Managing Rotation via CLI

Important: The legacy rotate (plugin‑based) and pam rotation set commands are deprecated. Use pam rotation edit to configure rotation schedules and pam action rotate to trigger an on‑demand rotation through a Keeper Gateway.

Prerequisites

1. Target records are in place – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.

2. A Keeper Gateway is installed and online – see Step 1 below.

3. At least one PAM Configuration exists and points to the gateway – see Step 2.

4. You are signed in to Keeper Commander with an administrator or rotation‑manager role.

Step 1 – Create (or locate) a Gateway

Commander’s pam gateway sub‑commands manage the Gateway service.

The last variant outputs a base‑64‑encoded string that you pass as the GATEWAY_CONFIG environment variable when you spin up the Docker container.

Tip: Retrieve the UID for an existing gateway at any time with pam gateway list --verbose.

Step 2 – Build a PAM Configuration that uses the Gateway

pam config new (or pam config edit) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.

pam config new --title "Prod Rotation" \
               --gateway "<Gateway_UID>" \
               --shared-folder "<Shared_Folder_UID>" \
               --rotation on \
               --schedule "0 2 * * *"

• --gateway binds the configuration to the Keeper Gateway you created in Step 1.

• --rotation on enables the rotation feature for any records attached to this configuration.

• --schedule sets a default CRON schedule that records can inherit (you can still override per record with pam rotation edit).

Use pam config list to obtain the configuration’s UID for later commands.

Understanding Rotation Commands (Quick Recap)

Command: pam rotation edit

pam rotation edit adjusts the KeeperPAM rotation metadata stored on a record.

Key Options

Full help: pam rotation edit --help.

Worked Examples

Example 1 – Daily rotation on a single machine

pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  --schedule daily \
                  --enable

Example 2 – Weekly rotation using JSON

pam rotation edit --record "<Machine_UID>" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Machine_UID>" \
                  -sj '{"type":"WEEKLY","weekday":"SATURDAY","time":"22:00","tz":"America/New_York"}' \
                  --enable

Example 3 – Bulk‑enable rotation for every record in a folder

pam rotation edit --folder "/Shared/Prod" \
                  --config "<PAM_Config_UID>" \
                  --resource "<Gateway_Proxy_User_UID>" \
                  --schedule monthly \
                  --enable --force

Example 4 – Remove rotation settings

pam rotation edit --record "<Machine_UID>" --reset

Triggering an On‑Demand Rotation

Run a rotation right now (ignoring any schedule):

pam action rotate --record "<Machine_UID>"

Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.

Where to Go Next

• pam action gateway-info --gateway <Gateway_UID> – check gateway health and version.

• pam rotation list – verify which resources have rotation enabled.

• pam action job-info --gateway <Gateway_UID> – view historical rotation job logs.

Batch Mode

To run a large number of commands in a batch mode, see Keeper's Batch Mode command.