Edit vault integration configuration via Edge CLI

Important: This feature is available only in the latest UI.

You can inspect and update the configuration of your vault integration and rotate the vault credentials using the Edge CLI tool.

Available vaults

You can use a vault to add your data source information to your site connection. The Edge CLI supports the following vaults:

AWS Secrets Manager
Azure Key Vault
CyberArk Vault
Google Secret Manager
HashiCorp Vault

The sections below cover one vault at a time, with one command per authentication method. The commands are shown with sudo; whether sudo is needed depends on the Kubernetes cluster type your Edge site runs on.

Before you begin

Make sure you know the name (or the vault ID) of the vault integration you want to change and have the new credential files or values at hand.

Steps: CyberArk Vault

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for your authentication method (mTLS or allow-list) to inspect or update any or all of the vault configuration settings.

mTLS authentication

sudo ./edgecli vault update cyber mtls <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <appId> (required): The application ID configured on the CyberArk server.
  <url> (optional): The URL of the CyberArk Vault.
  <caPath> (required): The file containing the Certificate Authority, in X.509 format (PEM encoded).
  <certPath> (required): The file containing the client certificate, in X.509 format (PEM encoded).
  <keyPath> (required): The file containing the client private key.

Note: With the mTLS authentication method you must always pass all three of --caPath, --certPath and --keyPath, even if you are only updating a single other setting of the vault integration.

Example: Rotate credentials for mTLS authentication:

sudo ./edgecli vault update cyber mtls "Edge CyberArk Vault mTLS" \
  --appId "edge" \
  --caPath "./certs/ca.crt" \
  --certPath "./certs/aimws.crt" \
  --keyPath "./certs/aimws-pkcs8.key"
Allow-list authentication

sudo ./edgecli vault update cyber allow-list <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <appId> (required): The application ID configured on the CyberArk server.
  <url> (optional): The URL of the CyberArk Vault.
  <caPath> (required): The file containing the Certificate Authority, in X.509 format (PEM encoded).

Note: With the allow-list authentication method you only need to include the settings you want to update.

Example: Rotate credentials for allow-list authentication:

sudo ./edgecli vault update cyber allow-list "Edge CyberArk allowlist" \
  --appId "edge" \
  --caPath "./certs/ca.crt"

Steps: HashiCorp Vault

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for your authentication method (username and password, or TLS) to inspect or update any or all of the vault configuration settings.

Username and password authentication

sudo ./edgecli vault update hashicorp user-pass <name> \
  --desc <description> \
  --user <username> \
  --pass <password> \
  --caPath <caPath> \
  --url <url>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <username> (required): The username for your vault.
  <password> (required): The password for your vault.
  <caPath> (optional): The file containing the Certificate Authority, in X.509 format (PEM encoded).
    Note: The CA file is used when the authentication endpoint is created. It is not required if the username and password authentication endpoint is served over plain HTTP, because no TLS verification takes place in that case. Bear in mind that plain HTTP sends the vault username and password across the network in clear text; use an HTTPS endpoint wherever possible.
  <url> (required): The URL of the HashiCorp Vault.

Example: Rotate credentials for username and password authentication:

sudo ./edgecli vault update hashicorp user-pass "HashiCorp vault user-pass AuthN" \
  --user "my-edge-site" \
  --pass "EdgePass123" \
  --url "https://hashicorp-vault.edge.collibra.dev:8210/"

Passing --pass as a literal leaves the password in your shell history; remove the history entry afterwards, or read the value from a file that only your user can access.
TLS authentication

sudo ./edgecli vault update hashicorp tls <name> \
  --authName <authName> \
  --desc <description> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath> \
  --url <url>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <authName> (required): The name of the HashiCorp Vault authentication endpoint.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <caPath> (optional): The file containing the Certificate Authority, in X.509 format (PEM encoded).
    Note: The --caPath file is used when the authentication endpoint is created. It is not required if the HTTPS certificate used for SSL/TLS termination is served with its certificate chain and the root certificate is present in a Java trust store.
  <certPath> (required): The file containing the client certificate, in X.509 format (PEM encoded).
  <keyPath> (required): The file containing the client private key, in PKCS#8 format (PEM encoded).
  <url> (required): The URL of the HashiCorp Vault.

Example: Rotate credentials for TLS authentication (note that ~ is only expanded by the shell when it is left unquoted):

sudo ./edgecli vault update hashicorp tls "tls-vault-auth" \
  --authName "tls-vault-auth" \
  --certPath ~/hashicorp/vault/edge-site.crt \
  --keyPath ~/hashicorp/vault/edge-site.key \
  --url "https://hashicorp-vault.edge.collibra/"
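The CyberArk mTLS and HashiCorp TLS methods above both take a CA certificate, a client certificate and a client private key, with format requirements (X.509 PEM for the certificates, PKCS#8 PEM for the key) and, for mTLS, the rule that all three files must be passed together on every update. The POSIX shell helpers below are an added example and are not part of the Collibra documentation or of the edgecli tool. They classify the PEM files by their BEGIN marker, check the formats before anything is handed to the CLI, use openssl (when present) to confirm that the new certificate chains to the CA and belongs to the key, and then build the update command with the right set of flags for each method. EDGECLI_BIN, EDGECLI_DRY_RUN and the file paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of the Collibra documentation or the edgecli tool):
# pre-flight checks for the files given to
#   edgecli vault update cyber mtls ...   and   edgecli vault update hashicorp tls ...
# EDGECLI_BIN, EDGECLI_DRY_RUN and all paths are assumptions for this illustration.

EDGECLI_BIN=${EDGECLI_BIN:-./edgecli}

# Classify a PEM file by its first BEGIN marker. Prints one of:
#   x509       "BEGIN CERTIFICATE"            (what --caPath / --certPath need)
#   pkcs8      "BEGIN PRIVATE KEY"            (PKCS#8, what --keyPath needs)
#   legacy     "BEGIN RSA/EC PRIVATE KEY"     (PKCS#1 / SEC1, not PKCS#8)
#   encrypted  "BEGIN ENCRYPTED PRIVATE KEY"  (passphrase-protected PKCS#8)
#   unknown    anything else, including DER or PFX binaries
pem_kind() {
  marker=$(grep -- '-----BEGIN ' "$1" 2>/dev/null | head -n 1)
  case "$marker" in
    *'BEGIN CERTIFICATE-----'*)                                   echo x509 ;;
    *'BEGIN PRIVATE KEY-----'*)                                   echo pkcs8 ;;
    *'BEGIN ENCRYPTED PRIVATE KEY-----'*)                         echo encrypted ;;
    *'BEGIN RSA PRIVATE KEY-----'*|*'BEGIN EC PRIVATE KEY-----'*) echo legacy ;;
    *)                                                            echo unknown ;;
  esac
}

# Check the formats the documentation requires: CA and client cert as PEM X.509,
# client key as PEM PKCS#8. Prints each problem; returns 0 when everything is
# acceptable. Pass "" as the CA when it is optional (hashicorp tls).
check_pem_formats() {
  ca=$1; cert=$2; key=$3; rc=0
  if [ -n "$ca" ]; then
    [ "$(pem_kind "$ca")" = x509 ] || { echo "caPath is not a PEM X.509 certificate: $ca"; rc=1; }
  fi
  [ "$(pem_kind "$cert")" = x509 ] || { echo "certPath is not a PEM X.509 certificate: $cert"; rc=1; }
  case "$(pem_kind "$key")" in
    pkcs8) ;;
    legacy)    echo "keyPath is PKCS#1/SEC1, not PKCS#8; convert with: openssl pkcs8 -topk8 -nocrypt -in $key"; rc=1 ;;
    encrypted) echo "keyPath is passphrase-protected, and the documented flags carry no passphrase: $key"; rc=1 ;;
    *)         echo "keyPath is not a PEM private key: $key"; rc=1 ;;
  esac
  return $rc
}

# Cryptographic sanity check, run only when openssl is on PATH: the client cert
# must chain to the CA and the private key must belong to that cert. This catches
# the classic rotation mistake of installing a new cert with the old key.
check_key_matches_cert() {
  ca=$1; cert=$2; key=$3; rc=0
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping chain/key-match check"; return 0; }
  if [ -n "$ca" ]; then
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "certPath does not chain to caPath"; rc=1; }
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "keyPath does not match certPath"; rc=1; }
  return $rc
}

# Rotate a client certificate: refuse to call edgecli unless both checks pass.
# Usage: rotate_client_cert cyber-mtls|hashicorp-tls <name> <ca|""> <cert> <key> [extra flags...]
# With EDGECLI_DRY_RUN=1 the command is printed instead of executed.
rotate_client_cert() {
  method=$1; name=$2; ca=$3; cert=$4; key=$5; shift 5
  check_pem_formats "$ca" "$cert" "$key" || return 1
  check_key_matches_cert "$ca" "$cert" "$key" || return 1
  case "$method" in
    cyber-mtls)    # the documentation requires all three files on every update
      set -- "$EDGECLI_BIN" vault update cyber mtls "$name" \
             --caPath "$ca" --certPath "$cert" --keyPath "$key" "$@" ;;
    hashicorp-tls) # the CA is optional here, so it is only added when given
      set -- "$EDGECLI_BIN" vault update hashicorp tls "$name" \
             --certPath "$cert" --keyPath "$key" ${ca:+--caPath "$ca"} "$@" ;;
    *) echo "unknown method: $method" >&2; return 1 ;;
  esac
  if [ "${EDGECLI_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Example call mirroring the documentation's CyberArk rotation (dry run):
# EDGECLI_DRY_RUN=1 rotate_client_cert cyber-mtls "Edge CyberArk Vault mTLS" \
#   ./certs/ca.crt ./certs/aimws.crt ./certs/aimws-pkcs8.key --appId edge
```

Point EDGECLI_BIN at the binary only; on cluster types that need root, run the script itself with sudo rather than putting "sudo ./edgecli" in the variable, because the argument list is executed as a single command word for the binary.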

Steps: Azure Key Vault

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for your authentication method (Managed Identity assigned to the Azure VM, Service Principal secret, Service Principal with PEM certificate, or Service Principal with PFX certificate) to inspect or update any or all of the vault configuration settings.

Managed Identity assigned to Azure VM

sudo ./edgecli vault update azure managed-identity <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix> (optional): The data-plane DNS suffix for your vault.
    Note: <dnsSuffix> is required if you use a private or government Azure cloud for security purposes. For example, for FedRAMP you would specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default public-cloud suffix, vault.azure.net.

Example: Update the DNS suffix for the Managed Identity assigned to Azure VM authentication method (a managed identity holds no credential that you rotate yourself):

sudo ./edgecli vault update azure managed-identity "Azure-managed-identity" \
  --dnsSuffix "vault.usgovcloudapi.net"
Service Principal secret

sudo ./edgecli vault update azure sp-secret <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --clientSecret <clientSecret>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix> (optional): The data-plane DNS suffix for your vault.
    Note: <dnsSuffix> is required if you use a private or government Azure cloud for security purposes. For example, for FedRAMP you would specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default public-cloud suffix, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD tenant that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <clientSecret> (required): The secret of the service principal client.

Example: Rotate credentials for the Service Principal secret authentication method:

sudo ./edgecli vault update azure sp-secret "Azure-service-principal" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --clientSecret "Secret123"

As with any secret passed as a command-line literal, remove the --clientSecret value from your shell history afterwards.
Service Principal with PEM certificate

sudo ./edgecli vault update azure sp-pem <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix> (optional): The data-plane DNS suffix for your vault.
    Note: <dnsSuffix> is required if you use a private or government Azure cloud for security purposes. For example, for FedRAMP you would specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default public-cloud suffix, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD tenant that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <certPath> (required): The PEM file containing the client certificate. There is no separate key flag for this method, so the PEM file has to hold the private key the service principal signs with, alongside the certificate.

Example: Rotate credentials for the Service Principal with PEM certificate authentication method (~ is only expanded by the shell when it is left unquoted):

sudo ./edgecli vault update azure sp-pem "Azure-service-principal-PEM" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath ~/azurekey/vault/edge-site.pem
Service Principal with PFX certificate

sudo ./edgecli vault update azure sp-pfx <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath> \
  --certPassword <certPassword>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix> (optional): The data-plane DNS suffix for your vault.
    Note: <dnsSuffix> is required if you use a private or government Azure cloud for security purposes. For example, for FedRAMP you would specify the Azure US Government DNS suffix: vault.usgovcloudapi.net. Otherwise, Edge uses the default public-cloud suffix, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD tenant that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <certPath> (required): The PFX file containing the client certificate and its private key.
  <certPassword> (required): The password that protects the PFX file.

Example: Rotate credentials for the Service Principal with PFX certificate authentication method (~ is only expanded by the shell when it is left unquoted):

sudo ./edgecli vault update azure sp-pfx "Azure-service-principal-PFX" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath ~/azurekey/vault/edge-site.pfx \
  --certPassword "AZ_PFX_password1"

Steps: AWS Secrets Manager

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for your authentication method (IAM access key, instance profile, or assume role) to inspect or update any or all of the vault configuration settings.

IAM Access Key authentication

sudo ./edgecli vault update aws key-secret <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride> \
  --accessKeyId <accessKeyId> \
  --accessKey <accessKey>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <region>: The region of the AWS Secrets Manager you want to use.
    Note: <region> is optional if your Edge site and the AWS Secrets Manager are both located in the same AWS region. <region> is required if:
      • You are using <endpointOverride>.
      • Your Edge site is on k3s and running in AWS.
      • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
  <endpointOverride>: The URL of the entry point for your AWS Secrets Manager.
    Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you would specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region-code>.amazonaws.com.
  <accessKeyId> (required): The ID of the IAM access key you want to authenticate with.
  <accessKey> (required): The secret access key that belongs to <accessKeyId>.

Example: Rotate credentials for the IAM Access Key authentication method:

sudo ./edgecli vault update aws key-secret "AWS-IAM" \
  --accessKeyId "1234" \
  --accessKey "abcd"
Instance Profile authentication

sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <region>: The region of the AWS Secrets Manager you want to use.
    Note: <region> is optional if your Edge site and the AWS Secrets Manager are both located in the same AWS region. <region> is required if:
      • You are using <endpointOverride>.
      • Your Edge site is on k3s and running in AWS.
      • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
  <endpointOverride>: The URL of the entry point for your AWS Secrets Manager.
    Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you would specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region-code>.amazonaws.com.

Example: Update the Instance Profile authentication method (the endpoint override should always be an HTTPS URL, since secrets travel over this connection):

sudo ./edgecli vault update aws instance-profile "AWS-Instance" \
  --desc "AWS vault with Instance Profile authentication" \
  --region "eu-west-1" \
  --endpointOverride "https://my-secret-vault.aws.com"
Assume Role authentication

sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --roleArn <roleArn> \
  --roleSessionName <roleSessionName> \
  --region <region> \
  --endpointOverride <endpointOverride>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <roleArn> (required): The Amazon Resource Name of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets.
    Note: For your Edge site to assume this role, the instance profile role attached to the EKS cluster must be trusted by the target role's trust policy.
  <roleSessionName> (optional): The session name under which this role appears in AWS security logs, such as CloudTrail.
  <region>: The region of the AWS Secrets Manager you want to use.
    Note: <region> is optional if your Edge site and the AWS Secrets Manager are both located in the same AWS region. <region> is required if:
      • You are using <endpointOverride>.
      • Your Edge site is on k3s and running in AWS.
      • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
  <endpointOverride>: The URL of the entry point for your AWS Secrets Manager.
    Note: <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you would specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region-code>.amazonaws.com.

Example: Update the Assume Role authentication method (the role ARN takes the form arn:aws:iam::<account-id>:role/<role-name>):

sudo ./edgecli vault update aws instance-profile "AWS-Assume" \
  --roleArn "arn:aws:iam::<account-id>:role/<role-name>" \
  --roleSessionName "edge-session"
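The three AWS methods above share the same rules for when --region is required and the same endpoint patterns, and the key-secret example passes the secret access key as a literal on the command line. The POSIX shell helpers below are an added example and are not part of the Collibra documentation or of the edgecli tool. They derive the regional or FIPS Secrets Manager endpoint from the documented pattern (secretsmanager is the AWS service code for Secrets Manager), apply the region rules together with an HTTPS check and a region-consistency check on the override, and read the secret key from an owner-only file instead of the command line before building the update command. The site-location arguments and variables, EDGECLI_BIN and EDGECLI_DRY_RUN are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of the Collibra documentation or the edgecli tool):
# helpers for the AWS Secrets Manager integration. "secretsmanager" is the AWS
# service code for Secrets Manager; SITE_* variables, EDGECLI_BIN and
# EDGECLI_DRY_RUN are assumptions for this illustration.

EDGECLI_BIN=${EDGECLI_BIN:-./edgecli}

# Endpoint Edge would use for a region, following the documented patterns:
#   <protocol>://<service-code>.<region>.amazonaws.com        (standard)
#   <protocol>://<service-code>-fips.<region>.amazonaws.com   (second arg "fips")
aws_secrets_endpoint() {
  region=$1; variant=${2:-standard}
  case "$variant" in
    fips)     printf 'https://secretsmanager-fips.%s.amazonaws.com\n' "$region" ;;
    standard) printf 'https://secretsmanager.%s.amazonaws.com\n' "$region" ;;
    *) echo "unknown variant: $variant" >&2; return 1 ;;
  esac
}

# The documentation's three "region is required" rules, plus two checks a
# reviewer would add: the override must be HTTPS, and for an amazonaws.com
# override the region in the hostname must agree with --region.
# Arguments: region endpointOverride k3s_in_aws(yes|no) site_region secrets_region
check_aws_vault_args() {
  region=$1; endpoint=$2; k3s_in_aws=$3; site_region=$4; secrets_region=$5; rc=0
  if [ -z "$region" ]; then
    [ -z "$endpoint" ]       || { echo "region is required when endpointOverride is set"; rc=1; }
    [ "$k3s_in_aws" != yes ] || { echo "region is required for a k3s site running in AWS"; rc=1; }
    [ "$site_region" = "$secrets_region" ] \
      || { echo "region is required: site in '$site_region', Secrets Manager in '$secrets_region'"; rc=1; }
  fi
  if [ -n "$endpoint" ]; then
    case "$endpoint" in
      https://*) ;;
      *) echo "endpointOverride must be an https URL, got: $endpoint"; rc=1 ;;
    esac
    if [ -n "$region" ]; then
      case "$endpoint" in
        *.amazonaws.com|*.amazonaws.com/)
          case "$endpoint" in
            *".$region."*) ;;
            *) echo "endpointOverride is not in region $region: $endpoint"; rc=1 ;;
          esac ;;
      esac
    fi
  fi
  return $rc
}

# Read a secret from a file that only its owner can access, so the IAM secret
# key is never typed on the command line (where it lands in shell history).
read_secret_file() {
  f=$1
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  group_other=$(ls -ld "$f" | cut -c5-10)      # the group and other permission bits
  [ "$group_other" = "------" ] \
    || { echo "refusing $f: group/other bits are set ($group_other); use chmod 600" >&2; return 1; }
  tr -d '\n' < "$f"
}

# Rotate an IAM access key pair on a key-secret vault integration.
# Usage: rotate_aws_key_secret <name> <accessKeyId> <secret-file> [region] [endpointOverride]
# With EDGECLI_DRY_RUN=1 the command is printed with the secret redacted.
rotate_aws_key_secret() {
  name=$1; key_id=$2; secret_file=$3; region=$4; endpoint=$5
  check_aws_vault_args "$region" "$endpoint" "${SITE_K3S_IN_AWS:-no}" \
    "${SITE_REGION:-}" "${SECRETS_REGION:-${SITE_REGION:-}}" || return 1
  secret=$(read_secret_file "$secret_file") || return 1
  if [ "${EDGECLI_DRY_RUN:-0}" = 1 ]; then shown='<redacted>'; else shown=$secret; fi
  set -- "$EDGECLI_BIN" vault update aws key-secret "$name" \
         --accessKeyId "$key_id" --accessKey "$shown" \
         ${region:+--region "$region"} ${endpoint:+--endpointOverride "$endpoint"}
  if [ "${EDGECLI_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Example (dry run): rotate the key pair of the "AWS-IAM" integration from the
# documentation, with the secret stored in a 0600 file.
# EDGECLI_DRY_RUN=1 rotate_aws_key_secret AWS-IAM "1234" ~/.edge/aws-secret eu-west-1
```

Even when read from a file, the secret still reaches edgecli as a process argument, visible to other local users for the lifetime of the command; this keeps it out of shell history but is no substitute for the instance-profile or assume-role methods, which need no long-lived key at all.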

Steps: Google Secret Manager

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for your authentication method (IAM role assigned to the Google Compute Engine VM, service account JSON key, or service account P12 key) to inspect or update any or all of the vault configuration settings.

IAM Role assigned to the Google Compute Engine VM

sudo ./edgecli vault update gcp iam-role <name> \
  --desc <description> \
  --projectId <projectId>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.

Example: Update the IAM Role assigned to the Google Compute Engine VM authentication method (the VM's IAM role holds no credential that you rotate yourself):

sudo ./edgecli vault update gcp iam-role "GCP-IAM" \
  --projectId "IAM_145"
Service Account JSON Key

sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.
  <keyPath> (required): The service account JSON key file, which contains the client private key.

Example: Rotate credentials for the Service Account JSON Key authentication method (~ is only expanded by the shell when it is left unquoted):

sudo ./edgecli vault update gcp sa-json "GCP-JSON" \
  --projectId "JSON_145" \
  --keyPath ~/GCP/vault/edge-site.json
Service Account P12 Key

sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath> \
  --keyPassword <keyPassword> \
  --emailAddress <emailAddress>

Properties:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors.
    Note: You can provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.
  <keyPath> (required): The P12 file containing the client private key.
  <keyPassword>: The password that protects the P12 file.
  <emailAddress>: The Google service account email address. A P12 file carries only the key, not the account identity, so the address has to be supplied here.

Example: Rotate credentials for the Service Account P12 Key authentication method:

sudo ./edgecli vault update gcp sa-json "GCP-P12" \
  --projectId "P12_145" \
  --keyPath "/GCP/vault/edge-site.p12" \
  --keyPassword "GCP_edge_vault_password" \
  --emailAddress <service-account-email>

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the mTLSAllow-list authentication method to inspect or update all or any of the vault configuration settings.

Copy
sudo ./edgecli vault update cyber mtls <name> \
  --desc <description> \
  --appId <appID> \
  --url <url>
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath>
Copy
./edgecli vault update cyber mtls <name> \
  --desc <description> \
  --appId <appID> \
  --url <url>
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath>
Properties Description
<name> (required) The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can to choose provide <vaultId> instead of <name> . If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description>(optional) The description of the vault instance. The maximum character length is 150.
<appID> (required) The application ID configured on the CyberArk server.
<url>(optional) The URL of the CyberArk Vault .
<caPath> (required) The file containing the Certificate Authority.
If you use a --caPath, it must be in the X.509 format (PEM encoded).
<certPath>(required) The file containing the Client Certificate.
If you use a --certPath, it must be in the X.509 format (PEM encoded).
<keyPath>(required) The file containing the Client Private Key.
Note When using the mTLS authentication method, you must always include the following three variables, even if you are only updating one variable, such as the name of the vault integration:
  • caPath
  • certPath
  • keyPath

Example: Rotate credentials for mTLS authentication:

sudo ./edgecli vault update cyber tls "Edge CyberArk Vault mTLS" \
  --appId "edge" \
  --caPath "./certs/ca.crt" \
  --certPath "./certs/aimws.crt" \
  --keyPath "./certs/aimws-pkcs8.key"
Copy
sudo ./edgecli vault update cyber allow-list <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath>
Copy
./edgecli vault update cyber allow-list <name> \
  --desc <description> \
  --appId <appId> \
  --url <url> \
  --caPath <caPath>
Properties Description
<name> (required) The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can to choose provide <vaultId> instead of <name> . If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description>(optional) The description of the vault instance. The maximum character length is 150.
<appId> (required) The application ID configured on the CyberArk server.
<url>(optional) The URL of the CyberArk Vault .
<caPath> (required) The file containing the Certificate Authority.
If you use a --caPath, it must be in the X.509 format (PEM encoded).
Note When using the allow-list authentication method, you only need to include the vault integration variable that you want to update.

Example: Rotate credentials for allow-list authentication:

sudo ./edgecli vault update cyber allow-list "Edge CyberArk allowlist" \
--appId "edge" \
--caPath "./certs/ca.crt"

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Username and passwordTLS authentication method to inspect or update all or any of the vault configuration settings.

Copy
sudo ./edgecli vault update hashicorp user-pass <name>/
  --desc <description> \
  --user <username> \
  --pass <password> \
  --caPath <caPath> \
  --url <url>
Copy
./edgecli vault update hashicorp user-pass <name>/
  --desc <description> \
  --user <username> \
  --pass <password> \
  --caPath <caPath> \
  --url <url>
Properties Description
<name> (required) The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can to choose provide <vaultId> instead of <name> . If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<user> (required) The username for your vault.
<pass> (required) The password for your vault.
<caPath> (optional) The file containing the Certificate Authority.
If you use a --caPath, it must be in the X.509 format (PEM encoded).
Note A caPath file is optionally included for the creation of the authentication endpoint. It will not be required if the HTTP endpoint is used for the username and password authentication method. The HTTP endpoint is used for the username and password authentication method.
<url> (required) The URL of the HashiCorp Vault.

Example: Rotate credentials for username and Password authentication:

sudo ./edgecli vault update hashicorp user-pass "Hasicorp vault user-pass AuthN"/
  --user "my-edge-site" \
  --pass "EdgePass123" \
  --url "https://hashicorp-vault.edge.collibra.dev:8210/"
Copy
sudo ./edgecli vault update hashicorp tls <name>/
  --authName <authName>
  --desc <description> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath> \
  --url <url>
Copy
./edgecli vault update hashicorp tls <name>/
  --authName <authName>
  --desc <description> \
  --caPath <caPath> \
  --certPath <certPath> \
  --keyPath <keyPath> \
  --url <url>
Properties Description
<name> (required) The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can to choose provide <vaultId> instead of <name> . If you don't have the vault ID, you can get it by retrieving all vault integrations.
<authName> (required) The name of the HashiCorp vault authentication endpoint.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<caPath> (optional) The file containing the Certificate Authority.
If you use a --caPath, it must be in the X.509 format (PEM encoded).
Note A --caPathfile is optionally included for the creation of the authentication endpoint. It will not be required if the HTTPS certificate used for the SSL/TLS endpoint termination has a certificate chain supplied and the root certificate is in a Java trust store.
<certPath> (required) The file containing the Client Certificate.
If you use a certPath, it must be in the X.509 format (PEM encoded).
<keyPath> (required) The file containing the Client Private Key.
If you use a --keyPath, it must be in the PKCS#8 format (PEM encoded).
<url> (required) The URL of the HashiCorp Vault.
Example: Rotate credentials for TLS authentication:
sudo ./edgecli vault update hashicorp tls "tls-vault-auth"/
  --authName "tls-vault-auth" \
  --certPath "~/hashicorp/vault/edge-site.crt" \
  --keyPath "~/hashicorp/vault/edge-site.key" \
  --url "https://hashicorp-vault.edge.collibra/"

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Managed Identity assigned to Azure VMService Principal SecretService Principal with PEM certificateService Principal with PFX certificate authentication method to inspect or update all or any of the vault configuration settings.

sudo ./edgecli vault update azure managed-identity <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix>

./edgecli vault update azure managed-identity <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<dnsSuffix> The data-plane endpoint for your vault.
Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net.

Otherwise, Edge uses the default value: vault.azure.net.

Example: Rotate credentials for Managed Identity assigned to Azure VM authentication method:

sudo ./edgecli vault update azure managed-identity "Azure-managed-identity" \
  --dnsSuffix "Azure-managed-identity.azure.net"

sudo ./edgecli vault update azure sp-secret <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --clientSecret <clientSecret>

./edgecli vault update azure sp-secret <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --clientSecret <clientSecret>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<dnsSuffix> The data-plane endpoint for your vault.
Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net.

Otherwise, Edge uses the default value: vault.azure.net.
<tenantId> (required) The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
<clientId> (required) The identifier of the service principal client.
<clientSecret> (required) The secret of the service principal client.
Example: Rotate credentials for Service Principal Secret authentication method:
sudo ./edgecli vault update azure sp-secret "Azure-service-principal" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --clientSecret "Secret123"

sudo ./edgecli vault update azure sp-pem <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath>

./edgecli vault update azure sp-pem <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<dnsSuffix> The data-plane endpoint for your vault.
Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net.

Otherwise, Edge uses the default value: vault.azure.net.
<tenantId> (required) The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
<clientId> (required) The identifier of the service principal client.
<certPath> (required) The file containing the Client Certificate.
Example: Rotate credentials for Service Principal with PEM certificate authentication method:
sudo ./edgecli vault update azure sp-pem "Azure-service-principal-PEM" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath "~/azurekey/vault/edge-site.crt"

sudo ./edgecli vault update azure sp-pfx <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath> \
  --certPassword <certPassword>

./edgecli vault update azure sp-pfx <name> \
  --desc <description> \
  --dnsSuffix <dnsSuffix> \
  --tenantId <tenantId> \
  --clientId <clientId> \
  --certPath <certPath> \
  --certPassword <certPassword>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<dnsSuffix> The data-plane endpoint for your vault.
Note <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix: vault.usgovcloudapi.net.

Otherwise, Edge uses the default value: vault.azure.net.
<tenantId> (required) The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
<clientId> (required) The identifier of the service principal client.
<certPath> (required) The file containing the Client Certificate.
<certPassword> (required) The password used to protect the PFX certificate.
Example: Rotate credentials for Service Principal with PFX certificate authentication method:
sudo ./edgecli vault update azure sp-pfx "Azure-service-principal-PFX" \
  --tenantId "165" \
  --clientId "AZ_22" \
  --certPath "~/azurekey/vault/edge-site.crt" \
  --certPassword "AZ_PFX_password1"

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the IAM Access Key, Instance Profile, or Assume Role authentication method to inspect or update all or any of the vault configuration settings.

sudo ./edgecli vault update aws key-secret <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride> \
  --accessKeyId <accessKeyId> \
  --accessKey <accessKey>

./edgecli vault update aws key-secret <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride> \
  --accessKeyId <accessKeyId> \
  --accessKey <accessKey>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<region> The region of the AWS Secrets Manager you want to use.
Note <region> is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region.

<region> is required if:
  • You are using <endpointOverride>.
  • Your Edge site is on k3s and running in AWS.
  • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
<endpointOverride> The URL of the entry point for your AWS Secrets Manager.
Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com.

Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com
<accessKeyId> (required) The ID of the IAM key you want to authenticate with.
<accessKey> (required) The IAM key you want to authenticate with.

Example: Rotate credentials for IAM Access Key authentication method:

sudo ./edgecli vault update aws key-secret "AWS-IAM" \
  --accessKeyId "1234" \
  --accessKey "abcd"

sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride>

./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --region <region> \
  --endpointOverride <endpointOverride>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<region> The region of the AWS Secrets Manager you want to use.
Note <region> is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region.

<region> is required if:
  • You are using <endpointOverride>.
  • Your Edge site is on k3s and running in AWS.
  • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
<endpointOverride> The URL of the entry point for your AWS Secrets Manager.
Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com.

Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com
Example: Rotate credentials for Instance Profile authentication method:
sudo ./edgecli vault update aws instance-profile "AWS-Instance" \
  --desc "AWS vault with Instance Profile authentication" \
  --region "eu-west-1" \
  --endpointOverride "http://my-secret-vault.aws.com"

sudo ./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --roleArn <roleArn> \
  --roleSessionName <roleSessionName> \
  --region <region> \
  --endpointOverride <endpointOverride>

./edgecli vault update aws instance-profile <name> \
  --desc <description> \
  --roleArn <roleArn> \
  --roleSessionName <roleSessionName> \
  --region <region> \
  --endpointOverride <endpointOverride>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<roleArn> (required) The Amazon Resource Name of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets.
Note In order for your Edge site to successfully assume this specified role, the Instance Profile role that is attached to the EKS cluster must be trusted by the target role.
<roleSessionName> (optional) The name of the session you want this role to appear as in AWS security logs.
<region> The region of the AWS Secrets Manager you want to use.
Note <region> is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region.

<region> is required if:
  • You are using <endpointOverride>.
  • Your Edge site is on k3s and running in AWS.
  • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
<endpointOverride> The URL of the entry point for your AWS Secrets Manager.
Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com.

Otherwise, Edge will use the default regional value: <protocol>://<service-code>.<region-code>.amazonaws.com
Example: Rotate credentials for Assume Role authentication method:
sudo ./edgecli vault update aws instance-profile "AWS-Assume" \
  --roleArn "edge-session" \
  --roleSessionName "edge-session"
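The region and endpointOverride rules from the AWS property tables above, encoded as shell pre-flight checks; this is an added example, not Collibra's own code. It assumes hypothetical function names, the AWS service code secretsmanager for Secrets Manager endpoints, and treats a region mismatch between --endpointOverride and --region as an error, which is an added sanity check rather than a documented rule.

```shell
#!/bin/sh
# Added example (not from the Collibra Edge docs): pre-flight checks for the
# --region / --endpointOverride flags of `edgecli vault update aws ...`.
# Assumptions: function names, the AWS service code "secretsmanager", and the
# region-mismatch check (a sanity check, not a documented rule).

# Build an endpointOverride in the documented shape:
#   FIPS:    <protocol>://secretsmanager-fips.<region>.amazonaws.com
#   default: <protocol>://secretsmanager.<region>.amazonaws.com
sm_endpoint() {
  if [ "${3:-no}" = yes ]; then
    printf '%s://secretsmanager-fips.%s.amazonaws.com\n' "$1" "$2"
  else
    printf '%s://secretsmanager.%s.amazonaws.com\n' "$1" "$2"
  fi
}

# Print the region embedded in an endpointOverride of the documented shape;
# return 1 (printing nothing) for any other host, e.g. a private endpoint.
endpoint_region() {
  host=${1#*://}; host=${host%%/*}
  case "$host" in
    secretsmanager.*.amazonaws.com)      r=${host#secretsmanager.} ;;
    secretsmanager-fips.*.amazonaws.com) r=${host#secretsmanager-fips.} ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${r%.amazonaws.com}"
}

# The page's three rules for when --region is mandatory; returns 0 if so.
# Args: endpointOverride, site-is-k3s-in-AWS (yes/no), site region, vault region.
region_required() {
  [ -n "$1" ] && return 0
  [ "$2" = yes ] && return 0
  [ "$3" != "$4" ] && return 0
  return 1
}

# Combined check before running the update command. Prints one line per
# problem and returns 1 if any. Args: region, endpointOverride, k3s-in-AWS,
# site region, vault region.
check_aws_args() {
  region=$1; endpoint=$2; rc=0
  if [ -z "$region" ] && region_required "$endpoint" "$3" "$4" "$5"; then
    echo "--region is required for this setup"; rc=1
  fi
  er=$(endpoint_region "$endpoint" || :)
  if [ -n "$er" ] && [ -n "$region" ] && [ "$er" != "$region" ]; then
    echo "--endpointOverride is in $er but --region is $region"; rc=1
  fi
  return $rc
}
```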

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the IAM Role assigned to the Google Cloud Engine VM, Service Account JSON Key, or Service Account P12 Key authentication method to inspect or update all or any of the vault configuration settings.

sudo ./edgecli vault update gcp iam-role <name> \
  --desc <description> \
  --projectId <projectId>

./edgecli vault update gcp iam-role <name> \
  --desc <description> \
  --projectId <projectId>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<projectId> (required) The ID of the Google Account project which contains the Google Secret Manager.

Example: Rotate credentials for IAM Role assigned to the Google Cloud Engine VM authentication method:

sudo ./edgecli vault update gcp iam-role "GCP-IAM" \
  --projectId="IAM_145"

sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath>

./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<projectId> (required) The ID of the Google Account project which contains the Google Secret Manager.
<keyPath> (required) The file containing the Client Private Key.
Example: Rotate credentials for Service Account JSON Key authentication method:
sudo ./edgecli vault update gcp sa-json "GCP-JSON" \
  --projectId="JSON_145" \
  --keyPath="~/GCP/vault/edge-site.json"

sudo ./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath> \
  --keyPassword <keyPassword> \
  --emailAddress <emailAddress>

./edgecli vault update gcp sa-json <name> \
  --desc <description> \
  --projectId <projectId> \
  --keyPath <keyPath> \
  --keyPassword <keyPassword> \
  --emailAddress <emailAddress>
Properties Description
<name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors.
Note You can choose to provide <vaultId> instead of <name>. If you don't have the vault ID, you can get it by retrieving all vault integrations.
<description> (optional) The description of the vault instance. The maximum character length is 150.
<projectId> (required) The ID of the Google Account project which contains the Google Secret Manager.
<keyPath> (required) The file containing the Client Private Key.
<keyPassword> The P12 password.
<emailAddress> The Google Service Account email address.
Example: Rotate credentials for Service Account P12 Key authentication method:
sudo ./edgecli vault update gcp sa-json "GCP-P12" \
  --projectId "P12_145" \
  --keyPath "/GCP/vault/edge-site.p12" \
  --keyPassword "GCP_edge_vault_password" \
  --emailAddress "[email protected]"