Manage HashiCorp vault

You can use the Edge CLI tool to manage and update your Edge vault integration.

In this topic, we explore how to:

  • Access vault help flags and required parameters.
  • Review and update your vault integration.

Access vault help

This feature is available only in the latest UI.

As an Edge Administrator, you can use the Edge CLI for support when setting up and managing your Vault configuration. To review the helpful flags and required parameters for your vault integration, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:

  • Bundled k3s installations:
    sudo ./edgecli vault create <vault> <authMethod> -h
  • Managed Kubernetes installations:
    ./edgecli vault create <vault> <authMethod> -h

Property      Description
<vault>       Your vault provider. For example, CyberArk or HashiCorp.
<authMethod>  The authentication method for your vault provider. For example, mTLS for a CyberArk vault.

Example

Help command for username and password authentication.

./edgecli vault create hashicorp user-pass -h
create HashiCorp secret vault with user-pass authN type

Usage:
  edgecli vault create hashicorp user-pass <identifier> [flags]

Flags:
      --caPath string           path to CA certificate file [optional]
      --vaultNamespace string   optional - A specific non default namespace in vault
      --pass string             password in user-pass auth
      --user string             username in user-pass auth

Global Flags:
      --desc string   description for the vault [optional]
  -h, --help
      --name string   name for the vault [optional]
      --url string    the url to reach for the vault

Edit your vault integration

Use the Edge CLI tool to inspect and update the configuration of your vault integration based on your authentication method:

Username and password authentication

Prerequisites

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
     Note When using the mTLS authentication method, you must include the following three variables, even if you are only updating one variable:
     • caPath
     • certPath
     • keyPath
     • Bundled k3s installations:
       sudo ./edgecli vault create cyber tls <name> \
         --caPath <caPath> \
         --certPath <certPath> \
         --keyPath <keyPath>
     • Managed Kubernetes installations:
       ./edgecli vault create cyber tls <name> \
         --caPath <caPath> \
         --certPath <certPath> \
         --keyPath <keyPath>

     Property      Description
     <name> (required)
         The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
         Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
     <description> (optional)
         The description of the vault instance. The maximum character length is 150.
     <appId> (required)
         The application ID configured on the CyberArk server.
     <url> (required)
         The URL of your CyberArk Vault.
         Note You can specify different service paths if you have multiple virtual applications in IIS. For example, if your CyberArk URL is https://1.2.3.4 but you have a virtual application in AIMWebService/api/Accounts, configure the URL as https://1.2.3.4/AIMWebService/api/Accounts.
     <caPath> (required)
         The file containing the Certificate Authority. It must be in X.509 format (PEM encoded).
     <certPath> (required)
         The file containing the Client Certificate. It must be in X.509 format (PEM encoded).
     <keyPassword> (optional)
         The password for the Client Private Key file.
     <keyPath> (required)
         The file containing the Client Private Key. It must be in PKCS#8 format (PEM encoded).
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
     • Bundled k3s installations:
       sudo ./edgecli vault get <name>
     • Managed Kubernetes installations:
       ./edgecli vault get <name>

TLS authentication

Prerequisites

Steps

  1. In the cluster where your Edge site is installed, use the Edge CLI to run the following command, including any property flags you want to update:
     Note When using the allow-list authentication method, you only need to include the vault integration variable that you want to update.
     • Bundled k3s installations:
       sudo ./edgecli vault create cyber allow-list <name> \
     • Managed Kubernetes installations:
       ./edgecli vault create cyber allow-list <name> \

     Property      Description
     <name> (required)
         The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors.
         Note The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. The name cannot include white spaces or special characters such as /, !, ?.
     <description> (optional)
         The description of the vault instance.
     <appId> (required)
         The application ID configured on the CyberArk server.
     <url> (required)
         The URL of your CyberArk Vault.
         Note You can specify different service paths if you have multiple virtual applications in IIS. For example, if your CyberArk URL is https://1.2.3.4 but you have a virtual application in AIMWebService/api/Accounts, configure the URL as https://1.2.3.4/AIMWebService/api/Accounts.
     <caPath> (required)
         The file containing the Certificate Authority. It must be in X.509 format (PEM encoded).
  2. Run the following command with your vault name to retrieve your vault information and confirm that your changes are applied:
     • Bundled k3s installations:
       sudo ./edgecli vault get <name>
     • Managed Kubernetes installations:
       ./edgecli vault get <name>
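The property tables in both sections above state format rules that edgecli only reports after the command runs. The following POSIX shell functions are an added pre-flight check, not part of edgecli or this documentation: they verify the name character set from the note, that caPath and certPath are PEM-encoded X.509 certificates, and that keyPath is a PEM-encoded PKCS#8 key rather than a PKCS#1 or SEC1 key. The file names and vault name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added pre-flight checks for the mTLS and allow-list vault inputs. Not part of edgecli.

# Return 0 if the name follows the allowed character set from the note:
# alphanumeric, dash, underscore or period, with no whitespace or other symbols.
valid_vault_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]+$'
}

# Return 0 if the file is readable and carries a PEM X.509 certificate header
# (used for both the CA file and the client certificate file).
is_pem_x509() {
  [ -r "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 only for a PKCS#8 PEM key, encrypted or not. PKCS#1 ("BEGIN RSA PRIVATE KEY")
# and SEC1 ("BEGIN EC PRIVATE KEY") headers are rejected because edgecli requires PKCS#8.
is_pem_pkcs8() {
  [ -r "$1" ] && grep -Eq '^-----BEGIN (ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Check every mTLS input; report each problem and return 1 if any check fails.
check_tls_vault_inputs() {
  name=$1; ca=$2; cert=$3; key=$4; rc=0
  valid_vault_name "$name" || { echo "name '$name' contains disallowed characters"; rc=1; }
  is_pem_x509 "$ca"        || { echo "caPath '$ca' is not a PEM X.509 certificate"; rc=1; }
  is_pem_x509 "$cert"      || { echo "certPath '$cert' is not a PEM X.509 certificate"; rc=1; }
  is_pem_pkcs8 "$key"      || { echo "keyPath '$key' is not a PEM PKCS#8 private key"; rc=1; }
  return $rc
}

# Usage with hypothetical names: run the checks, then the update command from the steps above.
# check_tls_vault_inputs my-vault ca.pem client.pem client-key.pem &&
#   sudo ./edgecli vault create cyber tls my-vault \
#     --caPath ca.pem --certPath client.pem --keyPath client-key.pem
```

For the allow-list method, call valid_vault_name and is_pem_x509 on the name and caPath only, since that method takes no client certificate or key.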

What's next