KeeperPAM Commands
Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling.
Overview
KeeperPAM functionality, including discovery, password rotation, PAM Configuration and Keeper Gateway configuration, can be controlled and operated through Commander using the pam command and its sub-commands.
pam Command
command: pam
Detail: Perform KeeperPAM controls.
My Vault> pam
pam command [--options]
Command Description
---------- -----------------------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage Tunnels
split Split credentials from legacy PAM Machine
legacy Switch to legacy PAM commands
connection Manage Connections
rbi Manage Remote Browser Isolation
project PAM Project Import/Export
Sub Commands
Sub-Command: gateway
Detail: View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway click here.
My Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove Gateway
new
My Vault> pam gateway new -h
usage: dr-create-gateway [-h] --name GATEWAY_NAME --application KSM_APP [--token-expires-in-min TOKEN_EXPIRE_IN_MIN]
[--return_value] [--config-init {json,b64}]
options:
-h, --help show this help message and exit
--name GATEWAY_NAME, -n GATEWAY_NAME
Name of the Gateway
--application KSM_APP, -a KSM_APP
KSM Application name or UID. Use command `sm app list` to view available KSM Applications.
--token-expires-in-min TOKEN_EXPIRE_IN_MIN, -e TOKEN_EXPIRE_IN_MIN
Time for the one time token to expire. Maximum 1440 minutes (24 hrs). Default: 60
--return_value, -r Return value from the command for automation purposes
--config-init {json,b64}, -c {json,b64}
Initialize client config and return configuration string.
Sub-Command: config
Detail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations click here.
My Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM Configuration
new
My Vault> pam config new -h
usage: pam config new [-h] [--environment {local,aws,azure}] [--title TITLE] [--gateway GATEWAY_UID]
[--shared-folder SHARED_FOLDER_UID] [--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING]
[--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR] [--aws-id AWS_ID]
[--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
[--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET]
[--subscription_id SUBSCRIPTION_ID] [--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUP]
[--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
[--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}]
options:
-h, --help show this help message and exit
--environment {local,aws,azure}, -env {local,aws,azure}
PAM Configuration Type
--title TITLE, -t TITLE
Title of the PAM Configuration
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID or Name
--shared-folder SHARED_FOLDER_UID, -sf SHARED_FOLDER_UID
Share Folder where this PAM Configuration is stored. Should be one of the folders to which the
gateway has access to.
--schedule DEFAULT_SCHEDULE, -sc DEFAULT_SCHEDULE
Default Schedule: Use CRON syntax
--port-mapping PORT_MAPPING, -pm PORT_MAPPING
Port Mapping
--connections {on,off,default}, -c {on,off,default}
Set connections permissions
--tunneling {on,off,default}, -u {on,off,default}
Set tunneling permissions
--rotation {on,off,default}, -r {on,off,default}
Set rotation permissions
--remote-browser-isolation {on,off,default}, -rbi {on,off,default}
Set remote browser isolation permissions
--connections-recording {on,off,default}, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording {on,off,default}, -tr {on,off,default}
Set TypeScript recording permissions for the resource
network:
Local network configuration
--network-id NETWORK_ID
Network ID
--network-cidr NETWORK_CIDR
Network CIDR
aws:
AWS configuration
--aws-id AWS_ID AWS ID
--access-key-id ACCESS_KEY_ID
Access Key Id
--access-secret-key ACCESS_SECRET_KEY
Access Secret Key
--region-name REGION_NAMES
Region Names
azure:
Azure configuration
--azure-id AZURE_ID Azure Id
--client-id CLIENT_ID
Client Id
--client-secret CLIENT_SECRET
Client Secret
--subscription_id SUBSCRIPTION_ID
Subscription Id
--tenant-id TENANT_ID
Tenant Id
--resource-group RESOURCE_GROUP
Resource Group
edit
My Vault> pam config edit -h
usage: pam config edit [-h] [--environment {local,aws,azure,domain,oci}] [--title TITLE] [--gateway GATEWAY_UID] [--shared-folder SHARED_FOLDER_UID]
[--schedule DEFAULT_SCHEDULE] [--port-mapping PORT_MAPPING] [--network-id NETWORK_ID] [--network-cidr NETWORK_CIDR]
[--aws-id AWS_ID] [--access-key-id ACCESS_KEY_ID] [--access-secret-key ACCESS_SECRET_KEY] [--region-name REGION_NAMES]
[--azure-id AZURE_ID] [--client-id CLIENT_ID] [--client-secret CLIENT_SECRET] [--subscription_id SUBSCRIPTION_ID]
[--tenant-id TENANT_ID] [--resource-group RESOURCE_GROUPS] [--domain-id DOMAIN_ID] [--domain-hostname DOMAIN_HOSTNAME]
[--domain-port DOMAIN_PORT] [--domain-use-ssl {true,false}] [--domain-scan-dc-cidr {true,false}]
[--domain-network-cidr DOMAIN_NETWORK_CIDR] [--domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL] [--oci-id OCI_ID]
[--oci-admin-id OCI_ADMIN_ID] [--oci-admin-public-key OCI_ADMIN_PUBLIC_KEY] [--oci-admin-private-key OCI_ADMIN_PRIVATE_KEY]
[--oci-tenancy OCI_TENANCY] [--oci-region OCI_REGION] [--remove-resource-record REMOVE_RECORDS]
[--connections {on,off,default}] [--tunneling {on,off,default}] [--rotation {on,off,default}]
[--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}]
uid
positional arguments:
uid The Config UID to edit
options:
-h, --help show this help message and exit
--environment, -env {local,aws,azure,domain,oci}
PAM Configuration Type
--title, -t TITLE Title of the PAM Configuration
--gateway, -g GATEWAY_UID
Gateway UID or Name
--shared-folder, -sf SHARED_FOLDER_UID
Share Folder where this PAM Configuration is stored. Should be one of the folders to which the gateway has access to.
--schedule, -sc DEFAULT_SCHEDULE
Default Schedule: Use CRON syntax
--port-mapping, -pm PORT_MAPPING
Port Mapping
--remove-resource-record, -rrr REMOVE_RECORDS
Resource Record UID to remove
--connections, -c {on,off,default}
Set connections permissions
--tunneling, -u {on,off,default}
Set tunneling permissions
--rotation, -r {on,off,default}
Set rotation permissions
--remote-browser-isolation, -rbi {on,off,default}
Set remote browser isolation permissions
--connections-recording, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording, -tr {on,off,default}
Set TypeScript recording permissions for the resource
network:
Local network configuration
--network-id NETWORK_ID
Network ID
--network-cidr NETWORK_CIDR
Network CIDR
aws:
AWS configuration
--aws-id AWS_ID AWS ID
--access-key-id ACCESS_KEY_ID
Access Key Id
--access-secret-key ACCESS_SECRET_KEY
Access Secret Key
--region-name REGION_NAMES
Region Names
azure:
Azure configuration
--azure-id AZURE_ID Azure Id
--client-id CLIENT_ID
Client Id
--client-secret CLIENT_SECRET
Client Secret
--subscription_id SUBSCRIPTION_ID
Subscription Id
--tenant-id TENANT_ID
Tenant Id
--resource-group RESOURCE_GROUPS
Resource Group
domain:
Domain configuration
--domain-id DOMAIN_ID
Domain ID
--domain-hostname DOMAIN_HOSTNAME
Domain hostname
--domain-port DOMAIN_PORT
Domain port
--domain-use-ssl {true,false}
Domain use SSL flag
--domain-scan-dc-cidr {true,false}
Domain scan DC CIDR flag
--domain-network-cidr DOMAIN_NETWORK_CIDR
Domain Network CIDR
--domain-admin DOMAIN_ADMINISTRATIVE_CREDENTIAL
Domain administrative credential
oci:
OCI configuration
--oci-id OCI_ID OCI ID
--oci-admin-id OCI_ADMIN_ID
OCI Admin ID
--oci-admin-public-key OCI_ADMIN_PUBLIC_KEY
OCI admin public key
--oci-admin-private-key OCI_ADMIN_PRIVATE_KEY
OCI admin private key
--oci-tenancy OCI_TENANCY
OCI tenancy
--oci-region OCI_REGION
OCI region
list
My Vault> pam config list -h
usage: pam config list [-h] [--config PAM_CONFIGURATION] [--verbose] [--format {table,json}]
options:
-h, --help show this help message and exit
--config, -c PAM_CONFIGURATION
Specific PAM Configuration UID
--verbose, -v Verbose
--format {table,json}
Output format (table, json)
remove
My Vault> pam config remove -h
usage: pam config remove [-h] uid
positional arguments:
uid PAM Configuration UID. To view all rotation settings with their UIDs, use command `pam config list`
options:
-h, --help show this help message and exit
Sub-Command: connection
This command will edit the connection parameters and user accounts that are attached to PAM Machine and PAM Database records. The process can also be done in bulk with the run-batch command. To launch the connection, use the Keeper vault or Desktop app.
Prerequisites: Ensure that the PAM user credential, PAM Machine or PAM Database records are staged in a shared folder. Also ensure that there is a gateway configured, and everything is tied together in a PAM Configuration.
edit
usage: pam connection edit [-h] [--configuration CONFIG] [--admin-user ADMIN]
[--protocol {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}]
[--connections {on,off,default}] [--connections-recording {on,off,default}]
[--typescript-recording {on,off,default}] [--connections-override-port CONNECTIONS_OVERRIDE_PORT]
[--silent]
record
positional arguments:
record The record UID or path of the PAM resource record with network information to use for connections
options:
-h, --help show this help message and exit
--configuration, -c CONFIG
The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available
PAM Configurations.
--admin-user, -a ADMIN
The record path or UID of the PAM User record to configure the admin credential on the PAM Resource
--protocol, -p {,http,kubernetes,mysql,postgresql,rdp,sql-server,ssh,telnet,vnc}
Set connection protocol
--connections, -cn {on,off,default}
Set connections permissions
--connections-recording, -cr {on,off,default}
Set recording connections permissions for the resource
--typescript-recording, -tr {on,off,default}
Set TypeScript recording permissions for the resource
--connections-override-port, -cop CONNECTIONS_OVERRIDE_PORT
Port to use for connections. If not provided, the port from the record will be used.
examples:
1. My Vault> pam connection edit "/Share Folder Name/Record Name" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=rdp -cn=on -cr=on -cop=3389
2. My Vault> pam connection edit "/{{ Email }}/{{ Email }} SSH" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=ssh -cn=on -cr=on -cop=22 -s
3. My Vault> pam connection edit "/{{ Email }}/{{ Email }} MSSQL" -c ocYDOuzwt3n0iYXuYk0lHw
-a "/Share Folder Name/Record Name" -p=sql-server -cn=on -tr=on -cop=1433
example 1: Creates an RDP connection and assigns an administrative credential and PAM configuration. Activates the connection and screen recording.
example 2: Creates an SSH connection and assigns an administrative credential and PAM configuration. Activates the connection and screen recording while running in silent mode without screen outputs.
example 3: Creates an MSSQL connection and assigns an administrative credential and PAM configuration. Activates the connection and typescript recording.
Sub-Command: rbi
This command provides the ability to edit remote browser isolation settings for a record.
edit
usage: pam rbi edit [-h] --record RECORD [--configuration CONFIG] [--remote-browser-isolation {on,off,default}] [--connections-recording {on,off,default}] [--key-events {on,off,default}] [--allow-url-navigation {on,off,default}]
[--ignore-server-cert {on,off,default}] [--allowed-urls ALLOWED_URLS] [--allowed-resource-urls ALLOWED_RESOURCE_URLS] [--autofill-credentials AUTOFILL] [--autofill-targets AUTOFILL_TARGETS]
[--allow-copy {on,off,default}] [--allow-paste {on,off,default}] [--disable-audio {on,off,default}] [--audio-channels AUDIO_CHANNELS] [--audio-bit-depth {8,16}] [--audio-sample-rate AUDIO_SAMPLE_RATE] [--silent]
options:
-h, --help show this help message and exit
--record, -r RECORD The record UID or path of the RBI record.
--configuration, -c CONFIG
The PAM Configuration UID or path to use for connections. Use command `pam config list` to view available PAM Configurations.
--remote-browser-isolation, -rbi {on,off,default}
Set RBI permissions
--connections-recording, -cr {on,off,default}
Set recording connections permissions for the resource
--key-events, -k {on,off,default}
Toggle Key Events settings
--allow-url-navigation, -nav {on,off,default}
Allow navigation via direct URL manipulation (on/off/default)
--ignore-server-cert, -isc {on,off,default}
Ignore server certificate errors (on/off/default)
--allowed-urls, -au ALLOWED_URLS
Allowed URL patterns (can specify multiple times)
--allowed-resource-urls, -aru ALLOWED_RESOURCE_URLS
Allowed resource URL patterns (can specify multiple times)
--autofill-credentials, -a AUTOFILL
The record UID or path of the RBI Autofill Credentials record.
--autofill-targets, -at AUTOFILL_TARGETS
Autofill target selectors (can specify multiple times)
--allow-copy, -cpy {on,off,default}
Allow copying to clipboard (on/off/default)
--allow-paste, -p {on,off,default}
Allow pasting from clipboard (on/off/default)
--disable-audio, -da {on,off,default}
Disable audio for RBI sessions (on/off/default)
--audio-channels, -ac AUDIO_CHANNELS
Number of audio channels (e.g., 1 for mono, 2 for stereo)
--audio-bit-depth, -bd {8,16}
Audio bit depth (8 or 16)
--audio-sample-rate, -sr AUDIO_SAMPLE_RATE
Audio sample rate in Hz (e.g., 44100, 48000)
--silent, -s Silent mode - don't print PAM User, PAM Config etc.
Sub-Command: rotation
Detail: View and create Keeper Rotation configuration for records.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
edit Edits Record Rotation configuration
list List Record Rotation configuration
info Get Rotation Info
script Add, delete, or edit script field
edit
My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG]
[--iam-aad-config IAM_AAD_CONFIG_UID] [--resource RESOURCE] [--schedulejson SCHEDULE_JSON_DATA |
--schedulecron SCHEDULE_CRON_DATA | --on-demand | --schedule-config] [--complexity PWD_COMPLEXITY]
[--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config, -c CONFIG UID or path of the configuration record.
--iam-aad-config, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource, -rs RESOURCE
UID or path of the resource record.
--schedulejson, -sj SCHEDULE_JSON_DATA
JSON of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY",
"intervalCount": 1}'
--schedulecron, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17
* * *"
--on-demand, -od Schedule On Demand
--schedule-config, -sf
Schedule from Configuration
--schedule-only, -so Only update the rotation schedule without changing other settings
--complexity, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5[,SPECIAL CHARS]
--admin-user, -a ADMIN
UID or path for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when
rotating
--enable, -e Enable rotation
--disable, -d Disable rotation
Example - Set the rotation schedule using JSON
The --schedulejson or -sj params are used to set the schedule via JSON.
Rotate the PAM User record every month, on the 1st, at 4:00AM my time.
pam rotation edit -r XXXX -sj '{"type": "MONTHLY_BY_DAY", "monthDay": 1, "time": "04:00", "tz": "America/Chicago"}'
Rotate the PAM User record every week on a Saturday, at 10:00PM my time.
pam rotation edit -r XXXX -sj '{"type": "WEEKLY", "weekday": "SATURDAY", "time": "22:00", "tz": "America/New_York"}'
The following are the valid schedule types.
ON DEMAND
The job is triggered manually on demand.
pam rotation edit -r XXXX --on-demand
DAILY
The job is triggered every day.
type - DAILY
time - A 24-hour formatted time when the job should be triggered.
tz - Your local IANA time zone (e.g., America/Chicago).
intervalCount - Optional; the number of days between triggers. Allows days to be skipped.
WEEKLY
The job is triggered every week.
type - WEEKLY
weekday - Week day name. Must be the full name, all in uppercase.
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
time - A 24-hour formatted time when the job should be triggered.
tz - Your local IANA time zone (e.g., America/Chicago).
intervalCount - Optional; if set to a value greater than 1, weekday will be ignored. The job will be triggered multiple times per week starting on Sunday. The day will be based on the value of intervalCount.
MONTHLY_BY_DAY
The job is triggered every month on a specific month day.
type - MONTHLY_BY_DAY
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remember that 29 can be a leap year day.
time - A 24-hour formatted time when the job should be triggered.
tz - Your local IANA time zone (e.g., America/Chicago).
intervalCount - Optional; if set to a value greater than 1, the job will trigger on the monthDay and will re-trigger every intervalCount days.
MONTHLY_BY_WEEKDAY
The job is triggered every month on a specific week day and time.
type - MONTHLY_BY_WEEKDAY
weekday - Week day name. Must be the full name, in all uppercase.
SUNDAY
MONDAY
TUESDAY
WEDNESDAY
THURSDAY
FRIDAY
SATURDAY
occurrence - Which week to trigger. If fifth week, use LAST.
FIRST
SECOND
THIRD
FOURTH
LAST
time - A 24-hour formatted time when the job should be triggered.
tz - Your local IANA time zone (e.g., America/Chicago).
intervalCount - Optional; if set, and set to a value other than 1, the trigger will start on the weekday and then trigger every intervalCount weeks.
YEARLY
The job is triggered yearly on a specific month, day and time.
type - YEARLY
month - Month name. Must be the full month name, in all uppercase.
JANUARY
FEBRUARY
MARCH
APRIL
MAY
JUNE
JULY
AUGUST
SEPTEMBER
OCTOBER
NOVEMBER
DECEMBER
monthDay - Day of the month. Starts at 1 and goes to max number of days per month. Remember that 29 can be a leap year day.
time - A 24-hour formatted time when the job should be triggered.
tz - Your local IANA time zone (e.g., America/Chicago).
intervalCount - Optional; if set, and set to a value other than 1, every intervalCount year will be triggered.
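The schedule fields listed above can be checked before a payload is handed to -sj, so a malformed schedule is caught before it is applied to many records. The Python below is an added example, not part of Keeper Commander: the function names are hypothetical, every field not marked Optional is assumed to be required, and the utcTime form from the help text is accepted alongside time plus tz.

```python
import json
import re
import shlex
import zoneinfo

WEEKDAYS = ("SUNDAY", "MONDAY", "TUESDAY", "WEDNESDAY", "THURSDAY", "FRIDAY", "SATURDAY")
OCCURRENCES = ("FIRST", "SECOND", "THIRD", "FOURTH", "LAST")
# Longest length of each month; 29 is accepted for February (leap-year day).
MONTH_DAYS = {
    "JANUARY": 31, "FEBRUARY": 29, "MARCH": 31, "APRIL": 30, "MAY": 31, "JUNE": 30,
    "JULY": 31, "AUGUST": 31, "SEPTEMBER": 30, "OCTOBER": 31, "NOVEMBER": 30, "DECEMBER": 31,
}
# Type-specific fields (assumed required). ON DEMAND has no JSON form; it uses --on-demand.
FIELDS = {
    "DAILY": (),
    "WEEKLY": ("weekday",),
    "MONTHLY_BY_DAY": ("monthDay",),
    "MONTHLY_BY_WEEKDAY": ("weekday", "occurrence"),
    "YEARLY": ("month", "monthDay"),
}
_TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d")
_KNOWN_TZ = zoneinfo.available_timezones()  # empty when the host has no tz database


def _named(value, allowed) -> bool:
    """True when value is a string found in the allowed names."""
    return isinstance(value, str) and value in allowed


def _positive_int(value, upper=None) -> bool:
    ok = isinstance(value, int) and not isinstance(value, bool) and value >= 1
    return ok and (upper is None or value <= upper)


def _tz_ok(tz) -> bool:
    if not isinstance(tz, str):
        return False
    if _KNOWN_TZ:
        return tz in _KNOWN_TZ
    # Fallback without a tz database: only check the Area/Location shape.
    return re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+\-]+)+", tz) is not None


def validate_schedule(raw: str) -> list:
    """Return a list of problems; an empty list means the payload looks valid."""
    try:
        sched = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(sched, dict) or not _named(sched.get("type"), FIELDS):
        return ["'type' must be one of " + ", ".join(FIELDS)]
    errors = []
    stype = sched["type"]
    for name in FIELDS[stype]:
        if name not in sched:
            errors.append(f"{stype} requires '{name}'")
    # Time of day: local 'time' plus 'tz', or the 'utcTime' form from the help text.
    if "utcTime" in sched:
        clock = sched["utcTime"]
    else:
        clock = sched.get("time")
        if not _tz_ok(sched.get("tz")):
            errors.append("'tz' must be an IANA zone name such as America/Chicago")
    if not (isinstance(clock, str) and _TIME_RE.fullmatch(clock)):
        errors.append("time must be 24-hour HH:MM")
    if "weekday" in sched and not _named(sched["weekday"], WEEKDAYS):
        errors.append("'weekday' must be a full upper-case day name")
    if "occurrence" in sched and not _named(sched["occurrence"], OCCURRENCES):
        errors.append("'occurrence' must be FIRST, SECOND, THIRD, FOURTH or LAST")
    if "month" in sched and not _named(sched["month"], MONTH_DAYS):
        errors.append("'month' must be a full upper-case month name")
    if "monthDay" in sched:
        month = sched.get("month")
        limit = MONTH_DAYS[month] if _named(month, MONTH_DAYS) else 31
        if not _positive_int(sched["monthDay"], limit):
            errors.append(f"'monthDay' must be an integer from 1 to {limit}")
    if not _positive_int(sched.get("intervalCount", 1)):
        errors.append("'intervalCount' must be a positive integer")
    return errors


def rotation_edit_command(record: str, raw: str) -> str:
    """Build the 'pam rotation edit' line for a payload that passed validation."""
    problems = validate_schedule(raw)
    if problems:
        raise ValueError("; ".join(problems))
    payload = json.dumps(json.loads(raw))
    return "pam rotation edit -r " + shlex.quote(record) + " -sj " + shlex.quote(payload)


if __name__ == "__main__":
    # Constructed input with three mistakes: abbreviated day, 12-hour time, bare city name.
    bad = '{"type": "WEEKLY", "weekday": "Sat", "time": "10:00PM", "tz": "Chicago"}'
    for problem in validate_schedule(bad):
        print("rejected:", problem)
```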
Example - Set the password complexity for the PAM User
The --complexity or -x params are used to set the password complexity.
Set the password complexity to create a 20 character password with a minimum of 1 uppercase letter, 4 lowercase letters, 2 digits, and 2 symbols from the symbol set .=+- .
pam rotation edit -r XXXX -x 20,1,4,2,2,.=+-
The value is a comma separated value (CSV) style value with the following parts:
Overall password length
Minimum number of uppercase letters.
Minimum number of lowercase letters.
Minimum number of digits.
Minimum number of symbols.
Special set. After last comma, just type the special characters you would like. You are limited to symbols in the following set. If left blank, this symbol set will be used.
!@#$%^?();',.=+[]<>{}-_/\\*&:"`~|
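Because the permitted symbol set itself contains a comma, a complexity value cannot be split naively on every comma. The Python below is an added example, not Keeper Commander code: it parses the value described above, rejects inconsistent policies, and gives an upper bound on password entropy. The names are hypothetical, the doubled backslash in the listed set is read as a single backslash, and the entropy bound assumes passwords use only ASCII letters, digits and the chosen symbols.

```python
import math
from dataclasses import dataclass

# Symbol set listed on this page (assumption: "\\" there means one backslash).
ALLOWED_SYMBOLS = set("!@#$%^?();',.=+[]<>{}-_/\\*&:\"`~|")


@dataclass(frozen=True)
class Complexity:
    length: int
    upper: int
    lower: int
    digits: int
    symbols: int
    special: str  # empty string means the default symbol set is used


def parse_complexity(value: str) -> Complexity:
    """Parse 'length,upper,lower,digits,symbols[,SPECIAL CHARS]'."""
    # Split at most five times: everything after the fifth comma is the
    # symbol set, which may legitimately contain commas.
    parts = value.split(",", 5)
    if len(parts) < 5:
        raise ValueError("expected length,upper,lower,digits,symbols[,SPECIAL CHARS]")
    try:
        numbers = [int(part) for part in parts[:5]]
    except ValueError:
        raise ValueError("the first five parts must be integers") from None
    if numbers[0] < 1 or any(n < 0 for n in numbers[1:]):
        raise ValueError("length must be positive and minimums cannot be negative")
    special = parts[5] if len(parts) == 6 else ""
    unknown = sorted(set(special) - ALLOWED_SYMBOLS)
    if unknown:
        raise ValueError("symbols outside the permitted set: " + "".join(unknown))
    length, *minimums = numbers
    if sum(minimums) > length:
        raise ValueError("minimum counts add up to more than the password length")
    return Complexity(length, *minimums, special)


def check(value: str) -> str:
    """Return 'ok' or the reason the value was rejected."""
    try:
        parse_complexity(value)
    except ValueError as exc:
        return str(exc)
    return "ok"


def max_entropy_bits(policy: Complexity) -> float:
    """Upper bound: every position drawn freely from the whole alphabet."""
    symbols = set(policy.special) or ALLOWED_SYMBOLS
    alphabet = 26 + 26 + 10 + len(symbols)
    return policy.length * math.log2(alphabet)


if __name__ == "__main__":
    # Values below are constructed, except the first, which is the page's example.
    for value in ("20,1,4,2,2,.=+-", "16,1,1,1,1,,.;", "8,4,4,4,4", "20,1,4,2,2,ab"):
        print(f"{value!r}: {check(value)}")
    policy = parse_complexity("20,1,4,2,2,.=+-")
    print(f"at most {max_entropy_bits(policy):.1f} bits")
```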
list
Display a list of all resources configured for rotation
My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose output
info
Display information about the rotation settings for a particular resource.
My Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
script
Manage post-rotation PAM scripts
My Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add List Record Rotation Schedulers
edit Add, delete, or edit script field
delete Delete script field
Sub-Command: action
Detail: Discovery, rotation and service account management of PAM Resources
My Vault> pam action help
pam command [--options]
Command Description
------------ ---------------------
gateway-info Info command
discover Discover command
rotate Rotate command
job-info View Job details
job-cancel View Job details
service Manage services and scheduled tasks
debug PAM debug information
gateway-info
Display information about the specific Keeper Gateway.
My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose Output
discover
Manage Discovery jobs
My Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rules
discover start
Start a discovery job
My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.
discover status
Display the status of a discovery job
My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
discover remove
Stop a running discovery job
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.
discover process
Process the findings of a discovery job
My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0
discover rule
Manage discovery rules
My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a rule
discover rule add
Add a discovery rule
My Vault> pam action discover rule add --help
usage: pam-action-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case]
[--shared-folder-uid SHARED_FOLDER_UID] --statement STATEMENT
options:
-h, --help show this help message and exit
--gateway, -g GATEWAY
Gateway name of UID.
--action, -a {add,ignore,prompt}
Action to take if rule matches
--priority, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement, -s STATEMENT
Rule statement
rotate
Issue a credential rotation on the specific resource, folder of resources, or pattern in the resource title. Optionally send an email with a one-time share link through a configured email provider.
My Vault> pam action rotate --help
usage: pam action rotate [-h] [--record-uid RECORD_UID] [--folder FOLDER] [--dry-run]
options:
-h, --help show this help message and exit
--record-uid, -r RECORD_UID
Record UID to rotate
--folder, -f FOLDER Shared folder UID or title pattern to rotate
--dry-run, -n Enable dry-run mode
--email-config NAME Email configuration to use for sending (required with --send-email)
--send-email EMAIL Email address to send one-time share link after successful rotation
--email-message MESSAGE Custom message to include in notification email
job-info
Display information about the running job
My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
job-cancel
Cancel a running job
My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
service list
Display the services and scheduled tasks associated to a specific Keeper Gateway
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
service add
Add an association for a service to a specific Keeper Gateway and PAM Machine. Once associated, Keeper will update the credentials for that service, on the specific PAM Machine, and restart the service (if running).
My Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to add [service, task]
service remove
Remove an association for a service on a specific PAM Machine.
My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to remove [service, task]
Sub-Command: tunnel
Detail: View and create Keeper Tunnels from the local machine to target infrastructure.
My Vault> pam tunnel help
pam command [--options]
Command Description
--------- -------------------------
start Start Tunnel
list List all Tunnels
stop Stop Tunnel to the server
tail View Tunnel Log
edit Edit Tunnel settings
start
Start a tunnel from the local device to the target resource
My Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--host HOST, -o HOST The address on which the server will be accepting connections. It could be an IP address or a
hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
--port PORT, -p PORT The port number on which the server will be listening for incoming connections. If not set, random
open port on the machine will be used.
list
Display a list of all available tunnels running
My Vault> pam tunnel list -h
usage: pam tunnel list [-h]
options:
-h, --help show this help message and exit
stop
Stop a tunnel that is currently running
My Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid
positional arguments:
uid The Tunnel UID or Record UID
options:
-h, --help show this help message and exit
tail
Display information in the Keeper tunnel
My Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid
positional arguments:
uid The Tunnel UID
options:
-h, --help show this help message and exit
edit
Edit the configuration of an existing Tunnel
My Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
[--disable-tunneling] [--remove-tunneling-override-port]
uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
Configurations.
--enable-tunneling, -et
Enable tunneling on the record
--tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
Port to use for tunneling. If not provided, the port from the record will be used.
--disable-tunneling, -dt
Disable tunneling on the record
--remove-tunneling-override-port, -rtop
Remove tunneling override port
Sub-command: split
Detail: Split a legacy PAM record into the new KeeperPAM format.
My Vault> pam split -h
usage: pam split [-h] [--configuration PAM_CONFIG] [--folder PAM_USER_FOLDER] pam_machine_record
positional arguments:
pam_machine_record The record UID or title of the legacy PAM Machine record with built-in PAM User credentials.
options:
-h, --help show this help message and exit
--configuration PAM_CONFIG, -c PAM_CONFIG
The PAM Configuration Name or UID - If the legacy record was configured for rotation this command
will try to autodetect PAM Configuration settings otherwise you'll be prompted to provide the PAM
Config.
--folder PAM_USER_FOLDER, -f PAM_USER_FOLDER
The folder where to store the new PAM User record - folder names/paths are case sensitive!(if skipped
- PAM User will be created into the same folder as PAM Machine)
Sub-command: project
Detail: Create a KeeperPAM project (similar to the Quick Start Sandbox from the vault user interface).
The PAM Import command helps customers (such as MSPs) with thousands of managed companies to automate the creation of folders, gateways, machines, users, connections, tunnels and (optionally) rotations.
My Vault> pam project import -h
usage: pam project import [-h] [--name PROJECT_NAME] [--filename FILE_NAME] [--dry-run] [--sample-data] [--show-template]
[--output {token,base64,json}]
options:
-h, --help show this help message and exit
--name PROJECT_NAME, -n PROJECT_NAME
Project name.
--filename FILE_NAME, -f FILE_NAME
File to load import data from.
--dry-run, -d Test import without modifying vault.
--sample-data, -s Generate sample data.
--show-template, -t Print JSON template required for manual import.
--output {token,base64,json}, -o {token,base64,json}
Output format (token: one-time token, config: base64/json)
pam project import --name=project1 --filename=/path/to/import.json --dry-run
--name, -n → Project name (overrides "project": "" from JSON)
--filename, -f → JSON file to load import data from.
--dry-run, -d → Test import without modifying vault.
Import JSON Documentation
A step-by-step guide to importing Windows Servers as PAM Resources from a basic list of server hostnames can be found at this page: Importing PAM Resources
A more detailed specification for "pam project import" templates can be found at this GitHub README Page
If you require assistance, contact the Commander team ([email protected]).

