Secrets Manager App Commands
This page shows how to use secrets manager commands focused on app usage
Secrets Manager App Commands
This subset of secrets manager command deal with keeper secrets manager applications found in vault under Secrets Manager > My Applications. These Commands help with performing CRUD and share/un-share operations for applications, so that you can use the app to access your vault data like secrets and folders.
Commands:
Secrets Manager App List
This action retrieves and displays a table of all Secrets Manager applications currently available in the Keeper vault. Each row contains the unique application UID and the application’s title. This is useful for quickly reviewing all registered apps before managing access or clients.
DotNet CLI
Command: ksm list
Flags:
--folder: Shared Folder UID or name. "share", "unshare" only-e, --can-edit: Can secret be edited? "share", "unshare" only--client-name: Client name. "add-client", "remove-client" only--unlock-ip: Unlock IP Address? "add-client" only--create-expire: Device creation expitation in minutes. "add-client" only--access-expire: Device access expitation in minutes. "add-client" only--b64: Return KSM configuration intead of one time token "add-client" only--email: User UID or email address."app-share", "app-unshare" only--is-admin: Share as admin user. "app-share", "app-unshare" only--help: Display this help screen.--version: Display version information.value pos. 0: KSM command options: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"value pos. 1: Secret Manager application UID or Title
Example:
My Vault> ksm list
# Application UID Title
--- ---------------------- ---------------
1 ksm_app_uid DemoApplicationDotNet SDK
Application list can be obtained from sdk using the following snippet, provided the vault is authenticated before.
foreach (var app in context.Vault.KeeperRecords.OfType<ApplicationRecord>())
{
Console.WriteLine(app.Uid, app.Title);
}Secrets Manager App Create
The create action creates a new Secrets Manager Application record in the Keeper Vault. This application can later be configured with client devices and shared folders for secrets management and automation use cases. Optionally, an application name (KsmId) can be specified during creation.
Once created, the application’s UID and title will be displayed in the output.
DotNet CLI
Command: ksm create <APP_NAME>
Flags:
--folder: Shared Folder UID or name. "share", "unshare" only-e, --can-edit: Can secret be edited? "share", "unshare" only--client-name: Client name. "add-client", "remove-client" only--unlock-ip: Unlock IP Address? "add-client" only--create-expire: Device creation expiration in minutes. "add-client" only--access-expire: Device access expiration in minutes. "add-client" only--b64: Return KSM configuration instead of one time token "add-client" only--email: User UID or email address. "app-share", "app-unshare" only--is-admin: Share as admin user. "app-share", "app-unshare" only--help: Display this help screen.--version: Display version information.value pos. 0: KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"value pos. 1: Secret Manager application UID or Title
Example:
Python CLI
Command: secrets-manager-app --command='create' or 'add'
Parameters:
--command{list,get,add,create,remove,share,unshare} One of: list, get, add, create, remove, share, unshare--app, -a: Use to set name of the secrets manager app to be created
Options:
--force, -f: Use to forcefully add secrets manager app with same name
Example:
Secrets Manager App View
Displays detailed information about a specific Secrets Manager Application using its UID/Name.
This command retrieves the application record from the vault and prints relevant metadata, including its UID, title, shared status, linked shared folders, and any associated records.
Behaviour:
Fetches the Secrets Manager Application from the vault using the provided Name.
Outputs a summary of the application’s details, similar to how they are stored in Keeper.
Useful for auditing or reviewing configuration and access relationships.
DotNet CLI
Command : ksm view <AppName>
Flags :
--folder: Shared Folder UID or name. "share", "unshare" only-e, --can-edit: Can secret be edited? "share", "unshare" only--client-name: Client name. "add-client", "remove-client" only--unlock-ip: Unlock IP Address? "add-client" only--create-expire: Device creation expiration in minutes. "add-client" only--access-expire: Device access expiration in minutes. "add-client" only--b64: Return KSM configuration instead of one time token "add-client" only--email: User UID or email address. "app-share", "app-unshare" only--is-admin: Share as admin user. "app-share", "app-unshare" only--help: Display this help screen.--version: Display version information.value pos. 0: KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"value pos. 1: Secret Manager application UID or Title
Example:
PowerCommander
Command: Get-KeeperSecretManagerApp
Aliases : ksm <uid>
Flags :
UidFilterDetail
Example:
Python CLI
Command: secrets-manager-app --command='get'
Parameters:
--command= get--app, -a: The UID or title of the secrets-manager-app to be fetched
Example:
Secrets Manager App Delete
This Command removes the application whose UID or name is given by user.
