Secrets Manager Client Commands

This page covers the Secrets Manager commands for managing the clients created for each application.

Overview

A client is a specific device that authenticates using a one-time token and gets access to secrets through the application it’s linked to.

Commands

Secrets Manager Client Add

This command creates a new client identity and generates a one-time access token for securely initialising the Secrets Manager SDK on that device.

DotNet CLI

Command: ksm

Action:

add-client : Adds a new device (a new client configuration) to the Secrets Manager application. Using this client configuration, the user can access the Secrets Manager application and the parts of the vault that the application has access to.

Flag:

  • --client-name : Client name. "add-client", "remove-client" only

  • --unlock-ip : Unlock IP Address? "add-client" only

  • --create-expire : Device creation expiration in minutes. "add-client" only

  • --access-expire : Device access expiration in minutes. "add-client" only

  • --b64 : Return KSM configuration instead of one-time token "add-client" only

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm add-client ksm_app_uid --client-name "Example Client"
Successfully generated Client Device

One-Time Access Token: US:device_token
IP Lock: Enabled
Token Expires On: 9/1/2025 10:23:15 AM
App Access Expires On: Never

DotNet SDK

Function:

public async Task<Tuple<SecretsManagerDevice, string>> AddSecretManagerClient(
            string applicationId, bool? unlockIp = null, int? firstAccessExpireInMinutes = null,
            int? accessExpiresInMinutes = null, string name = null)

Arguments:

applicationId - UID of the application to which this device will be linked.

unlockIp - Controls whether the generated client configuration is locked to the single IP address from which it is first used, or can be used from any computer as long as the configuration is migrated to it. Setting this flag to true unlocks the IP.

firstAccessExpireInMinutes - Time in minutes after which the configuration becomes obsolete if it has not been used.

accessExpiresInMinutes - Time in minutes after which this configuration becomes obsolete and expires.

name - Name of the client, stored on the Secrets Manager application. It is visible on the Secrets Manager application in the vault in the web app/UI.

PowerCommander

Command : Add-KeeperSecretManagerClient

Aliases : ksm-addclient

Flag :

  • -App : Application UID

  • -Name : Name of the device

  • -UnlockIP : Unlock IP Address

  • -B64 : Return KSM configuration instead of one time token "add-client" only

Example:

PS > Add-KeeperSecretManagerClient -App ksm_app_uid -Name "Example Device"
US:device_token

Python CLI

Command: secrets-manager-client

Parameters:

  • --command Add or Remove

  • -a --app Application name or UID

  • -n --name Client Name

  • -c --count Number of tokens, default is 1

  • -s --secret Record UID added to KSM app

  • -x --first-access-expires-in-min Time for the first request to expire, in minutes from the time when this command is executed. Max 1440 min (24 hrs). Default: 60

  • -p --access-expire-in-min Time interval that this client can access the KSM application. After this time, access is denied. Time is entered in minutes, starting from the time when the command is executed.

Options:

  • -f --force Skip confirmation prompts

  • -l --unlock-ip Unlock IP address where client can be accessed

  • --return-tokens Return the device tokens

Example:

My Vault> secrets-manager-client --command add --app="ksm_app_uid" --name "test client"

Successfully generated Client Device
====================================

One-Time Access Token: US:access_token
Name: test client
IP Lock: Enabled
Token Expires On: 2025-11-05 16:20:14
App Access Expires on: Never
Warning: Configuration is now locked to your current IP. To keep in unlock you can add flag `--unlock-ip` or use the One-time token to generate configuration on the host that has the IP that needs to be locked.

Python SDK

Function: Coming Soon
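
The add-client results shown above for the DotNet CLI and the Python CLI can be checked against a provisioning policy before the token is handed to a device. The following is an added example, not Keeper's code: the function names are hypothetical, timestamps are assumed to be naive local times, and the 60-minute limit mirrors the Python CLI default for --first-access-expires-in-min. It returns findings only and never the token itself.

```python
import re
from datetime import datetime

# Date layouts of the two add-client outputs shown on this page.
_DATE_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%Y-%m-%d %H:%M:%S")
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*:\s*(.*\S)\s*$")

# Constructed sample: the Python CLI output from this page, placeholder token.
SAMPLE = """Successfully generated Client Device
====================================

One-Time Access Token: US:access_token
Name: test client
IP Lock: Enabled
Token Expires On: 2025-11-05 16:20:14
App Access Expires on: Never
"""

def parse_fields(text):
    """Collect 'Key: value' lines; keys are lowercased because the two CLIs differ in case."""
    matches = (_FIELD.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}

def parse_date(value):
    """Return a naive datetime, or None when the value matches neither layout."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    return None

def audit_client(text, issued_at, max_token_minutes=60):
    """Return policy findings for one add-client result (assumes local, naive times)."""
    f = parse_fields(text)
    findings = []
    if f.get("ip lock", "").lower() != "enabled":
        findings.append("IP lock is not enabled")
    if f.get("app access expires on", "never").lower() == "never":
        findings.append("app access never expires")
    expires = parse_date(f.get("token expires on", ""))
    if expires is None:
        findings.append("token expiry missing or unparseable")
    elif (expires - issued_at).total_seconds() > max_token_minutes * 60:
        findings.append("one-time token outlives %d minutes" % max_token_minutes)
    return findings

if __name__ == "__main__":
    print(audit_client(SAMPLE, datetime(2025, 11, 5, 15, 20, 14)))
```
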

Secrets Manager Client Remove

This command revokes a device’s access to secrets by removing its client registration.

DotNet CLI

Command: ksm

Action: delete-client

Flag:

  • --client-name : Client name. "add-client", "remove-client" only

  • --b64 : Return KSM configuration instead of one-time token "add-client" only

  • value pos. 1 : Secret Manager application UID or Title

Example:

My Vault> ksm delete-client ksm_app_uid --client-name "Example Client"
Client "Example Client" has been deleted from application Test_Gateway Application

DotNet SDK

Function:

public async Task DeleteSecretManagerClient(string applicationId, string deviceId)

Arguments:

applicationId : Id of KSM app

deviceId : Id of KSM device configuration

Example:

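// UID of the KSM application and Id of the client device to revoke
var applicationId = "<AppId>";
var deviceId = "<deviceId>";
// Removes the client registration, revoking the device's access
await vault.DeleteSecretManagerClient(applicationId, deviceId);

PowerCommander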

Command: Remove-KeeperSecretManagerClient

Aliases : ksm-rmclient

Flag:

  • -App : Application UID

  • -Name : Name of the device

  • -WhatIf

  • -Confirm

Example:

PS > Remove-KeeperSecretManagerClient -App ksm_app_uid -Name "Example Device" -Confirm

Confirm
Are you sure you want to perform this action?
Performing the operation "Removing KSM Device 'Example Device'" on target "Test_Gateway Application".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Python CLI

Command: secrets-manager-client

Parameters:

  • --command Add or Remove

  • -i --client ID of client to be removed, obtain from secrets-manager-app get which lists clients

Options:

  • -f --force Skip confirmation prompts

Example:

My Vault> secrets-manager-client --command remove --app="ksm-app-uid" -i "client-uid"
Are you sure you want to delete 1 matching client(s) from this application? [y/n]: y

Client removal was successful

My Vault>

Python SDK

Function: Coming Soon
