Manage Google Secret Manager vault
You can use the Edge CLI tool to manage and update your Edge vault integration.
In this topic, we explore how to:
- Access vault help flags and required parameters.
- Review and update your vault integration.
Access vault help
This feature is available only in the latest UI.
As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your vault configuration. To review the helpful flags and required parameters for your vault integration, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:
- Bundled k3s installations:

  sudo ./edgecli vault create <vault> <authMethod> -h

- Managed Kubernetes installations:

  ./edgecli vault create <vault> <authMethod> -h
| Properties | Description |
|---|---|
| <vault> | Your vault provider. For example, CyberArk or HashiCorp. |
| <authMethod> | The authentication method for your vault provider. For example, mTLS for a CyberArk vault. |
For example, the Managed Kubernetes help command for the IAM Role assigned to the Google Cloud Engine VM authentication method returns the following:
./edgecli vault create gcp iam-role -h
create GCP Secret Manager vault with IAM role authN type
Usage:
edgecli vault create gcp iam-role <identifier> [flags]
Global Flags:
--address string the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--projectId string project identifier associated with the GCP Secret Manager vault
Edit your vault integration
Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:
IAM Role assigned to the Google Cloud Engine VM authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:

    sudo ./edgecli vault update gcp iam-role <name> \
    --desc <description> \
    --projectId <projectId>

  - Managed Kubernetes installations:

    ./edgecli vault update gcp iam-role <name> \
    --desc <description> \
    --projectId <projectId>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It is required and must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <projectId> (required) | The ID of the Google Cloud project which contains the Google Secret Manager. |

  Example (bundled k3s; omit sudo on Managed Kubernetes):

    sudo ./edgecli vault update gcp iam-role GCP-IAM \
    --projectId=IAM_145

- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:

    sudo ./edgecli vault get <name>

  - Managed Kubernetes installations:

    ./edgecli vault get <name>
Service Account JSON Key authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:

  Note: When using the allow-list authentication method, you only need to include the vault integration variable that you want to update.

  - Bundled k3s installations:

    sudo ./edgecli vault update gcp sa-json <name> \
    --desc <description> \
    --projectId <projectId> \
    --keyPath <keyPath>

  - Managed Kubernetes installations:

    ./edgecli vault update gcp sa-json <name> \
    --desc <description> \
    --projectId <projectId> \
    --keyPath <keyPath>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It is required and must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <projectId> (required) | The ID of the Google Cloud project which contains the Google Secret Manager. |
  | <keyPath> (required) | The file containing the Client Private Key. |

  Example (bundled k3s; omit sudo on Managed Kubernetes):

    sudo ./edgecli vault update gcp sa-json GCP-JSON \
    --projectId=JSON_145 \
    --keyPath=~/GCP/vault/edge-site.json

- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:

    sudo ./edgecli vault get <name>

  - Managed Kubernetes installations:

    ./edgecli vault get <name>
Service Account P12 Key authentication
Prerequisites
- Ensure that your environment uses the latest user interface.
- You have added a vault in your Edge site.
- You have installed and configured the Edge CLI tool.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
  - Bundled k3s installations:

    sudo ./edgecli vault update gcp sa-json <name> \
    --desc <description> \
    --projectId <projectId> \
    --keyPath <keyPath> \
    --keyPassword <keyPassword> \
    --emailAddress <emailAddress>

  - Managed Kubernetes installations:

    ./edgecli vault update gcp sa-json <name> \
    --desc <description> \
    --projectId <projectId> \
    --keyPath <keyPath> \
    --keyPassword <keyPassword> \
    --emailAddress <emailAddress>

  | Command | Description |
  |---|---|
  | <name> (required) | The name of the vault instance. It is required and must be unique within an Edge site. For Kubernetes guidelines on the required naming conventions of the <name> parameter, go to Labels and Selectors. Note: the name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
  | <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
  | <projectId> (required) | The ID of the Google Cloud project which contains the Google Secret Manager. |
  | <keyPath> (required) | The file containing the Client Private Key. |
  | <keyPassword> | The P12 password. Note: a password passed as a command-line argument is visible in the shell history and in process listings on the node while the command runs. |
  | <emailAddress> | The Google Service Account email address. |

  Example (bundled k3s; omit sudo on Managed Kubernetes):

    sudo ./edgecli vault update gcp sa-json GCP-P12 \
    --projectId P12_145 \
    --keyPath /GCP/vault/edge-site.p12 \
    --keyPassword GCP_edge_vault_password \
    --emailAddress [email protected]

- Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
  - Bundled k3s installations:

    sudo ./edgecli vault get <name>

  - Managed Kubernetes installations:

    ./edgecli vault get <name>
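The following pre-flight check is an added example, not part of the Edge CLI or of this page: it validates the <name> and <description> values against the rules given in the tables above for all three authentication methods, and confirms that the service account key file passed as <keyPath> exists and cannot be read by group or others before the update command is assembled. The build_update_cmd helper and the key-file permission check are assumptions added here; the helper prints the command rather than executing it.

```shell
#!/bin/sh
# Added pre-flight check, not part of the Edge CLI: validates the values this
# page's tables constrain before they reach "edgecli vault update gcp ...".

# <name>: alphanumeric, dash, underscore or period only; no white space or / ! ?
valid_vault_name() {
  case "$1" in
    '') return 1 ;;                 # an empty name is never valid
    *[!A-Za-z0-9._-]*) return 1 ;;  # any other character rejects the name
  esac
  return 0
}

# <description>: optional, at most 150 characters.
valid_vault_desc() {
  [ "${#1}" -le 150 ]
}

# <keyPath>: must be a regular file that group and others cannot read, since it
# holds the service account's private key (a check added here, not on the page).
key_file_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumed helper: runs every check, then prints (does not execute) the sa-json
# update command. The iam-role form is the same without --keyPath.
build_update_cmd() {
  name=$1; desc=$2; project=$3; keypath=$4
  valid_vault_name "$name" || { echo "invalid vault name: $name" >&2; return 1; }
  valid_vault_desc "$desc" || { echo "description exceeds 150 characters" >&2; return 1; }
  key_file_is_private "$keypath" || { echo "key file missing or readable by others: $keypath" >&2; return 1; }
  printf '%s\n' "./edgecli vault update gcp sa-json $name --desc \"$desc\" --projectId $project --keyPath $keypath"
}
```

Prefix the printed command with sudo on bundled k3s installations.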