Behaviour:
Fetches the secrets manager application based on name or uid provided
Asks user confirmation (in power shell)
Deletes the application with given UID
DotNet CLI
Command: ksm delete <APP_UID>
Flags :
--folder: Shared Folder UID or name. "share", "unshare" only-e, --can-edit: Can secret be edited? "share", "unshare" only--client-name: Client name. "add-client", "remove-client" only--unlock-ip: Unlock IP Address? "add-client" only--create-expire: Device creation expiration in minutes. "add-client" only--access-expire: Device access expiration in minutes. "add-client" only--b64: Return KSM configuration instead of one time token "add-client" only--email: User UID or email address. "app-share", "app-unshare" only--is-admin: Share as admin user. "app-share", "app-unshare" only--help: Display this help screen.--version: Display version information.value pos. 0: KSM command: "view", "create", "delete", "share", "unshare", "add-client", "delete-client", "list", "app-share", "app-unshare"value pos. 1: Secret Manager application UID or Title
Example:
Python CLI
Command: secrets-manager-app --command='remove' --app='<app_uid_or_name>'
Parameters:
--command remove
Options:
--force Use force to delete secrets manager apps with clients
Example:
Secrets Manager App Share
This command shares the application with users mentioned. In case the user is not part of shareable pool ( By default, it will be your team/enterprise) then an invitation to share will be sent to the email mentioned and an email invitation for sharing will be sent.
Behaviour:
Fetches the app details and its information related to shares
checks if the user is already in shareable pool and if user has access to the app
once the app is shareable, it will be shared with user else an email will be sent to user with invite.
DotNet CLI
Command: ksm app-share APP_UID --email=USER_EMAIL --is-admin --can-edit --folder=<FOLDER_UID_FOR_SHARE_FOLDER>
Flags
--can-edit
--can-edit
When this flag is used in command, this sets user can edit to true which will make the application which is shared to user be editable by user, else the application will be readonly
--folder
--folder=UID
When this flag is given, it has to be given in format of --folder=FOLDER_UID which will share just the subfolder to the user instead of all the things which this application has acces to
--is-admin
--is-admin
When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.
--email=id
This is required field. it should be given in format of --email=EMAIL_ID and this will be the user email to which we will be sharing to.
Example:
DotNet SDK
Function: ShareRecordWithUser
Flags:
recordUid
<Record UID>
This is UID of the application/record which needs to be shared
username
<Email>
This is Email or userid of the user with whom we are sharing the application
options.CanEdit
boolean
can edit the application data
options.CanShare
boolean
can share the application
userType
Enum
Type of the user - Enterprise or regular user
Example:
Note:
Sharing the application this way has to follow a process.
when we are sharing an application with user, first we have to get all records to which this application has access to.
once we get all records, we have to share them all with the user in question with required permissions using
RevokeShareFromUser.once we get all the shared folders which the application has access to, then put the user into each shared folder using the
PutUserToSharedFolder.finally once all the above steps are done, then share the application with the user with appropriate permissions using
ShareRecordWithUser.Now Sharing of application is done.
PowerCommander
Command: Grant-KeeperAppAccess -ApplicationId <APP_UID> -UserUid <USER_ID>
Flags:
-IsAdmin
-IsAdmin
When this flag is given, , this gives the user an admin permission to the application and everything which is being shared with the user.
-UserUid
-UserUid <id>
This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.
Example:
Python CLI
Command: secrets-manager-app --command='share'
Flags:
--command= share-a, --app: Name or UID of app to be share-e, --email: Email of user with whom the app is to be shared/unshared--admin: Admin permissions to share and edit the records present in the app
Example:
Secrets Manager App UnShare
This command removes the application shares with users mentioned. The user's access to the application along with folder and records under the application will be revoked.
Behavior:
Fetches the app details and its information related to shares
checks if user has access to the app
If the user is not found the command exits stating the same.
If app is shared with the user, then we remove access to the underlying records and folder which are present in app, then app access is revoked.
DotNet CLI
Command: ksm app-unshare APP_UID --email=USER_EMAIL
Flags
--email=id
This is required field. it should be given in format of --email=EMAIL_ID and this will be the user whose access is revoked with respect to application.
Example:
DotNet SDK
Function: ShareRecordWithUser
Flags:
recordUid
<Record UID>
This is UID of the application/record which needs to be revoked
username
<Email>
This is Email or userid of the user with whom we are revoking the application from
userType
Enum
Type of the user - Enterprise or regular user
Example:
Note:
revoking the application access has to follow this process
when we are revoking an application from user, first we have to get all records to which this application has access to
once we get all records, we have to revoke them all from the user in question with required permissions
RevokeShareFromUseronce we get all the shared folders which the application has access to, then remove the user from each shared folder using the
RemoveUserFromSharedFolderfinally once all the above steps are done, then revoke the application from user using
RevokeShareFromUserNow revoking of application is done.
PowerCommander
Command: Revoke-KeeperAppAccess -ApplicationId <APP_UID> -UserUid <USER_ID>
Flags:
UserUid
-UserUid <id>
This is required field. it should be given in format of -UserUid EMAIL_ID. This will be the user email to which we will be sharing to.
Example:
Last updated
Was this helpful?