# Secrets Manager Share Commands
### Overview
Controls which **records or folders** (secrets) are accessible to a Secrets Manager App.
* User "share" secrets with an App by linking them via this command.
* User can also choose whether the app has **read-only** or **editable** access.
### Commands Supported
* [Secrets manager Share Command](#secrets-manager-share)
* [Secrets Manager Unshare Command](#secrets-manager-unshare)
### Secrets Manager Share
This command associates a vault folder or record with a Secrets Manager Application, granting the app access to those secrets.
DotNet CLI
**Command:** `ksm`
**Action:** `share`
**Flags:**
* `--folder` : Shared Folder UID or name. "share", "unshare" only
* `-e, --can-edit` : Can secret be edited? "share", "unshare" only
* `--help` : Display this help screen.
* `--version` : Display version information.
* `value pos. 0` : KSM command: "view", "create", "delete", "share", "unshare", "add-client",\
"delete-client", "list", "app-share", "app-unshare"
* `value pos. 1` : Secret Manager application UID or Title
**Example:**
```bash
My Vault > ksm share ksm_app_uid --folder folder_uid
Application UID: ksm_app_uid
Title: Test_Example Application
Shares
# Share Type Share UID Share Title Editable Created
--- ------------ ---------------------- ----------------------------- -------- ------------------
1 SharedFolder ksm_app_uid Example Resources X 5/2/2025 9:53 AM
Devices
# Name Device ID Created Last Accessed
--- -------------------- --------- ------------------ ------------------
1 Exmaple Application 4xeebo 5/2/2025 9:53 AM 7/8/2025 10:56 AM
```
DotNet SDK
**Function:** `ShareToSecretManagerApplication`
```csharp
Task ShareToSecretManagerApplication(string applicationId,
string sharedFolderOrRecordUid, bool canEdit);
```
**Arguments:**
`applicationId` - ID of ksm application to whom the folder or record is being shared
`sharedFolderOrRecordUid` ID of record or shared folder
`canEdit` - Boolean whether the permission to be edited is to be given or not
PowerCommander
**Command:** `Grant-KeeperSecretManagerFolderAccess`
**Aliases :** `ksm-share`
**Flags:**
* `-App` : Application UID
* `-Secret` : UID of the Secret/Record/Folder
**Example:**
```powershell
PS > Grant-KeeperSecretManagerFolderAccess -App ksm_app_uid -Secret record_uid
Uid Title IsExternalShare DeviceCount ShareCount
--- ----- --------------- ----------- ----------
ksm_app_uid Example Application False 7 6
```
Python CLI
**Command**: `secret-manager-share --command=`
**Parameters**:
* `--command` Add or remove
* `-a` `--app` Application Name or UID
* `-s` `--secret` Record UID - space separated (e.g., "uid1 uid2 uid3")
**Options**:
* -e --editable Is this share going to be editable or not
**Example:**
```sh
My Vault> secrets-manager-share --command='add' -e -a='ksm_uid' -s='record_uid'
Successfully added secrets to app uid=ksm_uid, editable=True:
record_uid Record
Share updates processed successfully
My Vault>
```
Python SDK
**Function:**
```python
master_key = vault.vault_data.get_record_key(record_uid=app_uid)
if not master_key:
raise ValueError(f"Could not retrieve app key for application {app_uid}")
added = ksm_management.KSMShareManagement.add_secrets_to_ksm_app(
vault=vault,
enterprise=enterprise_data,
app_uid=app_uid,
master_key=master_key,
secret_uids=secret_uids,
is_editable=is_editable,
)
print(f"Added {len(added)} secret(s) to KSM app '{app_uid_or_name}' (editable={is_editable}):")
for secret_uid, secret_type in added:
print(f" {secret_uid} ({secret_type})")
```
### Secrets Manager Unshare
This command removes a previously shared folder or record from a Secrets Manager Application, revoking its access to that secret.
DotNet CLI
**Command:** `ksm`
**Action:** `unshare`
**Flags:**
* `--folder` : Shared Folder UID or name. "share", "unshare" only
* `-e, --can-edit` : Can secret be edited? "share", "unshare" only
* `value pos. 1` : Secret Manager application UID or Title
**Example:**
```bash
My Vault > ksm unshare ksm_app_uid --folder folder_uid
Application UID: ksm_app_uid
Title: Test_Example Application
Shares
# Share Type Share UID Share Title Editable Created
--- ------------ ---------------------- ----------------------------- -------- ------------------
Devices
# Name Device ID Created Last Accessed
--- -------------------- --------- ------------------ ------------------
1 Exmaple Application 4xeebo 5/2/2025 9:53 AM 7/8/2025 10:56 AM
```
DotNet SDK
**Function:** `UnshareFromSecretManagerApplication`
```csharp
Task UnshareFromSecretManagerApplication(string applicationId,
string sharedFolderOrRecordUid);
```
**Arguments:**
`applicationId` - ID of ksm application to whom the folder or record is being unshared
`sharedFolderOrRecordUid` ID of record or shared folder whose permissions are being revoked
PowerCommander
**Command**: `Revoke-KeeperSecretManagerFolderAccess`
**Alias:** `ksm-unshare`
**Flags**:
* `-App` : Application UID
* `-Secret` : UID of the Secret/Record/Folder
**Example:**
```powershell
PS > Revoke-KeeperSecretManagerFolderAccess -App ksm_app_uid -Secret record_uid
Uid Title IsExternalShare DeviceCount ShareCount
--- ----- --------------- ----------- ----------
ksm_app_uid Example Application False 7 5
```
Python CLI
**Command**: `secret-manager-share --command=`
**Parameters**:
* `--command` Add or remove
* `-a` `--app` Application Name or UID
* `-s` `--secret` Record UID - space separated (e.g., "uid1 uid2 uid3")
**Example:**
```sh
My Vault> secrets-manager-share --command='remove' -a='ksm_uid' -s='record_uid'
Shared secrets were successfully removed from the application
```
Python SDK
**Function:**
```python
ksm_management.KSMShareManagement.remove_secrets_from_ksm_app(
vault=vault,
app_uid=app_uid,
secret_uids=secret_uids,
)
```