Password Rotation in the AWS Environment
In this section, you will learn how to rotate user credentials within the AWS Cloud environment across various target systems and services.
Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited EC2 instance role where the Gateway is installed to authenticate with the AWS system and perform rotation. If instance roles are not defined, the AWS Access Key ID and Secret Key can be stored in the PAM Configuration record to authenticate and perform rotations.
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with KeeperPAM and their corresponding PAM Record Type:
EC2
PAM Machine
RDS
PAM Database
Directory Service
PAM Directory
Configurations for directory users or IAM users are defined in the PAM User record type.
To successfully rotate IAM User accounts or EC2 local user accounts, the Keeper Gateway needs to have the necessary AWS role policies with the permissions for performing the password rotation.
See the AWS environment setup guide for more information.
If you are not using EC2 instance role policies, the following values are needed in the PAM Configuration:
Access Key ID
This is the Access Key ID from the desired Access Key found in the IAM User account
Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles
Secret Access Key
This is the Secret Access Key from the desired Access Key found in the IAM User account
Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
At a high level, the following steps are needed to successfully rotate passwords on your Azure network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records
Rotating AWS IAM account passwords with Keeper
In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The record containing the AWS IAM user accounts to be rotated are stored in the PAM User record.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and running
Your AWS environment is configured per our documentation
The Keeper Gateway uses AWS APIs to rotate the credentials defined in the PAM User records.
In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.
Note: The target user to be rotated must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title
Keeper record title i.e. AWS user: TestUser
Login
Case sensitive username of the account being rotated.
Password
Providing a password is optional. Performing a rotation will set one if this field is left blank.
Distinguished Name
This is the full ARN of the user identity, e.g: arn:aws:iam::123456789:user/TestUser
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: AWS IAM Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
AWS ID
A unique ID for this instance of AWS. This is only for your reference and can be anything, but its recommended to be kept short
Ex: AWS-DepartmentName
Access Key ID
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".
Select "IAM User" as the rotation method, since this uses AWS APIs.
The "Rotation Settings" should use the PAM Configuration setup previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
Loading...
Rotating AWS EC2 Virtual Machine accounts with Keeper
In this guide, you will learn how to rotate AWS EC2 Virtual Machine (VM) Accounts on your AWS Environment using Keeper Rotation. The EC2 VM is an AWS managed resource where the EC2 VM Admin Credentials are linked to the PAM Machine record and the identity of the EC2 VM Users are defined in the PAM User record type.
For EC2 VM Accounts, normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH or WinRM with your target AWS Virtual Machine(s).
Your AWS environment is configured per our documentation
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should link to an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated.
Keeper will use the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of these user accounts.
If you are running a rotation on a PAM Machine record which also happens to be the same machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privilege, it will be able to perform rotations on the local Gateway machine.
The following table lists all the required fields on the PAM Machine record:
Title
Name of the Record i.e AWS Linux 1
Hostname or IP Address
Machine hostname or IP as accessed by the Gateway
Port
Typically 5985 or 5986 for WinRM, 22 for SSH.
Administrative Credentials
Linked PAM User record that contains the username and password (or SSH key) of the Admin account.
Operating System
The VM Operating System, i.e Windows or Linux
SSL Verification
For WinRM, if selected, will use SSL mode port 5986. Ignored for SSH.
This PAM Machine Record with the linked admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
Make sure the following items are completed:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that needs to be filled on the PAM Configuration.
Title
Configuration name, example: AWS VM Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to the machine configured from step 1
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts, not the machines.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Secret Access Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper will use the credentials linked from the PAM Machine record to rotate the PAM User records in your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields that need to be filled on the PAM User record:
Title
Keeper record title i.e. AWS Machine1 ec2-user
Login
Case sensitive username of the user account being rotated, e.g. ec2-user.
Password
This is only required if the user logs in with a password. If the password is left blank, performing a rotation will set one.
Private PEM Key
SSH private key. This is only required if you are planning to rotate the PEM key instead of rotating the password.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Automatically rotate AWS access keys using Keeper Secrets Manager rotations
This documentation explains how to rotate AWS IAM user access keys using KeeperPAM's rotation option called "Run PAM scripts only". This is a setting in the PAM User rotation settings which tells the Gateway to skip the primary rotation method and directly execute the post-rotation script attached to the PAM User record in the vault.
This guide includes prerequisites, step-by-step instructions, and a Python script example. This provided script supports both provided admin credentials (AWS Access key for an admin account) and EC2 instance role authentication. The script ensures secure access key rotation, including deletion of previous user keys. The new key is stored in the Keeper record after rotation is complete.
KSM role: Ensure that the Keeper user has a role providing access to Keeper Secrets Manager, and Keeper Secrets Manager rotations.
A Linux instance to run the Keeper Gateway: The Gateway can be deployed in an EC2 instance, any private Cloud or on-prem. This script is capable of leveraging EC2 Instance Roles Authentication to perform the Access Key rotation if the Gateway runs in an EC2 instance. If the gateway runs somewhere else, then an Access Key with role privilege needs to be provided in the Keeper vault to perform the rotation of the end user Access Key.
The script retrieve admin credentials in three ways:
Record directly attached to the post rotation script.
The access key provided to the AWS PAM config selected for the rotation. This will be used if no access key is found in the record attached (method 1 above) to the post rotation script.
Uses AWS instance role authentication if no credentials are provided from either methods above. The gateway needs to be running on an EC2 Instance with an EC2 Instance Role in place.
The script provides two modes of operation based on the delete_all_keys_before_rotating custom field:
If False (default), a new access key is created first, then the old ones are deleted, keeping only the newly created key. This will fail if the user account has already two access keys: AWS will not allow the script to create a third one.
