# Inputs and Outputs

## Overview

Upon successful rotation of credentials on a PAM record, Keeper executes the attached Post-Rotation scripts with parameters containing information on the involved records, credentials, and user.

## Inputs

The Keeper Gateway executes PAM scripts and provides inputs to the script through stdin parameters. These parameters are placed in a Base64 encoded JSON object and piped to the script. 

For example, the Keeper Gateway will essentially execute the script on a Linux machine as follows:

```sh
history -c && echo "BASE64==......" | /path/to/script.sh
```

Windows:

```
"BASE64==......" | .\script.ps1; Clear-History
```

The following keys can be found in this base64 encoded JSON object:

<table><thead><tr><th width="250">Key</th><th>Description</th></tr></thead><tbody><tr><td><code>providerRecordUid</code> </td><td>The UID of the PAM Configuration record</td></tr><tr><td><code>resourceRecordUid</code> </td><td>The UID of the PAM Resource record</td></tr><tr><td><code>userRecordUid</code> </td><td>The UID of the PAM User record</td></tr><tr><td><code>newPassword</code> </td><td>The new password generated for the User</td></tr><tr><td><code>oldPassword</code> </td><td>The previous password for the User</td></tr><tr><td><code>user</code> </td><td>The username for the User</td></tr><tr><td><code>records</code></td><td>Base64-encoded JSON array of record dictionaries</td></tr></tbody></table>

### **Additional Info on** `records` **field**

The records key value is a Base64, JSON array of dictionaries. This array will include the following data:

* PAM Configuration information&#x20;
* Related PAM Machine, PAM Database, or PAM Directory Record Data
* Additional Records supplied when uploading the post-rotation scripts
* User Record Data&#x20;

Each dictionary object will contain:

* `uid` - The UID of the Vault record.
* `title` - The title of the Vault record.
* The rest of the dictionary will contain key/value pairs of the record's data where the key will be the label of the field. If the field does not contain a label, the field type will be used. If the key already exists, a number will be added to the key.&#x20;

## Outputs

Upon execution of the PAM Script, an array is returned containing instances of `RotationResult` for each script that was executed. The class `RotationResult` has the following attributes:

* `uid` - Keeper Vault record UID that has the script attached
* `command` - Command that was issued to the shell
* `system` - Operating system the script will run upon
* `title` - Title of the script attached to the Keeper Vault record
* `name` - Name of the script attached to the Keeper Vault record
* `success` - Was the script successful?
  * Linux and macOS - Script returned in a 0 return code.
  * Windows - Script returned a True status.
* `stdout` - The stdout from the execution of the script
* `stderr` - The stderr from the execution of the script

Additionally, the following methods can be used to determine if the script was a success, or not:

<table><thead><tr><th width="194">Method</th><th>Descripton</th></tr></thead><tbody><tr><td><code>was_failure</code> </td><td>boolean, return True if failure, False if success </td></tr><tr><td><code>was_success</code> </td><td>boolean, returns True if success, False if failure</td></tr></tbody></table>

With this, it is possible to customize logging:

{% code title="Example in Python" %}

```python
for r in results:
    if r.was_failure:
        print(f"For record {r.uid}, the script {r.title} failed: {r.stderr}")
```

{% endcode %}

### Troubleshooting

The class `RotationResult` has attribute `stderr` which logs the errors from execution of the script.

Although post rotation script results and information are available via the `RotationResult` class, errors and outputs of scripts are based on the type of shell the script is executed on. Keeper does not check the stdout or errors of the scripts as Keeper does not know what defines as an error for a customer-controlled script.

For example, if a BASH script does not contain a `set -e`, the script will continue even if part of the script fails. If the script exits with a `0` return code, the script will be flagged as successful.

Therefore, it is up to the customer to properly handle the outputs and errors of the script.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/en/keeperpam/privileged-access-manager/password-rotation/post-rotation-scripts/parameters.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.