Rotate passwords on any remote system using Keeper Commander plugins
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The Documentation is linked below:
Keeper Commander can communicate with internal and external systems to rotate a password and synchronize the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.
Typed records add simplicity to Commander rotation. Commander can scan fields and make intelligent decisions about the rotation type, and connection details. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.
Each rotation plugin has slightly different requirements. Select from the list of plugins on the left nested under this page to learn more.
Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example, a record with a PORT value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified during rotation or with a custom record field.
Optionally, any records can use custom fields as configuration for rotation. See table below for an example of custom fields.
Older, non-typed records require some additional setup in order to support Commander rotation.
Example custom fields for MySQL password rotation:
When a plugin is specified in a record, Commander searches the plugins/ folder and loads the module based on the name provided (e.g. mysql.py). It then uses the values of the Keeper record to connect, rotate the password and save the resulting data.
To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.
To perform a rotation, use the rotate command.
Rotate AWS Passwords and Keys
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
To run a rotation of AWS Keys, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once).
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin (value: awskey): (Optional) Tells Commander to use AWS Key rotation. This should be either set on the record or supplied to the rotation command.
cmdr:aws_profile: (Optional) AWS profile to use to log in to AWS.
cmdr:aws_sync_profile: (Optional) If supplied, the AWS secret for the given profile is updated in the AWS credentials file.
cmdr:aws_assume_role (value: AWS Role ARN): (Optional) If supplied, the password rotation plugin assumes this role. The role requires these permissions: iam:DeleteAccessKey, iam:CreateAccessKey, iam:ListAccessKeys
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id and cmdr:aws_key_secret.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
cmdr:aws_key_id: generated AWS Access Key ID
cmdr:aws_key_secret: generated AWS Secret Access Key
The 'Password' field is ignored when rotating keys
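A least-privilege check for the role named in cmdr:aws_assume_role, as an added example that is not part of Keeper's documentation or Commander's code: it confirms a policy grants the three permissions listed above and flags anything broader. The function name, sample policy, account ID and user name are constructed for illustration; Deny, NotAction and Condition elements are not evaluated.

```python
import fnmatch
import json

# Permissions the page lists for the role named in cmdr:aws_assume_role.
REQUIRED = {"iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys"}

# Constructed sample policy; account ID and user name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED),
        "Resource": "arn:aws:iam::111122223333:user/example-rotated-user",
    }],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_rotation_policy(policy_json):
    """Return (missing_actions, findings) for the rotation role's identity policy."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    covered, findings = set(), []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements are examined in this sketch
        for pattern in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive and support * and ? wildcards.
            matched = {a for a in REQUIRED
                       if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
            covered |= matched
            if "*" in pattern or "?" in pattern:
                findings.append(f"wildcard action: {pattern}")
            elif not matched:
                findings.append(f"action not needed for key rotation: {pattern}")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource:
                findings.append(f"wildcard resource: {resource}")
    return sorted(REQUIRED - covered), findings


if __name__ == "__main__":
    print(audit_rotation_policy(SAMPLE_POLICY))
```

An empty result on both sides means the policy grants what the plugin needs and nothing this check considers excessive.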
To run a rotation of AWS passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once).
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin (value: awspswd): (Optional) Tells Commander to use AWS Key rotation. This should be either set on the record or supplied to the rotation command.
cmdr:rules
cmdr:aws_profile: (Optional) AWS profile to use to log in to AWS.
The Password field of the Keeper record contains the new password for the AWS account.