Integrate Edge with a Google Secret Manager Vault
You can integrate your Edge site with your existing Google Secret Manager Vault to more easily and securely manage your data source information and set up your Edge site connections. In this topic, we review how to set up the integration between your Edge site and your existing vault.
Note: There are a few limitations with the Google Secret Manager integration:
- Forward proxies are not supported for Google Secret Manager integrations. Your Edge site must have a direct connection to your Google Secret Manager.
- Only scalar values are accepted for the Google Secret Manager. Each secret must resolve to a single plain value or file.
- Only the latest version of secrets can be accessed by your Edge site. You cannot set up and choose from different secret versions.
Use the steps below for your vault authentication method. The steps apply to Edge sites installed on bundled k3s.
You can integrate your Edge site with your Google Secret Manager using one of the following authentication methods:
IAM Role assigned to the Google Cloud Engine VM authentication
Prerequisites
On your local server
- You installed your Edge site inside of the Google Cloud Engine Virtual Machine or GKE.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the Google Secret Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have a Google Cloud account.
- Your Google Secret Manager account must have the following permissions:
- iam.serviceAccounts.getAccessToken
- resourcemanager.projects.get
- secretmanager.secrets.get
- secretmanager.secrets.getIamPolicy
- secretmanager.secrets.list
- secretmanager.versions.access
- secretmanager.versions.get
- secretmanager.versions.list
- You assigned a Google Service Account to the Google Cloud Engine VM where your Edge site secrets will be stored.
- You created secrets in your Google Secret Manager.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the IAM role assigned to the Google Cloud Engine VM authentication method.

  sudo ./edgecli vault create gcp iam-role <name> \
    --desc=<description> \
    --projectId=<projectId>

  Example:

  sudo ./edgecli vault create gcp iam-role GCP-IAM \
    --desc="GCP vault with IAM Role assigned to the Google Cloud Engine VM authentication" \
    --projectId=IAM_145

  Where sudo is not required, run the same command without the sudo prefix. A description that contains spaces must be quoted, otherwise the shell splits it into separate arguments.

  Parameters:
  - <name> (required): The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?.
  - <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  - <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Service Account JSON Key authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the Google Secret Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have a Google Cloud account.
- Your Google Secret Manager account must have the following permissions:
- iam.serviceAccounts.getAccessToken
- resourcemanager.projects.get
- secretmanager.secrets.get
- secretmanager.secrets.getIamPolicy
- secretmanager.secrets.list
- secretmanager.versions.access
- secretmanager.versions.get
- secretmanager.versions.list
- You generated a JSON key for the Google Service Account.
- You created secrets in your Google Secret Manager.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the JSON key authentication method.

  sudo ./edgecli vault create gcp sa-json <name> \
    --desc=<description> \
    --projectId=<projectId> \
    --keyPath=<keyPath>

  Example:

  sudo ./edgecli vault create gcp sa-json GCP-JSON \
    --desc="GCP Secret Manager vault with JSON Key authentication" \
    --projectId=JSON_145 \
    --keyPath=~/GCP/vault/edge-site.json

  Where sudo is not required, run the same command without the sudo prefix. A description that contains spaces must be quoted, otherwise the shell splits it into separate arguments.

  Parameters:
  - <name> (required): The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?.
  - <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  - <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.
  - <keyPath> (required): The file containing the Client Private Key.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
Service Account P12 Key authentication
Prerequisites
On your local server
- You installed your Edge site.
- You installed and configured the Edge CLI tool.
- Your Edge site has network access to the Google Secret Manager endpoints.
- You have access to the data source that will use the vault credentials.
In your Collibra environment
- Ensure that your environment uses the latest user interface.
- You have a global role that has the Manage Edge sites global permission.
In your vault platform
- You have a Google Cloud account.
- Your Google Secret Manager account must have the following permissions:
- iam.serviceAccounts.getAccessToken
- resourcemanager.projects.get
- secretmanager.secrets.get
- secretmanager.secrets.getIamPolicy
- secretmanager.secrets.list
- secretmanager.versions.access
- secretmanager.versions.get
- secretmanager.versions.list
- You generated a P12 key for the Google Service Account. Note: P12 is a deprecated key type that is retained for backwards compatibility. The steps in Google's documentation about creating access credentials are written for JSON keys; you can follow the same steps for P12, the only difference being that you select the P12 key type instead of JSON.
- You created secrets in your Google Secret Manager.
Steps
- In the cluster where your Edge site is installed, use the Edge CLI tool to run the command for the P12 key authentication method.

  sudo ./edgecli vault create gcp sa-p12 <name> \
    --desc=<description> \
    --projectId=<projectId> \
    --keyPath=<keyPath> \
    --keyPassword=<keyPassword> \
    --emailAddress=<emailAddress>

  Example:

  sudo ./edgecli vault create gcp sa-p12 GCP-P12 \
    --desc="GCP Secret Manager vault with Service Account P12 Key authentication" \
    --projectId=P12_145 \
    --keyPath=/GCP/vault/edge-site.p12 \
    --keyPassword=GCP_edge_vault_password \
    --emailAddress=[email protected]

  Where sudo is not required, run the same command without the sudo prefix. A description that contains spaces must be quoted, otherwise the shell splits it into separate arguments.

  Parameters:
  - <name> (required): The name of the vault instance. It must be unique within an Edge site. For Kubernetes guidelines on the naming conventions of the <name> parameter, see Labels and Selectors. Note: The name can only contain alphanumeric, dash (-), underscore (_), or period (.) characters. It cannot include white spaces or special characters such as /, !, ?.
  - <description> (optional): The description of the vault instance. The maximum length is 150 characters.
  - <projectId> (required): The ID of the Google Cloud project that contains the Google Secret Manager.
  - <keyPath> (required): The file containing the Client Private Key.
  - <keyPassword>: The P12 password.
  - <emailAddress>: The Google Service Account email address.
- Go to your Edge site to confirm the new vault is available in the Vaults tab.
- You can now set up an Edge connection with your Google Secret Manager.
- You can retrieve and review the configuration details of your vault integrations.
- You can edit your vault integration configuration.