SaaS Plugins
SaaS and REST-based rotation plugins

KeeperPAM SaaS Rotation Plugins
Overview
KeeperPAM supports automated password rotation for various SaaS applications and services, including cloud infrastructure. This feature requires Keeper Gateway version 1.6 or newer. Currently, the configuration of SaaS rotations requires the use of Keeper Commander CLI. The front-end for managing these rotations will be included in an upcoming release of the Web Vault and Desktop App.
SaaS rotations are available as built-in integrations, catalog integrations or custom integrations.
Built-in SaaS Integrations
KeeperPAM includes pre-built integrations for popular services:
Okta - Identity and access management
Snowflake - Cloud data platform
REST APIs - Generic REST endpoint integration
AWS Access Keys - Amazon Web Services credential rotation
Azure Client Secrets - Microsoft Azure application secrets
Cisco IOS XE - Network device management
Cisco Meraki - Cloud-managed networking
Catalog SaaS Integrations
In Keeper's SaaS Github Repository, several new rotation plugins have been created, including:
AWS Cognito
Cisco APIC
and more
As new catalog rotations are added, customers may use these rotations within their environments.
Custom Integrations
Following the examples in Keeper's SaaS Github Repository, customers can create their own plugins that are private and only available to their Keeper Gateway. See the Using Custom Plugins section for more information.
Setting Up SaaS Password Rotation
This is accomplished in 3 steps outlined below:
Step 1: Create a SaaS Configuration Record
Step 2: Associate SaaS Rotation with PAM Users
Step 3: Verify Configuration
Step 1: Create a SaaS Configuration Record
SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.
Using Keeper Commander CLI
The fastest way to create a SaaS configuration is the Commander CLI pam action saas config command:
# Login to your vault
keeper shell
# List available SaaS types for your gateway
pam action saas config --gateway "My Gateway" --list
# Create a new SaaS configuration (example for Okta)
pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create
The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.
You can also just create a Login record with custom fields as defined below.
Okta Configuration Record
Field | Description | Required
SaaS Type | Okta | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Okta URL | The URL of the customer login portal, where users log in. | Yes
Okta Token | The API token created on the Security → API → Tokens admin page. | Yes
Snowflake Configuration Record
Field | Description | Required
SaaS Type | Snowflake | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Snowflake Admin User | An admin username. | Yes
Snowflake Admin Password | The password for the admin username. | Yes
Snowflake Account | The account. It is the subdomain of the URL. | Yes
REST Configuration Record
Field | Description | Required
SaaS Type | REST | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
REST Url | URL to the web service. | Yes
REST Token | A header Bearer token. This must be static; it cannot be generated. | Yes
REST Method | The HTTP method to use. The default is POST. Valid values are: POST, PUT. | No
AWS Access Key Configuration Record
Field | Description | Required
SaaS Type | AWS Access Key | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
AWS Access Key ID for the Administrative role | Admin Access Key ID | No
AWS Secret Access Key for the Administrative role | Admin Secret Access Key | No
Region Name | Region name. This can be left blank unless GovCloud; a value is required for GovCloud. | No
AWS Clean Keys | Remove old Access Keys. If not set, defaults to 'All'. All: removes all the access keys. Oldest: removes the oldest access key if both Access Key slots are filled. Replace: replaces the Access Key used in the Vault record; if there are two Access Keys, the other is not removed. | No
Note: The admin access key does NOT need to be set if you are using an EC2 instance with an attached IAM role, or an AWS configuration. The plugin will get its credentials from the following sources, in the specified order:
1. SaaS Configuration Record - Ensure that the Access Key and Secret Key
2. AWS PAM Configuration - See the AWS Environment Setup for details
Assigning Permissions
Ensure that the roles assigned to your AWS PAM Configuration or to the specific administrative access key / secret key include the below policies required to rotate a target access key:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
    }
  ]
}
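The three IAM actions in the policy above are exactly what a rotation needs: list the user's keys, create the replacement, and delete what the AWS Clean Keys mode says to retire. The following is an added example, not Keeper's plugin code, showing that sequence for the All, Oldest and Replace modes described on this page. A constructed in-memory stand-in replaces the boto3 IAM client so it runs offline; the delete-before-create ordering when both key slots are already full is an assumption, driven by the IAM limit of two access keys per user.

```python
"""Added example (not Keeper's code): AWS access-key rotation honouring the
'AWS Clean Keys' modes on this page. FakeIam is a constructed stand-in for
boto3's IAM client exposing only list/create/delete. Delete-before-create when
both slots are full is an assumption based on IAM's two-keys-per-user limit."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_KEYS_PER_USER = 2  # IAM quota; a third CreateAccessKey call is rejected


@dataclass
class FakeIam:
    """Constructed stand-in for boto3 IAM; `keys` maps AccessKeyId -> CreateDate."""
    keys: dict
    _counter: int = 0
    deleted: list = field(default_factory=list)

    def list_access_keys(self, UserName):
        meta = [{"AccessKeyId": k, "CreateDate": d} for k, d in self.keys.items()]
        # Real IAM returns metadata too; sort oldest first so slot selection is explicit.
        return {"AccessKeyMetadata": sorted(meta, key=lambda m: m["CreateDate"])}

    def create_access_key(self, UserName):
        if len(self.keys) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded: cannot exceed quota for AccessKeysPerUser")
        self._counter += 1
        new_id = f"AKIANEW{self._counter:04d}"  # constructed id, not a real key
        self.keys[new_id] = datetime.now(timezone.utc)
        return {"AccessKey": {"AccessKeyId": new_id, "SecretAccessKey": "constructed-secret"}}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]
        self.deleted.append(AccessKeyId)


def _slot_to_free(keys, current_id, mode):
    """Key to delete before creating when both slots are full: the oldest for
    'Oldest', otherwise the key currently stored in the Vault record."""
    if mode == "Oldest":
        return keys[0]["AccessKeyId"]  # list is sorted oldest first
    return current_id


def rotate_access_key(iam, user, current_id, clean_mode="All"):
    """Rotate `current_id` for `user`; returns (new_key_id, new_secret).
    All: only the new key remains. Oldest: frees the oldest slot only when both
    are full. Replace: retires the Vault record's key and leaves any other key."""
    if clean_mode not in ("All", "Oldest", "Replace"):
        raise ValueError(f"unknown AWS Clean Keys mode: {clean_mode}")
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if current_id not in [k["AccessKeyId"] for k in keys]:
        raise ValueError("vault record's access key is not attached to this user")
    # Free a slot first if both are taken, otherwise CreateAccessKey fails.
    if len(keys) >= MAX_KEYS_PER_USER:
        iam.delete_access_key(UserName=user, AccessKeyId=_slot_to_free(keys, current_id, clean_mode))
    new = iam.create_access_key(UserName=user)["AccessKey"]
    # Post-create cleanup of everything that is not the new key, per mode.
    remaining = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    for kid in remaining:
        if kid == new["AccessKeyId"]:
            continue
        if clean_mode == "All" or (clean_mode == "Replace" and kid == current_id):
            iam.delete_access_key(UserName=user, AccessKeyId=kid)
    return new["AccessKeyId"], new["SecretAccessKey"]
```

Run against a real account, `FakeIam` would be replaced by `boto3.client("iam")`, whose `list_access_keys`, `create_access_key` and `delete_access_key` methods take the same keyword arguments; the new secret must be written to the Vault record before the old key is deleted, or a failed write leaves the target without a usable credential.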
Azure Client Secret Configuration Record
Field | Description | Required
SaaS Type | Azure Client Secret | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Azure Target Object ID | The target Azure Entra ID application. This is the object ID of the application which is being rotated. | Yes
Expiry Days | The number of days before the secret expires. Default is 365 days. | No
Azure Tenant ID | The Directory (tenant) ID of the Azure Entra ID. This is for both the admin and target application. | No
Azure Admin Application ID | The Application (client) ID for the Administrative app which is performing the rotation (NOT the target). | No
Azure Admin Client Secret | This is the Secret value for the administrative application. | No
Azure Authority | Special URL for MSAL to request tokens. | No
Azure Graph Endpoint | Special URL for Azure Graph scope. | No
Azure Clean Keys | Remove old Access Keys upon every rotation. All: removes all the secrets. Replace: replaces the secret used in the Vault record. | No
Note: The administrative application ID and client secret do not need to be set if you are using a PAM Configuration that already has the necessary Azure permissions. The plugin will get its credentials from the following sources, in the specified order:
1. SaaS Configuration Record
2. Azure PAM Configuration
Assigning Permissions to Admin Application
In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.
Required Microsoft Graph Permissions:
Application.ReadWrite.All
How to Assign:
1. Go to Azure Portal > Azure Active Directory > App registrations
2. Select your Administrative app (the one that will rotate secrets)
3. Go to API permissions > Add a permission
4. Choose Microsoft Graph
5. Select Application permissions
6. Search for and select Application.ReadWrite.All
7. Click Add permissions
8. Then click Grant admin consent for the tenant
Cisco IOS XE Configuration Record
Field | Description | Required
SaaS Type | Cisco IOS XE | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Admin Username | The administrator's username. | Yes
Admin Password | The administrator's password. | Yes
Hostname | Hostname or IP of the web service. | Yes
Verify SSL | Verify the server's SSL certificate. Default is FALSE. | No
Cisco Meraki Configuration Record
Field | Description | Required
SaaS Type | Cisco Meraki | Yes
Active | Activate/Deactivate a SaaS rotation. The default is active. | No
Admin Email | The administrator's email address. | Yes
API Key | The API Key generated in the admin's profile, in the API access section. | Yes
Network ID | The Network ID. If blank, an attempt will be made to find the network ID: if the customer has only one organization, and only one network in that organization, that network ID is used. | No
Verify SSL | Verify the server's SSL certificate. Default is FALSE. | No
API: Cisco Meraki OpenAPI Document
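The blank Network ID fallback above has a precise failure mode: discovery only succeeds when the API key sees exactly one organization containing exactly one network. The following added example (not Keeper's or Cisco's code) implements that rule against the Meraki Dashboard API's `GET /organizations` and `GET /organizations/{organizationId}/networks` endpoints, with the HTTP layer injected so the logic runs offline on constructed data. The `dashboard_get` helper at the end, which honours the Verify SSL field, assumes the `requests` library and is not exercised by the offline run.

```python
"""Added example (not Keeper's or Cisco's code): resolve the Meraki Network ID
when the configuration record leaves it blank, following the one-org/one-network
rule on this page. The HTTP call is injected as `get_json(path)`."""
from typing import Callable, List, Optional

JsonGetter = Callable[[str], List[dict]]


def resolve_network_id(get_json: JsonGetter, network_id: Optional[str]) -> str:
    """Return the configured Network ID, or discover it when the API key sees
    exactly one organization with exactly one network; otherwise fail loudly
    rather than rotating against a guessed network."""
    if network_id and network_id.strip():
        return network_id.strip()
    orgs = get_json("/organizations")
    if len(orgs) != 1:
        raise LookupError(
            f"cannot infer network: API key sees {len(orgs)} organizations; set Network ID explicitly")
    org_id = orgs[0]["id"]
    networks = get_json(f"/organizations/{org_id}/networks")
    if len(networks) != 1:
        raise LookupError(
            f"cannot infer network: organization {org_id} has {len(networks)} networks; set Network ID explicitly")
    return networks[0]["id"]


def fake_dashboard(data: dict) -> JsonGetter:
    """Constructed stand-in for an authenticated Dashboard API GET returning JSON."""
    def get_json(path: str) -> List[dict]:
        return data[path]
    return get_json


# Constructed sample responses (shape follows the Dashboard API; ids are made up).
SINGLE_NETWORK = {
    "/organizations": [{"id": "org-1", "name": "Example Org"}],
    "/organizations/org-1/networks": [{"id": "N_0001", "name": "HQ"}],
}
TWO_ORGS = {
    "/organizations": [{"id": "org-1"}, {"id": "org-2"}],
}


def dashboard_get(base_url: str, api_key: str, verify_ssl: bool) -> JsonGetter:
    """Real getter for production use (assumes the `requests` package). Passing
    verify_ssl=False mirrors the page's default and disables certificate
    checking, so the API key can be read by anyone who can intercept the path."""
    import requests  # imported lazily so the offline example has no dependency

    def get_json(path: str) -> List[dict]:
        resp = requests.get(base_url.rstrip("/") + "/api/v1" + path,
                            headers={"X-Cisco-Meraki-API-Key": api_key},
                            verify=verify_ssl, timeout=30)
        resp.raise_for_status()
        return resp.json()
    return get_json


if __name__ == "__main__":
    print(resolve_network_id(fake_dashboard(SINGLE_NETWORK), ""))  # N_0001
```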
Step 2: Associate SaaS Rotation with PAM Users
Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.
Create the PAM User record either in the vault or using the Commander CLI.
Using Commander, run the below commands to create the association:
# Add SaaS rotation to a user
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID
# Optionally attach to a specific resource
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID
Step 3: Verify Configuration
Check that your SaaS rotation is properly configured on the PAM User record:
# View all SaaS rotations for the PAM User
pam action saas user -u USER_RECORD_UID
This will display all configured SaaS rotations for the specified PAM User, including their current settings.
Performing SaaS Rotation
To perform the rotation from the Commander CLI, use the pam action rotate command:
pam action rotate -r USER_RECORD_UID
Managing SaaS Rotations
Remove SaaS Rotation
To remove a SaaS rotation from a PAM User record:
pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID
Activate/Deactivate Rotations
You can control whether a SaaS rotation is active by setting the Active custom field:
Set to any value (e.g., "true", "yes", "1") to activate
Remove the field or set to empty/false to deactivate
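Before associating a configuration record with PAM users (Step 2) it is worth checking it against the field tables above and the Active rule just described. The following added example, not Keeper's code, does that pre-flight check: it encodes the required fields per SaaS Type from the configuration record tables, applies the Active semantics from this section (any non-empty value other than "false" activates; a removed or empty field deactivates, which is the rule here even though the tables describe the default as active), and warns when Verify SSL is left at its FALSE default or a REST Url carrying a static Bearer token is not https. Representing the record as a dict of custom-field labels to values is an assumption.

```python
"""Added example (not Keeper's code): pre-flight validation of a SaaS
configuration record. Field labels come from the tables on this page; the
dict-of-custom-fields representation is an assumption."""
from typing import Dict, List

# Required custom fields per SaaS Type, per the configuration record tables.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "Okta": ["Okta URL", "Okta Token"],
    "Snowflake": ["Snowflake Admin User", "Snowflake Admin Password", "Snowflake Account"],
    "REST": ["REST Url", "REST Token"],
    "AWS Access Key": [],  # admin key optional: an IAM role or the AWS PAM Configuration may supply it
    "Azure Client Secret": ["Azure Target Object ID"],
    "Cisco IOS XE": ["Admin Username", "Admin Password", "Hostname"],
    "Cisco Meraki": ["Admin Email", "API Key"],
}


def is_active(value) -> bool:
    """Active rule from the Activate/Deactivate section: a removed field, an
    empty value or 'false' deactivates; any other value activates."""
    if value is None:
        return False
    text = str(value).strip()
    return text != "" and text.lower() != "false"


def check_config(fields: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the record looks usable."""
    problems: List[str] = []
    saas_type = (fields.get("SaaS Type") or "").strip()
    if saas_type not in REQUIRED_FIELDS:
        return [f"unknown or missing SaaS Type: {saas_type!r}"]
    for name in REQUIRED_FIELDS[saas_type]:
        if not (fields.get(name) or "").strip():
            problems.append(f"{saas_type}: required field {name!r} is empty")
    if saas_type == "REST":
        method = (fields.get("REST Method") or "POST").strip().upper()
        if method not in ("POST", "PUT"):
            problems.append(f"REST Method must be POST or PUT, got {method!r}")
        url = (fields.get("REST Url") or "").strip()
        if url and not url.lower().startswith("https://"):
            problems.append("REST Url is not https; the static Bearer token would be sent in clear text")
    if saas_type in ("Cisco IOS XE", "Cisco Meraki") and not is_active(fields.get("Verify SSL")):
        # Default is FALSE on the page, so a missing field means no certificate check.
        problems.append(f"{saas_type}: Verify SSL is off (the default); the server certificate is not checked")
    return problems


if __name__ == "__main__":
    # Constructed sample record for a local run.
    sample = {"SaaS Type": "Cisco Meraki", "Admin Email": "admin@example.com",
              "API Key": "constructed", "Active": "true"}
    print(check_config(sample))
    print("active:", is_active(sample.get("Active")))
```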
Custom and Community Plugins
Available Custom Plugins
In addition to built-in integrations, you can use custom plugins for additional services. Keeper maintains a repository of community-contributed plugins:
GitHub Repository: discovery-and-rotation-saas-dev
Check the integrations/ folder for available plugins, which may include:
Additional cloud services
Database systems
Network equipment
Custom enterprise applications
Using Custom Plugins
To use custom plugins in your environment:
1. Set Up Plugin Directory
Configure your PAM Gateway to recognize custom plugins:
# Set the plugin directory path on your PAM Configuration record
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/path/to/plugins"
2. Deploy Plugin Files
Copy the plugin Python files to your configured directory:
# Create plugin directory
mkdir /opt/keeper/saas_plugins
# Copy plugin files from the repository
cp custom_plugin.py /opt/keeper/saas_plugins/
3. Docker Container Setup
If using Docker, mount the plugin directory:
# docker-compose.yml
services:
  keeper-gateway:
    image: keeper/gateway:preview
    volumes:
      - ./saas_plugins:/opt/keeper/saas_plugins
    environment:
      GATEWAY_CONFIG: YOUR_GATEWAY_CONFIG_UID
Update the PAM configuration to use the container path:
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/opt/keeper/saas_plugins"
4. Configure Plugin Access (If Required)
Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:
record-update -r PAM_CONFIG_RECORD_UID "multiline.Allow SaaS Access=Custom Plugin Name\nAnother Plugin"
Developing Custom Plugins
If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:
Development and testing tools
Example plugins and templates
API documentation
Testing framework
Visit the repository README for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.
Best Practices
Security Considerations
Use dedicated service accounts with minimal required permissions for SaaS integrations
Regularly rotate API keys and tokens used in SaaS configurations
Test rotations in a development environment before production deployment
Monitor rotation logs for failures or authentication issues
Configuration Management
Store SaaS configurations in dedicated shared folders for better organization
Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")
Document any custom field requirements for team members
Regularly review and update SaaS rotation assignments
Troubleshooting
Check Gateway logs for detailed error messages during rotations
Verify API credentials and permissions in your SaaS applications
Ensure network connectivity between Gateway and target services
Test individual SaaS configurations before associating with multiple users
Support and Resources
Built-in SaaS Types: Supported through standard Keeper support channels
Custom Plugins: Community support via GitHub repository issues
Development Questions: Refer to repository documentation and examples
Enterprise Support: Contact your Keeper representative for assistance with custom integrations
For the most up-to-date list of available plugins and integration examples, regularly check the GitHub repository.