazonaws.com. |

Example (the role ARN is a placeholder to fill in with the ARN of the target role):

```shell
sudo ./edgecli vault update aws instance-profile "AWS-Assume" \
  --roleArn "arn:aws:iam::<account-id>:role/<role-name>" \
  --roleSessionName "edge-session"
```
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
```shell
sudo ./edgecli vault update gcp iam-role <name> \
  --desc <description> \
  --projectId <projectId>
```

```shell
./edgecli vault update gcp iam-role <name> \
  --desc <description> \
  --projectId <projectId>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<projectId> (required) | The ID of the Google Account project that contains the Google Secret Manager. |

Example:

```shell
sudo ./edgecli vault update gcp iam-role "GCP-IAM" \
  --projectId="IAM_145"
```
```shell
sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath>
```

```shell
./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<projectId> (required) | The ID of the Google Account project that contains the Google Secret Manager. |
<keyPath> (required) | The file containing the client private key. |

Example:

```shell
sudo ./edgecli vault update gcp sa-json "GCP-JSON" \
  --projectId="JSON_145" \
  --keyPath="~/GCP/vault/edge-site.json"
```
```shell
sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath> \
  --keyPassword <keyPassword> \
  --emailAddress <emailAddress>
```

```shell
./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath> \
  --keyPassword <keyPassword> \
  --emailAddress <emailAddress>
```

Command | Description |
---|---|
<name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric characters, dashes (-), underscores (_) and periods (.). It cannot contain white space or special characters such as /, ! or ?. |
<description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
<projectId> (required) | The ID of the Google Account project that contains the Google Secret Manager. |
<keyPath> (required) | The file containing the client private key. |
<keyPassword> | The P12 password. |
<emailAddress> | The Google Service Account email address. |

Example (the service account email address is a placeholder to fill in with your own):

```shell
sudo ./edgecli vault update gcp sa-json "GCP-P12" \
  --projectId "P12_145" \
  --keyPath "/GCP/vault/edge-site.p12" \
  --keyPassword "GCP_edge_vault_password" \
  --emailAddress "<service-account-name>@<project-id>.iam.gserviceaccount.com"
```
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
sudo ./edgecli vault update cyber tls <name> \
--desc <description> \
--appId <appID> \
--url <url>
--caPath <caPath> \
--certPath <certPath> \
--keyPath <keyPath>
./edgecli vault update cyber tls <name> \
--desc <description> \
--appId <appID> \
--url <url>
--caPath <caPath> \
--certPath <certPath> \
--keyPath <keyPath>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
|
<description> (optional) |
The description of the vault instance. The maximum character length is 150. |
<appId> (required) |
The application ID configured on the CyberArk server. |
<url> (required) |
The URL of your CyberArk Vault . |
<caPath> (required) |
The file containing the Certificate Authority. If you use a --caPath , it must be in the X.509 format (PEM encoded). |
<certPath> (required) |
The file containing the Client Certificate. If you use a --certPath , it must be in the X.509 format (PEM encoded). |
<keyPath> (required) |
The file containing the Client Private Key. If you use a --keyPath , it must be in the PKCS#8 format (PEM encoded). |
caPath
certPath
keyPath
sudo ./edgecli vault update cyber tls "Edge CyberArk Vault mTLS" \
--appId "edge" \
--caPath "./certs/ca.crt" \
--certPath "./certs/aimws.crt" \
--keyPath "./certs/aimws-pkcs8.key"
sudo ./edgecli vault update cyber allow-list <name> \
--desc <description> \
--appId <appId> \
--url <url> \
--caPath <caPath>
./edgecli vault update cyber allow-list <name> \
--desc <description> \
--appId <appId> \
--url <url> \
--caPath <caPath>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
|
<description> (optional) |
The description of the vault instance. |
<appId> (required) |
The application ID configured on the CyberArk server. |
<url> (required) |
The URL of your CyberArk Vault . |
<caPath> (required) |
The file containing the Certificate Authority. If you use a --caPath , it must be in the X.509 format (PEM encoded). |
sudo ./edgecli vault update cyber allow-list "Edge CyberArk allowlist" \
--appId "edge" \
--caPath "./certs/ca.crt"
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
sudo ./edgecli vault update hashicorp user-pass <name>/
--desc <description> \
--user <username> \
--pass <password> \
--caPath <caPath> \
--url <url>
./edgecli vault update hashicorp user-pass <name>/
--desc <description> \
--user <username> \
--pass <password> \
--caPath <caPath> \
--url <url>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) |
The description of the vault instance. The maximum character length is 150. |
<user> (required) |
The username for your vault. |
<pass> (required) |
The password for your vault. |
<caPath> (optional) |
The file containing the Certificate Authority. If you use --caPath it must be in the PKCS#8 format. Note A --caPath file is optionally included for the creation of the authentication endpoint. It will not be required if the HTTP endpoint is used for the Username/Password authentication. The HTTP endpoint is used for the Username/Password authentication. |
<url> (required) |
The URL of the HashiCorp Vault. |
<vaultNamespace> (optional) |
A unique namespace in your vault. |
sudo ./edgecli vault update hashicorp user-pass "Hasicorp vault user-pass AuthN"/
--user "my-edge-site" \
--pass "EdgePass123" \
--url "https://hashicorp-vault.edge.collibra.dev:8210/"
sudo ./edgecli vault update hashicorp tls <name>/
--authName <authName>
--desc <description> \
--caPath <caPath> \
--certPath <certPath> \
--keyPath <keyPath> \
--url <url>
./edgecli vault update hashicorp tls <name>/
--authName <authName>
--desc <description> \
--caPath <caPath> \
--certPath <certPath> \
--keyPath <keyPath> \
--url <url>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) |
The description of the vault instance. The maximum character length is 150. |
<user> (required) |
The username for your vault. |
<pass> (required) |
The password for your vault. |
<caPath> (optional) |
The file containing the Certificate Authority. If you use --caPath it must be in the PKCS#8 format. Note A --caPath file is optionally included for the creation of the authentication endpoint. It will not be required if the HTTP endpoint is used for the Username/Password authentication. The HTTP endpoint is used for the Username/Password authentication. |
<url> (required) |
The URL of the HashiCorp Vault. |
<vaultNamespace> (optional) |
A unique namespace in your vault. |
sudo ./edgecli vault update hashicorp tls "tls-vault-auth"/
--authName "tls-vault-auth" \
--certPath "~/hashicorp/vault/edge-site.crt" \
--keyPath "~/hashicorp/vault/edge-site.key" \
--url "https://hashicorp-vault.edge.collibra/"
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
sudo ./edgecli vault update azure managed-identity <name> \
--desc <description> \
--dnsSuffix <dnsSuffix>
./edgecli vault update azure managed-identity <name> \
--desc <description> \
--dnsSuffix <dnsSuffix>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) |
The description of the vault instance. The maximum character length is 150. |
<dnsSuffix>
|
The data-plane endpoint for your vault. Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP, you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net .Otherwise, Edge uses the default value: .vault.azure.net . |
sudo ./edgecli vault update azure managed-identity "Azure-managed-identity" \
--dnsSuffix "Azure-managed-identity.azure.net"
sudo ./edgecli vault update azure sp-secret <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--clientSecret <clientSecret>
./edgecli vault update azure sp-secret <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--clientSecret <clientSecret>
Command | Description |
---|---|
<name> (required) |
The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) |
The description of the vault instance. The maximum character length is 150. |
<dnsSuffix>
|
The data-plane endpoint for your vault. Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP, you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net .Otherwise, Edge uses the default value: .vault.azure.net . |
<tenantId> (required) |
The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) |
The identifier of the service principal client. |
<clientSecret> (required) |
The secret of the service principal client. |
sudo ./edgecli vault update azure sp-secret "Azure-service-principal" \
--tenantId "165" \
--clientId "AZ_22" \
--clientSecret "Secret123"
sudo ./edgecli vault update azure sp-pem <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--certPath <certPath>
./edgecli vault update azure sp-pem <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--certPath <certPath>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP, you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default value: .vault.azure.net. |
<tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) | The identifier of the service principal client. |
<certPath> (required) | The file containing the Client Certificate. |
sudo ./edgecli vault update azure sp-pem "Azure-service-principal-PEM" \
--tenantId "165" \
--clientId "AZ_22" \
--certPath "$HOME/azurekey/vault/edge-site.crt"
sudo ./edgecli vault update azure sp-pfx <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--certPath <certPath> \
--certPassword <certPassword>
./edgecli vault update azure sp-pfx <name> \
--desc <description> \
--dnsSuffix <dnsSuffix> \
--tenantId <tenantId> \
--clientId <clientId> \
--certPath <certPath> \
--certPassword <certPassword>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<dnsSuffix> | The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP, you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default value: .vault.azure.net. |
<tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
<clientId> (required) | The identifier of the service principal client. |
<certPath> (required) | The file containing the Client Certificate. |
<certPassword> (required) | The password used to protect the PFX certificate. |
sudo ./edgecli vault update azure sp-pfx "Azure-service-principal-PFX" \
--tenantId "165" \
--clientId "AZ_22" \
--certPath "$HOME/azurekey/vault/edge-site.crt" \
--certPassword "AZ_PFX_password1"
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
sudo ./edgecli vault update aws key-secret <name> \
--desc <description> \
--region <region> \
--endpointOverride <endpointOverride> \
--accessKeyId <accessKeyId> \
--accessKey <accessKey>
./edgecli vault update aws key-secret <name> \
--desc <description> \
--region <region> \
--endpointOverride <endpointOverride> \
--accessKeyId <accessKeyId> \
--accessKey <accessKey>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager vault. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com. |
<accessKeyId> (required) | The ID of the IAM access key you want to authenticate with. |
<accessKey> (required) | The IAM secret access key that pairs with that ID. |
sudo ./edgecli vault update aws key-secret "AWS-IAM" \
--accessKeyId "1234" \
--accessKey "abcd"
sudo ./edgecli vault update aws instance-profile <name> \
--desc <description> \
--region <region> \
--endpointOverride <endpointOverride>
./edgecli vault update aws instance-profile <name> \
--desc <description> \
--region <region> \
--endpointOverride <endpointOverride>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com. |
sudo ./edgecli vault update aws instance-profile "AWS-Instance" \
--desc "AWS vault with Instance Profile authentication" \
--region "eu-west-1" \
--endpointOverride "http://my-secret-vault.aws.com"
sudo ./edgecli vault update aws instance-profile <name> \
--desc <description> \
--roleArn <roleArn> \
--roleSessionName <roleSessionName> \
--region <region> \
--endpointOverride <endpointOverride>
./edgecli vault update aws instance-profile <name> \
--desc <description> \
--roleArn <roleArn> \
--roleSessionName <roleSessionName> \
--region <region> \
--endpointOverride <endpointOverride>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<roleArn> (required) | The Amazon Resource Name (ARN) of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets. Note: For your Edge site to successfully assume the specified role, the Instance Profile role attached to the EKS cluster must be trusted by the target role. |
<roleSessionName> (optional) | The name of the session you want this role to appear as in AWS security logs. |
<region> | The region of the AWS Secrets Manager you want to use. Note: Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: |
<endpointOverride> | The URL of the entry point for your AWS Secrets Manager. Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com. |
sudo ./edgecli vault update aws instance-profile "AWS-Assume" \
--roleArn "arn:aws:iam::<account-id>:role/<role-name>" \
--roleSessionName "edge-session"
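The three AWS variants above share the <region> and <endpointOverride> parameters, and the assume-role variant adds <roleArn> and <roleSessionName>. The following helpers are an added example, not Edge CLI code: they build the Secrets Manager endpoint in the FIPS and default patterns the tables give, check that an --endpointOverride uses TLS and names the same region as --region (Secrets Manager is regional, so a mismatch sends requests to the wrong region), and check --roleArn and --roleSessionName against the formats AWS IAM and STS accept. SM_SERVICE_CODE holds the AWS service code for Secrets Manager, which is "secretsmanager"; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Edge CLI code): helpers for the AWS parameters in the
# tables above.  They build the Secrets Manager endpoint in the documented
# FIPS/default patterns, check that an --endpointOverride agrees with --region
# and uses TLS, and check --roleArn / --roleSessionName against the formats
# AWS IAM and STS accept.  SM_SERVICE_CODE is the AWS service code for
# Secrets Manager.
SM_SERVICE_CODE="secretsmanager"

# aws_sm_endpoint <region> [fips|default] -> prints the endpoint URL
aws_sm_endpoint() {
  region="$1"; variant="${2:-default}"
  case "$variant" in
    fips)    printf 'https://%s-fips.%s.amazonaws.com\n' "$SM_SERVICE_CODE" "$region" ;;
    default) printf 'https://%s.%s.amazonaws.com\n' "$SM_SERVICE_CODE" "$region" ;;
    *) echo "unknown variant: $variant" >&2; return 1 ;;
  esac
}

# check_endpoint_override <url> <region>
# An override whose host names a different region than --region sends requests
# to the wrong place, and a plain-http override would carry secrets in clear.
# FIPS and VPC endpoint hostnames both embed the region
# (e.g. ...secretsmanager.eu-west-1.vpce.amazonaws.com), so both pass.
check_endpoint_override() {
  url="$1"; region="$2"
  case "$url" in
    https://*) ;;
    *) echo "endpoint override must use https: $url" >&2; return 1 ;;
  esac
  host=${url#https://}; host=${host%%/*}
  case "$host" in
    *".$region."*) return 0 ;;
    *) echo "endpoint host $host does not name region $region" >&2; return 1 ;;
  esac
}

# check_role_arn <arn>: arn:<partition>:iam::<12-digit account>:role/<name>
# Partitions are aws, aws-cn and aws-us-gov.
check_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-[a-z]+)*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# check_role_session_name <name>: what STS accepts for RoleSessionName
# (2 to 64 characters from [A-Za-z0-9_+=,.@-]).  This value is what the
# assumed-role session is recorded under in CloudTrail, so keep it recognisable.
check_role_session_name() {
  [ "${#1}" -ge 2 ] && [ "${#1}" -le 64 ] &&
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_+=,.@-]+$'
}
```

Run check_endpoint_override and check_role_arn on the values you intend to pass before invoking edgecli; note that the http override used in the instance-profile example above would be rejected by the TLS check.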
Steps
In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the
sudo ./edgecli vault update gcp iam-role <name> \
--desc <description> \
--projectId <projectId>
./edgecli vault update gcp iam-role <name> \
--desc <description> \
--projectId <projectId>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<projectId> (required) | The ID of the Google Account project which contains the Google Secret Manager. |
sudo ./edgecli vault update gcp iam-role "GCP-IAM" \
--projectId "IAM_145"
sudo ./edgecli vault update gcp sa-json <name> \
--desc <description> \
--projectId <projectId> \
--keyPath <keyPath>
./edgecli vault update gcp sa-json <name> \
--desc <description> \
--projectId <projectId> \
--keyPath <keyPath>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<projectId> (required) | The ID of the Google Account project which contains the Google Secret Manager. |
<keyPath> (required) | The file containing the Client Private Key. |
sudo ./edgecli vault update gcp sa-json "GCP-JSON" \
--projectId "JSON_145" \
--keyPath "$HOME/GCP/vault/edge-site.json"
sudo ./edgecli vault update gcp sa-json <name> \
--desc <description> \
--projectId <projectId> \
--keyPath <keyPath> \
--keyPassword <keyPassword> \
--emailAddress <emailAddress>
./edgecli vault update gcp sa-json <name> \
--desc <description> \
--projectId <projectId> \
--keyPath <keyPath> \
--keyPassword <keyPassword> \
--emailAddress <emailAddress>
Parameter | Description |
---|---|
<name> (required) | The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?. |
<description> (optional) | The description of the vault instance. The maximum character length is 150. |
<projectId> (required) | The ID of the Google Account project which contains the Google Secret Manager. |
<keyPath> (required) | The file containing the Client Private Key. |
<keyPassword> | The P12 password. |
<emailAddress> | The Google Service Account email address. |
sudo ./edgecli vault update gcp sa-json "GCP-P12" \
--projectId "P12_145" \
--keyPath "/GCP/vault/edge-site.p12" \
--keyPassword "GCP_edge_vault_password" \
--emailAddress "[email protected]"
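The sa-json variants above take a service-account key file whose contents decide which Google project and identity the Edge site will act as. The following added example, which is not Edge CLI code, checks that file before it is handed to the CLI: the file must be owner-only, be a service_account key, belong to the project given as --projectId, and contain key material; on success it prints the client_email so the operator can confirm the identity. It assumes the one-field-per-line layout of downloaded JSON keys, and the sample key it writes is constructed for the example and holds no real key. The function names, EDGECLI and EDGECLI_APPLY are this example's own.

```shell
#!/bin/sh
# Added example (not Edge CLI code): checks a Google service-account JSON key
# before it is passed to `edgecli vault update gcp sa-json`.  Assumes the
# one-field-per-line layout of downloaded keys; the sample key below is
# constructed for this example and contains no real key material.

# gcp_sa_key_field <keyfile> <field> -> prints the string value of a top-level field
gcp_sa_key_field() {
  sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# gcp_sa_key_check <keyfile> <expectedProjectId> -> prints client_email, or fails
gcp_sa_key_check() {
  keyfile="$1"; expected="$2"
  [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }
  mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile" 2>/dev/null)  # GNU, then BSD stat
  case "$mode" in
    600|400) ;;
    *) echo "key file mode $mode is too permissive (want 600): $keyfile" >&2; return 1 ;;
  esac
  [ "$(gcp_sa_key_field "$keyfile" type)" = "service_account" ] ||
    { echo "not a service_account key: $keyfile" >&2; return 1; }
  project=$(gcp_sa_key_field "$keyfile" project_id)
  [ "$project" = "$expected" ] ||
    { echo "key belongs to project '$project', not '$expected'" >&2; return 1; }
  grep -q 'BEGIN PRIVATE KEY' "$keyfile" ||
    { echo "key file contains no private key: $keyfile" >&2; return 1; }
  gcp_sa_key_field "$keyfile" client_email
}

# write_sample_key -> path of a constructed, owner-only key file for trying the check
write_sample_key() {
  out=$(mktemp)
  cat > "$out" <<'EOF'
{
  "type": "service_account",
  "project_id": "edge-vault-example",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "edge-site@edge-vault-example.iam.gserviceaccount.com",
  "client_id": "000000000000000000000"
}
EOF
  chmod 600 "$out"
  printf '%s\n' "$out"
}

# Usage once the checks pass (EDGECLI and EDGECLI_APPLY are assumed names):
#   email=$(gcp_sa_key_check "$HOME/GCP/vault/edge-site.json" edge-vault-example) &&
#     [ "${EDGECLI_APPLY:-0}" = 1 ] &&
#     sudo "${EDGECLI:-./edgecli}" vault update gcp sa-json "GCP-JSON" \
#       --projectId edge-vault-example --keyPath "$HOME/GCP/vault/edge-site.json"
```

A project_id mismatch is the case worth catching: the CLI accepts whatever --projectId you type, but the key only authenticates against the project it was issued for, and the failure only surfaces later when a data source connection tries to read its secret.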