How to access help for Vaults
Important: This feature is available only in the latest UI.
If you need any help with the vault command parameters, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:
- Bundled k3s installations:
sudo ./edgecli vault create <vault> <authMethod> -h
- Managed Kubernetes installations:
./edgecli vault create <vault> <authMethod> -h
Properties | Description |
---|---|
<vault> | The type of vault application you use, for example, CyberArk or HashiCorp. |
<authMethod> | The authentication method you use to connect to your vault. |
Available vaults
Tip: You can use a vault to add your data source information to your site connection.
- AWS Secrets Manager
- Azure Key Vault
- CyberArk Vault
- Google Secret Manager
- HashiCorp Vault
Example
CyberArk Vault with mTLS authentication:
./edgecli vault create cyber tls -h
create CyberArk Credential Provider vault with tls authN type
Usage:
edgecli vault create cyber tls <identifier> [flags]
Flags:
--caPath string path to CA certificate file [optional]
--certPath string path to client certificate file
--keyPath string path to client private key file (PKCS8 format)
Global Flags:
--appId string appId for the CyberArk Credential Provider vault
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--url string the url/address to reach for the vault
CyberArk Vault with allow-list authentication:
./edgecli vault create cyber allow-list -h
create CyberArk Credential Provider vault with allow-list authN type
Usage:
edgecli vault create cyber allow-list <identifier> [flags]
Flags:
--caPath string path to CA certificate file [optional]
Global Flags:
--appId string appId for the CyberArk Credential Provider vault
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--url string the url/address to reach for the vault
HashiCorp Vault with username and password authentication method:
./edgecli vault create hashicorp user-pass -h
create HashiCorp secret vault with user-pass authN type
Usage:
edgecli vault create hashicorp user-pass <identifier> [flags]
Flags:
--caPath string path to CA certificate file [optional]
--vaultNamespace string optional - A specific non default namespace in vault
--pass string password in user-pass auth
--user string username in user-pass auth
Global Flags:
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--url string the url to reach for the vault
HashiCorp Vault with TLS authentication method:
./edgecli vault create hashicorp tls -h
create HashiCorp Vault vault with tls authN type
Usage:
edgecli vault create hashicorp tls <identifier> [flags]
Flags:
--authName string name of the HashiCorp Vault authentication endpoint
--caPath string path to CA certificate file [optional]
--certPath string path to client certificate file
--keyPath string path to client private key file (PKCS8 format)
--vaultNamespace string optional - A specific non default namespace in vault
Global Flags:
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--url string the url to reach for the vault
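The CyberArk mTLS and HashiCorp TLS commands above both take --keyPath with a private key in PKCS8 format. The following preflight check is an added example, not part of the Edge CLI or its documentation: `key_format` and `check_key_file` are hypothetical helper names, and the script assumes the key is PEM-encoded and unencrypted, which the help text does not state.

```shell
#!/bin/sh
# Added example (not part of edgecli): preflight check for a key file
# before it is passed to --keyPath. Helper names are hypothetical.

# Classify a PEM private key by its first BEGIN line.
# Prints: pkcs8 | pkcs8-encrypted | pkcs1-rsa | sec1-ec | openssh | unknown
key_format() {
    # Strip CRs so keys saved with Windows line endings still match.
    header=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN /{p;q;}')
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh ;;
        *)                                       echo unknown ;;
    esac
}

# Returns 0 only if the file is an unencrypted PKCS#8 PEM key (assumed to be
# what --keyPath expects) and is not accessible to group or other users.
check_key_file() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    rc=0
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]; then
        echo "key is accessible to group/other; run: chmod 600 $1" >&2
        rc=1
    fi
    fmt=$(key_format "$1")
    case "$fmt" in
        pkcs8) ;;
        pkcs1-rsa|sec1-ec)
            echo "$fmt key; convert with:" >&2
            echo "  openssl pkcs8 -topk8 -nocrypt -in $1 -out <new-file>" >&2
            rc=1 ;;
        *)  echo "$fmt: not an unencrypted PKCS#8 PEM key" >&2
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_key.sh /path/to/client.key
if [ "$#" -gt 0 ]; then check_key_file "$1"; fi
```

A DER-encoded key has no PEM header and is reported as `unknown`.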
Azure Key Vault with Managed Identity assigned to Azure VM authentication method:
./edgecli vault create azure managed-identity -h
create Azure Key Vault vault with managed identity authN type
Usage:
edgecli vault create azure managed-identity <identifier> [flags]
Global Flags:
--desc string description for the vault [optional]
--dnsSuffix string (default: .vault.azure.net) [optional]
-h, --help
--name string name for the vault [optional]
Azure Key Vault with Service Principal Secret authentication method:
./edgecli vault create azure sp-secret -h
create Azure Key Vault vault with service principal secret authN type
Usage:
edgecli vault create azure sp-secret <identifier> [flags]
Flags:
--clientId string identifier of the service principal client
--clientSecret string secret of the service principal client
--tenantId string unique identifier of the Azure AD instance the Azure Key Vault vault belongs to
Global Flags:
--desc string description for the vault [optional]
--dnsSuffix string (default: .vault.azure.net) [optional]
-h, --help
--name string name for the vault [optional]
Azure Key Vault with Service Principal with PEM certificate authentication method:
./edgecli vault create azure sp-pem -h
create Azure Key Vault vault with service principal PEM certificate authN type
Usage:
edgecli vault create azure sp-pem <identifier> [flags]
Flags:
--certPath string path to the PEM certificate file used for authenticating against the Azure Key Vault vault
--clientId string identifier of the service principal client
--tenantId string unique identifier of the Azure AD instance the Azure Key Vault vault belongs to
Global Flags:
--desc string description for the vault [optional]
--dnsSuffix string (default: .vault.azure.net) [optional]
-h, --help
--name string name for the vault [optional]
Azure Key Vault with Service Principal with PFX certificate authentication method:
./edgecli vault create azure sp-pfx -h
create Azure Key Vault vault with service principal PFX certificate authN type
Usage:
edgecli vault create azure sp-pfx <identifier> [flags]
Flags:
--certPassword string password used to protect the PFX certificate [optional]
--certPath string path to the PFX certificate file used for authenticating against the Azure Key Vault vault
--clientId string identifier of the service principal client
--tenantId string unique identifier of the Azure AD instance the Azure Key Vault vault belongs to
Global Flags:
--desc string description for the vault [optional]
--dnsSuffix string (default: .vault.azure.net) [optional]
-h, --help
--name string name for the vault [optional]
AWS Secrets Manager with IAM Access Key authentication method:
./edgecli vault create aws key-secret -h
create AWS Secrets Manager vault with key/secret authN type
Usage:
edgecli vault create aws key-secret <identifier> [flags]
Flags:
--accessKey string access key itself
--accessKeyId string id of the access key
Global Flags:
--desc string description for the vault [optional]
--endpointOverride string overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
-h, --help
--name string name for the vault [optional]
--region string region to be used by the client, used to determine both the service endpoint and signing region [optional]
AWS Secrets Manager with Instance Profile authentication method:
./edgecli vault create aws instance-profile -h
create AWS Secrets Manager with instance profile authN type
Usage:
edgecli vault create aws key-secret <identifier> [flags]
Global Flags:
--desc string description for the vault [optional]
--endpointOverride string overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
-h, --help
--name string name for the vault [optional]
--region string region to be used by the client, used to determine both the service endpoint and signing region [optional]
AWS Secrets Manager with Assume Role authentication method:
./edgecli vault create aws assume-role -h
create AWS Secrets Manager vault with assume role authN type
Usage:
edgecli vault create aws assume-role <identifier> [flags]
Flags:
--roleArn string ARN of role to assume
--roleSessionName string name to give the temp token session
Global Flags:
--desc string description for the vault [optional]
--endpointOverride string overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
-h, --help
--name string name for the vault [optional]
--region string region to be used by the client, used to determine both the service endpoint and signing region [optional]
Google Secret Manager with IAM Role assigned to the Google Cloud Engine VM authentication method:
./edgecli vault create gcp iam-role -h
create GCP Secret Manager vault with IAM role authN type
Usage:
edgecli vault create gcp iam-role <identifier> [flags]
Global Flags:
--address string the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--projectId string project identifier associated with the GCP Secret Manager vault
Google Secret Manager with Service Account JSON Key authentication method:
./edgecli vault create gcp sa-json -h
create GCP Secret Manager vault with JSON service account key authN type
Usage:
edgecli vault create gcp sa-json <identifier> [flags]
Flags:
--keyPath string path to JSON key file
Global Flags:
--address string the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--projectId string project identifier associated with the GCP Secret Manager vault
Google Secret Manager with Service Account P12 Key authentication method:
./edgecli vault create gcp sa-p12 -h
create GCP Secret Manager vault with P12 service account key authN type
Usage:
edgecli vault create gcp sa-p12 <identifier> [flags]
Flags:
--emailAddress string e-mail address of the client
--keyPassword string password for the private P12 key file
--keyPath string path to client private key file (PKCS8 format)
Global Flags:
--address string the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
--desc string description for the vault [optional]
-h, --help
--name string name for the vault [optional]
--projectId string project identifier associated with the GCP Secret Manager vault