edbctl credential v1.3.3

This command creates and manages authentication credentials that allow users to access the resources. It allows you to import an Access API key as a login credential or set the environment variable HCP_ACCESS_KEY.

Commands

The edbctl credential command has the following options:

edbctl credential add-tde-key

The edbctl credential add-tde-key command registers a master key from an external Key Management Service (KMS) to be used for Transparent Data Encryption (TDE). TDE provides an additional layer of security by encrypting database files at rest, and is supported for EDB Postgres Advanced Server and EDB Postgres Extended Server (version 15 and later).

edbctl credential add-tde-key [options]

Where options are:

    --location-id string        Location ID (required). The location where the TDE key will be stored.
    --kms-provider string       Key provider (required). The provider of the TDE key. Valid values: `aws`, `hashicorp-vault`.
    --hc-vault-address string   HashiCorp Vault address (required if key provider is `hashicorp-vault`).
    --hc-vault-role string      HashiCorp Vault role (required if key provider is `hashicorp-vault`).
    --hc-vault-key string       HashiCorp Vault key (required if key provider is `hashicorp-vault`).
    --aws-kms-arn string        AWS KMS ARN (required if key provider is `aws`). The Amazon Resource Name (ARN) of the AWS KMS key.
    --friendly-name string      Friendly name for the TDE key (optional). A human-readable name for the TDE key.
-c, --credential string         The credential that you created via the `credential create` command. The default is fetched from `context_credential`.
-y, --yes                       Auto-confirm all confirmations.
-P, --project string            The project that groups your clusters and other resources. The default is taken from `context_project`.
-h, --help                      Help for `add-tde-key`.

This example shows how to add a TDE key from AWS KMS:

edbctl credential add-tde-key \
  --location-id "loc_123" \
  --kms-provider aws \
  --aws-kms-arn "arn:aws:kms:us-east-1:123456789012:key/abcd1234-56ef-78gh-90ij" \
  --friendly-name "AWS-Prod-Key"

This example shows how to add a TDE key from HashiCorp Vault:

edbctl credential add-tde-key \
  --location-id "loc_456" \
  --kms-provider hashicorp-vault \
  --hc-vault-address "https://vault.example.com" \
  --hc-vault-role "db-encryption-role" \
  --hc-vault-key "customer-data-key" \
  --friendly-name "Vault-Security-Key"
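
A pre-flight check for the provider-specific flag requirements listed above, written as an added example rather than EDB's own tooling: the hypothetical `tde_key_preflight` function validates the arguments and prints the `add-tde-key` command instead of running it. The ARN shape check and the HTTPS-only rule for the Vault address are assumptions of this example, not behavior documented for edbctl.

```shell
#!/bin/sh
# Added example: pre-flight check for `edbctl credential add-tde-key` arguments.
# tde_key_preflight and the HTTPS-only Vault policy are assumptions of this
# example; only flags documented on this page appear in the printed command.
#
# Usage: tde_key_preflight <location-id> aws <aws-kms-arn>
#        tde_key_preflight <location-id> hashicorp-vault <address> <role> <key>
# Prints the command on success; returns 1 with a reason on stderr otherwise.
tde_key_preflight() {
  location_id=$1 provider=$2
  [ -n "$location_id" ] || { echo "missing --location-id" >&2; return 1; }
  case $provider in
    aws)
      arn=$3
      # Shape check: arn:<partition>:kms:<region>:<12-digit account>:key/<id>.
      # Alias ARNs and ARNs of other services are rejected.
      printf '%s\n' "$arn" | grep -Eq \
        '^arn:aws(-[a-z]+)*:kms:[a-z0-9-]+:[0-9]{12}:key/[A-Za-z0-9-]+$' \
        || { echo "not an AWS KMS key ARN: $arn" >&2; return 1; }
      printf 'edbctl credential add-tde-key --location-id "%s" --kms-provider aws --aws-kms-arn "%s"\n' \
        "$location_id" "$arn"
      ;;
    hashicorp-vault)
      addr=$3 role=$4 key=$5
      # All three Vault flags are required together for this provider.
      [ -n "$addr" ] && [ -n "$role" ] && [ -n "$key" ] \
        || { echo "hashicorp-vault needs address, role and key" >&2; return 1; }
      # Assumed policy: refuse a plaintext http:// Vault address.
      case $addr in
        https://?*) ;;
        *) echo "Vault address must use https://: $addr" >&2; return 1 ;;
      esac
      printf 'edbctl credential add-tde-key --location-id "%s" --kms-provider hashicorp-vault --hc-vault-address "%s" --hc-vault-role "%s" --hc-vault-key "%s"\n' \
        "$location_id" "$addr" "$role" "$key"
      ;;
    *)
      echo "unsupported --kms-provider: $provider (valid: aws, hashicorp-vault)" >&2
      return 1
      ;;
  esac
}
```

Review the printed command, then run it yourself; the function never calls edbctl.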

edbctl credential list

This command shows all the credentials. Optionally, use the --name option to list a specific credential.

edbctl credential list [options]

Where options are:

-h, --help            Help for list.
-n, --name string     Credential name (optional). Specify the name of the credential to list.
-o, --output string   [table json yaml xml] (default "table")

These examples show how to list the credentials:

# List all the credentials
edbctl credential list

# List a specific credential
edbctl credential list -n <credential_name>

edbctl credential list-tde-key

The edbctl credential list-tde-key command allows you to view and manage the Transparent Data Encryption (TDE) keys registered within your project. It provides a way to verify key registration, retrieve specific Key IDs for cluster configurations, and audit which keys are available at specific deployment locations.

This command displays a list of TDE keys associated with a specific location. You can further narrow down the results by providing a specific Key ID or changing the output format for programmatic use.

edbctl credential list-tde-key [options]

Where options are:

    --location-id string    Location ID (required). The location to filter TDE keys.
    --id string             Filter the list to display details for a specific TDE key.
-P, --project string        The project that groups your clusters and other resources. The default is taken from `context_project`.
-o, --output string         Output format: `table` (default), `json`, `yaml`, `xml`, `json-raw`.
-h, --help                  Displays help information for the list-tde-key command.

These examples show how to use the list-tde-key command:

# List all TDE keys for a specific location:
edbctl credential list-tde-key --location-id "loc_123"

# List a specific TDE key by ID:
edbctl credential list-tde-key --location-id "loc_123" --id "key_456"

# Export list to JSON:
edbctl credential list-tde-key --location-id "loc_123" --output json

edbctl credential import-access-key

This command is used to import an Access API key. You can get the Access API key from the server portal to authenticate. You can also use this credential for further operations.

edbctl credential import-access-key [--name --access-key --address] [options]

Where options are:

-n, --name string         Credential name (required). The unique name for the credential.
-k, --access-key string   Access key (required). The API key used for authentication.
-a, --address string      Authenticator host address (required).
-I, --interactive         Execute command interactively.
-h, --help                Help for import-access-key.

These examples show how to use the import-access-key command:

# Import the Access API key:
edbctl credential import-access-key

# Import a specific Access API key using the name, access key, and address.
# The address format is [http|https]://host:port, for example http://localhost:8080 and https://secure.portal.net:443.
edbctl credential import-access-key --name cred1 --access-key <your-key-here> --address <authenticator-host-address-here>

# The same command using short options:
edbctl credential import-access-key -n cred1 -k <your-key-here> -a <authenticator-host-address-here>

edbctl credential delete

This command deletes the credential with the specified name.

edbctl credential delete <credential_name> [options]

Where options are:

-h, --help          Help for delete.
-I, --interactive   Execute command interactively.
-y, --yes           Auto-confirm all confirmations.

This example shows how to delete the credential:

# Delete the credential with <credential_name> name:
edbctl credential delete <credential_name>