Integrate Edge with an Azure Key Vault
You can integrate your Edge site with your existing Azure Key Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.
You can integrate your Edge site with your Azure Key Vault using one of the following authentication methods:
- Managed Identity assigned to Azure Virtual Machine
- Service Principal Secret
- Service Principal with PEM certificate
- Service Principal with PFX certificate
Note: There are a few limitations with the Azure Key Vault integration:
- Forward proxies are not supported for Azure Key Vault integrations. You must have a direct connection to your Azure Key Vault.
- Only scalar values are accepted from the Azure Key Vault. Each secret must resolve to a single plain value or file.
- Only the latest version of secrets can be accessed by your Edge site. You cannot set up and choose from different secret versions.
Managed Identity assigned to Azure Virtual Machine authentication
Prerequisites
On your local server
- You installed your Edge site inside of the Azure Virtual Machine or AKS.
- You installed and configured the Edge CLI tool.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an Azure Key Vault.
- You have the following Azure Key Vault roles or permissions:
- If you use Access Policies, you must have the Get and List Secret permissions.
- If you use Access Control (IAM), you must have the Key Vault Secrets User role, or a role with similar permissions.
- You assigned the managed identity to the Azure VM.
- You created secrets in your Azure Key Vault.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the managed identity assigned to the Azure VM authentication method.
With sudo:
  sudo ./edgecli vault create azure managed-identity <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix>
Without sudo:
  ./edgecli vault create azure managed-identity <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix>
Example:
  sudo ./edgecli vault create azure managed-identity Azure-managed-identity \
    --desc "Azure Key vault with managed identity authentication." \
    --dnsSuffix vault.azure.net
Command parameters:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot contain white space or special characters such as /, !, or ?.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix>: The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you must specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, vault.azure.net.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Service Principal Secret authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an Azure Key Vault.
- You have the following Azure Key Vault roles or permissions:
- If you use Access Policies, you must have the Get and List Secret permissions.
- If you use Access Control (IAM), you must have the Key Vault Secrets User role, or a role with similar permissions.
- You generated a client secret for the Azure Service Principal.
- You created secrets in your Azure Key Vault.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the service principal secret authentication method.
With sudo:
  sudo ./edgecli vault create azure sp-secret <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --clientSecret <clientSecret>
Without sudo:
  ./edgecli vault create azure sp-secret <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --clientSecret <clientSecret>
Example:
  sudo ./edgecli vault create azure sp-secret Azure-service-principal \
    --desc "Azure Key vault with service principal secret authentication." \
    --dnsSuffix vault.azure.net \
    --tenantId 165 \
    --clientId AZ_22 \
    --clientSecret Secret123
Command parameters:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot contain white space or special characters such as /, !, or ?.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix>: The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you must specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <clientSecret> (required): The secret of the service principal client.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Service Principal with PEM authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an Azure Key Vault.
- You have the following Azure Key Vault roles or permissions:
- If you use Access Policies, you must have the Get and List Secret permissions.
- If you use Access Control (IAM), you must have the Key Vault Secrets User role, or a role with similar permissions.
- You generated a PEM certificate for the Azure Service Principal.
- You created secrets in your Azure Key Vault.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the service principal with PEM certificate authentication method.
With sudo:
  sudo ./edgecli vault create azure sp-pem <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath>
Without sudo:
  ./edgecli vault create azure sp-pem <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath>
Example:
  sudo ./edgecli vault create azure sp-pem Azure-service-principal-PEM \
    --desc "Azure Key vault with service principal with PEM cert authentication." \
    --dnsSuffix vault.azure.net \
    --tenantId 165 \
    --clientId AZ_22 \
    --certPath ~/azurekey/vault/edge-site.pem
Command parameters:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot contain white space or special characters such as /, !, or ?.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix>: The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you must specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <certPath> (required): The file containing the client certificate.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Service Principal with PFX certificate authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an Azure Key Vault.
- You have the following Azure Key Vault roles or permissions:
- If you use Access Policies, you must have the Get and List Secret permissions.
- If you use Access Control (IAM), you must have the Key Vault Secrets User role, or a role with similar permissions.
- You generated a PFX certificate for the Azure Service Principal.
- You created secrets in your Azure Key Vault.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the service principal with PFX certificate authentication method.
With sudo:
  sudo ./edgecli vault create azure sp-pfx <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath> \
    --certPassword <certPassword>
Without sudo:
  ./edgecli vault create azure sp-pfx <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath> \
    --certPassword <certPassword>
Example:
  sudo ./edgecli vault create azure sp-pfx Azure-service-principal-PFX \
    --desc "Azure Key vault with service principal with PFX cert authentication." \
    --dnsSuffix vault.azure.net \
    --tenantId 165 \
    --clientId AZ_22 \
    --certPath ~/azurekey/vault/edge-site.pfx \
    --certPassword AZ_PFX_password1
Command parameters:
  <name> (required): The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to <name>, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot contain white space or special characters such as /, !, or ?.
  <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  <dnsSuffix>: The data-plane endpoint for your vault. Note: <dnsSuffix> is required if you use a private version of Azure for security purposes. For example, for FedRAMP you must specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, vault.azure.net.
  <tenantId> (required): The unique identifier of the Azure AD instance that the Azure Key Vault belongs to.
  <clientId> (required): The identifier of the service principal client.
  <certPath> (required): The file containing the client certificate.
  <certPassword> (required): The password used to protect the PFX certificate.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
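All four authentication methods above share the same rules for <name>, <description> and <dnsSuffix>, and the same limitation that the Edge site needs a direct route to the vault. The following POSIX shell script is an added example, not part of Collibra's Edge CLI or documentation: it checks those rules before the real edgecli command is run and assembles the command line for any of the four methods (managed-identity, sp-secret, sp-pem, sp-pfx). The 63-character limit and the "starts and ends with an alphanumeric" rule come from the Kubernetes label-value conventions that the Labels and Selectors reference points to; the allowed character set, the 150-character description limit, the two DNS suffixes and the no-forward-proxy limitation are taken from this page. The script only prints the command; it does not invoke edgecli.

```shell
#!/bin/sh
# Added pre-flight checks for "edgecli vault create azure ..." (example code,
# not Collibra's). Run the printed command yourself from the Edge CLI directory.

# <name>: alphanumeric, dash, underscore or period only; no white space or
# other characters (this page). Kubernetes label values, which the page's
# Labels and Selectors reference describes, additionally require at most
# 63 characters, starting and ending with an alphanumeric character.
validate_vault_name() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 63 ] || return 1
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;        # any character outside the allowed set
    esac
    case "$name" in
        [A-Za-z0-9]*[A-Za-z0-9]|[A-Za-z0-9]) return 0 ;;
        *) return 1 ;;                          # leading or trailing -, _ or .
    esac
}

# <description> is optional and limited to 150 characters.
validate_description() {
    [ "${#1}" -le 150 ]
}

# <dnsSuffix>: empty means the page's default, vault.azure.net. The Azure US
# Government suffix from the page is accepted as-is; any other value must at
# least look like a hostname and is flagged on stderr so a typo is noticed.
resolve_dns_suffix() {
    suffix="${1:-vault.azure.net}"
    case "$suffix" in
        vault.azure.net|vault.usgovcloudapi.net) ;;
        *[!A-Za-z0-9.-]*|.*|*.) return 1 ;;
        *) echo "warning: unrecognised dnsSuffix '$suffix'" >&2 ;;
    esac
    printf '%s\n' "$suffix"
}

# The page states that forward proxies are not supported: fail early if the
# shell that will run edgecli has one configured.
check_no_forward_proxy() {
    [ -z "${HTTPS_PROXY:-}${https_proxy:-}${HTTP_PROXY:-}${http_proxy:-}" ]
}

# build_vault_create_cmd METHOD NAME DESCRIPTION DNSSUFFIX [extra flags...]
# Prints the command line on stdout, or returns non-zero with a reason on stderr.
# The description is single-quoted so a multi-word value is passed as one
# argument (the page's examples contain spaces); descriptions containing a
# single quote are rejected rather than escaped.
build_vault_create_cmd() {
    method="$1"; name="$2"; desc="$3"; suffix="$4"; shift 4
    case "$method" in
        managed-identity|sp-secret|sp-pem|sp-pfx) ;;
        *) echo "unknown method: $method" >&2; return 1 ;;
    esac
    validate_vault_name "$name" || { echo "invalid vault name: $name" >&2; return 1; }
    validate_description "$desc" || { echo "description longer than 150 characters" >&2; return 1; }
    case "$desc" in *"'"*) echo "description must not contain a single quote" >&2; return 1 ;; esac
    suffix=$(resolve_dns_suffix "$suffix") || { echo "invalid dnsSuffix: $4" >&2; return 1; }
    printf "sudo ./edgecli vault create azure %s %s --desc '%s' --dnsSuffix %s" \
        "$method" "$name" "$desc" "$suffix"
    for extra in "$@"; do printf ' %s' "$extra"; done
    printf '\n'
}

# Stand-alone use: ./preflight.sh METHOD NAME DESCRIPTION DNSSUFFIX [extra flags...]
if [ "$#" -gt 0 ]; then
    check_no_forward_proxy || echo "warning: a forward proxy is set; the page says this is not supported" >&2
    build_vault_create_cmd "$@"
fi
```

For the sp-secret and sp-pfx methods the extra flags carry a client secret or PFX password on the command line, where the shell history and the process list can record them; where the environment allows, the managed-identity or PEM methods from this page avoid putting a secret on the command line at all.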
- You can now set up an Edge connection with your Azure Key Vault.
- You can retrieve and review the configuration details of your vault integrations.
- You can edit your vault integration configuration.