# Secrets Manager Commands

## Overview

Keeper Secrets Manager is a cloud-based, Zero-Knowledge platform for DevOps and engineering teams to centrally manage and control access to privileged accounts. Common use cases for Secrets Manager include:

* Removing hard-coded credentials from source code, configuration files and CI/CD systems
* Protecting access to privileged passwords, API keys and other managed secrets
* Providing vault access to machines and applications
* Rotating service account credentials on demand or on a schedule

In Keeper Secrets Manager, an "Application" is created for every target environment that needs access to specific folders in the Keeper Vault. An Application can be granted access to one or more Shared Folders or records within the vault. An Application can be used by one or more "Clients", each of which is individually authenticated and managed by the Secrets Manager infrastructure.

As an example, a Keeper "Application" might represent a production system, and each individual web server in your production system would represent a Client. Each Client authenticates and communicates to the Keeper Vault using a Client ID and a Private Key which is used to sign the request.

The commands in this document can be used to configure the Keeper Secrets Manager applications and client devices.

### Keeper Secrets Manager Commands

Whether you use the interactive shell, the CLI or a JSON config file, Keeper supports the following commands; each command accepts additional parameters and options.

To get help on a particular command, run:

`help <command>`

**secrets-manager Command Format**

Keeper Secrets Manager commands follow the format:

`secrets-manager <command> <sub command>`

For example, to list all apps, use the following command:

`secrets-manager app list`

A list of all secrets-manager commands and details about each are below:

| Secrets Manager CLI Command | Description |
|---|---|
| `secrets-manager app list` | List all Secrets Manager applications to view the App UID, last access and number of records/folders assigned. |
| `secrets-manager app get` | Retrieve detailed information about the application, including devices. |
| `secrets-manager app create` | Create a new application. |
| `secrets-manager app remove` | Delete an application. |
| `secrets-manager app share` | Share an application and associated gateways and configurations with another user. |
| `secrets-manager app unshare` | Unshare an application from a user. |
| `secrets-manager client add` | Create a device or machine identity associated with an application. |
| `secrets-manager client remove` | Remove a device from an application. |
| `secrets-manager client revoke` | Revoke a device based on Client ID. |
| `secrets-manager share add` | Associate a folder or record with an application. |
| `secrets-manager share remove` | Remove a folder or record from an application. |
| `secrets-manager app update` | Rename an existing Secrets Manager application. |
| `secrets-manager share update` | Update the permissions of a secret (record or shared folder) already associated with an application. |

### Example API Flow

Below is an example of creating an application, assigning secrets and creating machine devices.

### Create an application

`secrets-manager app create <APPLICATION NAME>`

```bash
My Vault> secrets-manager app create MyApplication
```

### Create a New Secret

This can also be done in the Vault user interface, but here we'll create a Secret, create a Shared Folder, then move the Secret into the Shared Folder. Example commands are below:

```
My Vault> add --login admin --pass "46$$625" --url "192.168.1.1" -t "Test Secret"
My Vault> mkdir -sf -a "My Shared Folder"
My Vault> mv "Test Secret" "My Shared Folder"
```

### Share the Folder to the Secrets Manager Application

{% code overflow="wrap" %}

```
My Vault> secrets-manager share add --app MyApplication --secret n4QtaKjRjhWMz5aS7bT77Q
```

{% endcode %}

{% hint style="info" %}
To find the Shared Folder or Record UID, use the `ls -l` command or the "info" dialog in the Vault user interface.
{% endhint %}

### Allow a client to access an application

```
My Vault> secrets-manager client add MyApplication
```

{% hint style="info" %}
The output of this command provides the One Time Access Token that will be used on the client.
{% endhint %}

### Get a List of all applications

`secrets-manager app list`

```
My Vault> secrets-manager app list

List of all Applications

Title      Uid
---------  ----------------------
PythonApp  oXMfwo-hzZNRqMXGvJlccQ
TestApp    KtU4eAzor5IpqRW3x4A8FA
```

### View the details of an individual application

`secrets-manager app get <APPLICATION NAME|APP UID>`

```
My Vault> secrets-manager app get MyApplication

Secrets Manager Application
App Name: MyApplication
App UID: ji__h4gaY3xvQdatVY_ffA

Client Device 1
=============================
  Name: Device1
  Short ID: nWThUIbR
  Created On: 2021-10-11 16:26:21
  First Access: 2021-10-11 16:27:05
  Last Access: 2021-10-11 16:49:47
  IP Lock: Disabled
  IP Address: --

Application Access
Share Type    UID                     Title                   Permissions
------------  ----------------------  ----------------------  -------------
FOLDER        J6xMIXKiwMqIyYJL7kd3xw  Secrets                 Editable
RECORD        mux0ZaWKd-h8maggFzy1rw  Database Login          Read-Only

```

## Commands

### secrets-manager app create command

**Command:** `secrets-manager app create`

**Detail:** Create a new application that will be used to link clients to secrets

**Parameters:**

Name of the application

**Example:**

```
My Vault> secrets-manager app create PythonApp
Application was added successfully
```

### secrets-manager app get command

**Command:** `secrets-manager app get`

**Detail:** Display information about a specified application and users with access to the application.

**Parameters:**

Name or UID of the application

**Examples:**

```
My Vault> secrets-manager app get PythonApp

Secrets Manager Application
App Name: PythonApp
App UID: ji__hxgaY3xvQdefVY_ffA

Client Device 1
=============================
  Name: Device1
  Short ID: nWThUIbR
  Created On: 2021-10-11 16:26:21
  First Access: 2021-10-11 16:27:05
  Last Access: 2021-10-11 16:49:47
  IP Lock: Disabled
  IP Address: --
  
Application Users
Username                        Role    Editable  Shareable
------------------------------  ------  --------  ---------
user@company.com                Owner   Yes       Yes

Application Access
Share Type    UID                     Title                   Permissions
------------  ----------------------  ----------------------  -------------
FOLDER        J62WIXgJwMqIyYJL7kd3xw  Secrets                 Editable
RECORD        mux0ZaWKd-vpmaggFzLkrw  Database Login          Read-Only
```
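Added example, not part of Keeper's documentation or tooling: a small Python audit that parses the `Client Device` blocks of the output above and flags devices with IP lock disabled, never used, or unused for longer than a threshold, the kind of review that feeds `client remove` or `client revoke` decisions. The sample output is constructed in the layout shown; the second device and its `--` timestamp are assumed values.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used in the command output

# Constructed sample in the layout shown above; device 2 and the "--" timestamps are assumed.
SAMPLE_OUTPUT = """\
Client Device 1
=============================
  Name: Device1
  Short ID: nWThUIbR
  Last Access: 2021-10-11 16:49:47
  IP Lock: Disabled

Client Device 2
=============================
  Name: Device2
  Short ID: aB12cD34
  Last Access: --
  IP Lock: Enabled

Application Users
"""

def parse_devices(output):
    """One dict per 'Client Device N' block, keyed by its indented 'Field: value' lines."""
    devices, current = [], None
    for line in output.splitlines():
        if re.fullmatch(r"Client Device \d+", line):
            current = {}
            devices.append(current)
        elif current is not None and line.startswith("  ") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
        elif line and not line[0].isspace() and not line.startswith("="):
            current = None  # a new section ('Application Users') ends the device list
    return devices

def audit_devices(devices, now_str, stale_days=90):
    """Flag devices to follow up on: IP lock off, never used, or unused for stale_days."""
    now, findings = datetime.strptime(now_str, FMT), []
    for d in devices:
        if d.get("IP Lock") == "Disabled":
            findings.append((d["Name"], "ip-lock-disabled"))
        last = d.get("Last Access", "--")
        if last == "--":
            findings.append((d["Name"], "never-accessed"))
        elif now - datetime.strptime(last, FMT) > timedelta(days=stale_days):
            findings.append((d["Name"], "stale"))
    return findings
```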

### secrets-manager app remove command

**Command:** `secrets-manager app remove`

**Detail:** Remove an application

**Parameters:**

Name or UID of the application

**Examples:**

```
My Vault> secrets-manager app remove PythonApp

This Application (uid: 2lj-PaoQp281mTV7GWK5Bw) has 5 client(s), 1 shared folder(s), and 10 record(s).
	Are you sure you want to delete this application [y/n]: >? y
>? y
Removed Application uid: 2lj-PaoQp281mTV7GWK5Bw

My Vault> secrets-manager app remove KtU4eAzor5IpqRW3x4A8FA
This Application (uid: KtU4eAzor5IpqRW3x4A8FA) has 12 client(s), 1 shared folder(s), and 4 record(s).
	Are you sure you want to delete this application [y/n]: >? y
>? y
Removed Application uid: KtU4eAzor5IpqRW3x4A8FA
```

### secrets-manager app share command

{% hint style="warning" %}
Sharing an application with a user gives them access to the Gateways, Devices and Folders associated with that application.
{% endhint %}

**Command:** `secrets-manager app share`

**Detail:** Share an application and associated gateways and configurations with another user.

**Parameters:**

* Name or UID of the application
* Email of the user to share with

**Examples:**

```
secrets-manager app share KtU4eAzor5IpqRW3x4A8FA --email user@company.com
```

### secrets-manager app unshare command

**Command:** `secrets-manager app unshare`

**Detail:** Unshare an application from a user.

**Parameters:**

* Name or UID of the application
* Email of the user to remove from the application

**Examples:**

```
secrets-manager app unshare KtU4eAzor5IpqRW3x4A8FA --email user@company.com
```

### secrets-manager app list command

**Command:** `secrets-manager app list`

**Detail:** List all created applications

**Example:**

```
My Vault> secrets-manager app list

List of all Applications

Title      Uid
---------  ----------------------
PythonApp  oXMfwo-hzZNRqMXGvJlccQ
TestApp    KtU4eAzor5IpqRW3x4A8FA

```

### secrets-manager share add command

**Command:** `secrets-manager share add`

**Detail:** Add secret (record or shared folder) to an Application

**Switches:**

* `--secret`, `-s <SECRET UID>`: secret to share; can be a folder or record UID
* `--app`, `-a <APPLICATION RECORD UID>`: application to share with
* `--editable`, `-e`: allow edits to the records

**Examples:**

```
My Vault> secrets-manager share add --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ"
Successfully added new record uid=E7YS6Yqmhsip52DzwdC9gw to app uid=oXMfwo-hzZNRqMXGvJlccQ
```

### secrets-manager share remove command

**Command:** `secrets-manager share remove`

**Detail:** Remove secret (record or shared folder) from an Application

**Switches:**

* `--secret`, `-s <SECRET UID>`: secret to remove; can be a folder or record UID
* `--app`, `-a <APPLICATION RECORD UID>`: application to remove the secret from

**Examples:**

```
My Vault> secrets-manager share remove --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ"
Secret share was successfully removed from the application
```

### secrets-manager client add command

**Command:** `secrets-manager client add`

**Detail:** Add a Client to an Application that will be used to connect to the application. The output of this command is a one-time token which is used for initializing the Client device through the Secrets Manager SDK.

**Switches:**

* `--name [CLIENT NAME]`: name of the client (Default: random 10-character string)
* `--first-access-expires-in-min [MIN]`: first-time access expiration (Default 60, Max 1440)
* `--access-expire-in-min [MIN]`: client access expiration (Default: no expiration)
* `--unlock-ip`: does not lock the IP address to the first requesting device
* `--count [NUM]`: number of tokens to generate (Default: 1)
* `--config-init [json, b64 or k8s]`: initialize a configuration string from a one-time token

**Example 1:** Create a new device called "Test 1" and produce a One Time Access Token.

```
My Vault> sm client add --app Ansible --name "Test 1"

Successfully generated Client Device
====================================
One-Time Access Token: US:_wYNCeeLmBSdDgkcE77NyMcO-6DqLutNO1NylWVyco
Name: Test 1
IP Lock: Enabled
Token Expires On: 2021-09-30 22:52:46
App Access Expires on: Never

```

**Example 2:** Create a new device called "Test 2" and produce a fully initialized JSON config file without IP lock. This config file can be loaded into a device directly.

```
My Vault> sm client add --app Ansible --name "Test 2" --unlock-ip --config-init=json

Successfully generated Client Device
====================================

Initialized Config: {"hostname": "keepersecurity.com","clientId": "XXX","privateKey": "XXX","serverPublicKeyId": "10","appKey": "XXX"}
Name: Test 2
IP Lock: Disabled
Token Expires On: 2021-09-30 22:54:11
App Access Expires on: Never
```

**Example 3:** Create a new device called "Test 3" and produce a fully initialized base64 config string without IP lock. This config file can be loaded into a device as a single string instead of using a JSON config file.

```
My Vault> sm client add --app Ansible --name "Test 3" --unlock-ip --config-init=b64

Initialized Config: eyJob3N0bmFtJjbGllbnRJZCI6I3lHbXZodUZFITEhBbDhBRmVHK1ow
Name: Test 3
IP Lock: Disabled
Token Expires On: 2021-09-30 22:59:09
App Access Expires on: Never
```

**Example 4:** Create a new device called "Test 4" and produce a fully initialized Kubernetes config without IP lock. The YAML output can be saved to a file and applied to create a Kubernetes Secret.

```
My Vault> sm client add --app Nginx --name "Test 4" --unlock-ip --config-init=k8s

apiVersion: v1
data:
  config: eyJob3N0bmFtJjbGllbnRJZCI6I3lHbXZodUZFITEhBbDhBRmVHK1owSD...
kind: Secret
metadata:
  name: ksm-config
  namespace: default
type: Opaque

Name: Test 4
IP Lock: Disabled
Token Expires On: 2021-09-30 22:59:09
App Access Expires on: Never
```
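The three `--config-init` outputs above carry the same configuration in different wrappings. As an added example (not Keeper's SDK or Commander code), the Python below converts a JSON config to the base64 string and to the Kubernetes Secret manifest, decodes a base64 config back while checking that the keys shown in Example 2 are present, and produces a redacted copy that is safe to log. It assumes, as the matching prefixes in Examples 3 and 4 suggest, that both the b64 string and the Secret's `data.config` value are the base64 of the JSON text; the sample config is constructed with placeholder values.

```python
import base64
import json

# Keys present in the initialized JSON config shown in Example 2 above.
REQUIRED_KEYS = ("hostname", "clientId", "privateKey", "serverPublicKeyId", "appKey")

# Constructed sample; secret fields are placeholders, as in the page's own output.
SAMPLE_CONFIG = {
    "hostname": "keepersecurity.com",
    "clientId": "XXX",
    "privateKey": "XXX",
    "serverPublicKeyId": "10",
    "appKey": "XXX",
}


def config_to_b64(config):
    """Base64 form (--config-init=b64): the JSON text of the config, base64-encoded."""
    return base64.b64encode(json.dumps(config).encode("utf-8")).decode("ascii")


def config_from_b64(b64):
    """Decode a base64 config back to JSON and refuse it if a required key is absent."""
    config = json.loads(base64.b64decode(b64, validate=True))
    missing = [k for k in REQUIRED_KEYS if k not in config]
    if missing:
        raise ValueError(f"config is missing keys: {missing}")
    return config


def config_to_k8s_secret(config, name="ksm-config", namespace="default"):
    """Kubernetes Secret manifest (--config-init=k8s): data.config is the base64 config."""
    return "\n".join([
        "apiVersion: v1",
        "data:",
        f"  config: {config_to_b64(config)}",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "type: Opaque",
    ])


def redacted(config):
    """Copy safe to log or diff: only hostname and the server key id are kept in clear."""
    keep = ("hostname", "serverPublicKeyId")
    return {k: (v if k in keep else "<redacted>") for k, v in config.items()}
```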

### secrets-manager client remove command

**Command:** `secrets-manager client remove`

**Detail:** Remove a client from an Application

**Switches:**

* `--client <CLIENT ID>`: client to remove from the application
* `--app`, `-a <APPLICATION RECORD UID>`: application
* `--force`: don't ask for approval

**Examples:**

```
My Vault> secrets-manager client remove --app PythonApp --client MyClient
Are you sure you want to delete 3 matching clients from this application? [y/n]:
>? y
Client removal was successful
```

### secrets-manager client revoke command

**Command:** `secrets-manager client revoke`

**Detail:** Searches all applications for the given client ID and revokes it. Useful for quickly revoking a lost or leaked device without knowing the application. The client ID can be found in the device's configuration file as "clientId". The client ID also supports the shortened version ("Short ID") as seen in the Vault user interface.

**Switches:**

* `--client <CLIENT ID>`: client to revoke
* `--force`: don't ask for approval

**Example:**

```
My Vault> secrets-manager client revoke --client La1Ud62e
Found 1 matching client device(s):

  Application: :: KeeperPAM Demo
  Device Name: kUejmuw6JnU
  Client ID:   La1Ud62eGHcqQ8h27UQs...

	Are you sure you want to revoke 1 client device(s)? [y/n]: y
Revoked 1 client(s) from application "KeeperPAM Demo"

Client revocation complete.
```

### secrets-manager app update command

**Command**: `secrets-manager app update`

**Detail**: Rename an existing Secrets Manager application.

**Parameters**:

* Name or UID of the application
* `--name`, `-n`: new name for the application

**Examples**:

{% code overflow="wrap" %}

```
My Vault> secrets-manager app update PythonApp --name PythonAppV2

"PythonApp" was successfully renamed to "PythonAppV2"
```

{% endcode %}

### secrets-manager share update command

**Command**: `secrets-manager share update`

**Detail**: Update the permissions of a secret (record or shared folder) already associated with an application. Use `--editable` to allow the client to modify the secret or `--readonly` to restrict access to read-only.

**Switches**:

* `--secret`, `-s <SECRET UID>`: UID of the record or shared folder to update
* `--app`, `-a <APPLICATION NAME OR UID>`: application that owns the share
* `--editable`, `-e`: set the share to editable
* `--readonly`, `-r`: set the share to read-only

**Examples**:

{% code overflow="wrap" %}

```
My Vault> secrets-manager share update --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ" --editable

Successfully updated share permissions to editable for app uid=oXMfwo-hzZNRqMXGvJlccQ
```

{% endcode %}

{% code overflow="wrap" %}

```
My Vault> secrets-manager share update --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ" --readonly

Successfully updated share permissions to read-only for app uid=oXMfwo-hzZNRqMXGvJlccQ
```

{% endcode %}
