Integrate Edge with an AWS Secrets Manager Vault
You can integrate your Edge site with your existing AWS Secrets Manager Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.
You can integrate your Edge site with your AWS Secrets Manager using one of the following authentication methods: IAM Access Key, Instance Profile, or Assume Role.
Note
- Edge sites running outside of AWS connect to Secrets Manager by using an IAM access key. An access key is a long-lived credential, so scope it to read access on the Edge secrets only and rotate it regularly.
- Edge sites running on AWS can use Instance Profile or Assume Role authentication. Both obtain temporary credentials through the EC2 instance metadata service (IMDS), so no key has to be stored on the Edge site.
- Assume Role is similar to Instance Profile, but allows you to narrow the access to your vault down to a single role.
- Forward proxies are not supported for AWS Secrets Manager integrations. You must have a direct connection to your AWS Secrets Manager.
IAM Access Key authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the AWS Secrets Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an AWS Secrets Manager.
- You created IAM credentials (an access key ID and a secret access key) with read access to the secrets in AWS Secrets Manager that your Edge site will use. Scope the permissions to reading those secrets (for example, secretsmanager:GetSecretValue on their ARNs) rather than granting broad Secrets Manager access.
- IMDSv1 or IMDSv2 is enabled on the EC2 instance. This applies only if the Edge site itself runs on EC2; an Edge site outside AWS has no instance metadata service.
If you have IMDSv2 enabled, you must run the following command, from an account with permission to modify EC2 instance metadata options (ec2:ModifyInstanceMetadataOptions), to set the hop limit to 2. The hop limit of 2 is needed because requests from a pod traverse one extra network hop before they reach the metadata service. Note that --http-tokens required enforces IMDSv2 and disables IMDSv1 on the instance.

```shell
aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2
```
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the IAM access key authentication method. Prefix the command with sudo where your installation requires it.

```shell
./edgecli vault create aws key-secret <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride> \
  --accessKeyId=<accessKeyId> \
  --accessKey=<accessKey>
```

Example:

```shell
sudo ./edgecli vault create aws key-secret AWS-IAM \
  --desc="AWS vault with IAM Access Key authentication" \
  --region=eu-west-1 \
  --endpointOverride=https://my-secret-vault.aws.com \
  --accessKeyId=1234 \
  --accessKey=abcd
```

The access key ID and secret access key in the example are placeholders. Because the secret access key is passed as a command-line argument, it is recorded in the shell history and is visible in the process list while the command runs; remove the history entry afterwards, and prefer Instance Profile or Assume Role authentication when the Edge site runs in AWS.

| Parameter | Description |
|---|---|
| <name> (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors. The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
| <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
| <region> | The region of the AWS Secrets Manager you want to use. Region is optional if your Edge site and AWS Secrets Manager are in the same AWS region. Region is required if you use <endpointOverride>, if your Edge site is on k3s and running in AWS, or if your Edge site runs in a different region than the AWS Secrets Manager you want to connect to. |
| <endpointOverride> | The URL of the entry point for your AWS Secrets Manager. It is required if you use a private or restricted AWS endpoint for security purposes. For example, for FIPS you must specify the FIPS endpoint, which has the form <protocol>://<service-code>-fips.<region>.amazonaws.com (for Secrets Manager in us-east-1: https://secretsmanager-fips.us-east-1.amazonaws.com). Otherwise, Edge uses the default regional endpoint <protocol>://<service-code>.<region-code>.amazonaws.com. Always specify an https endpoint so that secret values are not returned in clear text. |
| <accessKeyId> (required) | The ID of the IAM access key you want to authenticate with. |
| <accessKey> (required) | The IAM secret access key you want to authenticate with. |

- Go to your Edge site to confirm the new vault is available in the Vaults tab.
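The prerequisites above require IAM credentials with read access to the secrets, and the Instance Profile and Assume Role sections below require the same for their roles, but the page does not show what a correctly scoped policy looks like. The script that follows is an added example and is not part of the Collibra page or the Edge CLI: it writes a least-privilege policy limited to one secret ARN pattern, adds the KMS decrypt permission only when a customer-managed key is involved, and attaches the policy with the AWS CLI. The secret and KMS key ARNs, the account ID 123456789012, and the policy name EdgeSecretsRead are assumptions.

```shell
#!/bin/sh
# Added example, not from the Collibra page or the Edge CLI. Generates the
# least-privilege policy for whichever principal Edge authenticates as:
# the IAM user behind an access key, the instance profile role, or the
# target role of the assume-role method. ARNs and names are placeholders.

# secrets_read_policy <secret-arn-pattern> [kms-key-arn]
# Allows reading only the secrets under one ARN pattern, e.g.
#   arn:aws:secretsmanager:eu-west-1:123456789012:secret:edge/*
# Do NOT use the common shortcut of "secretsmanager:*" on "*": that lets a
# compromised Edge host read, rotate or delete every secret in the account.
# If the secrets are encrypted with a customer-managed KMS key, the
# principal also needs kms:Decrypt on that key, limited to calls made
# through Secrets Manager in the secret's region (kms:ViaService).
secrets_read_policy() {
  pattern=$1
  key=${2:-}
  region=$(printf '%s' "$pattern" | cut -d: -f4)   # 4th ARN field is the region
  kms_stmt=""
  if [ -n "$key" ]; then
    kms_stmt=$(printf ',\n    {\n      "Sid": "DecryptViaSecretsManager",\n      "Effect": "Allow",\n      "Action": "kms:Decrypt",\n      "Resource": "%s",\n      "Condition": { "StringEquals": { "kms:ViaService": "secretsmanager.%s.amazonaws.com" } }\n    }' "$key" "$region")
  fi
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadEdgeSecrets",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
      "Resource": "$pattern"
    }$kms_stmt
  ]
}
EOF
}

# attach_to_role <role-name> <secret-arn-pattern> [kms-key-arn]
# Inline policy on a role (instance profile role or assume-role target).
# Needs the AWS CLI and IAM write permissions; not exercised offline.
attach_to_role() {
  aws iam put-role-policy --role-name "$1" --policy-name EdgeSecretsRead \
    --policy-document "$(secrets_read_policy "$2" "${3:-}")"
}

# attach_to_user <user-name> <secret-arn-pattern> [kms-key-arn]
# Same, for the IAM user whose access key the key-secret method uses.
attach_to_user() {
  aws iam put-user-policy --user-name "$1" --policy-name EdgeSecretsRead \
    --policy-document "$(secrets_read_policy "$2" "${3:-}")"
}

# check_access <secret-id>: with the principal's credentials in the environment,
# confirm the read path works without printing the value (DescribeSecret only).
check_access() {
  aws secretsmanager describe-secret --secret-id "$1" --query 'ARN' --output text
}

# Usage:
#   attach_to_user edge-vault-reader 'arn:aws:secretsmanager:eu-west-1:123456789012:secret:edge/*'
#   check_access edge/postgres-prod
```

Keep one ARN prefix (such as secret:edge/*) for everything Edge is allowed to read and create the secrets under it; that way a new connection needs a new secret, not a policy change, and a compromised Edge host still cannot read secrets that belong to other workloads.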
Instance Profile authentication
Prerequisites
On your local server
- You installed your Edge site on an EC2 or EKS instance assigned to an Instance Profile whose role has read access to the AWS Secrets Manager secrets you want to connect to.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the AWS Secrets Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an AWS Secrets Manager.
- You created secrets in your AWS Secrets Manager.
- IMDSv1 or IMDSv2 is enabled on the EC2 instance.
If you have IMDSv2 enabled, you must run the following command, from an account with permission to modify EC2 instance metadata options (ec2:ModifyInstanceMetadataOptions), to set the hop limit to 2. The extra hop is needed because the Edge pods reach the metadata service through the instance's network stack. Note that --http-tokens required also disables IMDSv1 on the instance.

```shell
aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2
```
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Instance Profile authentication method. Prefix the command with sudo where your installation requires it.

```shell
./edgecli vault create aws instance-profile <name> \
  --desc=<description> \
  --region=<region> \
  --endpointOverride=<endpointOverride>
```

Example:

```shell
sudo ./edgecli vault create aws instance-profile AWS-Instance \
  --desc="AWS vault with Instance Profile authentication" \
  --region=eu-west-1 \
  --endpointOverride=https://my-secret-vault.aws.com
```

| Parameter | Description |
|---|---|
| <name> (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors. The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
| <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
| <region> | The region of the AWS Secrets Manager you want to use. Region is optional if your Edge site and AWS Secrets Manager are in the same AWS region. Region is required if you use <endpointOverride>, if your Edge site is on k3s and running in AWS, or if your Edge site runs in a different region than the AWS Secrets Manager you want to connect to. |
| <endpointOverride> | The URL of the entry point for your AWS Secrets Manager. It is required if you use a private or restricted AWS endpoint for security purposes. For example, for FIPS you must specify the FIPS endpoint, which has the form <protocol>://<service-code>-fips.<region>.amazonaws.com (for Secrets Manager in us-east-1: https://secretsmanager-fips.us-east-1.amazonaws.com). Otherwise, Edge uses the default regional endpoint <protocol>://<service-code>.<region-code>.amazonaws.com. Always specify an https endpoint. |

- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Assume Role authentication
Prerequisites
On your local server
- You installed your Edge site on an EC2 or EKS instance assigned to an Instance Profile. The Instance Profile role must be allowed to assume the target role (see <roleArn> in the table below); read access to the AWS Secrets Manager secrets is granted to the target role, not to the Instance Profile role.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the AWS Secrets Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have an AWS Secrets Manager.
- You created secrets in your AWS Secrets Manager.
- IMDSv1 or IMDSv2 is enabled on the EC2 instance.
If you have IMDSv2 enabled, you must run the following command, from an account with permission to modify EC2 instance metadata options (ec2:ModifyInstanceMetadataOptions), to set the hop limit to 2. Secrets Manager permissions are not sufficient for this call. Note that --http-tokens required also disables IMDSv1 on the instance.

```shell
aws ec2 modify-instance-metadata-options \
  --instance-id <instance-id> \
  --http-tokens required \
  --http-endpoint enabled \
  --http-put-response-hop-limit 2
```
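The hop-limit command above is repeated for each authentication method, but the page gives no way to confirm that the setting took effect or that a pod on the instance can actually complete the IMDSv2 handshake. The following script is an added example and is not from the Collibra page or the Edge CLI: imds_ok evaluates the MetadataOptions object that aws ec2 describe-instances returns, and probe_from_pod performs the token exchange from inside a pod. The instance ID in the usage line is a placeholder and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Collibra page or the Edge CLI. Checks that an
# EC2 instance hosting an Edge site exposes IMDSv2 in a way a pod can use,
# then probes the metadata service the way the AWS SDK inside the pod will.
# The JSON handled here is the MetadataOptions object returned by
# `aws ec2 describe-instances`; describe_imds and probe_from_pod need the
# AWS CLI and network access respectively and are not exercised offline.

# imds_field <metadata-options-json> <key>: extract one scalar field.
# The object is flat, so stripping whitespace and matching the key with sed
# is enough; quoted (string) and unquoted (number) values are both handled.
imds_field() {
  printf '%s' "$1" | tr -d ' \n\r\t' \
    | sed -n "s/.*\"$2\":\"\{0,1\}\([A-Za-z0-9]*\)\"\{0,1\}.*/\1/p"
}

# imds_ok <metadata-options-json>: exit 0 when an Edge pod can obtain
# instance credentials, 1 otherwise, with the reason on stdout.
# Edge accepts IMDSv1 or IMDSv2, but once tokens are required (IMDSv2 only)
# the PUT response hop limit must be at least 2: the token request's reply
# has to cross from the instance network namespace into the pod's.
imds_ok() {
  endpoint=$(imds_field "$1" HttpEndpoint)
  tokens=$(imds_field "$1" HttpTokens)
  hops=$(imds_field "$1" HttpPutResponseHopLimit)
  if [ "$endpoint" != "enabled" ]; then
    echo "FAIL: instance metadata endpoint is disabled"; return 1
  fi
  case "$tokens" in
    required)
      if [ "${hops:-0}" -lt 2 ]; then
        echo "FAIL: IMDSv2 enforced but hop limit is ${hops:-unset}; pods need 2"; return 1
      fi
      echo "OK: IMDSv2 enforced, hop limit $hops"; return 0 ;;
    optional)
      echo "OK: IMDSv1 still allowed (hop limit ${hops:-unset}); prefer --http-tokens required"; return 0 ;;
    *)
      echo "FAIL: unexpected HttpTokens value '$tokens'"; return 1 ;;
  esac
}

# describe_imds <instance-id>: fetch the live MetadataOptions object.
describe_imds() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].MetadataOptions' --output json
}

# probe_from_pod: run inside an Edge pod. Gets an IMDSv2 token (the PUT whose
# reply the hop limit governs) and lists the instance profile role it unlocks.
# A timeout here, rather than a 401, is the classic symptom of hop limit 1.
probe_from_pod() {
  token=$(curl -sS -f --max-time 5 -X PUT 'http://169.254.169.254/latest/api/token' \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 60') \
    || { echo "no IMDSv2 token: check --http-put-response-hop-limit"; return 1; }
  curl -sS -f -H "X-aws-ec2-metadata-token: $token" \
    'http://169.254.169.254/latest/meta-data/iam/security-credentials/'
}

# Usage on an operator host:  imds_ok "$(describe_imds i-0123456789abcdef0)"
# Usage inside a pod:         probe_from_pod
```

Run imds_ok after the modify-instance-metadata-options command and again after any instance replacement, since a rebuilt node comes back with the launch template's defaults; a hop limit of 1 does not produce a permission error, only credential-provider timeouts in the Edge pods.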
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the Assume Role authentication method. Prefix the command with sudo where your installation requires it.

```shell
./edgecli vault create aws assume-role <name> \
  --desc=<description> \
  --roleArn=<roleArn> \
  --roleSessionName=<roleSessionName> \
  --region=<region> \
  --endpointOverride=<endpointOverride>
```

Example (the role ARN and account ID are placeholders):

```shell
sudo ./edgecli vault create aws assume-role AWS-Assume \
  --desc="AWS vault with Assume Role authentication" \
  --roleArn=arn:aws:iam::123456789012:role/edge-secrets-reader \
  --roleSessionName=edge-session \
  --region=eu-west-1 \
  --endpointOverride=https://my-secret-vault.aws.com
```

| Parameter | Description |
|---|---|
| <name> (required) | The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, go to Labels and Selectors. The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white space or special characters such as /, !, ?. |
| <description> (optional) | The description of the vault instance. The maximum length is 150 characters. |
| <roleArn> (required) | The Amazon Resource Name of the role you want your Edge site to assume when accessing the AWS Secrets Manager secrets. For your Edge site to assume this role, the Instance Profile role attached to the EC2 instance or EKS cluster must be trusted by the target role: the target role's trust policy must allow sts:AssumeRole from the Instance Profile role, and the Instance Profile role must be permitted to call sts:AssumeRole on the target role. |
| <roleSessionName> (optional) | The session name under which the assumed role appears in AWS CloudTrail logs. Choose a recognizable value so that Edge activity can be told apart from other sessions of the same role. |
| <region> | The region of the AWS Secrets Manager you want to use. Region is optional if your Edge site and AWS Secrets Manager are in the same AWS region. Region is required if you use <endpointOverride>, if your Edge site is on k3s and running in AWS, or if your Edge site runs in a different region than the AWS Secrets Manager you want to connect to. |
| <endpointOverride> | The URL of the entry point for your AWS Secrets Manager. It is required if you use a private or restricted AWS endpoint for security purposes. For example, for FIPS you must specify the FIPS endpoint, which has the form <protocol>://<service-code>-fips.<region>.amazonaws.com (for Secrets Manager in us-east-1: https://secretsmanager-fips.us-east-1.amazonaws.com). Otherwise, Edge uses the default regional endpoint <protocol>://<service-code>.<region-code>.amazonaws.com. Always specify an https endpoint. |

- Go to your Edge site to confirm the new vault is available in the Vaults tab.
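The <roleArn> description above states that the Instance Profile role must be trusted by the target role, but not what that looks like in IAM. The following script is an added example and is not part of the Collibra page or the Edge CLI: it builds the target role's trust policy and the instance role's sts:AssumeRole permission, applies them with the AWS CLI, and verifies the chain the same way Edge will use it. The role ARNs, the account ID 123456789012, and the policy name AssumeEdgeSecretsRole are assumptions.

```shell
#!/bin/sh
# Added example, not from the Collibra page or the Edge CLI. Wires up the
# trust the assume-role method depends on: the target role must trust the
# role behind the Edge instance profile, and that instance role must be
# allowed to call sts:AssumeRole on the target. The session name matches
# the --roleSessionName passed to edgecli so CloudTrail entries line up.
# All ARNs are placeholders; apply_trust and verify_chain need the AWS CLI.

# trust_policy <instance-role-arn>: trust (assume-role) policy for the target
# role. Only this one principal may assume it; do not widen it to the account
# root unless every role in the account should be able to reach the secrets.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustEdgeInstanceRole",
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# assume_policy <target-role-arn>: inline permission for the instance role,
# scoped to the single target so the instance cannot assume anything else.
assume_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "$1" }
  ]
}
EOF
}

# role_name <role-arn>: IAM API calls take the role name, not the ARN.
role_name() { printf '%s\n' "${1##*/}"; }

# apply_trust <instance-role-arn> <target-role-arn>: needs IAM write rights.
apply_trust() {
  aws iam update-assume-role-policy --role-name "$(role_name "$2")" \
    --policy-document "$(trust_policy "$1")"
  aws iam put-role-policy --role-name "$(role_name "$1")" \
    --policy-name AssumeEdgeSecretsRole --policy-document "$(assume_policy "$2")"
}

# verify_chain <target-role-arn> <secret-id>: run on the Edge instance. Assumes
# the role with the instance credentials, then reads only the secret's metadata
# with the temporary credentials, which proves the chain without printing a value.
verify_chain() {
  target=$1; secret=$2
  creds=$(aws sts assume-role --role-arn "$target" --role-session-name edge-session \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) \
    || return 1
  set -- $creds   # tab-separated: key id, secret key, session token
  AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3 \
    aws secretsmanager describe-secret --secret-id "$secret" --query 'ARN' --output text
}

# Usage:
#   apply_trust arn:aws:iam::123456789012:role/edge-instance \
#               arn:aws:iam::123456789012:role/edge-secrets-reader
#   verify_chain arn:aws:iam::123456789012:role/edge-secrets-reader edge/postgres-prod
```

Attach the read policy for the secrets to the target role only; the instance role then holds nothing but the right to assume that one role, which is what makes Assume Role narrower than Instance Profile. If verify_chain fails at the assume-role step, check the trust policy on the target; if it fails at describe-secret, check the target role's own permissions.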
- You can now set up an Edge connection with your AWS Secrets Manager.
- You can retrieve and review the configuration details of your vault integrations.
- You can edit your vault integration configuration.