Secrets Manager Commands

Commands to configure and manage the Keeper Secrets Manager platform

Overview

Keeper Secrets Manager is a cloud-based, Zero-Knowledge platform for DevOps and engineering teams to centrally manage and control access to privileged accounts. Common use cases for Secrets Manager include:

  • Removing hard-coded credentials from source code, configuration files and CI/CD systems

  • Protecting access to privileged passwords, API keys and other managed secrets.

  • Providing vault access to machines and applications.

  • Rotating service account credentials on-demand or on a schedule

In Keeper Secrets Manager, an "Application" is created for every target environment which needs access to specific folders in the Keeper Vault. An Application can be granted access to one or more Shared Folders or records within the vault. An Application can be utilized by one or more "Clients", which are individually authenticated and managed by the Secrets Manager infrastructure.

As an example, a Keeper "Application" might represent a production system, and each individual web server in your production system would represent a Client. Each Client authenticates and communicates to the Keeper Vault using a Client ID and a Private Key which is used to sign the request.

The commands in this document can be used to configure the Keeper Secrets Manager applications and client devices.

Keeper Secrets Manager Commands

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.

To get help on a particular command, run:

help <command>

secrets-manager Command Format

Keeper Secrets Manager commands follow the format:

secrets-manager <command> <sub command>

For example to list all apps use the following command:

secrets-manager app list

A list of all secrets-manager commands and details about each are below:

Secrets Manager CLI Command        Description
secrets-manager app list           List all Secrets Manager applications, showing the App UID, last access and the number of records/folders assigned.
secrets-manager app get            Retrieve detailed information about an application, including its devices.
secrets-manager app create         Create a new application.
secrets-manager app remove         Delete an application.
secrets-manager app share          Share an application and its associated gateways and configurations with another user.
secrets-manager app unshare        Unshare an application from a user.
secrets-manager client add         Create a device or machine identity associated with an application.
secrets-manager client remove      Remove a device.
secrets-manager share add          Associate a folder or record with an application.
secrets-manager share remove       Remove a folder or record from an application.

Example API Flow

Below is an example of creating an application, assigning secrets and creating machine devices.

Create an application

secrets-manager app create <APPLICATION NAME>

Create a New Secret

This can be done in the Vault user interface, but here we create a Secret, create a Shared Folder, then move the Secret into the Shared Folder. Example commands are below:

Share the Folder to the Secrets Manager Application

To find the Shared Folder or Record UID, use the 'ls -l' command, or open the "info" dialog in the Vault user interface.

Allow a client to access an application

The output of this command provides the One Time Access Token that will be used on the client.

Get a List of all applications

secrets-manager app list

View the details of an individual application

secrets-manager app get <APPLICATION NAME|APP UID>
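The flow above carried through end to end, as an added example session in the Commander interactive shell (it is not taken from this page or from Keeper's own documentation). The application, folder, record and client names and the UID placeholder are made up; `record-add`, `mkdir -sf`, `mv`, the `$GEN` password value and the `--app` switch on `client add` are assumed Commander commands and switches that this page does not list.

```text
# Assumed example session in the Keeper Commander shell (prompt shown as "My Vault>").

# 1. Create the application that the production web servers will use.
My Vault> secrets-manager app create "Production Web"

# 2. Create the secret and a Shared Folder, then move the secret into the folder.
#    record-add, mkdir -sf and mv are assumed Commander commands; password=$GEN asks
#    Commander to generate the password so the plaintext never appears in shell history.
My Vault> record-add --title "Prod DB" --record-type login login=svc_web password=$GEN
My Vault> mkdir -sf "Production Secrets"
My Vault> mv "Prod DB" "Production Secrets"

# 3. Look up the Shared Folder UID (placeholder shown), then grant the application access.
#    --editable is deliberately omitted: clients only need to read the secret.
My Vault> ls -l
My Vault> secrets-manager share add --app "Production Web" --secret <SHARED_FOLDER_UID>

# 4. Create one client per web server. The printed One Time Access Token is invalid
#    after 30 minutes if unused, and the default IP lock binds the client to the
#    first machine that redeems it, so a leaked token has a short, narrow window.
My Vault> secrets-manager client add --app "Production Web" --name "web-01" --first-access-expires-in-min 30

# 5. A CI runner whose egress IP changes needs --unlock-ip; use --config-init to emit a
#    ready-to-load JSON config instead of a token. Keep that output out of logs.
My Vault> secrets-manager client add --app "Production Web" --name "ci-runner" --unlock-ip --config-init json

# 6. Verify what the application can reach and which clients are enrolled.
My Vault> secrets-manager app get "Production Web"
```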

Commands

secrets-manager app create command

Command: secrets-manager app create

Detail: Create a new application that will be used to link clients to secrets

Parameters:

Name of the application

Example:

secrets-manager app get command

Command: secrets-manager app get

Detail: Display information about a specified application

Parameters:

Name or UID of the application

Examples:

secrets-manager app remove command

Command: secrets-manager app remove

Detail: Remove an application

Parameters:

Name or UID of the application

Examples:

secrets-manager app share command

Command: secrets-manager app share

Detail: Share an application and associated gateways and configurations with another user.

Parameters:

  • Name or UID of the application

  • Email of the user to share with

Examples:

secrets-manager app unshare command

Command: secrets-manager app unshare

Detail: Unshare an application from a user.

Parameters:

  • Name or UID of the application

  • Email of the user to remove from the application

Examples:

secrets-manager app list command

Command: secrets-manager app list

Detail: List all created applications

Example:

secrets-manager share add command

Command: secrets-manager share add

Detail: Add secret (record or shared folder) to an Application

Switches:

--secret, -s <SECRET UID> : Secret to share; can be a folder or record UID

--app, -a <APPLICATION RECORD UID> : Application to share with

--editable, -e : Allow edits to the records

Examples:

secrets-manager share remove command

Command: secrets-manager share remove

Detail: Remove secret (record or shared folder) from an Application

Switches:

--secret, -s <SECRET UID> : Secret to remove; can be a folder or record UID

--app, -a <APPLICATION RECORD UID> : Application to remove the secret from

Examples:

secrets-manager client add command

Command: secrets-manager client add

Detail: Add a Client to an Application; the Client is the device that will connect to the application. The output of this command is a one-time token which is used for initializing the Client device through the Secrets Manager SDK.

Switches:

--name [CLIENT NAME] : Name of the client (Default: random 10-character string)

--first-access-expires-in-min [MIN] : First-time access expiration in minutes (Default: 60, Max: 1440)

--access-expire-in-min [MIN] : Client access expiration in minutes (Default: no expiration)

--unlock-ip : Do not lock the IP address to the first requesting device

--count [NUM] : Number of tokens to generate (Default: 1)

--config-init [json, b64 or k8s] : Initialize a configuration string from the one-time token

Example 1: Create a new device called "Test 1" and produce a One Time Access Token.

Example 2: Create a new device called "Test 2" and produce a fully initialized JSON config file without IP lock. This config file can be loaded into a device directly.

Example 3: Create a new device called "Test 3" and produce a fully initialized base64 config string without IP lock. This config file can be loaded into a device as a single string instead of using a JSON config file.

Example 4: Create a new device called "Test 4" and produce a fully initialized Kubernetes config without IP lock. The YAML output can be copied into a file and applied to create a Kubernetes secret.

secrets-manager client remove command

Command: secrets-manager client remove

Detail: Remove a client from an Application

Switches:

--client <CLIENT ID> : Client to remove from the application

--app, -a <APPLICATION RECORD UID> : Application

--force : Do not ask for approval

Examples:
