Manage CyberArk vault

You can use the Edge CLI tool to manage and update your Edge vault integration.

In this topic, we explore how to:

  • Access vault help flags and required parameters.
  • Review and update your vault integration

Access vault help

This feature is available only in the latest UI.

As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your vault configuration. To review the helpful flags and required parameters for your vault integration, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:

  • Bundled k3s installations:
    sudo ./edgecli vault create <vault> <authMethod> -h
  • Managed Kubernetes installations:
    ./edgecli vault create <vault> <authMethod> -h
Property      Description
<vault>       Your vault provider. For example, CyberArk or HashiCorp.
<authMethod>  The authentication method for your vault provider. For example, mTLS for a CyberArk vault.
Example

Help command for mTLS authentication.

./edgecli vault create cyber tls -h
create CyberArk Credential Provider vault with tls authN type

Usage:
  edgecli vault create cyber tls <identifier> [flags]

Flags:
      --caPath string       path to CA certificate file [optional]
      --certPath string     path to client certificate file
      --keyPassword string  password of the client private key file [optional]
      --keyPath string      path to client private key file (PKCS8 format)

Global Flags:
      --appId string   appId for the CyberArk Credential Provider vault
      --desc string    description for the vault [optional]
  -h, --help
      --name string    name for the vault [optional]
      --url string     the url/address to reach for the vault

Edit your vault integration

Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:

mTLS authentication

Prerequisites

Steps

  Bundled k3s installations:

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    sudo ./edgecli vault update hashicorp user-pass <name> \
      --desc <description> \
      --user <username> \
      --pass <password> \
      --caPath <caPath> \
      --url <url>
    Property Description
    <name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <description> (optional) The description of the vault instance. The maximum length is 150 characters.
    <user> (required) The username for your vault.
    <pass> (required) The password for your vault.
    <caPath> (optional) The file containing the Certificate Authority certificate. If you use --caPath, the file must be in PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTP endpoint is used for Username/Password authentication.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional) A unique namespace in your vault.
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:
    sudo ./edgecli vault get <name>
  Managed Kubernetes installations:

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    ./edgecli vault update hashicorp user-pass <name> \
      --desc <description> \
      --user <username> \
      --pass <password> \
      --caPath <caPath> \
      --url <url>
    Property Description
    <name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <description> (optional) The description of the vault instance. The maximum length is 150 characters.
    <user> (required) The username for your vault.
    <pass> (required) The password for your vault.
    <caPath> (optional) The file containing the Certificate Authority certificate. If you use --caPath, the file must be in PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTP endpoint is used for Username/Password authentication.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional) A unique namespace in your vault.
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:
    ./edgecli vault get <name>

Allow-list authentication

Prerequisites

Steps

  Bundled k3s installations:

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    Note When using the allow-list authentication method, you only need to include the vault integration variable that you want to update.
    sudo ./edgecli vault update hashicorp tls <name> \
      --authName <authName> \
      --desc <description> \
      --caPath <caPath> \
      --certPath <certPath> \
      --keyPassword <keyPassword> \
      --keyPath <keyPath> \
      --url <url>
    Property Description
    <name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <authName> (required) The name of the HashiCorp Vault endpoint.
    <description> (optional) The description of the vault instance. The maximum length is 150 characters.
    <caPath> (optional) The file containing the Certificate Authority certificate. If you use --caPath, the file must be in PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTPS certificate used for SSL/TLS endpoint termination is supplied with its certificate chain and the root certificate is in a Java trust store.
    <certPath> (required) The file containing the client certificate.
    <keyPassword> (optional) The password for the client private key file.
    <keyPath> (required) The file containing the client private key.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional) A unique namespace in your vault.
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:
    ./edgecli vault get <name>
  Managed Kubernetes installations:

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
    ./edgecli vault update hashicorp tls <name> \
      --authName <authName> \
      --desc <description> \
      --caPath <caPath> \
      --certPath <certPath> \
      --keyPassword <keyPassword> \
      --keyPath <keyPath> \
      --url <url>
    Property Description
    <name> (required) The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
    Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
    <authName> (required) The name of the HashiCorp Vault endpoint.
    <description> (optional) The description of the vault instance. The maximum length is 150 characters.
    <caPath> (optional) The file containing the Certificate Authority certificate. If you use --caPath, the file must be in PKCS#8 format.
    Note A --caPath file is optionally included for the creation of the authentication endpoint. It is not required if the HTTPS certificate used for SSL/TLS endpoint termination is supplied with its certificate chain and the root certificate is in a Java trust store.
    <certPath> (required) The file containing the client certificate.
    <keyPassword> (optional) The password for the client private key file.
    <keyPath> (required) The file containing the client private key.
    <url> (required) The URL of the HashiCorp Vault.
    <vaultNamespace> (optional) A unique namespace in your vault.
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes were applied:
    ./edgecli vault get <name>
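As an added example (not code from the Edge docs or from the edgecli tool itself), the POSIX shell wrapper below applies the property rules from both update procedures before calling the CLI: it checks the vault name and the 150-character description limit, checks that a --keyPath file is a PKCS#8 PEM key and that an encrypted key is accompanied by a --keyPassword, then runs the update and reads the vault back with get. The function names, the k3s/managed selector and the assumption that edgecli sits in the current directory are mine, not the product's.

```shell
#!/bin/sh
# Added example, not part of the Edge docs or the edgecli tool: pre-flight checks for
# the values passed to "edgecli vault update", then the update and the "get" readback.
# Assumes edgecli is in the current directory and the flag names shown above.
set -eu

# Name rule from the docs: alphanumerics, '-', '_' and '.' only; no whitespace, '/', '!', '?'.
# Kubernetes label values must also begin and end with an alphanumeric character.
valid_vault_name() {
  case "$1" in
    '' | *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  case "$1" in
    [A-Za-z0-9] | [A-Za-z0-9]*[A-Za-z0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Description rule from the docs: at most 150 characters.
valid_description() {
  [ "${#1}" -le 150 ]
}

# Prints "plain" for an unencrypted PKCS#8 PEM key, "encrypted" for an encrypted one,
# and fails for anything else (for example a PKCS#1 "BEGIN RSA PRIVATE KEY" file).
pkcs8_key_kind() {
  if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo encrypted
  elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then echo plain
  else return 1
  fi
}

# An encrypted --keyPath needs a --keyPassword; a plain key needs none.
key_password_consistent() {
  kind=$(pkcs8_key_kind "$1") || return 1
  [ "$kind" = plain ] || [ -n "${2:-}" ]
}

# $1 = "k3s" (bundled install, runs with sudo) or "managed"; $2 = vault provider;
# $3 = auth method; $4 = vault name; remaining arguments are the flags to update.
update_and_verify() {
  install_kind="$1"; vault="$2"; auth="$3"; name="$4"; shift 4
  valid_vault_name "$name" || { echo "invalid vault name: $name" >&2; return 1; }
  if [ "$install_kind" = k3s ]; then run="sudo ./edgecli"; else run="./edgecli"; fi
  $run vault update "$vault" "$auth" "$name" "$@"
  $run vault get "$name"      # read the vault back to confirm the change
}
```

Example call: update_and_verify k3s hashicorp tls prod-vault --keyPath client.key --keyPassword "$KEY_PASS", after key_password_consistent client.key "$KEY_PASS" has passed.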
