Manage Azure Key Vault
You can use the Edge CLI tool to manage and update your Edge vault integration.
In this topic, we explore how to:
- Access vault help flags and required parameters.
- Review and update your vault integration.
Access vault help
This feature is available only in the latest UI.
As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your vault configuration. To review the helpful flags and required parameters for your vault integration, run one of the following commands in the Edge CLI, depending on the Kubernetes cluster where your Edge site is installed:
- Bundled k3s installations:
        sudo ./edgecli vault create <vault> <authMethod> -h
- Managed Kubernetes installations:
        ./edgecli vault create <vault> <authMethod> -h
| Properties | Description |
|---|---|
| <vault> | Your vault provider. For example, CyberArk or HashiCorp. |
| <authMethod> | The authentication method for your vault provider. For example, mTLS for a CyberArk vault. |
For example, the Managed Kubernetes help command for Managed Identity assigned to Azure VM authentication, followed by its output:
./edgecli vault create azure managed-identity -h
create Azure Key Vault vault with managed identity authN type
Usage:
edgecli vault create azure managed-identity <identifier> [flags]
Global Flags:
--desc string description for the vault [optional]
--dnsSuffix string (default: .vault.azure.net) [optional]
-h, --help
--name string name for the vault [optional]
Edit your vault integration
Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:
- Managed Identity assigned to Azure VM
- Service Principal Secret
- Service Principal with PEM certificate
- Service Principal with PFX certificate
- Workload Identity
Managed Identity assigned to Azure VM authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:
        sudo ./edgecli vault update azure managed-identity <name> \
          --desc <description>
  - Managed Kubernetes installations:
        ./edgecli vault update azure managed-identity <name> \
          --desc <description>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |

  Example (bundled k3s; omit sudo on managed Kubernetes):
        sudo ./edgecli vault update azure managed-identity Azure-managed-identity
- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:
        sudo ./edgecli vault get <name>
  - Managed Kubernetes installations:
        ./edgecli vault get <name>
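The following script is an added example and is not part of the Collibra documentation or the Edge CLI itself. It checks the <name> and <description> values against the rules stated in the table above before the update command is run, and picks the sudo prefix for a bundled k3s install versus a managed Kubernetes install. The helper names, the `k3s`/`managed` selector and the 63-character cap on the name (the Kubernetes label-value limit that the Labels and Selectors reference points to) are this example's assumptions; the script prints the commands for review rather than executing them.

```shell
#!/bin/sh
# Added example, not Collibra's code: validate <name> and <description> locally
# before calling `edgecli vault update`, and choose the prefix for the install
# type. Character rules and the 150-character description cap come from the
# page; the 63-character name cap is the Kubernetes label-value limit
# (assumption: Edge enforces the same bound).

# Exit 0 if NAME is acceptable, 1 otherwise (reason on stderr).
validate_vault_name() {
  name=$1
  [ -n "$name" ] || { echo "name is required" >&2; return 1; }
  [ ${#name} -le 63 ] || { echo "name exceeds 63 characters" >&2; return 1; }
  case "$name" in
    *[!A-Za-z0-9._-]*)
      echo "name may contain only alphanumerics, '-', '_' and '.'" >&2; return 1 ;;
  esac
  # Kubernetes label values must begin and end with an alphanumeric character.
  case "$name" in
    [!A-Za-z0-9]*|*[!A-Za-z0-9])
      echo "name must start and end with an alphanumeric" >&2; return 1 ;;
  esac
  return 0
}

# Exit 0 if DESCRIPTION is at most 150 characters.
validate_description() {
  desc=$1
  [ ${#desc} -le 150 ] || { echo "description exceeds 150 characters" >&2; return 1; }
  return 0
}

# Print (do not run) the update command for INSTALL_KIND (k3s|managed),
# NAME and an optional DESCRIPTION, so it can be reviewed before execution.
build_update_cmd() {
  install_kind=$1; vault=$2; desc=$3
  validate_vault_name "$vault" || return 1
  validate_description "$desc" || return 1
  case "$install_kind" in
    k3s)     prefix="sudo ./edgecli" ;;
    managed) prefix="./edgecli" ;;
    *) echo "unknown install kind: $install_kind" >&2; return 1 ;;
  esac
  if [ -n "$desc" ]; then
    printf '%s vault update azure managed-identity %s --desc "%s"\n' "$prefix" "$vault" "$desc"
  else
    printf '%s vault update azure managed-identity %s\n' "$prefix" "$vault"
  fi
}

# Same prefix logic for the verification step.
build_get_cmd() {
  case "$1" in
    k3s)     printf 'sudo ./edgecli vault get %s\n' "$2" ;;
    managed) printf './edgecli vault get %s\n' "$2" ;;
    *) echo "unknown install kind: $1" >&2; return 1 ;;
  esac
}

# Usage: print the commands for a bundled k3s site, then review and run them.
build_update_cmd k3s Azure-managed-identity "Production Key Vault" && \
  build_get_cmd k3s Azure-managed-identity
```

The name check rejects whitespace and `/`, `!`, `?` because they fall outside the permitted character class, and additionally rejects a leading or trailing dash, underscore or period, which Kubernetes labels disallow. The description check counts characters, so multi-byte text is measured the way the shell sees it.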
Service Principal Secret authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:
        sudo ./edgecli vault update azure sp-secret <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --clientSecret <clientSecret>
  - Managed Kubernetes installations:
        ./edgecli vault update azure sp-secret <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --clientSecret <clientSecret>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <dnsSuffix> | The data-plane endpoint for your vault. Note: Edge applies this value by default based on your cloud environment: .vault.azure.net for Collibra Platform Edge sites and vault.usgovcloudapi.net for Collibra Platform for Government Edge sites. You can change this value if you do not use the default. <dnsSuffix> is required if you use a private version of Azure for security purposes. |
  | <tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | <clientId> (required) | The identifier of the service principal client. |
  | <clientSecret> (required) | The secret of the service principal client. |

  Example (bundled k3s; omit sudo on managed Kubernetes):
        sudo ./edgecli vault update azure sp-secret Azure-service-principal \
          --tenantId 165 \
          --clientId AZ_22 \
          --clientSecret Secret123
- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:
        sudo ./edgecli vault get <name>
  - Managed Kubernetes installations:
        ./edgecli vault get <name>
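The following script is an added example and is not Collibra's code. It assembles the `sp-secret` update command with two checks a practitioner would want around the table above: the `--dnsSuffix` value is compared against the two documented endpoints so that a typo cannot silently point the integration at an unexpected host, and the client secret is read from an owner-only file instead of being typed on the command line, where it would be kept in shell history. The helper names, the secret file, the `PREFIX` argument and the leading-dot-stripped comparison are this example's assumptions; the secret value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not Collibra's code: build the sp-secret update command with a
# dnsSuffix sanity check and a secret read from a mode-0600 file.

# Endpoints the page documents; both spellings (with or without the leading
# dot) are accepted by stripping the dot before comparing (assumption).
KNOWN_SUFFIXES="vault.azure.net vault.usgovcloudapi.net"

normalize_suffix() {
  printf '%s\n' "${1#.}"
}

# Exit 0 for a documented suffix, 2 for any other non-empty suffix (a private
# endpoint the operator must have chosen deliberately), 1 when empty.
check_dns_suffix() {
  norm=$(normalize_suffix "$1")
  [ -n "$norm" ] || { echo "dnsSuffix is empty" >&2; return 1; }
  for known in $KNOWN_SUFFIXES; do
    if [ "$norm" = "$known" ]; then return 0; fi
  done
  echo "dnsSuffix '$norm' is not a documented Azure Key Vault endpoint; confirm it is your private endpoint" >&2
  return 2
}

# Print the secret stored in FILE after refusing files readable by anyone but
# the owner (columns 5-10 of `ls -l` are the group and other permission bits).
read_secret_file() {
  file=$1
  [ -f "$file" ] || { echo "secret file not found: $file" >&2; return 1; }
  case "$(ls -ld "$file" | cut -c5-10)" in
    *[rwx]*) echo "secret file $file is readable by group or others" >&2; return 1 ;;
  esac
  cat "$file"
}

# Print (do not run) the update command. PREFIX is "sudo ./edgecli" on bundled
# k3s and "./edgecli" on managed Kubernetes. SUFFIX may be empty to keep the
# default Edge applies for the cloud environment.
build_sp_secret_update() {
  prefix=$1; vault=$2; tenant=$3; client=$4; secret_file=$5; suffix=$6
  secret=$(read_secret_file "$secret_file") || return 1
  cmd="$prefix vault update azure sp-secret $vault --tenantId $tenant --clientId $client --clientSecret $secret"
  if [ -n "$suffix" ]; then
    rc=0
    check_dns_suffix "$suffix" || rc=$?
    [ "$rc" -ne 1 ] || return 1      # empty suffix is an error; rc 2 only warned
    cmd="$cmd --dnsSuffix $suffix"
  fi
  printf '%s\n' "$cmd"
}

# Write a constructed placeholder secret to a fresh owner-only file and print
# its path.
make_secret_file() {
  f=$(mktemp)
  chmod 600 "$f"
  printf '%s' "$1" > "$f"
  printf '%s\n' "$f"
}

# Usage: build the command for a bundled k3s site, review it, then run it.
demo_file=$(make_secret_file "Secret123")   # constructed placeholder secret
build_sp_secret_update "sudo ./edgecli" Azure-service-principal 165 AZ_22 "$demo_file" .vault.azure.net
rm -f "$demo_file"
```

An unrecognised suffix is reported on stderr but still accepted, because the table says a private Azure endpoint is a legitimate reason to change it; only an empty value is rejected outright.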
Service Principal with PEM certificate authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:
        sudo ./edgecli vault update azure sp-pem <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --certPath <certPath>
  - Managed Kubernetes installations:
        ./edgecli vault update azure sp-pem <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --certPath <certPath>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <dnsSuffix> | The data-plane endpoint for your vault. Note: Edge applies this value by default based on your cloud environment: .vault.azure.net for Collibra Platform Edge sites and vault.usgovcloudapi.net for Collibra Platform for Government Edge sites. You can change this value if you do not use the default. <dnsSuffix> is required if you use a private version of Azure for security purposes. |
  | <tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | <clientId> (required) | The identifier of the service principal client. |
  | <certPath> (required) | The file containing the client certificate. |

  Example (bundled k3s; omit sudo on managed Kubernetes):
        sudo ./edgecli vault update azure sp-pem Azure-service-principal-PEM \
          --tenantId 165 \
          --clientId AZ_22 \
          --certPath ~/azurekey/vault/edge-site.crt
- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:
        sudo ./edgecli vault get <name>
  - Managed Kubernetes installations:
        ./edgecli vault get <name>
Service Principal with PFX certificate authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:
        sudo ./edgecli vault update azure sp-pfx <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --certPath <certPath> \
          --certPassword <certPassword>
  - Managed Kubernetes installations:
        ./edgecli vault update azure sp-pfx <name> \
          --desc <description> \
          --dnsSuffix <dnsSuffix> \
          --tenantId <tenantId> \
          --clientId <clientId> \
          --certPath <certPath> \
          --certPassword <certPassword>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <dnsSuffix> | The data-plane endpoint for your vault. Note: Edge applies this value by default based on your cloud environment: .vault.azure.net for Collibra Platform Edge sites and vault.usgovcloudapi.net for Collibra Platform for Government Edge sites. You can change this value if you do not use the default. <dnsSuffix> is required if you use a private version of Azure for security purposes. |
  | <tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | <clientId> (required) | The identifier of the service principal client. |
  | <certPath> (required) | The file containing the client certificate. |
  | <certPassword> (required) | The password used to protect the PFX certificate. |

  Example (bundled k3s; omit sudo on managed Kubernetes):
        sudo ./edgecli vault update azure sp-pfx Azure-service-principal-PFX \
          --tenantId 165 \
          --clientId AZ_22 \
          --certPath ~/azurekey/vault/edge-site.crt \
          --certPassword AZ_PFX_password1
- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:
        sudo ./edgecli vault get <name>
  - Managed Kubernetes installations:
        ./edgecli vault get <name>
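The following script is an added example for both the PEM and the PFX procedures above; it is not Collibra's code. Before choosing between `sp-pem` and `sp-pfx`, it sniffs the certificate file so that the subcommand always matches the file format and a PFX is never submitted without its `--certPassword`. A PEM file begins with a `-----BEGIN` line, while a PFX (PKCS#12) file is DER-encoded and its first byte is 0x30, the ASN.1 SEQUENCE tag. The helper names, the `PREFIX` argument, the password file and the sample files it creates are this example's assumptions; the sample files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not Collibra's code: detect PEM versus PKCS#12 input and build
# the matching edgecli command without running it.

# Print "pem" or "pfx" for FILE; exit 1 if it is unreadable or neither format.
cert_format() {
  cert=$1
  [ -r "$cert" ] || { echo "cannot read certificate file: $cert" >&2; return 1; }
  if head -c 10 "$cert" | grep -q -- '-----BEGIN'; then
    echo pem
  elif [ "$(od -An -N1 -tx1 "$cert" | tr -d ' \n')" = "30" ]; then
    echo pfx
  else
    echo "$cert is neither PEM nor PKCS#12" >&2
    return 1
  fi
}

# Print (do not run) the matching update command. PREFIX is "sudo ./edgecli"
# on bundled k3s or "./edgecli" on managed Kubernetes. PASS_FILE holds the PFX
# password (assumption) and is only consulted for PFX input.
build_cert_update() {
  prefix=$1; vault=$2; tenant=$3; client=$4; cert=$5; pass_file=$6
  fmt=$(cert_format "$cert") || return 1
  case "$fmt" in
    pem)
      printf '%s vault update azure sp-pem %s --tenantId %s --clientId %s --certPath %s\n' \
        "$prefix" "$vault" "$tenant" "$client" "$cert" ;;
    pfx)
      [ -r "$pass_file" ] || { echo "PFX requires --certPassword; password file missing: $pass_file" >&2; return 1; }
      printf '%s vault update azure sp-pfx %s --tenantId %s --clientId %s --certPath %s --certPassword %s\n' \
        "$prefix" "$vault" "$tenant" "$client" "$cert" "$(cat "$pass_file")" ;;
  esac
}

# Create constructed sample files in a temp dir and print its path:
# edge-site.crt (PEM-shaped placeholder), edge-site.pfx (two DER-looking
# bytes, 0x30 0x82) and pfx.pass (placeholder password).
make_sample_files() {
  dir=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/edge-site.crt"
  printf '\060\202' > "$dir/edge-site.pfx"
  printf '%s' "AZ_PFX_password1" > "$dir/pfx.pass"
  printf '%s\n' "$dir"
}

# Usage: build both commands from the sample files, then review and run them.
samples=$(make_sample_files)
build_cert_update "sudo ./edgecli" Azure-service-principal-PEM 165 AZ_22 "$samples/edge-site.crt" ""
build_cert_update "sudo ./edgecli" Azure-service-principal-PFX 165 AZ_22 "$samples/edge-site.pfx" "$samples/pfx.pass"
rm -rf "$samples"
```

Sniffing the content rather than trusting the file extension matters because the page's own examples pass a `.crt` path in both procedures; the format check, not the name, decides which subcommand is correct.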
Workload Identity authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:
        sudo ./edgecli vault update azure workload-identity <name> \
          --clientId <clientId> \
          --tenantId <tenantId>
  - Managed Kubernetes installations:
        ./edgecli vault update azure workload-identity <name> \
          --clientId <clientId> \
          --tenantId <tenantId>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It must be unique within an Edge site. For the Kubernetes naming conventions that apply to the <name> parameter, see Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <tenantId> (required) | The unique identifier of the Azure AD instance that the Azure Key Vault belongs to. |
  | <clientId> (required) | The identifier of the workload identity client. |

  Example (bundled k3s; omit sudo on managed Kubernetes):
        sudo ./edgecli vault update azure workload-identity Azure-workload-identity \
          --clientId AZ_23 \
          --tenantId 165
- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:
        sudo ./edgecli vault get <name>
  - Managed Kubernetes installations:
        ./edgecli vault get <name>