Manage AWS Secret Manager vault

You can use the Edge CLI tool to manage and update your Edge vault integration.

In this topic, we explore how to:

  • Access vault help flags and required parameters.
  • Review and update your vault integration.

Access vault help

This feature is available only in the latest UI.

As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your vault configuration. Run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed, to review helpful flags and required parameters for your vault integration:

  • Bundled k3s installations:
    sudo ./edgecli vault create <vault> <authMethod> -h
  • Managed Kubernetes installations:
    ./edgecli vault create <vault> <authMethod> -h

Property        Description
<vault>         Your vault provider. For example, CyberArk or HashiCorp.
<authMethod>    The authentication method for your vault provider. For example, mTLS for a CyberArk vault.
Example 

Managed Kubernetes help command for IAM Access Key authentication.

./edgecli vault create aws key-secret -h
create AWS Secrets Manager vault with key/secret authN type

Usage:
  edgecli vault create aws key-secret <identifier> [flags]

Flags:
      --accessKey string     access key itself
      --accessKeyId string   id of the access key

Global Flags:
      --desc string               description for the vault [optional]
      --endpointOverride string   overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
  -h, --help
      --name string               name for the vault [optional]
      --region string             region to be used by the client, used to determine both the service endpoint and signing region [optional]

Edit your vault integration

Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:

  • IAM Access Key
  • Instance Profile
  • Assume Role

IAM Access Key authentication

Prerequisites

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    • Bundled k3s installations:
      sudo ./edgecli vault update aws key-secret <name> \
        --desc <description> \
        --region <region> \
        --endpointOverride <endpointOverride> \
        --accessKeyId <accessKeyId> \
        --accessKey <accessKey>
    • Managed Kubernetes installations:
      ./edgecli vault update aws key-secret <name> \
        --desc <description> \
        --region <region> \
        --endpointOverride <endpointOverride> \
        --accessKeyId <accessKeyId> \
        --accessKey <accessKey>

    Command                     Description
    <name> (required)           The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
                                Note The name can only contain alphanumeric characters, dashes (-), underscores (_), or periods (.). It cannot include whitespace or special characters such as /, !, or ?.
    <description> (optional)    The description of the vault instance. The maximum length is 150 characters.
    <region>                    The region of the AWS Secrets Manager you want to use.
                                Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if:
                                • You are using <endpointOverride>.
                                • Your Edge site is on k3s and running in AWS.
                                • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
    <endpointOverride>          The URL of the entry point for your AWS Secrets Manager vault.
                                Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you must specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region>.amazonaws.com
    <accessKeyId> (required)    The ID of the IAM access key you want to authenticate with.
    <accessKey> (required)      The IAM access key you want to authenticate with.
  2. Run the following command with your vault name to retrieve the vault information and confirm that your changes were applied:
    • Bundled k3s installations:
      sudo ./edgecli vault get <name>
    • Managed Kubernetes installations:
      ./edgecli vault get <name>

Instance Profile authentication

Prerequisites

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    • Bundled k3s installations:
      sudo ./edgecli vault update aws instance-profile <name> \
        --desc <description> \
        --region <region> \
        --endpointOverride <endpointOverride>
    • Managed Kubernetes installations:
      ./edgecli vault update aws instance-profile <name> \
        --desc <description> \
        --region <region> \
        --endpointOverride <endpointOverride>

    Command                     Description
    <name> (required)           The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
                                Note The name can only contain alphanumeric characters, dashes (-), underscores (_), or periods (.). It cannot include whitespace or special characters such as /, !, or ?.
    <description> (optional)    The description of the vault instance. The maximum length is 150 characters.
    <region>                    The region of the AWS Secrets Manager you want to use.
                                Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if:
                                • You are using <endpointOverride>.
                                • Your Edge site is on k3s and running in AWS.
                                • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
    <endpointOverride>          The URL of the entry point for your AWS Secrets Manager.
                                Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you must specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region>.amazonaws.com
  2. Run the following command with your vault name to retrieve the vault information and confirm that your changes were applied:
    • Bundled k3s installations:
      sudo ./edgecli vault get <name>
    • Managed Kubernetes installations:
      ./edgecli vault get <name>

Assume Role authentication

Prerequisites

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    Note When using the allow-list authentication method, you only need to include the vault integration variables that you want to update.
    • Bundled k3s installations:
      sudo ./edgecli vault update aws instance-profile <name> \
        --desc <description> \
        --roleArn <roleArn> \
        --roleSessionName <roleSessionName> \
        --region <region> \
        --endpointOverride <endpointOverride>
    • Managed Kubernetes installations:
      ./edgecli vault update aws instance-profile <name> \
        --desc <description> \
        --roleArn <roleArn> \
        --roleSessionName <roleSessionName> \
        --region <region> \
        --endpointOverride <endpointOverride>

    Command                     Description
    <name> (required)           The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
                                Note The name can only contain alphanumeric characters, dashes (-), underscores (_), or periods (.). It cannot include whitespace or special characters such as /, !, or ?.
    <description> (optional)    The description of the vault instance. The maximum length is 150 characters.
    <roleArn> (required)        The Amazon Resource Name (ARN) of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets.
                                Note For your Edge site to successfully assume the specified role, the Instance Profile role attached to the EKS cluster must be trusted by the target role.
    <roleSessionName> (optional) The session name under which this role appears in AWS security logs.
    <region>                    The region of the AWS Secrets Manager you want to use.
                                Note Region is optional if your Edge site and AWS Secrets Manager are both located in the same AWS region. Region is required if:
                                • You are using <endpointOverride>.
                                • Your Edge site is on k3s and running in AWS.
                                • Your Edge site is running in a different region than the AWS Secrets Manager you want to connect to.
    <endpointOverride>          The URL of the entry point for your AWS Secrets Manager.
                                Note <endpointOverride> is required if you use a private version of AWS for security purposes. For example, for FIPS you must specify the FIPS endpoint: <protocol>://<service-code>-fips.<region>.amazonaws.com. Otherwise, Edge uses the default regional endpoint: <protocol>://<service-code>.<region>.amazonaws.com
  2. Run the following command with your vault name to retrieve the vault information and confirm that your changes were applied:
    • Bundled k3s installations:
      sudo ./edgecli vault get <name>
    • Managed Kubernetes installations:
      ./edgecli vault get <name>
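The naming, description-length, region and FIPS-endpoint rules that the three update procedures above share, as a pre-flight check you can run before calling the CLI. This is an added example, not part of the Edge CLI or its documentation; the function names are this example's own, and it assumes that the AWS Secrets Manager service code used in endpoint host names is `secretsmanager`.

```shell
#!/bin/sh
# Added example, not part of the Edge CLI: pre-flight checks for the values
# passed to "edgecli vault update aws ...", following the rules stated above.
# Function names are this example's own; the AWS service code for Secrets
# Manager is assumed to be "secretsmanager".

# <name>: alphanumeric, dash (-), underscore (_) or period (.) only.
valid_vault_name() {
    case "$1" in
        '')                return 1 ;;  # empty name
        *[!A-Za-z0-9._-]*) return 1 ;;  # whitespace, /, !, ? or other characters
    esac
    return 0
}

# <description>: optional, at most 150 characters.
valid_description() {
    [ "${#1}" -le 150 ]
}

# Prints "yes" when --region must be given, "no" when it may be omitted.
# $1 endpoint override (empty if unused)   $2 "yes" if the site is k3s in AWS
# $3 region the Edge site runs in          $4 region of the Secrets Manager
region_required() {
    if [ -n "$1" ] || [ "$2" = "yes" ] || [ "$3" != "$4" ]; then
        echo yes
    else
        echo no
    fi
}

# FIPS endpoint for --endpointOverride: <protocol>://<service-code>-fips.<region>.amazonaws.com
fips_endpoint() {
    printf '%s://secretsmanager-fips.%s.amazonaws.com\n' "$1" "$2"
}

# Checks one update; prints "ok" or the first failing rule and returns 1.
# $1 name  $2 description  $3 region  $4 endpoint override
# $5 "yes" if k3s in AWS  $6 site region  $7 Secrets Manager region
check_update_params() {
    valid_vault_name "$1"  || { echo "invalid vault name: $1"; return 1; }
    valid_description "$2" || { echo "description exceeds 150 characters"; return 1; }
    if [ -z "$3" ] && [ "$(region_required "$4" "$5" "$6" "$7")" = "yes" ]; then
        echo "--region is required for this configuration"; return 1
    fi
    echo ok
}
```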

What's next