Managing rotation settings on individual and bulk records using Keeper Commander
Important: The legacy rotate (plugin‑based) and pam rotation set commands are deprecated. Use pam rotation edit to configure rotation schedules and pam action rotate to trigger an on‑demand rotation through a Keeper Gateway.
Target records are in place – all PAM Machine, PAM User and other privileged records you plan to rotate live in shared folders inside your Keeper Vault.
A Keeper Gateway is installed and online – see Step 1 below.
At least one PAM Configuration exists and points to the gateway – see Step 2.
You are signed in to Keeper Commander with an administrator or rotation‑manager role.
Commander’s pam gateway sub‑commands manage the Gateway service.
| Task | Command |
| --- | --- |
| List existing gateways | pam gateway list |
| Create a new gateway and generate a one‑time token | pam gateway new --name "<Gateway_Name>" --application "<KSM_Application_UID>" |
| Generate the GATEWAY_CONFIG blob for Docker installs | pam gateway new -n "<Gateway_Name>" -a "<App_UID>" --config-init b64 |
Tip: Retrieve the UID for an existing gateway at any time with pam gateway list --verbose.
pam config new (or pam config edit) assembles the rules that tie the gateway to rotation, discovery, tunnelling and connections.
pam config new --title "Prod Rotation" \
--gateway "<Gateway_UID>" \
--shared-folder "<Shared_Folder_UID>" \
--rotation on \
--schedule "0 2 * * *"

--gateway binds the configuration to the Keeper Gateway you created in Step 1.
--rotation on enables the rotation feature for any records attached to this configuration.
--schedule sets a default CRON schedule that records can inherit (you can still override per record with pam rotation edit).
Use pam config list to obtain the configuration’s UID for later commands.
| Command | What it actually does |
| --- | --- |
| rotate | Deprecated: legacy plugin‑based rotation run directly from Commander. |
| pam action rotate | Runs an immediate rotation job through the Keeper Gateway. |
| pam rotation edit | Configures rotation settings (schedule, resource, complexity) on one or many records. (Does not rotate immediately.) |
pam rotation edit

pam rotation edit adjusts the KeeperPAM rotation metadata stored on a record.
| Option | Purpose |
| --- | --- |
| --record / -r | Target an individual record by UID, name, or pattern. |
| --folder / -fd | Target every record in a folder (bulk update). |
| --force / -f | Skip confirmation prompts. |
| --config / -c | UID or path of the PAM Configuration to link. |
| --iam-aad-config / -iac | Alternative to --resource for IAM / Azure AD users. |
| --resource / -rs | UID or path of the resource record used to perform the change. |
| --schedulejson / -sj | Supply a JSON scheduler object. |
| --schedulecron / -sc | Supply a CRON‑formatted schedule string. |
| --on-demand / -od | Mark rotation as on‑demand (no schedule). |
| --schedule-config / -sf | Inherit schedule from the linked PAM Configuration. |
| --complexity / -x | Password complexity spec (length,upper,lower,digits,symbols[,symbol_set]). |
| --admin-user / -a | UID/path of a PAM User to act as admin for rotation. |
| --enable / -e | Enable rotation on the targeted record(s). |
| --disable / -d | Disable rotation on the targeted record(s). |
| --schedule-only / -so | Update only the schedule on the targeted record(s). Leaves config, resource, complexity untouched. |
Full help: pam rotation edit --help
Replace angle‑bracket placeholders with real UIDs or paths.
1 – Daily rotation on a single machine (CRON)
pam rotation edit --record "<Machine_UID>" \
--config "<PAM_Config_UID>" \
--resource "<Machine_UID>" \
--schedulecron "0 2 * * *" \
--enable

2 – Weekly rotation using JSON
pam rotation edit --record "<Machine_UID>" \
--config "<PAM_Config_UID>" \
--resource "<Machine_UID>" \
-sj '{"type":"WEEKLY","weekday":"SATURDAY","time":"22:00","tz":"America/New_York"}' \
--enable

3 – Bulk‑enable rotation for every record in a folder (monthly)
pam rotation edit --folder "/Shared/Prod" \
--config "<PAM_Config_UID>" \
--resource "<Gateway_Proxy_User_UID>" \
--schedulecron "0 3 1 * *" \
--enable --force

4 – Change schedule only
pam rotation edit --folder "/Shared/Prod" \
--schedulecron "0 1 * * *" \
--schedule-only --force

Tip: Combine -so with --enable or --disable to quickly activate or pause existing schedules without touching other parameters.
5 – On‑demand rotation (no schedule)
pam rotation edit --record "<Machine_UID>" --on-demand --enable

6 – Set password complexity
pam rotation edit --record "<PAM_User_UID>" \
--complexity 20,1,4,2,2,.=+- \
--enable

Run a rotation right now (ignoring any schedule):
pam action rotate --record "<Machine_UID>"

Commander sends the job to the Keeper Gateway, which executes the correct plugin or native driver for the resource.
pam action gateway-info --gateway <Gateway_UID> – check gateway health and version.
pam rotation list – verify which resources have rotation enabled.
pam action job-info --gateway <Gateway_UID> – view historical rotation job logs.
pam rotation script – manage post‑rotation scripts.
To run a large number of commands in a batch mode, see Keeper's Batch Mode command.
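
Before a batch of rotation commands is run unattended, it helps to review it for the pitfalls this page names: the deprecated rotate and pam rotation set commands, bulk --folder edits that use --force to skip confirmation, and --complexity specs. The following pre-flight linter is an added example, not part of Keeper Commander; it goes beyond any single command shown above. Its assumptions: the complexity counts are minimums, a command takes one schedule source and not both --enable and --disable, and the batch file uses backslash continuations and '#' comments.

```python
import shlex
# Flag names come from the option table on this page; the rules themselves are assumptions.
DEPRECATED = (("rotate",), ("pam", "rotation", "set"))
ALIASES = {"-fd": "--folder", "-f": "--force", "-e": "--enable", "-d": "--disable",
           "-x": "--complexity", "-sj": "--schedulejson", "-sc": "--schedulecron",
           "-od": "--on-demand", "-sf": "--schedule-config"}
SCHEDULES = {"--schedulejson", "--schedulecron", "--on-demand", "--schedule-config"}

def check_complexity(spec):
    """Check 'length,upper,lower,digits,symbols[,symbol_set]'; counts assumed to be minimums."""
    parts = spec.split(",", 5)  # maxsplit keeps a comma inside symbol_set intact
    if len(parts) < 5 or not all(p.isdigit() for p in parts[:5]):
        return ["complexity needs five integers: length,upper,lower,digits,symbols"]
    length, *minimums = map(int, parts[:5])
    over = sum(minimums) > length
    return [f"class minimums ({sum(minimums)}) exceed length ({length})"] if over else []

def lint_line(line):
    """Return review findings for one complete Commander command line."""
    argv = shlex.split(line)
    findings = [f"deprecated command '{' '.join(d)}'"
                for d in DEPRECATED if tuple(argv[:len(d)]) == d]
    if argv[:3] != ["pam", "rotation", "edit"]:
        return findings
    args = [ALIASES.get(a, a) for a in argv[3:]]  # normalise short flags to long ones
    flags = {a for a in args if a.startswith("--")}
    rules = [({"--enable", "--disable"} <= flags, "both --enable and --disable given"),
             (len(flags & SCHEDULES) > 1, "more than one schedule source given"),
             ({"--folder", "--force"} <= flags, "bulk --folder edit with --force skips confirmation")]
    findings += [msg for hit, msg in rules if hit]
    if "--complexity" in args:  # the padded list yields "" when the value is missing
        findings += check_complexity((args + [""])[args.index("--complexity") + 1])
    return findings

def lint_batch(text):
    """Lint a batch file; backslash continuations and '#' comments are assumed conventions."""
    lines = [l.strip() for l in text.replace("\\\n", " ").splitlines()]
    report = {l: lint_line(l) for l in lines if l and not l.startswith("#")}
    return {cmd: found for cmd, found in report.items() if found}

SAMPLE = """\
# constructed sample batch file, not taken from a real environment
rotate "<Record_UID>"
pam rotation edit --folder "/Shared/Prod" --schedulecron "0 3 1 * *" --enable --force
pam rotation edit -r "<PAM_User_UID>" -x 12,4,4,4,4 -e
pam rotation edit -r "<Machine_UID>" --on-demand -sc "0 2 * * *" -e -d
pam rotation edit -r "<PAM_User_UID>" --complexity 20,1,4,2,2,.=+- --enable
"""
if __name__ == "__main__":
    print("\n".join(f"{c} -> {'; '.join(f)}" for c, f in lint_batch(SAMPLE).items()))
```

The bulk --force finding is a prompt for review, not an error: the page's own examples 3 and 4 trigger it by design.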