Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling
command: pam
Detail: Perform KeeperPAM controls.
My Vault> pam --help
pam command [--options]
Command Description
--------- -----------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage TunnelsMy Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove GatewayDetail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations click here.
My Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM ConfigurationDetail: View and create Keeper Rotation configuration for records.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
edit Edits Record Rotation configuration
list List Record Rotation configuration
info Get Rotation Info
script Add, delete, or edit script fieldMy Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG_UID] [--iam-aad-config IAM_AAD_CONFIG_UID]
[--resource RESOURCE_UID] [--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand]
[--complexity PWD_COMPLEXITY] [--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record RECORD_NAME, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder FOLDER_NAME, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config CONFIG_UID, -c CONFIG_UID
UID of the configuration record.
--iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource RESOURCE_UID, -rs RESOURCE_UID
UID of the resource record.
--schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
Json of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
--schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
--on-demand, -od Schedule On Demand
--complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5
--admin-user ADMIN, -a ADMIN
UID for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
--enable, -e Enable rotation
--disable, -d Disable rotationMy Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose outputMy Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotateMy Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add List Record Rotation Schedulers
edit Add, delete, or edit script field
delete Delete script fieldDetail: Discovery, rotation and service account management of PAM Resources
My Vault> pam action help
pam command [--options]
Command Description
------------ ---------------------
gateway-info Info command
discover Discover command
rotate Rotate command
job-info View Job details
job-cancel View Job details
service Manage services and scheduled tasks
debug PAM debug informationMy Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose OutputMy Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rulesMy Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a ruleMy Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
--statement STATEMENT
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--action {add,ignore,prompt}, -a {add,ignore,prompt}
Action to take if rule matches
--priority PRIORITY, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement STATEMENT, -s STATEMENT
Rule statementMy Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotateMy Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway runningMy Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
My Vault> pam action service list -h
usage: pam-action-service-list [-h] --gateway GATEWAY
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UIDMy Vault> pam action service add -h
usage: pam-action-service-add [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to add [service, task]My Vault> pam action service remove -h
usage: pam-action-service-remove [-h] --gateway GATEWAY --machine-uid MACHINE_UID --user-uid
USER_UID --type {service,task}
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name or UID
--machine-uid MACHINE_UID, -m MACHINE_UID
The UID of the Windows Machine record
--user-uid USER_UID, -u USER_UID
The UID of the User record
--type {service,task}, -t {service,task}
Relationship to remove [service, task]Detail: View and create Keeper Tunnels from the local machine to target infrastructure.
My Vault> pam tunnel help
pam command [--options]
Command Description
--------- -------------------------
start Start Tunnel
list List all Tunnels
stop Stop Tunnel to the server
tail View Tunnel Log
edit Edit Tunnel settingsMy Vault> pam tunnel start -h
usage: pam tunnel start [-h] [--host HOST] [--port PORT] uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--host HOST, -o HOST The address on which the server will be accepting connections. It could be an IP address or a
hostname. Ex. set to 127.0.0.1 as default so only connections from the same machine will be accepted.
--port PORT, -p PORT The port number on which the server will be listening for incoming connections. If not set, random
open port on the machine will be used.My Vault> pam tunnel list -h
usage: pam tunnel list [-h]
options:
-h, --help show this help message and exitMy Vault> pam tunnel stop -h
usage: pam tunnel stop [-h] uid
positional arguments:
uid The Tunnel UID or Record UID
options:
-h, --help show this help message and exitMy Vault> pam tunnel tail -h
usage: pam tunnel tail [-h] uid
positional arguments:
uid The Tunnel UID
options:
-h, --help show this help message and exitMy Vault> pam tunnel edit -h
usage: pam tunnel edit [-h] [--configuration CONFIG] [--enable-tunneling] [--tunneling-override-port TUNNELING_OVERRIDE_PORT]
[--disable-tunneling] [--remove-tunneling-override-port]
uid
positional arguments:
uid The Record UID of the PAM resource record with network information to use for tunneling
options:
-h, --help show this help message and exit
--configuration CONFIG, -c CONFIG
The PAM Configuration UID to use for tunneling. Use command `pam config list` to view available PAM
Configurations.
--enable-tunneling, -et
Enable tunneling on the record
--tunneling-override-port TUNNELING_OVERRIDE_PORT, -top TUNNELING_OVERRIDE_PORT
Port to use for tunneling. If not provided, the port from the record will be used.
--disable-tunneling, -dt
Disable tunneling on the record
--remove-tunneling-override-port, -rtop
Remove tunneling override port