Integrate Edge with a AWS Secrets Manager Vault

Updated: March 26, 2026

You can integrate your Edge site with your existing AWS Secrets Manager Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.

You can integrate your Edge site with your AWS Secrets Manager using one of the following authentication methods:

IAM Access Key
Instance Profile
Assume Role

Note

Edge sites running outside of AWS can connect to the Secrets Manager by using an access key.
Edge sites running on AWS have Instance Profiles and the Assume role.
Assume Role is similar to Instance Profile, but allows you to narrow down the access to your vault to a singe role.
Forward proxies are not supported for AWS Secrets Manager integrations. You must have a direct connection to your AWS Secrets Manager.

IAM Access Key authentication

Prerequisites

On your local server

You installed your Edge site.
You installed and configured the Edge CLI tool.
Your Edge site has network access to the AWS Secrets Manager endpoints.
You have access to the data source that will use the vault credentials.

In your Collibra environment

Ensure that your environment uses the latest user interface.
You have a global role that has the Manage Edge sites global permission.

In your vault platform

You have a AWS Secrets Manager.
You created IAM credentials with read access to the AWS Secrets Manager where your Edge site secrets will be stored.

IMDSv1 or IMDSv2 is enabled.
If you have IMDSv2 enabled, you must run the following command from an admin account to set the hop limit to 2:

Copy

aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the IAM access key authentication method.

Copy

sudo ./edgecli vault create aws key-secret <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride> \
  --accessKeyId=<accessKeyId> \
  --accessKey=<accessKey>

Show me an example…

sudo ./edgecli vault create aws key-secret AWS-IAM \
  --desc=AWS vault with IAM Access Key authentication. \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com \
  --accessKeyId=1234 \
  --accessKey=abcd

Copy

./edgecli vault create aws key-secret <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride> \
  --accessKeyId=<accessKeyId> \
  --accessKey=<accessKey>

Show me an example…

./edgecli vault create aws key-secret AWS-IAM \
  --desc=AWS vault with IAM Access Key authentication. \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com \
  --accessKeyId=1234 \
  --accessKey=abcd

Command	Description
`<name>` (required)	The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
`<description>` (optional)	The description of the vault instance. The maximum character length is 150.
`<region>`	The region of the AWS Secrets Manager you want to use. Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: You are using `<endpointOverride>`. Your Edge site is on k3s and running in AWS. Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
`<endpointOverride>`	The URL of the entry point for your AWS Secrets Manager vault. Note `<endpointOverride>` is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: `<protocol>"://://"<service-code>"-fips.<region>.amazonaws.com`. Otherwise, Edge will use the default regional value: `<protocol>://<service-code>.<region-code>.amazonaws.com`
`<accessKeyId>` (required)	The ID of the IAM key you want to authenticate with.
`<accessKey>` (required)	The IAM key you want to authenticate with.

Go to your Edge site to confirm the new vault is available in the Vaults tab.

Instance Profile authentication

Prerequisites

On your local server

You installed your Edge site on an EC2 or EKS instance assigned to an Instance Profile with the role that has read access to the AWS Secrets Manager you want to connect to.
You installed and configured the Edge CLI tool.
Your Edge site has network access to the AWS Secrets Manager endpoints.
You have access to the data source that will use the vault credentials.

In your Collibra environment

Ensure that your environment uses the latest user interface.
You have a global role that has the Manage Edge sites global permission.

In your vault platform

You have a AWS Secrets Manager.
You created secrets in your AWS Secrets Manager.

IMDSv1 or IMDSv2 is enabled.
If you have IMDSv2 enabled, you must run the following command from an admin account to set the hop limit to 2:

Copy

aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Instance profile authentication method.

