Secrets Manager Token Add

The secrets-manager token add subcommand adds a one-time access token to an existing KSM application. It is a discoverable shortcut to the secrets-manager client add flow, designed for operators and automation scripts that need to provision tokens without re-creating the application.

Applies to: Keeper Commander 17.3+


Syntax

secrets-manager token add <APP_UID_OR_NAME> [options]

This is equivalent to:

secrets-manager client add --app <APP_UID_OR_NAME> [options]

Both commands produce identical output. token add exists for discoverability — the help text for secrets-manager now surfaces a dedicated token sub-group.


Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| <APP_UID_OR_NAME> | Yes | UID or name of an existing KSM application |


Options

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| --count <n> | integer | 1 | Number of one-time tokens to generate |
| --unlock-ip | flag | false | Remove the IP-lock restriction from the generated token |
| --first-access-expires-in-min <n> | integer | | Minutes until the token expires if not used for the first time |
| --access-expire-in-min <n> | integer | | Minutes until the token expires after first use |
| --name <label> | string | | Friendly name for the generated client |
| --config-init <type> | string | | Output format for config initialisation (k8s, json, b64) |
| --return-tokens | flag | false | Return raw token string(s) to the caller (for scripting) |


Examples

Add a single token to an application

Generate multiple tokens

Generate a token that expires in 30 minutes if unused

Scripting — capture the token value

Generate a token with Kubernetes config output


Notes

  • The application must already exist. To create a new KSM application, use secrets-manager app create <NAME>.

  • Tokens generated with --unlock-ip are not bound to the IP address of the machine that generated them.

  • --return-tokens is intended for use in scripts. Without it, the token is printed to stdout as part of the normal command output.

  • Implementation delegates entirely to KSMCommand.add_client() — no new API surface is introduced.
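
A pre-flight check for automation that issues tokens with this subcommand, as an added example (not Keeper's code and not from the original page): it vets an argument list against the Options table and a local policy before the command line is handed to Keeper Commander. The function names, MAX_FIRST_ACCESS_MIN, ALLOW_UNLOCK_IP and the policy itself (expiry required and capped, IP lock kept) are assumptions.

```sh
# Added example (not Keeper code): vet a "token add" argument list against
# the page's Options table plus an assumed local policy.
MAX_FIRST_ACCESS_MIN=60   # assumed ceiling for an unused token's lifetime
ALLOW_UNLOCK_IP=0         # assumed default: keep the IP lock in place

is_pos_int() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -gt 0 ]; }
# Sketch limitation: values with spaces or a leading '-' are rejected.
is_safe() { case $1 in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }
fail() { echo "$1" >&2; exit 1; }

# Usage: build_token_add_cmd APP [options from the Options table]
# Prints the vetted command line; on a violation prints the reason to stderr
# and returns non-zero. The body runs in a subshell, so exit only ends the call.
build_token_add_cmd() (
    is_safe "${1:-}" || fail "bad application UID or name"
    cmd="secrets-manager token add $1"; shift
    first=""
    while [ $# -gt 0 ]; do
        case $1 in
            --unlock-ip)
                [ "$ALLOW_UNLOCK_IP" = 1 ] || fail "--unlock-ip refused by policy"
                cmd="$cmd $1"; shift ;;
            --return-tokens)
                cmd="$cmd $1"; shift ;;
            --count|--first-access-expires-in-min|--access-expire-in-min)
                is_pos_int "${2:-}" || fail "$1 needs a positive integer"
                if [ "$1" = --first-access-expires-in-min ]; then first=$2; fi
                cmd="$cmd $1 $2"; shift 2 ;;
            --config-init)
                case ${2:-} in k8s|json|b64) ;; *) fail "bad --config-init value" ;; esac
                cmd="$cmd $1 $2"; shift 2 ;;
            --name)
                is_safe "${2:-}" || fail "bad --name value"
                cmd="$cmd $1 $2"; shift 2 ;;
            *)
                fail "unknown option: $1" ;;
        esac
    done
    [ -n "$first" ] || fail "--first-access-expires-in-min is required by policy"
    [ "$first" -le "$MAX_FIRST_ACCESS_MIN" ] || fail "first-access window exceeds policy"
    printf '%s\n' "$cmd"
)
```

The function only builds and checks the command line; it does not contact Keeper or generate a token.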