If this custom field is set to True, the script deletes all existing access keys for the IAM user before creating a new one. This helps in the scenario described above where the end user account has already two access keys.
After key rotation, the script updates the rotated PAM User Keeper record with the new AWS access key ID, secret access key, creation date, and any deleted access keys IDs.
You need to create a PAM User record where the rotation will be configured later on. The fields below need to be created.
When the gateway runs in an EC2 instance, you don’t need to provide an admin access key to the script. The gateway will leverage the AWS Instance Role permissions assigned to the VM.
The steps below explains how to set up an EC2 Instance role to the gateway EC2 instance with minimal permissions:
Select Policies and click Create policy.
Select JSON and paste the following, make sure to replace your AWS Account ID:
Name the policy and save it.
Go to the IAM Management Console.
Select Roles and click create role.
Choose AWS service and select EC2.
Attach the necessary IAM policies (e.g., the policy we created above with the minimum permissions).
In the EC2 Management Console, find your instance.
Click Actions > Security > Modify IAM Role.
Select the role you created and click Update
Verify Instance Role Permissions
You can ensure that the instance role has appropriate permissions to interact with IAM by running the command below on the Gateway EC2 Instance:
Create a shared folder in the vault
In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
Provision the gateway (gateway tab after selecting the application) on an EC2 instance. On the EC2 Instance run the install command provided by the Keeper vault and make sure boto3 and keeper_secrets_manager_core are installed by running the following commands in the EC2 instance:
In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment you can select “Local Network” or “AWS”. If you select “AWS”, please make sure to leave the “Access Key” and “Secret Access Key” field empty. If you provide one, it will be automatically used by the script instead of using the Instance Role authentication. You will still need to provide the AWS Account ID to the AWS PAM configuration.
Select the gateway, select the shared folder and save the PAM configuration.
Password Rotation Settings: select your desired schedule and the PAM configuration created above.
Add PAM Script to the record: select the provided file below and make sure to specify the script command:
When the gateway does not run in an EC2 instance, it will require an admin access key to authenticate against AWS and rotate another user's access key. Here we will be using the admin access key provided in the AWS PAM Configuration.
Create a shared folder in the vault
In the Secret Manager tab of the Keeper vault, create a new application for the gateway if there is no gateway yet.
Make sure the Application has edit permissions on the shared folder created above.
Provision the gateway (gateway tab after selecting the application) on a Linux box. Simply run the install command provided by the Keeper vault and make sure boto3 and keeper_secrets_manager_core are installed by running the following commands on the Linux box:
In the Secret Manager tab of the Keeper vault, go to the PAM Configurations tab. Create a new PAM configuration if needed.
Under Environment, please select “AWS”, select the Gateway, select the shared folder, provide the “AWS ID”, the “Access Key” and “Secret Access Key”. This will be the admin access key that the script uses to rotate a user access key.
Password Rotation Settings: select your desired schedule and the PAM configuration created above.
Add PAM Script to the record: select the provided file below and make sure to specify the script command:
When the gateway does not run in an EC2 instance, it will require an admin access key to authenticate against AWS and rotate another user's access key. Here we will be using the admin access key provided in another Keeper record. This option also allows to rotate the admin access key the same way Keeper rotates an user access key.
You may have followed any of the two other tabs available in this doc (Using AWS instance role, or Using AWS PAM Config) to set up the rotation: you will have a PAM configuration that contains or does not contain an access key. Following the steps below will force the use of an admin access key stored in another Keeper record.
The attached record could be any record type. It needs at least the two custom fields “aws_access_key_id” and “aws_secret_access_key” with the admin access key.
When attaching a record to the PAM script itself to provide an admin AWS access keys also allows to leverage AWS AssumeRole to rotate an AWS user access key across multiple AWS accounts.
To leverage this feature, you need to add a new custom field to the record attached to the PAM script (Rotation Credentials).
The custom field label needs to be:
This field will contain the role arn from your AWS environment that has the permissions to rotate access keys in other AWS accounts.
When this field exists, the rotation script will use it along with the provided admin access key ID and secret to generate a new temporary access key to rotate the end user’s one in the other AWS account. The script will then update the Keeper PAM User record with the new key and information, the same way it usually does without this extra field.
Rotating AWS RDS accounts with Keeper
Rotating Admin/Regular AWS SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MySQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MySQL is an AWS managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MySQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Rotating Admin/Regular AWS SQL Server Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS SQL Server Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for SQL Server is an AWS managed resource where the SQL Server Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Server Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the SQL Server RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Rotating Admin/Regular AWS PostgreSQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS PostgreSQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for PostgreSQL is an AWS managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the PostgreSQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Title
Keeper record title Ex: AWS PostgreSQL Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, PostgreSQL requires a database and so this will default to template1.
Database ID
The AWS DB instance ID
Database Type
postgresql
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL RDS Instance
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Rotating Admin/Regular AWS MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MariaDB Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MariaDB is an AWS managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS MariaDB Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MariaDB RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Title
Keeper record title Ex: AWS MariaDB Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Database ID
The AWS DB instance ID
Database Type
mariadb
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB RDS Instance
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Rotating Admin/Regular AWS Oracle Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS Oracle Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for Oracle is an AWS managed resource where the Oracle Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Oracle Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the Oracle RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Oracle RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Title
Keeper record title Ex: AWS Oracle Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Password
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
Database ID
The AWS DB instance ID
Database Type
oracle
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle RDS Instance
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but its recommended to be kept short
Ex: AWS-1
Access Key ID
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.