Rotate Credential via REST API
Automatically rotate any cloud-based account using a REST API with Keeper Secrets Manager
Last updated
Was this helpful?
Automatically rotate any cloud-based account using a REST API with Keeper Secrets Manager
Last updated
Was this helpful?
This documentation provides generic instructions on how to set up password rotation using KeeperPAM's rotation option called "Run PAM scripts only". This is a setting in the PAM User rotation settings which tells the Gateway to skip the primary rotation method and directly execute the post-rotation script attached to the PAM User record in the vault.
This guide includes pre-requisites, step-by-step instructions, and a Python script example.
KSM Application: Ensure that the Keeper Secrets Manager (KSM) application is set up.
Shared Folder: A shared folder should be set up where all the records will be stored.
PAM Configuration: Ensure that the PAM Configuration is set up and that the Gateway is running and attached to this configuration.
REST API Token: You will need an API Token to interact with the arbitrary API.
Follow the steps in your target application or service to generate an API token.
Store this API token in a Keeper record. The record can be of any type, but for this example, we will use a "Login" type.
Store the API Token in the "password" field.
Store the Organization URL in the "Website Address" field.
Name this record "API Access Details" as this title will be used to fetch the record in the script later.
Create a new PAM User record to store target User details whose password will be rotated.
Set the username to match the user's login ID.
Set the password to the current password set for the user (this really depends on the REST endpoint)
Add the "Rotation Credential" record, which is the record created in Step 1 containing the API Token and URL.
Enable No-Operation (NOOP) atomic execution:
In the current PAM User record where user's details are stored, create a new custom text field labeled NOOP
and set its value to True
.
Rotation Type: Set it to "On-Demand" for this example.
Password Complexity: Leave it as default unless you have specific requirements.
Rotation Settings: Point to the PAM Configuration set up earlier.
Administrative Credentials Record: Can should be left empty
Below steps are related to the environment where the Keeper Gateway is running.
Ensure that the Python environment has all necessary dependencies installed.
If you want to use a virtual environment, add a shebang line at the top of the script.
Note: Ensure that the shebang line does not contain spaces. If it does, create a symbolic link without spaces. Example to create a symbolic link on Linux:
sudo ln -s "/Users/john/PAM Rotation Example/.venv/bin/python3" /usr/local/bin/pam_rotation_venv_python3
The Python script is well-commented and follows best practices. It imports necessary modules, initializes variables, and defines a rotation function to call an arbitrary REST API that changes user's password.
Attach the below that will perform the password rotation. The script has additional comments inside that describe each line.