Copy

sudo ./edgecli vault create aws instance-profile <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride>

Show me an example…

sudo ./edgecli vault create aws instance-profile AWS-Instance \
  --desc=AWS vault with Instant Profile authentication \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com

Copy

./edgecli vault create aws instance-profile <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride>

Show me an example…

./edgecli vault create aws instance-profile AWS-Instance \
  --desc=AWS vault with Instant Profile authentication \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com

Command	Description
`<name>` (required)	The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
`<description>` (optional)	The description of the vault instance. The maximum character length is 150.
`<region>`	The region of the AWS Secrets Manager you want to use. Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: You are using `<endpointOverride>`. Your Edge site is on k3s and running in AWS. Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
`<endpointOverride>`	The URL of the entry point for your AWS Secrets Manager. Note `<endpointOverride>` is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: `<protocol>"://://"<service-code>"-fips."<region>".amazonaws.com`. Otherwise, Edge will use the default regional value: `"<protocol>"://"<service-code>"."<region-code>".amazonaws.com`

Go to your Edge site to confirm the new vault is available in the Vaults tab.

Assume Role authentication

Prerequisites

On your local server

You installed your Edge site on an EC2 or EKS instance assigned to an Instance Profile with the role that has read access to the AWS Secrets Manager you want to connect to.
You installed and configured the Edge CLI tool.
Your Edge site has network access to the AWS Secrets Manager endpoints.
You have access to the data source that will use the vault credentials.

In your Collibra environment

Ensure that your environment uses the latest user interface.
You have a global role that has the Manage Edge sites global permission.

In your vault platform

You have a AWS Secrets Manager.
You created secrets in your AWS Secrets Manager.

IMDSv1 or IMDSv2 is enabled.

If you have IMDSv2 enabled, you must run the following command from an AWS Secrets Manager admin account to set the hop limit to 2:

Copy

aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2

Steps

In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Assume role authentication method.

Copy

sudo ./edgecli vault create aws assume-role <name> \
  --desc=<description> \
  --roleArn=<roleArn> \
  --roleSessionName=<roleSessionName> \
  --region=<region> \
  --endpointOverride=<endpointOverride>

Show me an example…

sudo ./edgecli vault create aws instance-profile AWS-Assume \
  --desc=AWS vault with Assume Role authentication \
  --roleArn=edge-session \
  --roleSessionName=edge-session \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com

Copy

./edgecli vault create aws assume-role <name> \
  --desc=<description> \
  --roleArn=<roleArn> \
  --roleSessionName=<roleSessionName> \
  --region=<region> \
  --endpointOverride=<endpointOverride>

Show me an example…

./edgecli vault create aws instance-profile AWS-Assume \
  --desc=AWS vault with Assume Role authentication \
  --roleArn=edge-session \
  --roleSessionName=edge-session \
  --region=eu-west-1 \
  --endpointOverride=http://my-secret-vault.aws.com

Command	Description
`<name>` (required)	The name of the vault instance. It is required and it must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note The name can only contain alphanumeric, dash (-), underscore ( _ ), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
`<description>` (optional)	The description of the vault instance. The maximum character length is 150.
`<roleArn>` (required)	The Amazon Resource name of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets. Note In order for your Edge site to successfully assume this specified role, the Instance Profile role that is attached to the EKS cluster must be trusted by the target role.
`<roleSessionName>` (optional)	The name of the session you want this role to appear as in AWS security logs.
`<region>`	The region of the AWS Secrets Manager you want to use. Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if: You are using `<endpointOverride>`. Your Edge site is on k3s and running in AWS. Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
`<endpointOverride>`	The URL of the entry point for your AWS Secrets Manager. Note `<endpointOverride>` is required if you use a private version of AWS for security purposes. For example, for FIPS, you would need to specify the FIPS endpoint: `<protocol>"://://"<service-code>"-fips."<region>".amazonaws.com`. Otherwise, Edge will use the default regional value: `"<protocol>"://"<service-code>"."<region-code>".amazonaws.com`

Go to your Edge site to confirm the new vault is available in the Vaults tab.

What's next

You can now set up an Edge connection with your AWS Secrets Manager .
You can retrieve and review the configuration details of your vault integrations.
You can edit your vault integration configuration.