PAM Project Import and Export

Commander supports round-trip import and export of PAM project configurations as JSON. Use pam project export to capture an existing project and pam project import to apply it to the same or a different tenant.

Applies to: Keeper Commander 17.3+ (PR #2006 for export, PR #2005 for import dedup guard, merged 2026-04-30)


Commands

| Command | Description |
| --- | --- |
| pam project export | Export a PAM project configuration to JSON |
| pam project import | Import a PAM project configuration from JSON |


pam project export

Walks the vault graph for a given PAM project configuration UID and emits a JSON document that is directly re-importable via pam project import.

Syntax

pam project export -p <config-uid> [--output <file>]

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| -p <config-uid> | Yes | UID of the PAM project configuration to export |
| --output <file> | No | Write JSON to this file path. If omitted, prints to stdout. |

Output schema

The exported JSON matches PROJECT_IMPORT_JSON_TEMPLATE exactly and is always re-importable without modification:

| Field | Description |
| --- | --- |
| tool_version | Identifies the export generator; activates generator-aware import path |
| project | PAM project metadata (name, node, shared folder UIDs) |
| shared_folder_users | Users with access to the shared folder |
| shared_folder_resources | Resources linked to the shared folder |
| pam_configuration | Full PAM configuration (gateway, rotation policy, etc.) |
| pam_data.resources | PAM-managed resources (machines, databases, directories) |
| pam_data.users | PAM-managed users, de-duplicated across resources |

Design properties

  • Deterministic output: sort_keys=True ensures stable JSON suitable for git diffs and drift detection

  • Idempotent re-import — resource UIDs are derived from Keeper record UIDs, which are stable across exports

  • User de-duplication — users shared across multiple resources appear once in pam_data.users

Examples

Export to stdout:

Export to a file for later import or version control:

Round-trip — export from one tenant, import to another:


pam project import

Imports a PAM project from a JSON file. Supports re-importing an export from pam project export or a manually authored import document.

Syntax

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| --filepath <file> | Yes | Path to the JSON import document |
| --dry-run | No | Validate and preview without making changes |

Duplicate UID guard (PR #2005)

pam project import now rejects import documents that contain duplicate uid values before creating any records.

Before this fix: Duplicate UIDs were silently preserved, producing an ambiguous dependency graph and incorrect DAG links during record creation.

After this fix: If any uid value appears more than once across resources and users, the import aborts with a clear error message listing the duplicates. Zero records are created.

Valid imports with unique UIDs continue to work unchanged.

Import document format

Import documents must follow the same schema as pam project export output. Key rules:

  • All uid values across pam_data.resources and pam_data.users must be unique

  • tool_version is optional; its presence activates generator-aware import behaviour

  • UIDs should be stable base64-URL-encoded 16-byte values; the importer will generate them if absent
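
A pre-flight check for the uid rules above, written as an added example: it is not Commander's own code and does not reproduce the importer's UID-normalisation pass. It assumes pam_data.resources and pam_data.users are arrays of objects with an optional top-level uid; the function names and the sample document are constructed for illustration.

```python
import base64
import binascii
import re
from collections import Counter

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def is_16_byte_b64url(uid):
    """True if uid is an unpadded base64-URL string that decodes to 16 bytes."""
    if not isinstance(uid, str) or not _B64URL.match(uid):
        return False
    try:
        raw = base64.urlsafe_b64decode(uid + "=" * (-len(uid) % 4))
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 16


def check_import_document(doc):
    """Return (duplicates, malformed) uid lists for pam_data.resources and pam_data.users.

    Assumption: each section is an array of objects with an optional top-level "uid".
    Entries without a uid are skipped, since the importer generates one.
    """
    pam_data = doc.get("pam_data") or {}
    uids = []
    for section in ("resources", "users"):
        for entry in pam_data.get(section) or []:
            if isinstance(entry, dict) and entry.get("uid") is not None:
                uid = entry["uid"]
                # Non-string values get a label that can never pass the format check.
                uids.append(uid if isinstance(uid, str) else f"<non-string: {uid!r}>")
    counts = Counter(uids)
    duplicates = sorted(u for u, n in counts.items() if n > 1)
    malformed = sorted(u for u in counts if not is_16_byte_b64url(u))
    return duplicates, malformed


def make_uid(seed):
    """Constructed sample UID: 16 repeated bytes, base64-URL encoded without padding."""
    return base64.urlsafe_b64encode(bytes([seed] * 16)).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed document: one uid reused by a resource and a user, one malformed uid.
    sample = {"pam_data": {
        "resources": [{"uid": make_uid(1)}, {"uid": make_uid(2)}],
        "users": [{"uid": make_uid(1)}, {"uid": "short"}, {"title": "entry without uid"}],
    }}
    dups, bad = check_import_document(sample)
    print("duplicate uids:", dups)
    print("malformed uids:", bad)
```

Running a check like this in CI over exported files kept in version control surfaces a hand-edited duplicate before the import is attempted.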

Example


Workflow: environment promotion

A common use case is promoting a PAM project from a staging tenant to production:


Notes

  • pam project export requires the authenticated user to have admin access to the PAM configuration and shared folder.

  • The export walks the vault graph live — ensure Commander has an up-to-date vault sync before exporting (sync command).

  • tool_version: "commander-export-1.0" in exported files activates a dedicated import branch that handles UIDs generated by Commander. Manually authored files without tool_version use the standard import path.

  • The duplicate UID guard in pam project import runs after the UID-normalisation pass, so externally supplied valid unique UIDs continue to work unchanged.
