How to access help for Vaults

Important  This feature is available only in the latest UI.

Important This topic uses the Edge CLI. If you still use the deprecated Edge tool, go to the Edge Tool documentation to review the relevant commands. Keep in mind that the Edge Tool will be end of life with the February 2025.02 release.

If you need any help with the vault command parameters, run one of the following commands in the Edge CLI, based on the Kubernetes cluster where your Edge site is installed:

  • Bundled k3s installations:
    Copy
    sudo ./edgecli vault create <vault> <authMethod> -h
  • Managed Kubernetes installations:
    Copy
    ./edgecli vault create <vault> <authMethod> -h
Properties Description
<vault> The type of vault application you use, for example, CyberArk or HashiCorp.
<authMethod> The authentication method you use to connect to your vault.

Example

Available vaults

Tip 

Select your Kubernetes cluster:

You can use a vault to add your data source information to your site connection.

AWS Secrets Manager
Azure Key Vault
CyberArk Vault
Google Secret Manager
HashiCorp Vault

Select your authentication method:

 
CyberArk Vault with mTLS authentication:
./edgecli vault create cyber tls -h
create CyberArk Credential Provider vault with tls authN type

Usage:
  edgecli vault create cyber tls <identifier> [flags]

Flags:
      --caPath string     path to CA certificate file [optional]
      --certPath string   path to client certificate file
      --keyPath string    path to client private key file (PKCS8 format)

Global Flags:
      --appId string   appId for the CyberArk Credential Provider vault
      --desc string    description for the vault [optional]
  -h, --help
      --name string    name for the vault [optional]
      --url string     the url/address to reach for the vault
CyberArk Vault with allow-list authentication:
./edgecli vault create cyber allow-list -h
create CyberArk Credential Provider vault with allow-list authN type

Usage:
  edgecli vault create cyber allow-list <identifier> [flags]

Flags:
      --caPath string     path to CA certificate file [optional]

Global Flags:
      --appId string   appId for the CyberArk Credential Provider vault
      --desc string    description for the vault [optional]
  -h, --help
      --name string    name for the vault [optional]
      --url string     the url/address to reach for the vault
HashiCorp Vault with username and password authentication method:
./edgecli vault create hashicorp user-pass -h
create HashiCorp secret vault with user-pass authN type

Usage:
  edgecli vault create hashicorp user-pass <identifier> [flags]

Flags:
      --caPath string           path to CA certificate file [optional]
      --vaultNamespace string   optional - A specific non default namespace in vault
      --pass string             password in user-pass auth
      --user string             username in user-pass auth

Global Flags:
      --desc string   description for the vault [optional]
  -h, --help
      --name string   name for the vault [optional]
      --url string    the url to reach for the vault
HashiCorp Vault with TLS authentication method:
./edgecli vault create hashicorp tls -h
create HashiCorp Vault vault with tls authN type

Usage:
  edgecli vault create hashicorp tls <identifier> [flags]

Flags:
      --authName string         name of the HashiCorp Vault authentication endpoint
      --caPath string           path to CA certificate file [optional]
      --certPath string         path to client certificate file
      --keyPath string          path to client private key file (PKCS8 format)
      --vaultNamespace string   optional - A specific non default namespace in vault

Global Flags:
      --desc string   description for the vault [optional]
  -h, --help
      --name string   name for the vault [optional]
      --url string    the url to reach for the vault
Azure Key Vault with Managed Identity assigned to Azure VM authentication method:
./edgecli vault create azure managed-identity -h
create Azure Key Vault vault with managed identity authN type

Usage:
  edgecli vault create azure managed-identity <identifier> [flags]

Global Flags:
      --desc string        description for the vault [optional]
      --dnsSuffix string   (default: .vault.azure.net) [optional]
  -h, --help
      --name string        name for the vault [optional]
Azure Key Vault with Service Principal Secret authentication method:
./edgecli vault create azure sp-secret -h
create Azure Key Vault vault with service principal secret authN type

Usage:
  edgecli vault create azure sp-secret <identifier> [flags]

Flags:
      --clientId string       identifier of the service principal client
      --clientSecret string   secret of the service principal client
      --tenantId string       unique identifier of the Azure AD instance the Azure Key Vault vault belongs to

Global Flags:
      --desc string        description for the vault [optional]
      --dnsSuffix string   (default: .vault.azure.net) [optional]
  -h, --help
      --name string        name for the vault [optional]
Azure Key Vault with Service Principal with PEM certificate authentication method:
./edgecli vault create azure sp-pem -h
create Azure Key Vault vault with service principal PEM certificate authN type

