Manage Azure Key vault
You can use the Edge CLI tool to manage and update your Edge vault integration.
In this topic, we explore how to:
- Access vault help flags and required parameters.
- Review and update your vault integration.
Access vault help
This feature is available only in the latest UI.
As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your vault configuration. To review helpful flags and required parameters for your vault integration, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:

- Bundled k3s installations:

  ```
  sudo ./edgecli vault create <vault> <authMethod> -h
  ```

- Managed Kubernetes installations:

  ```
  ./edgecli vault create <vault> <authMethod> -h
  ```

| Properties | Description |
|---|---|
| `<vault>` | Your vault provider. For example, CyberArk or HashiCorp. |
| `<authMethod>` | The authentication method for your vault provider. For example, mTLS for a CyberArk vault. |
Managed Kubernetes help command for Managed Identity assigned to Azure VM authentication:

```
./edgecli vault create azure managed-identity -h
create Azure Key Vault vault with managed identity authN type

Usage:
  edgecli vault create azure managed-identity <identifier> [flags]

Global Flags:
      --desc string        description for the vault [optional]
      --dnsSuffix string   (default: .vault.azure.net) [optional]
  -h, --help
      --name string        name for the vault [optional]
```
Edit your vault integration
Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:
- Managed Identity assigned to Azure VM
- Service Principal Secret
- Service Principal with PEM certificate
- Service Principal with PFX certificate
Managed Identity assigned to Azure VM authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:

  Bundled k3s installations:

  ```
  sudo ./edgecli vault update azure managed-identity <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix>
  ```

  Managed Kubernetes installations:

  ```
  ./edgecli vault update azure managed-identity <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix>
  ```

  | Parameter | Description |
  |---|---|
  | `<name>` (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions for the `<name>` parameter, see Labels and Selectors. Note: the name can contain only alphanumeric, dash (-), underscore (_), or period (.) characters; it cannot include white space or special characters such as /, !, ?. |
  | `<description>` (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | `<dnsSuffix>` | The data-plane endpoint for your vault. Note: `<dnsSuffix>` is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, .vault.azure.net. |

  Example (bundled k3s; omit `sudo` on managed Kubernetes):

  ```
  sudo ./edgecli vault update azure managed-identity Azure-managed-identity \
    --dnsSuffix Azure-managed-identity.azure.net
  ```

- Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:

  ```
  sudo ./edgecli vault get <name>
  ```

  On managed Kubernetes installations, omit `sudo`: `./edgecli vault get <name>`.
Service Principal Secret authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:

  Bundled k3s installations:

  ```
  sudo ./edgecli vault update azure sp-secret <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --clientSecret <clientSecret>
  ```

  Managed Kubernetes installations:

  ```
  ./edgecli vault update azure sp-secret <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --clientSecret <clientSecret>
  ```

  | Parameter | Description |
  |---|---|
  | `<name>` (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions for the `<name>` parameter, see Labels and Selectors. Note: the name can contain only alphanumeric, dash (-), underscore (_), or period (.) characters; it cannot include white space or special characters such as /, !, ?. |
  | `<description>` (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | `<dnsSuffix>` | The data-plane endpoint for your vault. Note: `<dnsSuffix>` is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, .vault.azure.net. |
  | `<tenantId>` (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | `<clientId>` (required) | The identifier of the service principal client. |
  | `<clientSecret>` (required) | The secret of the service principal client. |

  Example (bundled k3s; omit `sudo` on managed Kubernetes):

  ```
  sudo ./edgecli vault update azure sp-secret Azure-service-principal \
    --tenantId 165 \
    --clientId AZ_22 \
    --clientSecret Secret123
  ```

- Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:

  ```
  sudo ./edgecli vault get <name>
  ```

  On managed Kubernetes installations, omit `sudo`: `./edgecli vault get <name>`.
Service Principal with PEM certificate authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:

  Bundled k3s installations:

  ```
  sudo ./edgecli vault update azure sp-pem <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath>
  ```

  Managed Kubernetes installations:

  ```
  ./edgecli vault update azure sp-pem <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath>
  ```

  | Parameter | Description |
  |---|---|
  | `<name>` (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions for the `<name>` parameter, see Labels and Selectors. Note: the name can contain only alphanumeric, dash (-), underscore (_), or period (.) characters; it cannot include white space or special characters such as /, !, ?. |
  | `<description>` (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | `<dnsSuffix>` | The data-plane endpoint for your vault. Note: `<dnsSuffix>` is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, .vault.azure.net. |
  | `<tenantId>` (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | `<clientId>` (required) | The identifier of the service principal client. |
  | `<certPath>` (required) | The file containing the client certificate. |

  Example (bundled k3s; omit `sudo` on managed Kubernetes). The authentication method is `sp-pem`, matching the command above:

  ```
  sudo ./edgecli vault update azure sp-pem Azure-service-principal-PEM \
    --tenantId 165 \
    --clientId AZ_22 \
    --certPath ~/azurekey/vault/edge-site.crt
  ```

- Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:

  ```
  sudo ./edgecli vault get <name>
  ```

  On managed Kubernetes installations, omit `sudo`: `./edgecli vault get <name>`.
Service Principal with PFX certificate authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:

  Bundled k3s installations:

  ```
  sudo ./edgecli vault update azure sp-pfx <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath> \
    --certPassword <certPassword>
  ```

  Managed Kubernetes installations:

  ```
  ./edgecli vault update azure sp-pfx <name> \
    --desc <description> \
    --dnsSuffix <dnsSuffix> \
    --tenantId <tenantId> \
    --clientId <clientId> \
    --certPath <certPath> \
    --certPassword <certPassword>
  ```

  | Parameter | Description |
  |---|---|
  | `<name>` (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions for the `<name>` parameter, see Labels and Selectors. Note: the name can contain only alphanumeric, dash (-), underscore (_), or period (.) characters; it cannot include white space or special characters such as /, !, ?. |
  | `<description>` (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | `<dnsSuffix>` | The data-plane endpoint for your vault. Note: `<dnsSuffix>` is required if you use a private version of Azure for security purposes. For example, for FedRAMP you would need to specify the Azure US Government DNS suffix, vault.usgovcloudapi.net. Otherwise, Edge uses the default value, .vault.azure.net. |
  | `<tenantId>` (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | `<clientId>` (required) | The identifier of the service principal client. |
  | `<certPath>` (required) | The file containing the client certificate. |
  | `<certPassword>` (required) | The password used to protect the PFX certificate. |

  Example (bundled k3s; omit `sudo` on managed Kubernetes). The authentication method is `sp-pfx`, matching the command above:

  ```
  sudo ./edgecli vault update azure sp-pfx Azure-service-principal-PFX \
    --tenantId 165 \
    --clientId AZ_22 \
    --certPath ~/azurekey/vault/edge-site.crt \
    --certPassword AZ_PFX_password1
  ```

- Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:

  ```
  sudo ./edgecli vault get <name>
  ```

  On managed Kubernetes installations, omit `sudo`: `./edgecli vault get <name>`.
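The four update procedures above pass their values straight to `edgecli`, and a rejected `<name>` or a wrong `--dnsSuffix` only shows up after the call. As an added example that is not part of the Edge CLI or of this documentation, the following POSIX shell wrapper checks the `<name>`, `<description>` and `<dnsSuffix>` values against the rules stated in the parameter tables for any of the four authentication methods, refuses a `--certPath` file that is readable by other users, and assembles the `vault update` command followed by the `vault get` check. `EDGECLI`, `SUDO`, `DRY_RUN`, the `public`/`usgov` cloud labels and every function name are assumptions of this script, not Edge CLI options, and the sample values are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Edge CLI or its documentation): a pre-flight
# wrapper that validates the values this page describes for
# `edgecli vault update azure <authMethod> ...` and assembles the command line.
# EDGECLI, SUDO and DRY_RUN are assumptions of this script, not edgecli options.

EDGECLI="${EDGECLI:-./edgecli}"   # path to the Edge CLI binary
SUDO="${SUDO:-}"                  # set SUDO=sudo on bundled k3s installations
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the command only; 0 = execute it

# <name> rule from the page: only alphanumeric, dash, underscore or period;
# no white space or characters such as / ! ?. Exit status 0 means valid.
valid_vault_name() {
    case "$1" in
        "")                return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *)                 return 0 ;;
    esac
}

# <description> rule from the page: at most 150 characters.
valid_description() {
    [ "${#1}" -le 150 ]
}

# <dnsSuffix>: the page gives the default .vault.azure.net and, for FedRAMP,
# the Azure US Government suffix vault.usgovcloudapi.net. Unknown clouds fail.
dns_suffix_for_cloud() {
    case "$1" in
        public|"") printf '%s\n' '.vault.azure.net' ;;
        usgov)     printf '%s\n' 'vault.usgovcloudapi.net' ;;
        *)         return 1 ;;
    esac
}

# A certificate or key file passed via --certPath should be readable by its
# owner only. Reads the group/other part of the mode column of `ls -ld`.
private_file() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Assemble the update command for one authentication method.
# usage: build_update_cmd <authMethod> <name> <cloud> <description> [flag value ...]
# The description may be an empty string; extra flags (--tenantId, --clientId,
# --certPath, ...) are appended as given.
build_update_cmd() {
    method="$1" name="$2" cloud="$3" desc="$4"
    shift 4
    valid_vault_name "$name"  || { echo "invalid vault name: $name" >&2; return 1; }
    valid_description "$desc" || { echo "description exceeds 150 characters" >&2; return 1; }
    suffix=$(dns_suffix_for_cloud "$cloud") || { echo "unknown cloud: $cloud" >&2; return 1; }
    cmd="${SUDO:+$SUDO }$EDGECLI vault update azure $method $name --dnsSuffix $suffix"
    if [ -n "$desc" ]; then cmd="$cmd --desc '$desc'"; fi
    while [ $# -gt 0 ]; do
        # refuse a --certPath whose file is missing or group-/world-readable
        if [ "$1" = "--certPath" ] && ! private_file "$2"; then
            echo "certificate file '$2' must exist with owner-only permissions" >&2
            return 1
        fi
        cmd="$cmd $1"; shift
    done
    printf '%s\n' "$cmd"
}

# Print (or run) the update command, then the `vault get` check the page recommends.
run_update() {
    cmd=$(build_update_cmd "$@") || return 1
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n%s vault get %s\n' "$cmd" "${SUDO:+$SUDO }$EDGECLI" "$2"
    else
        eval "$cmd" && ${SUDO:+$SUDO }"$EDGECLI" vault get "$2"
    fi
}

# Constructed sample invocation; the identifiers are placeholders, not real values:
# run_update sp-pem Azure-service-principal-PEM usgov "FedRAMP vault" \
#     --tenantId 165 --clientId AZ_22 --certPath ~/azurekey/vault/edge-site.crt
```

With `DRY_RUN=1` (the default) the script only prints the assembled `vault update` and `vault get` lines, so the name, suffix and flags can be reviewed before anything reaches the cluster; set `SUDO=sudo` on bundled k3s installations. Values given to `--clientSecret` and `--certPassword` are ordinary command-line arguments and are therefore visible in the shell history and in the process list while `edgecli` runs, which is why the wrapper at least insists that the certificate file itself is owner-readable only.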