Usage:
  edgecli vault create azure sp-pem <identifier> [flags]

Flags:
      --certPath string   path to the PEM certificate file used for authenticating against the Azure Key Vault vault
      --clientId string   identifier of the service principal client
      --tenantId string   unique identifier of the Azure AD instance the Azure Key Vault vault belongs to

Global Flags:
      --desc string        description for the vault [optional]
      --dnsSuffix string   (default: .vault.azure.net) [optional]
  -h, --help
      --name string        name for the vault [optional]
Azure Key Vault with Service Principal with PFX certificate authentication method:
./edgecli vault create azure sp-pfx -h
create Azure Key Vault vault with service principal PFX certificate authN type

Usage:
  edgecli vault create azure sp-pfx <identifier> [flags]

Flags:
      --certPassword string   password used to protect the PFX certificate [optional]
      --certPath string       path to the PFX certificate file used for authenticating against the Azure Key Vault vault
      --clientId string       identifier of the service principal client
      --tenantId string       unique identifier of the Azure AD instance the Azure Key Vault vault belongs to

Global Flags:
      --desc string        description for the vault [optional]
      --dnsSuffix string   (default: .vault.azure.net) [optional]
  -h, --help
      --name string        name for the vault [optional]
AWS Secrets Manager with IAM Access Key authentication method:
./edgecli vault create aws key-secret -h
create AWS Secrets Manager vault with key/secret authN type

Usage:
  edgecli vault create aws key-secret <identifier> [flags]

Flags:
      --accessKey string     access key itself
      --accessKeyId string   id of the access key

Global Flags:
      --desc string               description for the vault [optional]
      --endpointOverride string   overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
  -h, --help
      --name string               name for the vault [optional]
      --region string             region to be used by the client, used to determine both the service endpoint and signing region [optional]
AWS Secrets Manager with Instance Profile authentication method:
./edgecli vault create aws instance-profile -h
create AWS Secrets Manager with instance profile authN type

Usage:
  edgecli vault create aws key-secret <identifier> [flags]

Global Flags:
      --desc string               description for the vault [optional]
      --endpointOverride string   overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
  -h, --help
      --name string               name for the vault [optional]
      --region string             region to be used by the client, used to determine both the service endpoint and signing region [optional]
AWS Secrets Manager with Assume Role authentication method:
./edgecli vault create aws assume-role -h
create AWS Secrets Manager vault with assume role authN type

Usage:
  edgecli vault create aws assume-role <identifier> [flags]

Flags:
      --roleArn string           ARN of role to assume
      --roleSessionName string   name to give the temp token session

Global Flags:
      --desc string               description for the vault [optional]
      --endpointOverride string   overrides the default AWS Secrets Manager endpoint, must be used together with <region> [optional]
  -h, --help
      --name string               name for the vault [optional]
      --region string             region to be used by the client, used to determine both the service endpoint and signing region [optional]
Google Secret Manager with IAM Role assigned to the Google Cloud Engine VM authentication method:
./edgecli vault create gcp iam-role -h
create GCP Secret Manager vault with IAM role authN type

Usage:
  edgecli vault create gcp iam-role <identifier> [flags]

Global Flags:
      --address string     the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
      --desc string        description for the vault [optional]
  -h, --help
      --name string        name for the vault [optional]
      --projectId string   project identifier associated with the GCP Secret Manager vault
Google Secret Manager with Service Account JSON Key authentication method:
./edgecli vault create gcp sa-json -h
create GCP Secret Manager vault with JSON service account key authN type

Usage:
  edgecli vault create gcp sa-json <identifier> [flags]

Flags:
      --keyPath string   path to JSON key file

Global Flags:
      --address string     the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
      --desc string        description for the vault [optional]
  -h, --help
      --name string        name for the vault [optional]
      --projectId string   project identifier associated with the GCP Secret Manager vault
Google Secret Manager with Service Account P12 Key authentication method:
./edgecli vault create gcp sa-p12 -h
create GCP Secret Manager vault with P12 service account key authN type


Usage:
  edgecli vault create gcp sa-p12 <identifier> [flags]


Flags:
      --emailAddress string   e-mail address of the client
      --keyPassword string    password for the private P12 key file
      --keyPath string        path to client private key file (PKCS8 format)

Global Flags:
      --address string     the url/address to reach for the vault (default: https://secretmanager.googleapis.com:443) [optional]
      --desc string        description for the vault [optional]
  -h, --help
      --name string        name for the vault [optional]
      --projectId string   project identifier associated with the GCP Secret Manager vault