Rotate Azure Managed Database credentials with Keeper
In this section, you will learn how to rotate DB User or Admin credentials on the following Azure Managed Databases:

Prior to setting up password rotation, make sure to have the following set up:
Learn about KeeperPAM in the Getting Started section
Enforcement policies for KeeperPAM password rotation are managed in the Keeper Admin Console under Admin > Roles > Enforcement Policies > Privileged Access Manager.
For Password Rotation capabilities, enable the necessary policies:
Can create applications and manage secrets
Allow users to create a Secrets Manager Application
Can create, deploy and manage Keeper Gateways
Allow users to deploy and manage a Keeper Gateway
Can configure rotation settings
Allow users to set up rotation on a PAM User record
Can configure rotation settings (legacy setting)
Rotation can also be enabled on the Keeper Commander CLI using the enterprise-role command:
If you haven't created a Keeper Gateway yet, a new Gateway deployment can be created by clicking on Create New > Gateway from the Web Vault or Desktop App (version 17.1 or newer). We have also posted a page describing how to create a sandbox environment in just a few steps:
When you create the Gateway using the Create New > Gateway feature, Keeper will automatically create the Secrets Manager Application, Shared Folders and PAM Configuration. In the Secrets Manager section of the vault, you'll see the Application assigned to Shared Folders and also assigned to the Gateway.
A PAM user record holds a privileged account credential, password or private key. For steps on creating a PAM User, follow this page. The example below shows a PAM User record for an admin password on a Windows server. The PAM User record is added to a Shared Folder containing user accounts.
A PAM Resource represents a Machine, Database or Directory.
The rotation of credentials is restricted to the PAM User record type.
When you have activated Keeper Secrets Manager or KeeperPAM, the following new record types will be available to users:
PAM User: Contains a login / password, private key, or both.
PAM Directory: Information about your on-prem or cloud-based directory
PAM Database: Self-hosted or managed cloud-based databases such as MySQL, SQL Server, etc.
PAM Machine: Windows, Linux, macOS machines on-prem or in the cloud
PAM Remote Browser: Remote browser isolation to protect web-based applications
All 5 record types can be added in the Vault, placed in folders, and shared like any other Keeper records.
See PAM Resources
When rotation is activated, within the Secrets Manager screen of the vault you'll see a section called PAM Configurations. A PAM Configuration is an object which contains the following:
Environment: Local Network, AWS or Azure
Keeper Gateway: Service which you install into your on-prem or cloud infrastructure
Application Folder: Shared Folder which contains the Secrets Manager application and associated records
Administrative Credentials: Keeper record which contains privileged credentials for performing rotation and discovery.
Customers may have any number of PAM Configurations, Applications and Gateways.
More information on: PAM Configuration, Applications and Gateways
The basic steps to rotation of passwords in any target environment are:
Add PAM User records to the Shared Folder
Add PAM Resource (Machine, Database, Directory) records to a Shared Folder
Configure rotation settings on each PAM User record
Create a Secrets Manager application
Assign the Secrets Manager application to the Shared Folders
Set the shared folder permissions containing the PAM Users from Read Only to Can Edit
Add a to the Secrets Manager application
Create a which ties everything together
Assign rotation settings to the records
For automation of Rotation capabilities, Keeper Commander supports KeeperPAM rotation using the following commands:
Example:
Keeper Rotation can also update the "log on" credentials for Windows service accounts and scheduled tasks. See the Service Management documentation.
Keeper supports importing in bulk from JSON format. See the Importing PAM Records section for more details.

enterprise-role "Keeper Administrator" --enforcement "ALLOW_SECRETS_MANAGER":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_GATEWAY":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_PAM_ROTATION":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_CONFIGURE_ROTATION_SETTINGS":true
enterprise-role "Keeper Administrator" --enforcement "ALLOW_ROTATE_CREDENTIALS":true

Example Commander session that rotates a record on demand and then checks the job status:

My Vault> pam action rotate -r 5NaygwI4LK1BDZmH3Ib
Scheduled action id: MfKbPR3ac6A/oBDZpctpOg==
My Vault> pam action job-info MfKbPR3ac6A/oBDZpctpOg== -g QPkRsR8KQm6_4vnHTcofZA
Job id to check [MfKbPR3ac6A/oBDZpctpOg==]
Execution Details
-------------------------
Status : finished
Duration : 0:00:17.525641
Response Message : Rotation completed for record uid 5NaygwI4LK1BDZmH3Ib
My Vault>

Note: the legacy setting should be set the same as ALLOW_PAM_ROTATION.
Can rotate credentials
Allow users to perform a password rotation action

Automatically rotate the secret of an Azure app using Keeper rotation
Keeper can automatically rotate a client secret in Azure. Please see the Azure Client Secret section of the .
Automatically rotate AWS access keys using Keeper Secrets Manager rotations
Keeper can automatically rotate an IAM User Access Key in AWS. Please see the AWS Access Key section of the SaaS Plugin documentation.
If you are running a database directly on a Google Compute instance in your GCP environment instead of using a managed service, refer to the Local Network > Database documentation for rotating passwords.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
Keeper Rotation will use the linked admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain, or a full admin account, but the account needs to be able to successfully change passwords for other accounts.
Record Type: PAM Machine
Title: My macOS User
Hostname or IP Address: IP address or hostname of the macOS device. Use localhost if the gateway is installed on the device. Examples: 10.10.10.10, MarysMacBook, localhost
Port: SSH port, typically 22. SSH is required for rotation.
Use SSL: Must be enabled
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:
Title: Configuration name, example: MAC Rotation
Environment: Select: Local Network
Gateway: Select the Gateway that has SSH access to your MacOS devices
Application Folder: Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.
Default Rotation Schedule: Optional
Keeper Rotation will use the linked credentials in the PAM Machine record to rotate the PAM User records in your environment.
Record Type: PAM User
Title: Keeper record title
Login: Case sensitive username of the account being rotated. Example: msmith
Password: Account password is optional; rotation will set one if blank
Other fields: These should be left blank
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Machine" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.

Add "Additional Credentials". This option lets you add additional records which contain the credentials needed by the post-rotation script. These credentials must be available to the Keeper Gateway.
Specify an optional custom command to be executed. In the screenshot below, a Python script (postRotationTest.py) is attached, along with a specific command to be used to execute the Python script.
After successfully selecting the script(s), the record will be updated to show the attached Post Rotation scripts:
Click Save to create or update the record. Attached Post Rotation Scripts can be deleted or edited by clicking on their respective actions.

Keeper password rotation capabilities with Keeper Secrets Manager
KeeperPAM Password Rotation enables customers to securely and automatically rotate credentials across cloud-based and on-premises environments, including Active Directory accounts, Windows and Linux users, database passwords, Azure IAM accounts, AWS accounts, Google Workspace accounts, SSH keys, and more. Adhering to Keeper’s Zero Trust and Zero Knowledge security model, this feature helps organizations mitigate risks associated with weak, reused, or long-standing credentials, as well as threats such as breaches, terminations, and dark web exposure.
Comprehensive Credential Rotation: Automate rotation for machines, service accounts, and user accounts across your infrastructure and multi-cloud environments.
Flexible Scheduling: Schedule rotations to occur at any time or trigger them on demand.
Service Management: Automatically update the log on credentials for Windows services and scheduled tasks after rotation.
Post-Rotation Actions
Rotation is performed on the Keeper Gateway and controlled through the Keeper Web Vault, Desktop App or Commander CLI.
In KeeperPAM, the way Password Rotation works is as follows:
The PAM User record holds the credential that is being rotated.
The Rotation Settings of the PAM User record references a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource where the rotation is performed.
The Keeper Gateway uses the Admin Credential associated to the PAM Machine, PAM Database or PAM Directory resource to perform the rotation with native protocols.
For AWS, Azure and GCP resources, the PAM Configuration record holds the necessary rights and access keys to perform rotations with cloud native APIs.
Password Rotation in the Local Network Environment
In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.
A "local network" simply means any resource that has line of sight access from the Keeper Gateway. This configuration can be used in any cloud or managed environment. Native protocols are used to communicate to the target resources and perform rotations.
At a high level, the following steps are needed to successfully rotate passwords on a network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Administrative Credentials: Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.
Operating System: For Mac OS rotation, use: MacOS


Access-Based Rotation: Automatically rotate credentials once access expires.
Secure Access Control: Control and audit access to credentials through secure sharing and compliance reporting.
Detailed Audit Logs: Track all rotation events using Keeper’s Advanced Reporting and Alerts Module (ARAM).
Automation with Keeper Commander: Leverage Keeper Commander for fully automated rotation workflows.
Rotation Plugins: Open source Plugin framework provides rotation capabilities with any 3rd party SaaS service.
For AWS-deployed Gateways, Keeper uses Instance Role permission of the Gateway to perform the rotation with APIs.
For Azure and Google Cloud managed resources, Keeper uses the Service Account permissions of the Gateway.


Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records

If you are running a database directly on an EC2 instance in your AWS environment instead of using a managed service, refer to the Local Network > Database documentation for rotating passwords.
Step by step guides for performing rotation on any target system
The setup and configuration of Keeper Rotation is defined by the use case. Keeper supports any cloud or on-prem environment.
See the Keeper for updates
Perform privileged automation tasks with Post-Rotation scripts and password rotation
Post-rotation scripts (PAM Scripts) are user-defined programs that perform privileged automation tasks. Scripts can be attached to any PAM resource record in the vault. Depending on the PAM record the script is attached to, the script will execute either on the Keeper Gateway or on the remote host where the password rotation occurred.
The following table shows all the available PAM Records and where the attached script will execute:
When setting up rotation on a PAM User record, you can select one of the following methods:
General
IAM User
Run PAM scripts only
When the "General" or "IAM User" methods are selected, Keeper will attempt to rotate the credentials using built-in capabilities based on the information stored in the record.
When the "Run PAM scripts only" option is selected, Keeper will skip the default rotation task and immediately run the attached PAM scripts on the gateway.
Scripts will be executed in the following order:
Scripts attached on PAM User records
Scripts attached on PAM Machine, PAM Database, or PAM Directory Record types
Scripts attached on PAM Configuration Record types
If multiple scripts are attached to a record, scripts will be executed in the order they appear on the PAM Record.
Here are some of the use cases made possible with Keeper Post-Rotation Scripts:
Custom rotation scripts for any type of target
Revoking access to a resource
Sending notifications to team members
Propagating the password change to other systems
Password Rotation in the Azure Environment
In this section, you will learn how to rotate user credentials within the Azure network environment across various target systems. Rotation works on the devices configured and attached to the Azure Active Directory (Azure AD) which can also be your default directory.
KeeperPAM can rotate the password for Azure AD users, service accounts, local admin users, local users, managed services, databases and more.
On the "Rotation Settings" section of the PAM User vault record, you can configure how credential rotation is managed.
PAM Configuration: Gateway
PAM Machine: The Machine specified in the record
PAM Database: Gateway
PAM Directory: Gateway
PAM User: Gateway


Note: For this example, jq needs to be installed to parse the JSON. Attach this as a PAM script and perform the rotation. The Gateway logfile will contain the output.

#!/bin/bash
# Abort on the first failing command so that a non-zero exit code is reported to the Gateway
set -euo pipefail
# Read the Base64 encoded JSON input and decode it
decoded_json=$(cat | base64 --decode)
# Extract the "records" field, which is Base64 encoded, and decode it separately
records_base64=$(echo "$decoded_json" | jq -r '.records')
# Decode the Base64 "records" field and pretty-print the JSON
decoded_records=$(echo "$records_base64" | base64 --decode | jq '.')
# Print the entire decoded JSON, replacing "records" with the decoded version
echo "$decoded_json" | jq --argjson records "$decoded_records" '.records = $records'

Attach this as a PAM script and perform the rotation. The Keeper Gateway logfile will contain the output. This script simply echoes the input.

Begin {
    # Executes once before the first item in the pipeline is processed
}
Process {
    # Stop on error. If not set, the result value will be True and it is assumed
    # there was no problem.
    $ErrorActionPreference = "Stop"
    # Executes once for each pipeline object
    $JSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))
    $Params = ($JSON | ConvertFrom-Json)
    Write-Output "providerRecordUid=$($Params.providerRecordUid)"
    Write-Output "resourceRecordUid=$($Params.resourceRecordUid)"
    Write-Output "userRecordUid=$($Params.userRecordUid)"
    Write-Output "newPassword=$($Params.newPassword)"
    Write-Output "oldPassword=$($Params.oldPassword)"
    Write-Output "user=$($Params.user)"
    # The "records" value is itself Base64 encoded JSON
    $recordsJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Params.records))
    $records = ($recordsJSON | ConvertFrom-Json)
    # Output full JSON for records
    Write-Output "Full Records JSON: $recordsJSON"
    # Extract the provider title from the records
    $title = ($records | Where-Object {$_.uid -eq $Params.providerRecordUid}).title
    Write-Output "Provider Title=$title"
    # Loop through all records and display details
    foreach ($record in $records) {
        Write-Output "Record UID=$($record.uid)"
        Write-Output "Record Title=$($record.title)"
        Write-Output "Record Type=$($record.type)"
        Write-Output "Record Details=$($record.details | ConvertTo-Json)"
    }
}
End {
    # Executes once after the last pipeline object is processed
}

Here's a PowerShell script that sends a Webhook to a 3rd party site.

param (
    [Parameter(ValueFromPipeline=$true)]
    [string]
    $Record
)
# Decode the Base64 input and convert it to a PowerShell object
$RecordJsonAsB64 = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Record))
$Params = $RecordJsonAsB64 | ConvertFrom-Json
# Prepare the webhook payload
$webhookPayload = @{
    providerRecordUid = $Params.providerRecordUid
    resourceRecordUid = $Params.resourceRecordUid
    userRecordUid     = $Params.userRecordUid
    user              = $Params.user
    timestamp         = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")
    message           = "Post-rotation script executed successfully."
} | ConvertTo-Json
# Define the webhook URL
$webhookUrl = "https://webhook.site/3308ec5a-3fba-4e31-85ad-37b0f643ac82"
# Send the POST request to the webhook
try {
    Invoke-RestMethod -Uri $webhookUrl -Method Post -Body $webhookPayload -ContentType 'application/json'
    Write-Host "Webhook message sent successfully."
}
catch {
    Write-Error "Failed to send webhook message: $_"
}

The post-rotation script is not limited to shell scripts. Applications can be written in languages like Python or C# to read the piped parameters. Since the UIDs of the records involved in the rotation are passed in the parameters, the post-rotation script can use the Keeper Secrets Manager SDKs to get additional information.

#!/usr/bin/env python3
import sys
import base64
import json
from keeper_secrets_manager_core import SecretsManager

# sys.stdin is not an array and cannot be subscripted (i.e. sys.stdin[0]),
# so iterate over it and process the first line only.
for base64_params in sys.stdin:
    params = json.loads(base64.b64decode(base64_params).decode())
    print(f"providerRecordUid={params.get('providerRecordUid')}")
    print(f"resourceRecordUid={params.get('resourceRecordUid')}")
    print(f"userRecordUid={params.get('userRecordUid')}")
    print(f"newPassword={params.get('newPassword')}")
    print(f"oldPassword={params.get('oldPassword')}")
    print(f"user={params.get('user')}")
    # The "records" value is itself Base64 encoded JSON: an array of record dictionaries
    records = json.loads(base64.b64decode(params.get('records')).decode())
    provider = next((x for x in records if x['uid'] == params.get('providerRecordUid')), None)
    print(f"Provider Title={provider.get('title') if provider else None}")
    # Replace ... with your Keeper Secrets Manager configuration (see the KSM SDK documentation)
    ksm = SecretsManager(config=...)
    # get_secrets() takes a list of record UIDs and returns the matching records
    resource_records = ksm.get_secrets([params.get('userRecordUid')])[0]
    break
Configurations for the Azure Active Directory are defined in the PAM Configuration section of Keeper Secrets Manager.
Configurations for the Azure AD joined devices are defined in the PAM Directory, PAM Machine, and PAM Database record types. The credentials and user accounts are defined in PAM User records. The following table shows the supported Azure AD joined devices with Keeper Rotation and their corresponding PAM Record Type:
Azure AD Domain Services: PAM Directory
Virtual Machines: PAM Machine
Managed Databases: PAM Database
Prior to rotating user credentials within your Azure environment, you need to make sure you have the following information and configurations in place:
All Azure AD joined devices that you want to use with Rotation need to be created and configured within your Azure Active Directory
To successfully configure and setup Rotation within your Azure Network, the following values are needed for your PAM Configuration:
Client ID: The application/client id (UUID) of the Azure application
Client Secret: The client credentials secret for the Azure application
Subscription ID: The UUID of your subscription to use Azure services (i.e. Pay-As-You-Go)
Tenant ID: The UUID of the Azure Active Directory
Make sure all the Azure services or Azure AD joined devices you plan on using for rotation have access to the Azure Active Directory.
Create a custom role to allow application to access/perform actions on various Azure resources. For more information see the Azure Environment Setup document.
At a high level, the following steps are needed to successfully rotate passwords on your Azure network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the Azure environment setting
Configure Rotation settings on the records

The Keeper Gateway executes PAM scripts and provides inputs to the script through stdin parameters. These parameters are placed in a Base64 encoded JSON object and piped to the script.
For example, the Keeper Gateway will essentially execute the script on a Linux machine as follows:
Windows:
The following keys can be found in this base64 encoded JSON object:
providerRecordUid: The UID of the PAM Configuration record
resourceRecordUid: The UID of the PAM Resource record
userRecordUid: The UID of the PAM User record
newPassword: The new password generated for the User
oldPassword: The previous password for the User
The records key value is a Base64-encoded JSON array of dictionaries. This array will include the following data:
PAM Configuration information
Related PAM Machine, PAM Database, or PAM Directory Record Data
Additional Records supplied when uploading the post-rotation scripts
User Record Data
Each dictionary object will contain:
uid - The UID of the Vault record.
title - The title of the Vault record.
The rest of the dictionary will contain key/value pairs of the record's data where the key will be the label of the field. If the field does not contain a label, the field type will be used. If the key already exists, a number will be added to the key.
Upon execution of the PAM Script, an array is returned containing an instance of RotationResult for each script that was executed. The class RotationResult has the following attributes:
uid - Keeper Vault record UID that has the script attached
command - Command that was issued to the shell
system - Operating system the script ran on
title - Title of the script attached to the Keeper Vault record
name - Name of the script attached to the Keeper Vault record
success - Whether the script succeeded:
Linux and macOS - the script exited with a 0 return code.
Windows - the script returned a True status.
stdout - The stdout from the execution of the script
stderr - The stderr from the execution of the script
Additionally, the following methods can be used to determine whether the script succeeded:
was_failure - boolean, returns True if failure, False if success
was_success - boolean, returns True if success, False if failure
With this, it is possible to customize logging: the stderr attribute of RotationResult holds the errors from the execution of the script.
Although post-rotation script results and information are available via the RotationResult class, what counts as output or as an error depends on the shell the script is executed in. Keeper does not inspect the stdout or stderr of the scripts, because Keeper cannot know what constitutes an error for a customer-controlled script.
For example, if a bash script does not contain set -e, the script will continue even if part of it fails. If the script exits with a 0 return code, it will be flagged as successful.
Therefore, it is up to the customer to properly handle the outputs and errors of the script.
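The following is an added example (not Keeper's own code) of a post-rotation script skeleton that decodes the stdin payload layout described above, looks up the involved records by UID, writes a log-safe summary that never includes the passwords, and exits non-zero on a malformed payload so the Gateway records the run as failed. The UIDs, titles and passwords in the sample input are constructed for this example.

```python
#!/usr/bin/env python3
"""Post-rotation script skeleton for the Keeper Gateway stdin payload.

Added example (not Keeper's own code). It relies only on the payload layout
described above: a Base64 JSON object whose "records" key is itself a Base64
JSON array of dictionaries carrying "uid" and "title". Sample UIDs, titles
and passwords below are constructed for this example.
"""
import base64
import json
import sys
from typing import Optional

REQUIRED_KEYS = ("providerRecordUid", "resourceRecordUid", "userRecordUid",
                 "newPassword", "oldPassword", "records")


def decode_payload(b64_payload: str) -> dict:
    """Decode the outer Base64 JSON object and the nested Base64 "records" array."""
    params = json.loads(base64.b64decode(b64_payload).decode("utf-8"))
    missing = [k for k in REQUIRED_KEYS if k not in params]
    if missing:
        raise ValueError(f"payload is missing keys: {', '.join(missing)}")
    params["records"] = json.loads(base64.b64decode(params["records"]).decode("utf-8"))
    return params


def find_record(records: list, uid: str) -> Optional[dict]:
    """Return the record dictionary with the given UID, or None if absent."""
    return next((r for r in records if r.get("uid") == uid), None)


def redacted_summary(params: dict) -> dict:
    """Build a log-safe summary: titles and UIDs only, never the passwords."""
    records = params["records"]

    def title(uid: str) -> Optional[str]:
        rec = find_record(records, uid)
        return rec.get("title") if rec else None

    return {
        "configuration": title(params["providerRecordUid"]),
        "resource": title(params["resourceRecordUid"]),
        "user_record": title(params["userRecordUid"]),
        "login": params.get("user"),
        "password_changed": params["newPassword"] != params["oldPassword"],
        "record_count": len(records),
    }


def build_payload(params: dict, records: list) -> str:
    """Encode a payload in the layout described above (used here to construct test input)."""
    inner = base64.b64encode(json.dumps(records).encode("utf-8")).decode("ascii")
    outer = json.dumps({**params, "records": inner}).encode("utf-8")
    return base64.b64encode(outer).decode("ascii")


# Constructed sample input: UIDs, titles and passwords are made up for this example.
SAMPLE_RECORDS = [
    {"uid": "CFG-constructed-uid", "title": "Azure PAM Configuration"},
    {"uid": "DB-constructed-uid", "title": "Azure SQL prod", "host": "db.example.invalid"},
    {"uid": "USR-constructed-uid", "title": "app_service_user", "login": "app_service_user"},
]
SAMPLE_PARAMS = {
    "providerRecordUid": "CFG-constructed-uid",
    "resourceRecordUid": "DB-constructed-uid",
    "userRecordUid": "USR-constructed-uid",
    "newPassword": "N3w-constructed-secret",
    "oldPassword": "0ld-constructed-secret",
    "user": "app_service_user",
}
SAMPLE_PAYLOAD = build_payload(SAMPLE_PARAMS, SAMPLE_RECORDS)


def main() -> int:
    """Read one payload line from stdin; the exit code is what the Gateway uses to judge success."""
    try:
        params = decode_payload(sys.stdin.readline().strip())
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        print(f"post-rotation script failed: {exc}", file=sys.stderr)
        return 1
    print(json.dumps(redacted_summary(params)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```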
Configurations for your GCP environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited service account where the Gateway is installed to authenticate with the GCP system and perform rotation.
Configurations for managed resources like Compute Engine, Cloud SQL, and Managed Microsoft AD are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported Google Cloud managed resources with KeeperPAM and their corresponding PAM Record Type:
Compute Engine VM: PAM Machine
Cloud SQL Instance: PAM Database
Managed Microsoft AD: PAM Directory
Google Workspace Principal: PAM User
Configurations for directory users, database users, or VM users are defined in the PAM User record type.
To successfully rotate Compute Cloud Resource User accounts or Google Workspace Principal accounts, the Keeper Gateway needs to have the necessary service account with the permissions for performing the password rotation.
See the Google Cloud environment setup guide for more information.
At a high level, the following steps are needed to successfully rotate passwords on your Google Cloud network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the Google Cloud environment setting
Configure Rotation settings on the PAM User records

Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited EC2 instance role where the Gateway is installed to authenticate with the AWS system and perform rotation. If instance roles are not defined, the AWS Access Key ID and Secret Key can be stored in the PAM Configuration record to authenticate and perform rotations.
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with KeeperPAM and their corresponding PAM Record Type:
EC2: PAM Machine
RDS: PAM Database
Directory Service: PAM Directory
Configurations for directory users or IAM users are defined in the PAM User record type.
To successfully rotate IAM User accounts or EC2 local user accounts, the Keeper Gateway needs to have the necessary AWS role policies with the permissions for performing the password rotation.
See the AWS environment setup guide for more information.
If you are not using EC2 instance role policies, the following values are needed in the PAM Configuration:
Access Key ID: The Access Key ID from the desired Access Key found in the IAM User account. Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles.
Secret Access Key: The Secret Access Key from the desired Access Key found in the IAM User account. Set this field to USE_INSTANCE_ROLE if the gateway is deployed to an EC2 Instance that supports instance roles.
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
At a high level, the following steps are needed to successfully rotate passwords on your AWS network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records representing each resource
Create PAM User records that contain the necessary account credentials for each resource
Link the PAM User record to the PAM Resource record.
Assign a Secrets Manager Application to all of the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records

PAM Resource: For the General rotation type, specifies the PAM Resource record which can provide the necessary privilege. For the IAM User rotation type, specifies the PAM Configuration utilizing cloud APIs. Required only for "General" and "IAM User" rotation types.
Rotation Schedule: Rotation can be performed on-demand or on a specific schedule. For advanced scheduling, see the .
Password Complexity: Applies to password-based rotations, not PEM keys. Select "Show More" to control special characters and symbols.
Keeper supports 3 different types of rotation:
General: Uses native protocols for performing the rotation, such as LDAP, Databases, SSH keys, etc.
IAM User: Uses the cloud-specific APIs for performing rotation, such as AWS IAM users, Azure managed resources, and Google Workspace principals. In this case, only the PAM Configuration is required since it contains the necessary credentials.
Run PAM scripts only: Skips the standard rotation and only executes the attached PAM Scripts.
The rotation schedule can be set on a specific interval, or using a cron spec.
To complete the Rotation setup, you need to select a resource, which depends on the rotation type.
For a "General" rotation, the Keeper Gateway uses a native protocol for performing the necessary rotation, and the rotation will be executed on the associated PAM Resource supplied. If necessary, the rotation will use the associated administrative credential on the PAM Resource.
In the example below, a Windows service account password is going to be rotated on the associated Windows Server.
For an "IAM User" rotation type, the Keeper Gateway will use the referenced PAM Configuration to determine which APIs and methods are used to perform the rotation. In the example below, an IAM user in AWS will use the "AWS (US-WEST-1)" configuration.
When using the IAM User rotation method, it is assumed that the Keeper Gateway either inherits its privilege from the instance role policy, or through explicit access keys that are provided on the PAM Configuration record.
The PAM User record holds the credential that is being rotated.
The Rotation Settings of the PAM User record reference a specific PAM Machine, PAM Database or PAM Directory resource. This is the target resource on which the rotation is performed.
The Keeper Gateway uses the Admin Credential associated with that PAM Machine, PAM Database or PAM Directory resource to perform the rotation over native protocols.
For AWS, Azure and GCP managed resources, Keeper uses the Gateway's instance role permissions, or explicit secrets stored in the PAM Configuration, to perform the rotation through the provider's APIs.
For Google Cloud managed resources specifically, Keeper uses the permissions of the Service Account attached to the Gateway.
Below are some examples of PAM User records.
Windows Domain Admin
Windows Domain User with post-rotation scripts
AWS IAM User
Database user
Azure AD User
| Field | Description | Required |
| --- | --- | --- |
| Rotation Type | Specifies which type of rotation is being performed (and which protocol is utilized). | Required. One of "General", "IAM User" or "Run PAM Scripts Only". See below for details. |
Managing the credentials of Windows services and scheduled tasks
KeeperPAM Password Rotation is able to automatically manage the "log on" credentials for Windows services and scheduled tasks.
When rotation is performed for a specific PAM User record, the Keeper Gateway will update the credentials for all services and scheduled tasks on the associated PAM Machine, and restart the services. One PAM User record can be associated to any number of PAM Machine records, allowing you to update the services and scheduled tasks across a fleet of servers.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager and Rotation enforcement policies are configured for your role
A Keeper Secrets Manager application has been created
Your Keeper Gateway is online
The Keeper Gateway can communicate over WinRM or SSH to the target machine (see the connectivity requirements below)
Service account and scheduled task management works by associating a PAM User record with one or more PAM Machine records in the vault. This mapping tells the Keeper Gateway to reach into each machine and look up any services running as the user, updating the password and restarting the service.
When running Discovery, Keeper will automatically locate any services or scheduled tasks that need to be updated when a password is rotated.
If you don't use Discovery, this can be managed directly through the Commander CLI interface using the pam action service commands.
Keeper Commander provides the necessary commands to associate services and scheduled tasks, such that password rotations will trigger an update and restart of the service.
If you haven't set up Keeper Commander yet, please follow the Keeper Commander installation instructions first.
Use the pam gateway list command to locate the Gateway UID which manages the machine containing the services and scheduled tasks. You'll need this for the next step.
The PAM Machine and PAM User UIDs can be found in Commander by using the ls -l command inside a folder or by using the search command.
The UIDs can also be found in the Keeper Vault "Record Information" screen:
Use the pam action service command to instruct Keeper to update services and scheduled tasks on a particular machine, for a particular user, within a network.
To instruct Keeper to update and restart services and scheduled tasks on a particular machine, use the syntax below:
To instruct Keeper to remove the associations of services and scheduled tasks on a machine:
To display the current mappings between Gateway, Machine and User accounts where services and tasks need to be managed, use the pam action service list command.
To perform a password rotation of a PAM User account, click on the Rotate button from the vault user interface.
To perform the rotation from Commander, run pam action rotate with the UID of the PAM User record:
To view the status of the rotation job, check the Vault UI or run the pam action job-info command as instructed:
Keeper will not start a service which is currently stopped. We will only restart any actively running services after updating the log on credential.
When troubleshooting a service credential update issue, please make sure of the following:
For a Windows server, ensure the operating system field is set to windows
Ensure that the Keeper Gateway can communicate to the PAM Machine via WinRM or SSH.
Check the Event Viewer > Windows Logs > Application events for any error messages
Ensure that you are using a PAM Machine record to manage services and scheduled tasks.
Rotating Linux User Accounts on Local Network
Rotating Local Network PostgreSQL database accounts with Keeper Rotation
Rotating Local Network MongoDB database accounts with Keeper Rotation
Rotating Local Network MariaDB database accounts with Keeper Rotation
Rotating Local Network Oracle database accounts with Keeper Rotation
Invoking a PAM script with the Base64-encoded record payload on the command line. The shell history is cleared so that the payload, which contains the rotated credentials, is not persisted in the history file:

Linux (bash):

```bash
history -c && echo "BASE64==......" | /path/to/script.sh
```

Windows (PowerShell):

```powershell
"BASE64==......" | .\script.ps1; Clear-History
```

Checking the script results from Python:

```python
for r in results:
    if r.was_failure:
        print(f"For record {r.uid}, the script {r.title} failed: {r.stderr}")
```

Script parameters:

| Parameter | Description |
| --- | --- |
| user | The username for the User |
| records | Base64-encoded JSON array of record dictionaries |
The Keeper Gateway must be able to reach the target machine over one of the following:
- WinRM: enabled and running on port 5986 (WinRM over HTTPS). Verification: run `winrm get winrm/config` on the target to confirm that WinRM is running. See the WinRM setup page for installation help.
- SSH: enabled and running on port 22. Verification: run `ssh [your-user]@[your-machine] -p 22` to confirm that SSH is running.
Any Windows-based PAM Machine record being managed must have the operating system field set to windows.
```
My Vault> pam gateway list
KSM Application Name (UID)  Gateway Name  Gateway UID             Status
--------------------------  ------------  ----------------------  --------
My Application1             East Coast    oVCr3n7qV8uARjwSqBQBBw  ONLINE
My Application2             West Coast    qSiGWa55QVaGEv3_xAO3UA  ONLINE
My Application3             GovCloud      31t78gWKRQeY54l0u1sbMA  ONLINE
My Application4             Tokyo         2XT9aKlYTLOyTnVlpny-dA  ONLINE
```

```
My Vault> pam action service
pam command [--options]
Command    Description
---------  ------------------------------------------
list       List all mappings
add        Add a user and machine to the mapping
remove     Remove a user and machine from the mapping
```

Add service, scheduled task or IIS application pool mappings for a user on a machine:

```
pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t service
pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t task
pam action service add -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t iis
```

Remove the mappings:

```
pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t service
pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t task
pam action service remove -g <Gateway_UID> -m <Machine_UID> -u <User_UID> -t iis
```

List the current mappings for a Gateway:

```
My Vault> pam action service list -g oVCr3n7qV8uARjwSqBQBBw
User Mapping
Local service user - testuser (pEFr_dJn5EAc3MT_v30DQw)
  * Lureydemo.com Server (CrvdntH-f9mIcraY1InGiw) : Services, Scheduled Tasks
  * Windows 2022 Server (U3fHEK2i7LIkWZAzANz2sA) : Services, Scheduled Tasks
```

Rotate the PAM User record and check the job:

```
My Vault> pam action rotate -r pEFr_dJn5EAc3MT_v30DQw
Scheduled action id: +dXjf690oGKgg==

My Vault> pam action job-info +dXjf690oGKgg== --gateway=oVCr3n7qV8uARjwSqBQBBw
Job id to check [+dXjf690oGKgg==]
Execution Details
-------------------------
Status           : finished
Duration         : 0:01:01.923147
Response Message : Rotation completed for record uid XXX with post-execution
```

This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
Keeper Rotation uses an admin credential to rotate the credentials of other accounts in your local environment. This admin account must have sufficient permissions to change the passwords (or keys) of the accounts being rotated.
In this guide, the admin credential is stored in a PAM Machine record.
The following table lists the required fields on the PAM Machine record:

| Field | Value |
| --- | --- |
| Title | Name of the record, e.g. "Local Linux Admin" |
| Hostname or IP Address | Machine hostname or IP as reached by the Gateway (internal), or "localhost" |
| Port | 22 for SSH |
| Administrative Credentials | Linked PAM User record holding the username and password (or SSH key) of the admin account that performs the rotation |

Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:

| Field | Value |
| --- | --- |
| Title | Configuration name, e.g. "Linux LAN Configuration" |
| Environment | Local Network |
| Gateway | The Gateway assigned to the Keeper Secrets Manager application that has SSH access to your Linux devices |
| Application Folder | Shared folder where the PAM Configuration is stored. We recommend a shared folder that also holds the PAM User records, not the machine resources. |

Keeper Rotation uses the admin credential linked from the PAM Machine record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:

| Field | Value |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case-sensitive username of the account being rotated, e.g. msmith |
| Password | Optional; if left blank, rotation sets one |
| Private PEM Key | SSH private key. Only required if you plan to rotate the SSH key instead of the password. |

Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Machine credential set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.

This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate to your Postgres database
Keeper Rotation uses an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin account must have sufficient database privileges to change the passwords of the accounts being rotated.
The following table lists the required fields on the PAM Database record:

| Field | Value |
| --- | --- |
| Title | Keeper record title, e.g. dbadmin |
| Hostname or IP Address | Server address as reached by the Gateway; it does not need to be publicly routable |
| Port | Database port, e.g. 5432 (the PostgreSQL default) |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured. Recommended: the new password travels to the server inside the password-change statement, so an unencrypted connection exposes it on the wire. |
| Administrative Credentials | Linked PAM User record holding the username and password of the admin account that performs the rotation |

Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:

| Field | Value |
| --- | --- |
| Title | Configuration name, e.g. "PostgreSQL LAN Configuration" |
| Environment | Local Network |
| Gateway | The Gateway assigned to the Keeper Secrets Manager application that has network access to your PostgreSQL database |
| Application Folder | Shared folder where the PAM Configuration is stored. We recommend a shared folder that also holds the PAM User records, not the database resources. |

Keeper Rotation uses the admin credential linked from the PAM Database record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:

| Field | Value |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case-sensitive username of the database account being rotated, e.g. msmith |
| Password | Optional; if left blank, rotation sets one |
| Connect Database | Optional database to connect to on the server. PostgreSQL requires one, so this defaults to template1. |

Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.


This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MongoDB Database
Keeper Rotation uses an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin account must have sufficient database privileges to change the passwords of the accounts being rotated.
The following table lists the required fields on the PAM Database record:

| Field | Value |
| --- | --- |
| Title | Keeper record title, e.g. dbadmin |
| Hostname or IP Address | Server address as reached by the Gateway; it does not need to be publicly routable |
| Port | Database port, e.g. 27017 (the MongoDB default) |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured. Recommended: the new password is sent to the server inside the password-change command, so an unencrypted connection exposes it on the wire. |
| Administrative Credentials | Linked PAM User record holding the username and password of the admin account that performs the rotation |

Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:

| Field | Value |
| --- | --- |
| Title | Configuration name, e.g. "MongoDB LAN Configuration" |
| Environment | Local Network |
| Gateway | The Gateway assigned to the Keeper Secrets Manager application that has network access to your MongoDB database |
| Application Folder | Shared folder where the PAM Configuration is stored. We recommend a shared folder that also holds the PAM User records, not the database resources. |

Keeper Rotation uses the admin credential linked from the PAM Database record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:

| Field | Value |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case-sensitive username of the database account being rotated, e.g. msmith |
| Password | Optional; if left blank, rotation sets one |
| Connect Database | Optional database to connect to on the server. MongoDB requires one, so this defaults to admin. |

Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.


This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate to your MariaDB database
Keeper Rotation uses an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin account must have sufficient database privileges to change the passwords of the accounts being rotated.
The following table lists the required fields on the PAM Database record:

| Field | Value |
| --- | --- |
| Title | Keeper record title, e.g. dbadmin |
| Hostname or IP Address | Server address as reached by the Gateway; it does not need to be publicly routable |
| Port | Database port, e.g. 3306 (the MariaDB default) |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured. Recommended: the new password travels to the server inside the password-change statement, so an unencrypted connection exposes it on the wire. |
| Administrative Credentials | Linked PAM User record holding the username and password of the admin account that performs the rotation |

Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:

| Field | Value |
| --- | --- |
| Title | Configuration name, e.g. "MariaDB LAN Configuration" |
| Environment | Local Network |
| Gateway | The Gateway assigned to the Keeper Secrets Manager application that has network access to your MariaDB database |
| Application Folder | Shared folder where the PAM Configuration is stored. We recommend a shared folder that also holds the PAM User records, not the database resources. |

Keeper Rotation uses the admin credential linked from the PAM Database record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:

| Field | Value |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case-sensitive username of the database account being rotated, e.g. msmith |
| Password | Optional; if left blank, rotation sets one |

Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.


This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate to your Oracle database
Keeper Rotation uses an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin account must have sufficient database privileges to change the passwords of the accounts being rotated.
The following table lists the required fields on the PAM Database record:

| Field | Value |
| --- | --- |
| Title | Keeper record title, e.g. dbadmin |
| Hostname or IP Address | Server address as reached by the Gateway; it does not need to be publicly routable |
| Port | Database port, e.g. 1521 (the Oracle default) |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured. Recommended: the new password travels to the server inside the password-change statement, so an unencrypted connection exposes it on the wire. |
| Administrative Credentials | Linked PAM User record holding the username and password of the admin account that performs the rotation |

If you already have a PAM Configuration for your local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:

| Field | Value |
| --- | --- |
| Title | Configuration name, e.g. "Oracle LAN Configuration" |
| Environment | Local Network |
| Gateway | The Gateway assigned to the Keeper Secrets Manager application that has network access to your Oracle database |
| Application Folder | Shared folder where the PAM Configuration is stored. We recommend a shared folder that also holds the PAM User records, not the database resources. |

Keeper Rotation uses the admin credential linked from the PAM Database record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:

| Field | Value |
| --- | --- |
| Record Type | PAM User |
| Title | Keeper record title |
| Login | Case-sensitive username of the database account being rotated, e.g. msmith |
| Password | Optional; if left blank, rotation sets one |

Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button is enabled and the record can be rotated on demand or on the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.


Rotating Windows User Accounts on Local Network
In this guide, you'll learn how to rotate Windows user accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Gateway is already installed and showing online
Keeper Rotation uses an admin credential to rotate the credentials of other accounts in your local environment. This admin account must have sufficient permissions to change the passwords of the accounts being rotated.
In this guide, the admin credential is stored in a PAM Machine record.
The following table lists the required fields on the PAM Machine record:
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:
Keeper Rotation uses the admin credential linked from the PAM Machine record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:
Note that Keeper first attempts to log in to the remote system using the username exactly as supplied. If authentication fails, Keeper then tries the following variations, in order:
User Principal Name (UPN) format: admin@company.com
Domain NetBIOS format: COMPANY\admin
Shortened UPN format (no TLD): admin@company
Domain FQDN with backslash format: company.com\admin
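The fallback order above, as an added example (not Keeper's implementation): one function derives the candidate login forms for a user and domain, and a second tries them in order against an authenticator callback and stops at the first success. The callback is this example's own; the NetBIOS name is assumed to be the first DNS label in upper case, which is the common default but can differ in a real domain.

```python
# Added example of the login-form fallback described above; not Keeper code.
# Assumption: the NetBIOS domain name equals the first DNS label, upper-cased.


def login_candidates(login: str, domain: str) -> list:
    """Return the login forms to try, in order: exactly as supplied, UPN,
    NETBIOS\\user, short UPN without the TLD, and FQDN\\user.  Duplicates are
    dropped while preserving order, so a login that was already supplied in
    one of these forms is not retried."""
    # Derive the bare account name from whatever form was supplied.
    if "\\" in login:
        user = login.split("\\", 1)[1]
    elif "@" in login:
        user = login.split("@", 1)[0]
    else:
        user = login
    fqdn = domain.lower()
    first_label = fqdn.split(".")[0]
    netbios = first_label.upper()          # assumption, see above
    ordered = [
        login,                             # exactly as supplied
        f"{user}@{fqdn}",                  # UPN: admin@company.com
        f"{netbios}\\{user}",              # NetBIOS: COMPANY\admin
        f"{user}@{first_label}",           # short UPN: admin@company
        f"{fqdn}\\{user}",                 # FQDN\user: company.com\admin
    ]
    seen, out = set(), []
    for candidate in ordered:
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)
    return out


def authenticate_with_fallback(login: str, domain: str, try_login):
    """Call try_login(candidate) for each form until one succeeds.  Returns the
    form that worked, or None if every form was rejected.  Stopping at the
    first success keeps the number of failed attempts against the account
    (and therefore lockout risk) to a minimum."""
    for candidate in login_candidates(login, domain):
        if try_login(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed authenticator that only accepts the NetBIOS form.
    accepted = authenticate_with_fallback(
        "admin", "company.com", lambda c: c == "COMPANY\\admin")
    print(login_candidates("admin", "company.com"), accepted)
```

Because each failed attempt counts against the account's lockout threshold, it is worth storing the form that eventually succeeds in the Login field so later rotations do not walk the list again.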
Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Machine credential set up in Step 1.
Any user with edit rights to a PAM User record can set up rotation for that record.
Keeper can automatically update the "log on as" credential of any Windows service running as the PAM User and restart the service. Keeper also updates the credential of any scheduled task running as that user on the target machine.
To learn more and set up this capability, see the "Managing the credentials of Windows services and scheduled tasks" section.
Rotating Google Cloud Managed Microsoft AD Service accounts with Keeper
In this guide, you will learn how to rotate user accounts of a Google Cloud Managed Microsoft AD service using Keeper Rotation. The Active Directory service is a Google Cloud managed resource: the directory admin credentials are linked from the PAM Directory record type, and the AD users being rotated are defined in PAM User records.
User account passwords are rotated over LDAP. Active Directory only accepts password changes over an encrypted connection, so LDAPS must be configured on the directory and the Directory Admin defined in the PAM Directory record must use an SSL connection.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Gateway is already installed, running, and able to communicate with your Google Cloud Managed Microsoft AD domain
Keeper Rotation uses the linked admin credentials of your Google Cloud Managed Microsoft AD to rotate the passwords of the directory's accounts. The same admin credentials can also be used to rotate the password of the Directory Admin itself.
The following table lists the required fields on the PAM Directory record:
This PAM Directory record with the admin credential must be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click "New Configuration". The following table lists the required fields on the PAM Configuration record:
For details on all the configurable fields in the PAM Configuration record, see the PAM Configuration documentation.
Keeper Rotation uses the credentials in the PAM Directory record to rotate the PAM User records in your GCP environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Directory credential set up in Step 1.
Any user with edit rights to a PAM User record can set up rotation for that record.
The following Windows PowerShell command can be used to get the distinguished name of the directory user:
If the command does not exist, you need to import the appropriate module with:
Rotating Local Network Microsoft SQL Server database accounts with Keeper Rotation
In this guide, you'll learn how to rotate local Microsoft SQL Server database user and/or admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Gateway is already installed, running, and able to communicate with your Microsoft SQL Server database
Keeper Rotation uses an admin credential linked from the PAM Database record to rotate the credentials of other accounts in your local environment. This admin login must have sufficient server permissions to change the passwords of the logins being rotated.
The following table lists the required fields on the PAM Database record:
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", open the "PAM Configurations" tab and click "New Configuration". The following table lists the required fields on the PAM Configuration record:
Keeper Rotation uses the admin credential linked from the PAM Database record to rotate the PAM User records in your local environment. The PAM User record must be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open "Password Rotation Settings".
Select the desired schedule and password complexity.
"Rotation Settings" should reference the PAM Configuration set up previously.
"Resource Credential" should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record can set up rotation for that record.
Rotating Admin/Regular AWS SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MySQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MySQL is an AWS managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your AWS MySQL Database
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MySQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this .
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Local Network MySQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MySQL Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your MySQL database
Keeper Rotation will use an admin credential linked from the PAM Database record to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.
The following table lists all the required fields that need to be filled on the PAM Database Record with your information:
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular AWS SQL Server Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Google Cloud SQL Server Database User and Admin accounts on your Google Cloud environment using Keeper Rotation. Cloud SQL for SQL Server is a GCP managed resource where the SQL Server Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Server Users are defined in the PAM User record type.
To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your GCP SQL Server Database
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server Cloud SQL instance on GCP. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the SQL Server Cloud SQL instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this .
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your GCP environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular AWS MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MariaDB Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MariaDB is an AWS managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS MariaDB Database
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MariaDB RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this .
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular AWS PostgreSQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for GCP PostgreSQL Database User and Admin accounts on your Google Cloud environment using Keeper Rotation. Cloud SQL for PostgreSQL is a GCP managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your GCP PostgreSQL Database
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL Cloud SQL instance on GCP. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the PostgreSQL Cloud SQL instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this .
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your GCP environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Google Workspace user account passwords with Keeper
In this guide, you will learn how to rotate passwords for Google Workspace users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The Google Principal user accounts to be rotated are stored in PAM User records.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and running
The Keeper Gateway uses Google Admin APIs to rotate the credentials defined in the PAM User records.
In this folder, you’ll create records for the Google Principal accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.
Note: The target user to be rotated must be in a domain that the Google Workspace Administrator whose email is set on the PAM Configuration can manage.
Keeper Rotation uses the Google Admin API to rotate the PAM User records in your Google Workspace environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this .
Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".
Select "IAM User" as the rotation method, since this uses Google Admin APIs.
The "Rotation Settings" should use the PAM Configuration set up previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Azure AD Admin and User passwords with Keeper
In this guide, you will learn how to rotate passwords for Azure AD users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The Azure AD user accounts to be rotated are stored in PAM User records.
The Keeper Gateway uses Azure APIs to rotate the credentials defined in the PAM User records.
Rotating Admin/Regular AWS Oracle Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS Oracle Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for Oracle is an AWS managed resource where the Oracle Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
Rotating AWS IAM account passwords with Keeper
Rotating Admin/Regular AWS SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Google Cloud MySQL Database User and Admin accounts on your GCP environment using Keeper Rotation. Cloud SQL for MySQL is a GCP managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
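The guides above say the Gateway connects with the admin credential and executes the SQL needed to change a regular user's password. The helper below is an added example, not Keeper's own code: it builds such a statement for each Database Type value used on the PAM Database record and honours the USERNAME@HOST convention from the PAM User record's Login field. The exact ALTER statements, the quoting rules, and the function names are this example's assumptions.

```python
"""Build the per-engine SQL that changes a regular database user's password.

Added example, not Keeper's code. The ALTER statements below are this
example's assumption of the "necessary SQL statements" the page mentions;
quoting is done here so that a crafted Login value in a PAM User record
cannot change the meaning of the statement the admin credential executes.
"""
from __future__ import annotations

import secrets
import string

# Database Type values as they appear on the PAM Database record.
MYSQL_LIKE = {"mysql", "mariadb", "mariadb-flexible"}
POSTGRES_LIKE = {"postgresql", "postgresql-flexible"}

# Quote characters and backslashes are left out so one generated password is
# a valid literal for every engine below (Oracle in particular rejects '"').
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%^*_-+=:."


def generate_password(length: int = 32) -> str:
    """CSPRNG password with at least one lower, upper and digit character."""
    if length < 8:
        raise ValueError("refusing to generate a password shorter than 8 characters")
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def split_mysql_login(login: str) -> tuple[str, str]:
    """Record convention: 'alice@10.0.0.%' -> ('alice', '10.0.0.%'); 'alice' -> ('alice', '%')."""
    user, sep, host = login.rpartition("@")
    if not sep:
        return login, "%"
    if not user or not host:
        raise ValueError(f"malformed USERNAME@HOST login: {login!r}")
    return user, host


def _sq(value: str) -> str:
    """Single-quoted string literal; embedded quotes are doubled (ANSI SQL)."""
    return "'" + value.replace("'", "''") + "'"


def _sq_mysql(value: str) -> str:
    """MySQL/MariaDB string literal: backslash is an escape character there too."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def _dq(ident: str) -> str:
    """Double-quoted identifier (PostgreSQL, Oracle); embedded quotes are doubled."""
    return '"' + ident.replace('"', '""') + '"'


def _bracket(ident: str) -> str:
    """Bracket-quoted SQL Server identifier; a closing bracket is doubled."""
    return "[" + ident.replace("]", "]]") + "]"


def password_change_sql(db_type: str, login: str, new_password: str) -> str:
    """Return the ALTER statement this example uses for the given Database Type."""
    db_type = db_type.lower()
    if db_type in MYSQL_LIKE:
        user, host = split_mysql_login(login)
        return (f"ALTER USER {_sq_mysql(user)}@{_sq_mysql(host)} "
                f"IDENTIFIED BY {_sq_mysql(new_password)}")
    if db_type in POSTGRES_LIKE:
        return f"ALTER USER {_dq(login)} WITH PASSWORD {_sq(new_password)}"
    if db_type == "mssql":
        # Logins are server-level objects, so the 'master' connect database suffices.
        return f"ALTER LOGIN {_bracket(login)} WITH PASSWORD = {_sq(new_password)}"
    if db_type == "oracle":
        # Oracle takes the password as a quoted identifier, not a string literal.
        return f"ALTER USER {_dq(login)} IDENTIFIED BY {_dq(new_password)}"
    raise ValueError(f"unsupported Database Type: {db_type!r}")


if __name__ == "__main__":
    # Constructed sample: a MySQL user restricted to one subnet, as stored in the Login field.
    sample_login = "app_user@10.0.0.%"
    print(password_change_sql("mysql", sample_login, generate_password()))
```

Admin-account rotation on Amazon RDS goes through the AWS SDK rather than SQL, so it is outside what this helper covers.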
Connect Database
Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1.
Database Type
postgresql or postgresql-flexible
Connect Database
Optional database that will be used when connecting to the database server.
For example, MongoDB requires a database and so this will default to admin.
Database Type
mongodb
Database Type
mariadb or mariadb-flexible
Database Type
oracle
The Keeper Gateway can communicate over WinRM or SSH to the target machine:
WinRM: Enabled and running on port 5986.
Verification: Run winrm get winrm/config to verify that WinRM is running. See WinRM setup page for installation help.
OR...
SSH: Enabled and running on port 22.
Verification: Run ssh [your-user]@[your-machine] -p 22 to verify that SSH is running.
Title
Name of the Record ex: "Local Windows Admin"
Hostname or IP Address
Machine hostname or IP as accessed by the Gateway (internal) or "localhost"
Port
22 for SSH, 5985 (HTTP) or 5986 (HTTPS) for WinRM
Administrative Credentials
Linked PAM User record that contains the username and password (or SSH Key) of the Admin account which will perform the rotation.
Title
Configuration name, example: Windows LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Windows devices
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the machine resources.
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank

If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master.
Database Type
mssql
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mssql=1433
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials
Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.
Title
Configuration name, example: MSSQL LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MS SQL Server database
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master.

Connect Database
Your AWS environment is configured per our documentation
Admin account password
Database ID
The AWS DB instance ID
Database Type
mysql
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Title
Keeper record title Ex: AWS MySQL Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
The RDS Port, for default ports see port mapping
i.e. 3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL RDS Instance
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts, not the databases.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to be kept short
Ex: AWS-1
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank

Password
Access Key ID
mysql
Title
Keeper record title Ex: dbadmin
Hostname or IP Address
Server address - doesn't need to be publicly routable
Port
For default ports, see port mapping
Ex: mysql=3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials
Linked PAM User record that contains the username and password of the Admin account which will perform the rotation.
Title
Configuration name, example: MySQL LAN Configuration
Environment
Select: Local Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
Record Type
PAM User
Title
Keeper record title
Login
Case sensitive username of the db account being rotated. Example: msmith
Password
Account password is optional, rotation will set one if blank

Database Type
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Your AWS environment is configured per our documentation
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master.
Database ID
The AWS DB instance ID
Database Type
mssql
Provider Region
The region your Amazon RDS instance is using. i.e us-central1
Copy the JSON text of the service account key of the Gateway
Google Workspace Administrator Email
The email address for a Workspace administrator account that can be used to manage passwords for GCP Principals.
Title
Keeper record title Ex: GCP SQL Server Admin
Hostname or IP Address
The SQL Server Endpoint
Port
The SQL Server Port, for default ports see port mapping
i.e. 1433
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Title
Configuration name, example: GCP Workspace Configuration
Environment
Select: Google Cloud
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID
A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it's recommended to be kept short
Ex: GCP-DepartmentName
Title
Keeper record title i.e. GCP DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server.
For example, MS SQL server requires a database and so this will default to master.

Password
Service Account Key
Your AWS environment is configured per our documentation
Admin account password
Database ID
The AWS DB instance ID
Database Type
mariadb
Provider Region
The region your Amazon RDS instance is using. i.e us-east-2
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key
Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key.
Title
Keeper record title Ex: AWS MariaDB Admin
Hostname or IP Address
The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port
The RDS Port, for default ports see port mapping
i.e. 3306
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Title
Configuration name, example: AWS RDS Configuration
Environment
Select: AWS
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB RDS Instance
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID
A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to be kept short
Ex: AWS-1
Title
Keeper record title i.e. AWS DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank

Password
Access Key ID
Your GCP environment is configured per our documentation
Admin account password
Connect Database
Optional database that will be used when connecting to the database server.
For example, PostgreSQL requires a database and so this will default to template1.
Database ID
The AWS DB instance ID
Database Type
postgresql
Provider Region
The region your Amazon RDS instance is using. i.e us-central1
Copy the JSON text of the service account key of the Gateway
Google Workspace Administrator Email
The email address for a Workspace administrator account that can be used to manage passwords for GCP Principals.
Title
Keeper record title Ex: GCP PostgreSQL Admin
Hostname or IP Address
The RDS Endpoint
Port
The PostgreSQL Port, for default ports see port mapping
i.e. 5432
Use SSL
Check to perform SSL verification before connecting, if your database has SSL configured
Login
Admin account username that will perform rotation
Title
Configuration name, example: GCP Workspace Configuration
Environment
Select: Google Cloud
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID
A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it's recommended to be kept short
Ex: GCP-DepartmentName
Title
Keeper record title i.e. GCP DB User 1
Login
Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password
Account password is optional, rotation will set one if blank
Connect Database
Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1.

Password
Service Account Key
Your Google Cloud environment is configured per our documentation
Copy the JSON text of the service account key of the Gateway
Google Workspace Administrator Email
The email address for a Workspace administrator account that can be used to manage passwords for GCP Principals.
Title
Keeper record title i.e. AWS user: TestUser
Login
Complete email address of the account being rotated.
Password
Providing a password is optional. Performing a rotation will set one if this field is left blank.
Title
Configuration name, example: GCP Workspace Configuration
Environment
Select: Google Cloud
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID
A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it's recommended to be kept short
Ex: GCP-DepartmentName

Service Account Key
Your Google Cloud environment is configured per our documentation
Directory Service Admin Account's Distinguished Name (DN).
Example: CN=jsmith,OU=Cloud,DC=example,DC=com
Note: If DN is not provided, the following format will be used:
Given domain name is example.com:
CN=<user>,CN=Users,DC=example,DC=com
Domain Name
The Directory DNS Name. Note: This is required if using Login instead of Distinguished Name.
Directory ID
Directory Service's Identifier, i.e. d-##########
Directory Type
Directory Service Directory type, defaults to Active Directory if left blank.
Provider Region
Google Cloud region name i.e. us-east1
Copy the JSON text of the service account key of the Gateway
Title
Name of the Record i.e. AD Domain Service
Hostname or IP Address
The Directory DNS Name i.e. ad.pam.test
Port
636 for LDAPS
Use SSL (checkbox)
Must be checked
Administrative Credentials
PAM User providing the directory service admin account and password i.e. Admin
Note: Either Login and Domain Name or Distinguished Name is required. Distinguished Name is preferred.
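The fallback DN format described above (CN=<user>,CN=Users,DC=...) can be derived from the Login and Domain Name fields. The following is an added example, not Keeper's code, that builds it and escapes the CN value per RFC 4514 so a login containing commas or other special characters cannot alter the DN's structure; the function names and the escaping logic are this example's assumptions, while the fallback shape and the preference for an explicit DN come from the page.

```python
"""Resolve the DN of a directory user from a PAM User record's fields.

Added example, not Keeper's code. The fallback CN=<user>,CN=Users,DC=...
shape is the one the page documents; RFC 4514 escaping of the CN value is
this example's addition.
"""
from __future__ import annotations

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would be read as hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain_name: str) -> str:
    """'example.com' -> 'DC=example,DC=com'."""
    labels = [label for label in domain_name.strip().split(".") if label]
    if not labels:
        raise ValueError("Domain Name is required when Distinguished Name is not set")
    return ",".join(f"DC={escape_rdn_value(label)}" for label in labels)


def default_user_dn(login: str, domain_name: str) -> str:
    """The page's fallback: CN=<user>,CN=Users,<DC components of the domain>."""
    if not login:
        raise ValueError("Login is required when Distinguished Name is not set")
    return f"CN={escape_rdn_value(login)},CN=Users,{domain_to_dc(domain_name)}"


def resolve_user_dn(distinguished_name: str | None, login: str, domain_name: str) -> str:
    """Prefer the explicit DN, as the page recommends; otherwise build the default."""
    if distinguished_name and distinguished_name.strip():
        return distinguished_name.strip()
    return default_user_dn(login, domain_name)


if __name__ == "__main__":
    # Constructed sample records: one with an explicit DN, one relying on the fallback.
    print(resolve_user_dn("CN=jsmith,OU=Cloud,DC=example,DC=com", "jsmith", "example.com"))
    print(resolve_user_dn(None, "Smith, John", "corp.example.com"))
```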
Title
Configuration name, example: GCP Workspace Configuration
Environment
Select: Google Cloud
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID
A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it's recommended to be kept short
Ex: GCP-DepartmentName
Title
Keeper record title i.e. AWS Directory User1
Login
Username of the Directory Service's user account
Password
Account password is optional, rotation will set one if blank
Distinguished Name
Directory Service User Account's Distinguished Name (DN)

Distinguished Name
Service Account Key
Import-Module ActiveDirectory
Get-ADUser -Identity "username" | Select-Object -ExpandProperty DistinguishedName
See the Azure Overview for a high level overview and getting started with Azure
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
Your Keeper Gateway is online
Note: You can skip this step if you already have a PAM Configuration set up for Azure.
Prior to setting up the PAM Configuration, make sure that:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
We recommend installing the Keeper Gateway service in a machine within the Azure environment in order to rotate other types of targets.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled on the PAM Configuration Record with your information:
Title
Configuration name, example: Azure AD Configuration
Environment
Select: Azure
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites
Application Folder
Select the Shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts.
Azure ID
A unique ID for this instance of Azure. This is for your reference and can be anything, but it's recommended to be kept short
Ex: Azure-1
Keeper Rotation uses the Azure Graph API to rotate the PAM User records in your Azure environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the pre-requisites.
The following table lists all the required fields that need to be filled on the PAM User record with your information:
Title
Keeper record title i.e. Azure User1
Login
Case sensitive username of the account being rotated. The username has to be in one of the following formats:
domain\username username@domain
Password
Providing a password is optional. Performing a rotation will set one if this field is left blank.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select "IAM User" as the rotation method, since this uses Azure APIs.
The "Rotation Settings" should select the PAM Configuration set up previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Oracle Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and the configuration needed to connect to the Oracle RDS instance on AWS. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Oracle RDS instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database record:
Title: Keeper record title, e.g. AWS Oracle Admin
Hostname or IP Address: The RDS endpoint, e.g. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port: The RDS port, e.g. 1521 (for default ports, see the RDS documentation)
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Login: Admin account username that will perform the rotation
Note: Adding Provider Region and Database ID will enable managing the PAM Database record through the SDK.
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration record:
Title: Configuration name, example: AWS RDS Configuration
Environment: Select: AWS
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle RDS instance
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID: A unique ID for this instance of AWS. This is for your reference and can be anything, but it is recommended to keep it short. Ex: AWS-1
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. AWS DB User 1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, add the Host value to the user name as USERNAME@HOST
Password: Account password is optional; rotation will set one if blank
Connect Database: Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database, so this will default to template1
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and running
Your AWS environment is configured per our documentation
The Keeper Gateway uses AWS APIs to rotate the credentials defined in the PAM User records.
In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.
Note: The target user to be rotated must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. AWS user: TestUser
Login: Case-sensitive username of the account being rotated.
Password: Providing a password is optional. Performing a rotation will set one if this field is left blank.
Distinguished Name: The full ARN of the user identity, e.g. arn:aws:iam::123456789:user/TestUser
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration record:
Title: Configuration name, example: AWS IAM Configuration
Environment: Select: AWS
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
AWS ID: A unique ID for this instance of AWS. This is only for your reference and can be anything, but it is recommended to keep it short. Ex: AWS-DepartmentName
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".
Select "IAM User" as the rotation method, since this uses AWS APIs.
The "Rotation Settings" should use the PAM Configuration set up previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.

This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your GCP MySQL Database
Your GCP environment is configured per our documentation
The PAM Database record contains the admin credentials and the configuration needed to connect to the MySQL instance on Google Cloud SQL. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the MySQL Cloud SQL instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database record:
Title: Keeper record title, e.g. GCP MySQL Admin
Hostname or IP Address: The Cloud SQL endpoint
Port: The MySQL port, e.g. 3306 (for default ports, see the Cloud SQL documentation)
Use SSL: Must be checked; performs SSL verification before connecting
Login: Admin account username that will perform the rotation
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration record:
Title: Configuration name, example: GCP Workspace Configuration
Environment: Select: Google Cloud
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID: A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it is recommended to keep it short. Ex: GCP-DepartmentName
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Google Cloud environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. GCP DB User 1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table has a Host other than %, add the Host value to the user name as USERNAME@HOST
Password: Account password is optional; rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.

Rotating AWS EC2 Virtual Machine accounts with Keeper
In this guide, you will learn how to rotate AWS EC2 Virtual Machine (VM) accounts in your AWS environment using Keeper Rotation. The EC2 VM is an AWS-managed resource where the EC2 VM admin credentials are linked to the PAM Machine record and the identities of the EC2 VM users are defined in the PAM User record type.
For EC2 VM Accounts, normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your target AWS Virtual Machine(s).
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should link to an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated.
Keeper will use the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need sufficient permissions to change the credentials of those user accounts.
If you are running a rotation on a PAM Machine record which also happens to be the same machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privilege, it will be able to perform rotations on the local Gateway machine.
The following table lists all the required fields on the PAM Machine record:
This PAM Machine Record with the linked admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
Make sure the following items are completed:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled on the PAM Configuration.
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper will use the credentials linked from the PAM Machine record to rotate the PAM User records in your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields that need to be filled on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Machine credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Active Directory or OpenLDAP user accounts remotely using KeeperPAM
In this guide, you'll learn how to remotely rotate Active Directory or OpenLDAP user accounts using KeeperPAM.
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Keeper Gateway is online
The Keeper Gateway is able to communicate via LDAPS (port 636) or LDAP (port 389) to your directory.
Keeper Rotation will use the linked admin credential to rotate other accounts in your directory. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
A PAM Configuration associates an environment with a Keeper Gateway and credentials. If you don't have a PAM Configuration set up yet for this use case, create one.
KeeperPAM will use the credentials linked from the "PAM Directory" record to rotate other "PAM User" records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the secrets manager application. In the example below, the AD user demouser can be rotated.
If you don't know the user's DN, the following PowerShell command can be used to find it:
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with edit rights to a PAM User record, and who is permitted to configure rotation, has the ability to set up rotation for that record.
The "Rotation" should be of type "General".
The "PAM Resource" field should select the "PAM Directory" credential set up previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
An easy way to test whether LDAP is properly configured is to run LDP.exe and test the connection. If this connection succeeds, Keeper Rotation should also succeed.
To test an Active Directory user account rotation with Keeper, make sure that the LDAPS connection is active and uses a valid certificate. If you are just testing and don't have a production certificate, the instructions below provide you with a self-signed certificate.
Using a self-signed certificate with AD is for testing purposes only; do not use one in production.
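As an added check that is not part of this guide, the following Python performs, from the Gateway host, the LDAPS handshake and certificate validation the prerequisites call for (distinguishing a self-signed certificate from an unreachable host), and builds a safely escaped filter for the DN lookup mentioned above. The host name in `__main__` and the sample account names are placeholders.

```python
"""Pre-flight checks for the LDAPS prerequisite (port 636 with a valid certificate).

Added illustration for this page, not Keeper's code. check_ldaps() performs the
TLS handshake a client validating the directory's certificate would perform and
reports the outcome, telling a self-signed certificate apart from an unreachable
host; dn_filter() builds the RFC 4515 search filter a DN lookup by sAMAccountName
uses, with the name escaped so it cannot alter the filter. The host name
ldaps.example.test used in __main__ is a placeholder.
"""
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timezone

# OpenSSL X509 verification result codes for the two self-signed outcomes.
_SELF_SIGNED = {18: "self-signed leaf certificate",
                19: "self-signed certificate in the chain"}


def dn_filter(sam_account_name: str) -> str:
    """Return an LDAP filter that matches one user by sAMAccountName.

    Characters with meaning in a filter are hex-escaped (RFC 4515), so a value
    such as 'a*)(b' searches for that literal string instead of widening the match.
    """
    escaped = "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in sam_account_name
    )
    return f"(&(objectClass=user)(sAMAccountName={escaped}))"


def check_ldaps(host: str, port: int = 636, cafile: str | None = None,
                timeout: float = 5.0) -> dict:
    """Connect over TLS to host:port and validate the presented certificate.

    cafile: PEM bundle to trust instead of the system store, e.g. the CA that
    issued a test-only certificate. Returns a dict whose 'status' is one of
    'ok', 'cert_error', 'tls_error' or 'unreachable', plus details.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname checks on
    result = {"host": host, "port": port, "status": "", "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
                result.update(status="ok", detail=tls.version(),
                              subject_cn=subject.get("commonName"),
                              expires=not_after.isoformat())
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, name mismatch, expiry: the directory is up but the
        # certificate would not pass a validating client such as the Gateway.
        result.update(status="cert_error",
                      detail=_SELF_SIGNED.get(exc.verify_code, exc.verify_message))
    except ssl.SSLError as exc:
        result.update(status="tls_error", detail=str(exc))
    except OSError as exc:  # refused, timed out, no route, name resolution failed
        result.update(status="unreachable", detail=str(exc))
    return result


if __name__ == "__main__":
    print(dn_filter("demouser"))
    print(check_ldaps("ldaps.example.test"))  # placeholder host; expect 'unreachable'
```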
Rotating Admin/Regular AWS SQL Server Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS SQL Server Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for SQL Server is an AWS managed resource where the SQL Server Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Server Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS SQL Server Database
The PAM Database record contains the admin credentials and the configuration needed to connect to the SQL Server RDS instance on AWS. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the SQL Server RDS instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular Azure PostgreSQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure PostgreSQL Database Users and Admin accounts on your Azure environment using KeeperPAM. Azure PostgreSQL is an Azure managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
For Azure Managed PostgreSQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
See our Azure documentation for a high-level overview and for getting started with Azure.
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
Your Keeper Gateway is online
The PAM Database record links to the admin credentials and holds the configuration needed to connect to the PostgreSQL server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure PostgreSQL server instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular Azure MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MariaDB Users and Admin accounts on your Azure environment using KeeperPAM. Azure MariaDB is an Azure managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MariaDB Users are defined in the PAM User record type.
For Azure Managed MariaDB database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
See our Azure documentation for a high-level overview and for getting started with Azure.
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
Your Keeper Gateway is online
The PAM Database record links to the admin credentials and holds the configuration needed to connect to the MariaDB server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure MariaDB server instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular AWS PostgreSQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS PostgreSQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for PostgreSQL is an AWS managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS PostgreSQL Database
The PAM Database record contains the admin credentials and the configuration needed to connect to the PostgreSQL RDS instance on AWS. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the PostgreSQL RDS instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Rotating Admin/Regular Azure SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure SQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure SQL is an Azure managed resource where the SQL Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Users are defined in the PAM User record type.
For Azure Managed SQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the linked admin credentials and executes the necessary SQL statements to change the password.
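Rotating a regular database user, as described here and in the earlier MySQL/MariaDB USERNAME@HOST convention on the PAM User record, comes down to one password-change statement per engine. The following Python is an added example, not Keeper's gateway code: it shows the statement each engine expects and the quoting that keeps a Login value from altering that statement. The engine names, sample logins and passwords are constructed.

```python
"""Per-engine password-change statements for a PAM User record's Login.

Added illustration for this page, not Keeper's gateway code. It shows how the
Login value on a PAM User record (including the MySQL/MariaDB USERNAME@HOST
form) maps to the SQL each managed database runs to change a password, and
why the name and the new password must be quoted as an identifier/literal:
ALTER statements cannot take bound parameters in most drivers, so quoting is
what keeps a hostile login value from turning into a different statement.
"""
from __future__ import annotations


def split_mysql_login(login: str) -> tuple[str, str]:
    """Split a MySQL/MariaDB Login into (user, host).

    Per the page, a Login is written USERNAME@HOST when the row in the DB user
    table has a Host other than '%'; a bare name therefore means host '%'.
    """
    user, sep, host = login.rpartition("@")
    if not sep:
        return login, "%"
    if not user or not host:
        raise ValueError(f"malformed USERNAME@HOST login: {login!r}")
    return user, host


def _mysql_literal(value: str) -> str:
    # Double both backslashes and quotes so the result is safe under the default
    # sql_mode; a real client should prefer its connector's escape function.
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def _pg_identifier(name: str) -> str:
    return '"' + name.replace('"', '""') + '"'


def _pg_literal(value: str) -> str:
    # standard_conforming_strings is on by default, so only the quote needs doubling.
    return "'" + value.replace("'", "''") + "'"


def _mssql_identifier(name: str) -> str:
    return "[" + name.replace("]", "]]") + "]"


def _mssql_literal(value: str) -> str:
    return "N'" + value.replace("'", "''") + "'"


def _oracle_quoted(value: str) -> str:
    # Oracle allows no double quote inside a quoted identifier or password at all,
    # so the only safe option is to reject such values up front.
    if '"' in value:
        raise ValueError("Oracle user names and passwords may not contain a double quote")
    return '"' + value + '"'


def build_rotation_statement(engine: str, login: str, new_password: str) -> str:
    """Return the statement a rotation agent would execute for `engine`.

    engine is one of: mysql, mariadb, postgresql, sqlserver, oracle.
    The returned text contains the new password: execute it, never log it.
    """
    if engine in ("mysql", "mariadb"):
        user, host = split_mysql_login(login)
        return (f"ALTER USER {_mysql_literal(user)}@{_mysql_literal(host)} "
                f"IDENTIFIED BY {_mysql_literal(new_password)};")
    if engine == "postgresql":
        return f"ALTER ROLE {_pg_identifier(login)} WITH PASSWORD {_pg_literal(new_password)};"
    if engine == "sqlserver":
        # Server-level logins; a contained database user would use ALTER USER instead.
        return f"ALTER LOGIN {_mssql_identifier(login)} WITH PASSWORD = {_mssql_literal(new_password)};"
    if engine == "oracle":
        return f"ALTER USER {_oracle_quoted(login)} IDENTIFIED BY {_oracle_quoted(new_password)}"
    raise ValueError(f"unsupported engine: {engine!r}")


if __name__ == "__main__":
    # Constructed sample values; the awkward characters in the logins show the quoting at work.
    for engine, login in [("mysql", "appuser@10.0.0.5"), ("postgresql", 'app"user'),
                          ("sqlserver", "app]user"), ("oracle", "APPUSER")]:
        print(build_rotation_statement(engine, login, "N3w-P@ss!"))
```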
See our Azure documentation for a high-level overview and for getting started with Azure.
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
Your Keeper Gateway is online
The PAM Database record links to the admin credentials and holds the configuration needed to connect to the SQL server on Azure. Keeper Rotation uses this configuration to rotate the passwords of regular database user accounts in the Azure SQL server instance. The admin credentials must also have sufficient database permissions to change the credentials of those database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database record with the linked admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
Rotating Google Compute Virtual Machine accounts with Keeper
In this guide, you will learn how to rotate Google Compute Virtual Machine (VM) accounts in your Google Cloud environment using Keeper Rotation. The Compute VM is a GCP-managed resource: the Google Compute VM admin credentials are linked to the PAM Machine record, and the identity of each Google Compute VM user is defined in a PAM User record.
For Google Compute VM accounts, normal operating system commands are used to change the password. Keeper connects to the target machine and sends command-line commands to change the password.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Gateway is already installed, running, and able to reach your target Google Compute Virtual Machine(s).
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should link to an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated.
Keeper uses the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need sufficient permissions to change the credentials of these user accounts.
If you are running a rotation on a PAM Machine record that is also the machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privileges, it will be able to perform rotations on the local Gateway machine.
The following table lists all the required fields on the PAM Machine record:
This PAM Machine record, with its linked admin credential, needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab and click "New Configuration". The following table lists all the required fields on the PAM Configuration record:
For more details on all the configurable fields in the PAM Configuration record, visit this page.
Keeper uses the credentials linked from the PAM Machine record to rotate the PAM User records in your Google Cloud environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields that need to be filled in on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Machine credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record can set up rotation for that record.
Rotating local and remote user accounts on Azure Virtual Machines with Keeper
In this guide, you'll learn how to rotate Azure Virtual Machine local and remote user accounts within the Azure environment using KeeperPAM.
See the Azure Overview for a high-level overview and for getting started with Azure.
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
A Keeper Gateway is already installed
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record will be associated with a linked administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each user account that will be rotated.
The following table lists all the required fields that need to be filled in on the PAM Machine records.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
Make sure the following items are completed first:
A Keeper Secrets Manager application has been created
A Keeper Gateway is already installed, running, and provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab and click "New Configuration". The following table lists all the required fields that need to be filled in on the PAM Configuration.
Keeper Rotation uses the credentials linked from the PAM Machine record to rotate the credentials of the accounts referenced by the PAM User records.
The following table lists all the required fields that need to be filled in on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Machine admin credential specific to this user's machine.
Any user with edit rights to a PAM User record can set up rotation for that record.
Keeper can automatically update the Windows service account "log on as" credentials for any Windows services running as the PAM User, and restart the service. Keeper will also update the credential of any scheduled task running as that user on the target machine.
To learn more and set up this capability, see the page.
Rotating Admin/Regular Azure MySQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MySQL database users and admin accounts in your Azure environment using Keeper Rotation. Azure MySQL is an Azure-managed resource: the MySQL admin credentials are defined in the PAM Database record type, and the configuration of each MySQL user is defined in the PAM User record type.
For Azure Managed MySQL databases, the Azure SDK is used to rotate the password of Database Admin accounts. To rotate the passwords of regular database users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password.
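To make the "executes the necessary SQL statements" step concrete for the regular-user case (both the Azure SQL and the Azure MySQL guides describe it), here is an added Python example. It is illustrative code written for this page, not Keeper's Gateway implementation, whose statements may differ. It builds the password-change statement for each Database Type value that appears in the record tables on this page and splits the USERNAME@HOST login form described under the PAM User "Login" field. The helper names, the password alphabet and the constructed sample logins are assumptions for illustration.

```python
"""Added example: build the SQL that rotates a regular database user's password.

Illustrative code, not Keeper's implementation. It covers the "Database Type"
values named on this page and the USERNAME@HOST login form described in the
PAM User "Login" field.
"""
import secrets
import string
from typing import Optional, Tuple

# "Database Type" values that appear on this page.
SUPPORTED_ENGINES = {
    "mysql", "mysql-flexible", "mariadb", "mariadb-flexible",
    "postgresql", "postgresql-flexible", "mssql",
}

# Quote and backslash characters are deliberately excluded from the alphabet
# so a generated password never needs escaping in the statement below.
PASSWORD_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, "!#$%^&*()-_=+")


def generate_password(length: int = 32) -> str:
    """Return a random password containing at least one character of each class."""
    if length < len(PASSWORD_CLASSES):
        raise ValueError("length must be at least %d" % len(PASSWORD_CLASSES))
    alphabet = "".join(PASSWORD_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in PASSWORD_CLASSES):
            return candidate


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'USERNAME@HOST' into (username, host); host is None if absent."""
    if "@" in login:
        user, host = login.rsplit("@", 1)
        return user, host
    return login, None


def _string_literal(value: str, escape_backslash: bool) -> str:
    """Quote a value as a SQL string literal (DDL cannot take bind parameters)."""
    if escape_backslash:  # MySQL/MariaDB treat backslash as an escape character
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def build_rotation_sql(engine: str, login: str, new_password: str) -> str:
    """Return the single statement an admin session would run to set the password."""
    engine = engine.lower()
    if engine not in SUPPORTED_ENGINES:
        raise ValueError("unsupported Database Type: %s" % engine)
    user, host = split_login(login)

    if engine.startswith(("mysql", "mariadb")):
        # The account is identified by user AND host; '%' is the default Host.
        host = host or "%"
        return "ALTER USER %s@%s IDENTIFIED BY %s" % (
            _string_literal(user, True),
            _string_literal(host, True),
            _string_literal(new_password, True),
        )
    if engine.startswith("postgresql"):
        # On Azure single servers the '@servername' suffix is only part of the
        # connection login; the role name inside the database has no suffix.
        role = '"' + user.replace('"', '""') + '"'
        return "ALTER ROLE %s WITH PASSWORD %s" % (
            role, _string_literal(new_password, False))
    # mssql: a server-level login, normally altered while connected to master.
    name = "[" + user.replace("]", "]]") + "]"
    return "ALTER LOGIN %s WITH PASSWORD = %s" % (
        name, _string_literal(new_password, False))


if __name__ == "__main__":
    # Constructed sample logins; no database connection is made here.
    samples = [("mysql", "app_user@10.0.0.5"),
               ("postgresql-flexible", "reporter@testdb-psql"),
               ("mssql", "reporter")]
    for engine, login in samples:
        print(build_rotation_sql(engine, login, generate_password()))
```

The statement is built as a literal because these DDL statements do not accept bind parameters in common drivers, which is why the password alphabet avoids quote and backslash characters and why the literal quoting is engine-aware. A real rotation would run the statement through the admin connection, verify the new password with a fresh login, and only then write it back to the PAM User record.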
Partial PAM Database record fields (AWS RDS Oracle):
Password: Admin account password
Connect Database: Optional database that will be used when connecting to the database server.
Database ID: The AWS DB instance ID
Database Type: oracle
Provider Region: The region your Amazon RDS instance is using, e.g. us-east-2
Access Key ID: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Secret Access Key.
Partial PAM Database record fields (Google Cloud SQL):
Password: Admin account password
Database ID: The AWS DB instance ID
Database Type: mysql
Provider Region: The region your Cloud SQL instance is using, e.g. us-central1
Service Account Key: Copy the JSON text of the service account key of the Gateway
Google Workspace Administrator Email: The email address of a Workspace administrator account that can be used to manage passwords for GCP principals.
Partial PAM Database record fields (Azure credentials):
Client ID: The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret: The client credentials secret for the Azure application. It looks like random text.
Subscription ID: The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services.
Tenant ID: The UUID of the Azure Active Directory
Prerequisites:
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Your AWS environment is configured per our documentation
Required fields on the PAM Database record (AWS RDS SQL Server):
Title: Keeper record title, e.g. RDS SQL Server Admin
Hostname or IP Address: The RDS endpoint, e.g. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port: The RDS port; for default ports see port mapping, e.g. 1433
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Login: Admin account username that will perform rotation
Password: Admin account password
Connect Database: Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database, so this defaults to master.
Database ID: The AWS DB instance ID
Database Type: mssql
Provider Region: The region your Amazon RDS instance is using, e.g. us-east-2
Access Key ID: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Secret Access Key.
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. AWS RDS Configuration
Environment: Select: AWS
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your SQL Server RDS instance
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID: A unique ID for this instance of AWS. This is for your reference and can be anything, but it is recommended to keep it short, e.g. AWS-1
Required fields on the PAM User record:
Title: Keeper record title, e.g. AWS DB User 1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password: Account password is optional; rotation will set one if blank
Connect Database: Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database, so this defaults to master.
Prerequisite: Your Keeper Gateway is able to communicate with the Azure Managed PostgreSQL database
Required fields on the PAM Database record (Azure PostgreSQL):
Title: Keeper record title, e.g. Azure PostgreSQL Admin
Hostname or IP Address: The database server name, e.g. testdb-psql.postgresql.database.azure.com
Port: For default ports, see port mapping, e.g. 5432
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials: PAM User admin account username that will perform rotation. If the admin account in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Connect Database: Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database, so this defaults to template1.
Database ID: Name of the Azure database server, e.g. testdb-psql
Database Type: postgresql or postgresql-flexible
Provider Group: Azure resource group name
Provider Region: Azure resource region, e.g. East US
Client ID: The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret: The client credentials secret for the Azure application
Subscription ID: The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services.
Tenant ID: The UUID of the Azure Active Directory
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. Azure DB Configuration
Environment: Select: Azure Network
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure PostgreSQL database from the prerequisites
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
Azure ID: A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod
Required fields on the PAM User record:
Title: Keeper record title, e.g. Azure PostgreSQL User1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Password: Account password is optional; rotation will set one if blank
Connect Database: Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database, so this defaults to template1.
Prerequisite: Your Keeper Gateway is able to communicate with the Azure Managed MariaDB database
Required fields on the PAM Database record (Azure MariaDB):
Title: Keeper record title, e.g. Azure MariaDB Admin
Hostname or IP Address: The database server name, e.g. testdb-mariadb.mariadb.database.azure.com
Port: For default ports, see port mapping, e.g. mariadb=3306
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials: PAM User admin account username that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Database ID: Name of the Azure database server, e.g. testdb-mariadb
Database Type: mariadb or mariadb-flexible
Provider Group: Azure resource group name
Provider Region: Azure resource region, e.g. East US
Client ID: The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret: The client credentials secret for the Azure application
Subscription ID: The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services.
Tenant ID: The UUID of the Azure Active Directory
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. Azure DB Configuration
Environment: Select: Azure Network
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MariaDB database from the prerequisites
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
Azure ID: A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod
Required fields on the PAM User record:
Title: Keeper record title, e.g. Azure MariaDB User1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Password: Account password is optional; rotation will set one if blank
Prerequisite: Your AWS environment is configured per our documentation
Required fields on the PAM Database record (AWS RDS PostgreSQL):
Title: Keeper record title, e.g. AWS PostgreSQL Admin
Hostname or IP Address: The RDS endpoint, e.g. rdsdb.ckivswes.us-east-2.rds.amazonaws.com
Port: The RDS port; for default ports see port mapping, e.g. 5432
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Login: Admin account username that will perform rotation
Password: Admin account password
Connect Database: Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database, so this defaults to template1.
Database ID: The AWS DB instance ID
Database Type: postgresql
Provider Region: The region your Amazon RDS instance is using, e.g. us-east-2
Access Key ID: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Access Key ID.
Access Secret Key: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Secret Access Key.
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. AWS RDS Configuration
Environment: Select: AWS
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL RDS instance
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records, not the database resources.
AWS ID: A unique ID for this instance of AWS. This is for your reference and can be anything, but it is recommended to keep it short, e.g. AWS-1
Required fields on the PAM User record:
Title: Keeper record title, e.g. AWS DB User 1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST
Password: Account password is optional; rotation will set one if blank
Connect Database: Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database, so this defaults to template1.
Prerequisites:
The Keeper Gateway is able to communicate with your Azure SQL Server database
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Required fields on the PAM Database record (Azure SQL Server):
Title: Keeper record title, e.g. Azure SQL Admin
Hostname or IP Address: The database server name, e.g. testdb-sql.mssql.database.azure.com
Port: For default ports, see port mapping, e.g. 1433
Use SSL: Check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials: PAM User providing the admin account username and password that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Connect Database: Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database, so this defaults to master.
Database ID: Name of the Azure database server, e.g. testdb-sql
Database Type: mssql
Provider Group: Azure resource group name
Provider Region: Azure resource region, e.g. East US
Client ID: The unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret: The client credentials secret for the Azure application
Subscription ID: The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services.
Tenant ID: The UUID of the Azure Active Directory
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. Azure DB Configuration
Environment: Select: Azure Network
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure SQL database from the prerequisites
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
Azure ID: A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-Prod
Required fields on the PAM User record:
Title: Keeper record title, e.g. Azure DB User1
Login: Case-sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME
Password: Account password is optional; rotation will set one if blank
Connect Database: Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database, so this defaults to master.
Prerequisite: PowerShell is available on all Windows machines and bash on all Linux targets
Required fields on the PAM Machine record (Azure VM):
Title: Name of the record, e.g. Windows Machine 1
Hostname or IP Address: Machine hostname or IP as accessed by the Gateway, e.g. 10.0.1.4
Port: Typically 5985 or 5986 for WinRM, 22 for SSH
SSL Verification: For WinRM, if selected, SSL mode (port 5986) is used. Ignored for SSH.
Private PEM Key: Required for SSH if not using a password
Operating System: The VM operating system: Windows or Linux
Client ID: The unique Application (client) ID assigned to your app by Azure AD when the application was registered.
Client Secret: The client credentials secret for the Azure application.
Subscription ID: The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services.
Tenant ID: The UUID of the Azure Active Directory
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. Azure Demo
Environment: Select: Azure Network
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to the machine configured in Step 1
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts, not the machines.
Azure ID: A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short, e.g. Azure-prod
Required fields on the PAM User record:
Title: Keeper record title, e.g. Local User1
Login: Case-sensitive username of the account being rotated. The username has to be in one of the following formats: domain\username or username@domain
Password: Account password is optional; rotation will set one if blank
Prerequisite: Your AWS environment is configured per our documentation
Required fields on the PAM Machine record (AWS VM):
Title: Name of the record, e.g. AWS Linux 1
Hostname or IP Address: Machine hostname or IP as accessed by the Gateway
Port: Typically 5985 or 5986 for WinRM, 22 for SSH.
SSL Verification: For WinRM, if selected, SSL mode (port 5986) is used. Ignored for SSH.
Administrative Credentials: Linked PAM User record that contains the username and password (or SSH key) of the admin account.
Operating System: The VM operating system, i.e. Windows or Linux
Access Key ID: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Access Key ID.
Secret Access Key: Set this field to USE_INSTANCE_ROLE if you are using an EC2 role policy (default). Otherwise use a specific Secret Access Key.
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. AWS VM Configuration
Environment: Select: AWS
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to the machine configured in Step 1
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the admin accounts, not the machines.
AWS ID: A unique ID for this instance of AWS. This is for your reference and can be anything, but it is recommended to keep it short, e.g. AWS-1
Required fields on the PAM User record:
Title: Keeper record title, e.g. AWS Machine1 ec2-user
Login: Case-sensitive username of the user account being rotated, e.g. ec2-user.
Password: This is only required if the user logs in with a password. If the password is left blank, performing a rotation will set one.
Private PEM Key: SSH private key. This is only required if you plan to rotate the PEM key instead of the password.
When rotating the private PEM key credential on a target machine or user, Keeper updates the authorized_keys file on the machine with the new public key. The first time a rotation occurs, the old public key is left intact in order to prevent a system lockout. The second public key added to the file carries a comment that serves as an identifier for future rotations. For example:
By default, Keeper does not remove other keys from the .ssh/authorized_keys file, since some providers place their own keys there in order to control the virtual machine (e.g. Google Cloud).
If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper updates the line that contains the "keeper-security-xxx" comment.
Rotation also creates a backup of the prior .ssh/authorized_keys inside the .ssh directory.
For private key rotation, the new private key uses the same algorithm and key size (bits) as the current private key. For example, if the current private key is ecdsa-sha2-nistp256, the new private key will be ecdsa-sha2-nistp256. This can be overridden by adding a custom text field with the label Private Key Type and setting its value to one of the supported algorithms:
ssh-rsa - 4096 bits
ecdsa-sha2-nistp256 - ECDSA, 256 bits
ecdsa-sha2-nistp384 - ECDSA, 384 bits
This custom field can also be used if the current private key's algorithm cannot be detected.
To prevent private key rotation, a custom text field can be added to the PAM User record with the label Private Key Rotate. If the value of the field is TRUE, or the field doesn't exist, the private key will be rotated if it exists. If the value is FALSE, the private key will not be rotated.
For Linux user rotations, password-encrypted PEM files are not currently supported.
When a PAM User with only a private PEM key and no password is configured as the admin credential for a machine resource, this user executes all administrative operations, such as password rotation. In this configuration, the admin account must be able to perform sudo operations without being prompted for a password.
If a password is required to execute sudo commands, rotations for non-admin credentials on that resource will fail, since the admin credential does not include a password. To ensure successful rotation, configure the PEM-key-only admin account to run sudo commands without a password prompt.
Required fields on the PAM Directory record:
Record Type: PAM Directory
Title: Keeper record title
Hostname or IP Address: IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10, dc01.mydomain.local
Port: 636. LDAPS is required for rotation on Active Directory; LDAP over port 389 is insecure and should be avoided.
Use SSL: Must be enabled for use with Active Directory
Administrative Credentials: Linked PAM User credential used for performing the LDAP rotation. Example: rotationadmin
Domain Name: Domain name of the Active Directory. Example: mydomain.local
Directory Type: Set to Active Directory or OpenLDAP
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. My Active Directory
Environment: Select: Local Network
Gateway: Select the Gateway that has access to your directory server
Application Folder: Select the shared folder that contains the PAM Directory record
Other fields: Depends on your use case. See the PAM Configuration section.
Required fields on the PAM User record:
Record Type: PAM User
Title: Keeper record title, e.g. AD User - demouser
Login: Username of the account being rotated. The format of the username depends on the target system and type of service. Examples: demouser, [email protected]
Password: Account password is optional. In most cases, a password rotation will not require the existing password to be present; however, some scenarios and protocols may require it.
Distinguished Name: Required for Active Directory and OpenLDAP directories. The LDAP DN of the user, e.g. CN=Demo User,CN=Users,DC=lureydemo,DC=local
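The directory tables above state two hard constraints (LDAPS on port 636 with Use SSL for Active Directory, plain LDAP on 389 avoided) and one format requirement (a well-formed Distinguished Name on the PAM User record). The following added Python example, written for this page and not part of Keeper's product, turns those constraints into a pre-flight check a practitioner can run against record values before enabling rotation. The field names mirror the table labels; the record dictionary shape and the sample values are constructed assumptions.

```python
"""Added example: sanity checks for a PAM Directory record before enabling rotation.

Illustrative code, not Keeper's. It encodes the constraints stated on this
page: LDAPS on 636 with Use SSL for Active Directory, port 389 avoided, and a
well-formed Distinguished Name on the PAM User record.
"""
import re
from typing import Dict, List

# Accepted attribute types for each RDN of a user DN (assumption for this check).
RDN_PATTERN = re.compile(r"^(CN|OU|DC|UID|O)=.+$", re.IGNORECASE)
DIRECTORY_TYPES = ("Active Directory", "OpenLDAP")


def check_pam_directory_record(record: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the record passes."""
    problems: List[str] = []
    directory_type = record.get("Directory Type")
    if directory_type not in DIRECTORY_TYPES:
        problems.append("Directory Type must be Active Directory or OpenLDAP")
    try:
        port = int(record.get("Port", 0))  # type: ignore[arg-type]
    except (TypeError, ValueError):
        port = 0
        problems.append("Port is not a number")
    use_ssl = bool(record.get("Use SSL", False))
    if port == 389:
        problems.append("port 389 is plain LDAP and should be avoided; use 636 (LDAPS)")
    if directory_type == "Active Directory" and (port != 636 or not use_ssl):
        problems.append("Active Directory rotation requires Use SSL and port 636")
    for field in ("Hostname or IP Address", "Administrative Credentials", "Domain Name"):
        if not record.get(field):
            problems.append("missing required field: " + field)
    return problems


def split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas (RFC 4514 escapes a literal comma as '\\,')."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def check_distinguished_name(dn: str) -> List[str]:
    """Return problems with a PAM User 'Distinguished Name' value."""
    if not dn.strip():
        return ["Distinguished Name is required for Active Directory and OpenLDAP"]
    problems: List[str] = []
    parts = split_dn(dn)
    for part in parts:
        if not RDN_PATTERN.match(part):
            problems.append("malformed RDN: %r" % part)
    if not any(part.upper().startswith("DC=") for part in parts):
        problems.append("DN has no DC= component (domain part missing)")
    return problems


if __name__ == "__main__":
    # Constructed sample record; the values mirror the examples in the table above.
    sample = {
        "Directory Type": "Active Directory",
        "Hostname or IP Address": "dc01.mydomain.local",
        "Port": 389,
        "Use SSL": False,
        "Administrative Credentials": "rotationadmin",
        "Domain Name": "mydomain.local",
    }
    print(check_pam_directory_record(sample))
    print(check_distinguished_name("CN=Demo User,CN=Users,DC=lureydemo,DC=local"))
```

Run against the sample, the check reports both the plain-LDAP port and the missing LDAPS requirement; fixing the port to 636 and enabling Use SSL clears it. The DN splitter honours escaped commas so a common name such as "Doe\, John" is not broken into two RDNs.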
Prerequisite: Your Google Cloud environment is configured per our documentation
Required fields on the PAM Machine record (Google Compute VM):
Title: Name of the record, e.g. GCP Linux 1
Hostname or IP Address: Machine hostname or IP as accessed by the Gateway
Port: Typically 5985 or 5986 for WinRM, 22 for SSH.
SSL Verification: For WinRM, if selected, SSL mode (port 5986) is used. Ignored for SSH.
Administrative Credentials: Linked PAM User record that contains the username and password (or SSH key) of the admin account.
Operating System: The VM operating system, i.e. Windows or Linux
Service Account Key: Copy the JSON text of the service account key of the Gateway
Required fields on the PAM Configuration record:
Title: Configuration name, e.g. GCP Workspace Configuration
Environment: Select: Google Cloud
Gateway: Select the Gateway that is configured on the Keeper Secrets Manager application.
Application Folder: Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records.
GCP ID: A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it is recommended to keep it short, e.g. GCP-DepartmentName
Required fields on the PAM User record:
Title: Keeper record title, e.g. GCP Machine1 compute-user
Login: Case-sensitive username of the user account being rotated, e.g. compute-user.
Password: This is only required if the user logs in with a password. If the password is left blank, performing a rotation will set one.
Private PEM Key: SSH private key. This is only required if you plan to rotate the PEM key instead of the password.
When rotating the private PEM key credential on a target machine or user, Keeper updates the authorized_keys file on the machine with the new public key. The first time a rotation occurs, the old public key is left intact in order to prevent a system lockout. The second public key added to the file carries a comment that serves as an identifier for future rotations. For example:
By default, Keeper does not remove other keys from the .ssh/authorized_keys file, since some providers place their own keys there in order to control the virtual machine (e.g. Google Cloud).
If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper updates the line that contains the "keeper-security-xxx" comment.
Rotation also creates a backup of the prior .ssh/authorized_keys inside the .ssh directory.
For private key rotation, the new private key uses the same algorithm and key size (bits) as the current private key. For example, if the current private key is ecdsa-sha2-nistp256, the new private key will be ecdsa-sha2-nistp256. This can be overridden by adding a custom text field with the label Private Key Type and setting its value to one of the supported algorithms:
ssh-rsa - 4096 bits
ecdsa-sha2-nistp256 - ECDSA, 256 bits
ecdsa-sha2-nistp384 - ECDSA, 384 bits
This custom field can also be used if the current private key's algorithm cannot be detected.
To prevent private key rotation, a custom text field can be added to the PAM User record with the label Private Key Rotate. If the value of the field is TRUE, or the field doesn't exist, the private key will be rotated if it exists. If the value is FALSE, the private key will not be rotated.
For Linux user rotations, password-encrypted PEM files are not currently supported.
When a PAM User with only a private PEM key and no password is configured as the admin credential for a machine resource, this user executes all administrative operations, such as password rotation. In this configuration, the admin account must be able to perform sudo operations without being prompted for a password.
If a password is required to execute sudo commands, rotations for non-admin credentials on that resource will fail, since the admin credential does not include a password. To ensure successful rotation, configure the PEM-key-only admin account to run sudo commands without a password prompt.
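The PEM key rotation notes (they appear identically in the AWS VM guide and in this Google Compute VM guide) describe a small but easy-to-get-wrong piece of bookkeeping: append on first rotation, replace the marked line afterwards, never touch provider-managed keys, and keep the old key's algorithm unless the Private Key Type field says otherwise. The following added Python example, written for this page and not Keeper's own code, models exactly those rules on an in-memory authorized_keys file so they can be reasoned about and tested. The record identifier suffix, the sample key material and the function names are constructed assumptions; the "keeper-security-" comment prefix and the three key types come from the text above.

```python
"""Added example: the authorized_keys bookkeeping described above, in Python.

Illustrative code, not Keeper's implementation. It models the rules on this
page: the first rotation appends the new key and leaves the old one, later
rotations replace only the line marked with the keeper-security-<id> comment,
foreign (provider-managed) keys are never removed, and the new key keeps the
old key's type unless the "Private Key Type" custom field overrides it.
"""
from typing import Dict, List, Optional

COMMENT_PREFIX = "keeper-security-"   # the page shows this as "keeper-security-xxx"

# Key types the page lists for the "Private Key Type" custom field, with bits.
SUPPORTED_KEY_TYPES: Dict[str, int] = {
    "ssh-rsa": 4096,
    "ecdsa-sha2-nistp256": 256,
    "ecdsa-sha2-nistp384": 384,
}


def detect_key_type(public_key_line: str) -> Optional[str]:
    """Return the key type token of an authorized_keys line, or None if unknown."""
    for token in public_key_line.split():   # options such as no-pty may precede it
        if token in SUPPORTED_KEY_TYPES:
            return token
    return None


def choose_new_key_type(current_key_line: str, override: Optional[str] = None) -> str:
    """Same type as the current key, unless the 'Private Key Type' field overrides it."""
    if override:
        if override not in SUPPORTED_KEY_TYPES:
            raise ValueError("unsupported Private Key Type: %s" % override)
        return override
    detected = detect_key_type(current_key_line)
    if detected is None:
        # The page's escape hatch: set the custom field when detection fails.
        raise ValueError("cannot detect key type; set the Private Key Type field")
    return detected


def should_rotate_private_key(custom_fields: Dict[str, str]) -> bool:
    """'Private Key Rotate' custom field: missing or TRUE rotates, FALSE skips."""
    value = custom_fields.get("Private Key Rotate")
    return value is None or value.strip().upper() != "FALSE"


def rotate_authorized_keys(content: str, new_public_key: str, record_id: str) -> str:
    """Return the updated authorized_keys content (the caller backs up the old file first).

    First rotation: append '<new key> keeper-security-<record_id>' and keep every
    existing line, including the old key and any provider-managed keys.
    Later rotations: replace only the line ending in that marker.
    """
    marker = COMMENT_PREFIX + record_id
    new_line = new_public_key.strip() + " " + marker
    updated: List[str] = []
    replaced = False
    for line in content.splitlines():
        tokens = line.split()
        if tokens and tokens[-1] == marker:
            updated.append(new_line)
            replaced = True
        else:
            updated.append(line)          # never drop other keys
    if not replaced:
        updated.append(new_line)
    return "\n".join(updated) + "\n"


if __name__ == "__main__":
    # Constructed sample file: a provider-managed key plus the user's old key.
    sample = ("ssh-ed25519 AAAAC3sample provider-managed\n"
              "ssh-rsa AAAAB3sampleold admin@old\n")
    first = rotate_authorized_keys(sample, "ssh-rsa AAAAB3samplenew", "rec1")
    second = rotate_authorized_keys(first, "ssh-rsa AAAAB3samplenewer", "rec1")
    print(second)
```

After the first call the file has three lines (the provider key, the old key, the new marked key), which is the "old key left intact" state the page describes; the second call leaves the first two lines alone and rewrites only the marked one. Deleting the old second line by hand after a verified first rotation is the optional clean-up step the page mentions.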
See the Azure Overview for a high level overview and getting started with Azure
In 2024, Azure is going to sunset the non-flexible MySQL managed services. Most likely the term flexible will be removed. See: What's happening to Azure Database for MySQL Single Server?
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
Your Keeper Gateway is online
Your Keeper Gateway is able to communicate with the Azure MySQL Server Database
The PAM Database record links to the admin credentials and necessary configurations to connect to the MySQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure MySQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Title: Keeper record title, e.g. Azure MySQL Admin
Hostname or IP Address: the database server name, e.g. testdb-sql.mysql.database.azure.com
Port: the database port (for default ports, see the linked reference), e.g. mysql=3306
Use SSL: check to perform SSL verification before connecting, if your database has SSL configured
Administrative Credentials: the PAM User admin account (username and password) that will perform rotation. If the admin account's row in the MySQL user table has a Host other than %, append the Host value to the username as USERNAME@HOST
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", then the "PAM Configurations" tab, and click "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Title: configuration name, e.g. Azure DB Configuration
Environment: select Azure Network
Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MySQL database (from the prerequisites)
Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the PAM User records.
Azure ID: a unique ID for this instance of Azure. It is for your reference and can be anything, but keep it short, e.g. Azure-Prod
For more details on all the configurable fields in the PAM Configuration record, see the PAM Configuration page.
Keeper Rotation will use the linked credentials in the PAM Database record to rotate the PAM User records in your Azure environment. The PAM User record needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Title: Keeper record title, e.g. Azure DB User1
Login: case-sensitive username of the account being rotated. If the user's row in the MySQL user table has a Host other than %, append the Host value to the username as USERNAME@HOST (the same convention as for the administrative credential above)
Password: the account password is optional; rotation will set one if blank
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
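As an added example (this example's own code, not Keeper's), the following Python shows what the USERNAME@HOST convention means on the MySQL side and the ALTER USER statement that rotating a regular account comes down to, with a preflight check that tells you when a Login needs the @HOST suffix. The mysql.user rows are constructed, the function names are assumptions of this example, and nothing here claims to be how the Keeper Gateway implements rotation.

```python
# Constructed sample of `SELECT user, host FROM mysql.user` on an Azure MySQL
# server (not real data). app_user exists for two hosts; report_user is not
# reachable through the wildcard host '%'.
SAMPLE_MYSQL_USERS = [
    ("azureadmin", "%"),
    ("app_user", "%"),
    ("app_user", "10.0.1.%"),
    ("report_user", "10.0.2.25"),
]


def split_login(login: str):
    """Turn a PAM User 'Login' value into the (user, host) pair MySQL keys on.

    'USERNAME@HOST' pins a specific mysql.user row; a bare username means the
    wildcard host '%', which is what Azure-created accounts normally use.
    """
    user, sep, host = login.partition("@")
    if not user:
        raise ValueError("empty username in login")
    return user, (host if sep else "%")


def resolve_account(login: str, user_rows):
    """Return the (user, host) row a login identifies, or raise with a hint.

    Mirrors what a rotation would run into: the admin executes ALTER USER on
    exactly 'user'@'host', so a username that only exists for a non-'%' host
    fails unless the Login carries @HOST.
    """
    user, host = split_login(login)
    hosts = [h for u, h in user_rows if u == user]
    if host in hosts:
        return user, host
    if not hosts:
        raise LookupError(f"no MySQL account named {user!r}")
    raise LookupError(
        f"{user!r}@{host!r} does not exist; hosts for {user!r} are {hosts}. "
        "Set the record's Login to USERNAME@HOST."
    )


def login_resolves(login: str, user_rows) -> bool:
    """Preflight check: True if the login maps to exactly one account."""
    try:
        resolve_account(login, user_rows)
        return True
    except LookupError:
        return False


def _quote(value: str) -> str:
    """Quote a MySQL string literal (backslash, quote and NUL escaped).

    Most drivers cannot bind the password of ALTER USER as a parameter, so the
    literal has to be built by hand; never interpolate an unescaped password.
    """
    escaped = (value.replace("\\", "\\\\")
                    .replace("'", "''")
                    .replace("\x00", "\\0"))
    return f"'{escaped}'"


def alter_user_sql(login: str, new_password: str) -> str:
    """Statement the admin credential must be able to run on the target."""
    user, host = split_login(login)
    return (f"ALTER USER {_quote(user)}@{_quote(host)} "
            f"IDENTIFIED BY {_quote(new_password)};")


def show_grants_sql(admin_login: str) -> str:
    """Check the admin's privileges: changing another account's password with
    ALTER USER needs the global CREATE USER privilege (or UPDATE on mysql.*)."""
    user, host = split_login(admin_login)
    return f"SHOW GRANTS FOR {_quote(user)}@{_quote(host)};"
```

Run the preflight against the output of `SELECT user, host FROM mysql.user` before enabling rotation on a record: a Login that does not resolve is the usual reason a rotation of a non-% account fails, and `show_grants_sql` on the admin login confirms the "sufficient database permissions" prerequisite above.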

Rotating AWS Managed Microsoft AD Service accounts with Keeper
In this guide, you will learn how to rotate Admin and User accounts of an AWS Managed Microsoft AD service using Keeper Rotation. The Active Directory service is an AWS managed resource: the Directory Service admin credentials are linked from the PAM Directory record type, and the AD users to rotate are defined in PAM User records.
For AWS Managed Microsoft AD, the AWS SDK is used to rotate the password of the Directory Admin. User account passwords are rotated over LDAP; for this to succeed, server-side LDAPS must be configured and the Directory Admin defined in the PAM Directory record must connect over an SSL connection.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Gateway (Keeper Rotation) is installed, running, and able to communicate with your AWS Directory Service
Keeper Rotation will use the linked admin credentials of your AWS Managed Directory Service to rotate passwords of Domain Service's directory accounts. These admin credentials can also be used to rotate the passwords of the Directory admin.
The following table lists all the required fields on the PAM Directory Record:
Note: Adding Provider Region and Directory ID will enable managing the PAM Directory Record through the AWS SDK, which is preferred.
This PAM Directory Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up for this environment.
If you are creating a new PAM Configuration, log in to the Keeper Vault, select "Secrets Manager", then the "PAM Configurations" tab, and click "New Configuration". The required fields on the PAM Configuration Record are listed in the field reference later in this guide.
For more details on all the configurable fields in the PAM Configuration record, see the PAM Configuration page.
Keeper Rotation will use the credentials in the PAM Directory record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Directory credential setup from Step 1.
Any user with edit rights to a PAM User record has the ability to setup rotation for that record.
The following windows command can be used to get the distinguished name of the Directory user:
If the command does not exist, you need to import the appropriate module with:
When rotating the private PEM key credential on a target machine or user, Keeper will update the authorized_keys file on the machine with the new public key. The first time a rotation occurs, the old public key is left intact in order to prevent a system lockout. The second public key added to the file carries a comment that serves as the identifier for future rotations (an example listing follows below).
By default, Keeper will not remove other keys from the .ssh/authorized_keys file, since some providers place their own keys there in order to control the virtual machine (e.g. Google Cloud).
If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper will update the line that contains the "keeper-security-xxx" comment.
Rotation will also create a backup of the prior .ssh/authorized_keys inside the .ssh directory.
For private key rotation, the new private key will use the same algorithm and key size (bits) as the current private key. For example, if the current private key is ecdsa-sha2-nistp256, the new private key will be ecdsa-sha2-nistp256. This can be overridden by adding a custom text field with the label Private Key Type and setting the value to one of the supported algorithms:
ssh-rsa - 4096 bits
ecdsa-sha2-nistp256 - ECDSA, 256 bits
ecdsa-sha2-nistp384 - ECDSA, 384 bits
This custom field can also be used if the current private key's algorithm cannot be detected.
To prevent private key rotation, a custom text field can be added to the PAM User record with the label Private Key Rotate. If the value of the field is TRUE, or the field does not exist, the private key will be rotated if one exists. If the value is FALSE, the private key will not be rotated.
For Linux user rotations, password-encrypted PEM files are not currently supported.
When a PAM User with only a private PEM key and no password is configured as the admin credential for a machine resource, that user executes all administrative operations such as password rotation. In this configuration the admin account must be able to run sudo without being prompted for a password.
If a password is required to execute sudo commands, rotations of non-admin credentials on that resource will fail, since the admin credential does not include a password. To ensure successful rotation, configure the PEM-key-only admin account to run sudo commands without a password prompt.
Example authorized_keys after the first rotation: the provider's key is untouched and the Keeper-managed key is identified by its comment:
[compute-user@host .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1...11xZrfOxYXG6RV84mCZ3uldesEyV/ghLxAb7Fcz gcpdemo
ssh-rsa AAAAB3NzaC...un+frl9Q== keeper-security-computeuser
Further Private Key Type values, continuing the list above:
ecdsa-sha2-nistp521 - ECDSA, 521 bits
ssh-ed25519
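The authorized_keys update rule described above (append with a marker comment on the first rotation, replace only the marked line afterwards, never touch other keys, keep a backup in .ssh) is easy to get wrong by hand, so here it is as an added Python example. This is this example's own code, not the Gateway's: the marker value is taken from the listing above, the key blobs are constructed in OpenSSH wire layout but are not usable keys, and the backup file name and the validation step are this example's choices.

```python
import base64
import os
import shutil
import struct
import tempfile
import time

# Comment Keeper uses to find its own line on later rotations (from the listing above).
MARKER = "keeper-security-computeuser"


def _fake_blob(key_type: str, filler: bytes) -> str:
    """Constructed key material in OpenSSH wire layout: a length-prefixed key
    type followed by key bytes. Only the layout is realistic, not the key."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + filler
    return base64.b64encode(raw).decode()


# Constructed sample: a GCP VM whose provider-managed key is already present.
PROVIDER_KEY = "ssh-rsa " + _fake_blob("ssh-rsa", bytes([1]) * 32) + " gcpdemo"
KEY1 = "ssh-rsa " + _fake_blob("ssh-rsa", bytes([2]) * 32)            # first rotation
KEY2 = "ssh-ed25519 " + _fake_blob("ssh-ed25519", bytes([3]) * 32)    # Private Key Type override


def parse_pubkey_line(line: str):
    """Return (key_type, blob, comment) for a well-formed key line, else None.

    Comment lines, blank lines and lines with leading options ("no-pty ssh-rsa ...")
    return None; the rotation carries those over untouched.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0].startswith("#"):
        return None
    key_type, blob = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if len(raw) < 4:
        return None
    n = struct.unpack(">I", raw[:4])[0]
    # A genuine OpenSSH blob starts with its own key type; this rejects truncated
    # or mangled keys before they are written and lock the account out.
    if raw[4:4 + n] != key_type.encode():
        return None
    return key_type, blob, comment


def rotate_authorized_keys(current: str, new_pubkey: str, marker: str = MARKER) -> str:
    """First rotation: append the new key with the marker as its comment and leave
    every existing line, old key included. Later rotations: replace only the
    marked line. Keys belonging to others (provider keys) are never removed."""
    parsed = parse_pubkey_line(new_pubkey)
    if parsed is None:
        raise ValueError("refusing to install a malformed public key")
    new_line = f"{parsed[0]} {parsed[1]} {marker}"
    out, replaced = [], False
    for line in current.splitlines():
        p = parse_pubkey_line(line)
        if not replaced and p is not None and p[2] == marker:
            out.append(new_line)
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def rotate_authorized_keys_file(path: str, new_pubkey: str, marker: str = MARKER) -> str:
    """Back the file up beside itself in .ssh (name chosen by this example), then
    swap in the new content atomically with 0600 permissions. Returns the backup path."""
    with open(path, "r", encoding="utf-8") as f:
        current = f.read()
    backup = f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak"
    shutil.copy2(path, backup)
    updated = rotate_authorized_keys(current, new_pubkey, marker)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(updated)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)   # never leaves a half-written authorized_keys behind
    return backup


def demo_two_rotations():
    """Two rotations over the constructed file; returns both resulting line lists."""
    after_first = rotate_authorized_keys(PROVIDER_KEY + "\n", KEY1)
    after_second = rotate_authorized_keys(after_first, KEY2)
    return after_first.splitlines(), after_second.splitlines()


def demo_file_rotation():
    """Exercise the file wrapper in a temp dir; returns (backup exists, mode, lines)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        with open(path, "w", encoding="utf-8") as f:
            f.write(PROVIDER_KEY + "\n")
        backup = rotate_authorized_keys_file(path, KEY1)
        with open(path, encoding="utf-8") as f:
            lines = f.read().splitlines()
        return os.path.exists(backup), os.stat(path).st_mode & 0o777, lines
```

The validation step matters more than it looks: the file is the only thing standing between a rotation and a lockout, so a public key that does not decode to a blob beginning with its own key type should never be written.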
Additional PAM Database Record fields for Azure (adding Provider Group, Provider Region and Database ID enables managing the record through the Azure SDK, as noted above):
Database ID: name of the Azure Database Server, e.g. testdb-sql
Database Type: mysql or mysql-flexible
Provider Group: Azure resource group name
Provider Region: Azure resource region, e.g. East US
Azure credential fields on the PAM Configuration Record (Azure Network environment):
Client ID: the unique Application (client) ID assigned to your app by Azure AD when the application was registered
Client Secret: the client credentials secret for the Azure application
Subscription ID: the UUID that identifies your subscription (e.g. Pay-As-You-Go) for Azure services
Tenant ID: the UUID of the Azure Active Directory tenant

The guide also assumes your AWS environment is configured per our documentation.
PAM Directory Record fields:
Title: name of the record, e.g. AD Domain Service
Hostname or IP Address: the Directory DNS name, e.g. ad.pam.test
Port: 636 for LDAPS
Use SSL (checkbox): must be checked
Administrative Credentials: PAM User providing the directory service admin account and password, e.g. Admin
Distinguished Name: the Directory Service admin account's Distinguished Name (DN). Note: if no DN is provided, the following format is used (for the domain name example.com): CN=<user>,CN=Users,DC=example,DC=com
Domain Name: the Directory DNS name. Note: this is required if using Login instead of Distinguished Name
Directory ID: the Directory Service's identifier, e.g. d-##########
Directory Type: the Directory Service directory type; defaults to Active Directory if left blank
Provider Region: AWS region name, e.g. us-east-1
Note: Either Login and Domain Name, or Distinguished Name, is required. Distinguished Name is preferred.
PAM Configuration Record fields (AWS environment):
Title: configuration name, e.g. AWS AD Configuration
Environment: select AWS
Gateway: select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server (from the prerequisites)
Application Folder: select the shared folder where the PAM Configuration will be stored. We recommend placing it in a shared folder with the admin accounts, not the machines.
AWS ID: a unique ID for this instance of AWS. It is for your reference and can be anything, but keep it short, e.g. AWS-1
Access Key ID: set this field to USE_INSTANCE_ROLE if you are using an EC2 instance role policy (the default). Otherwise use a specific Access Key ID.
Access Secret Key: set this field to USE_INSTANCE_ROLE if you are using an EC2 instance role policy (the default). Otherwise use the Secret Access Key that pairs with the Access Key ID above.
Region Names: list of AWS region names, one per line, for example:
us-east-1
us-east-2
PAM User Record fields:
Title: Keeper record title, e.g. AWS Directory User1
Login: username of the Directory Service's user account
Password: the account password is optional; rotation will set one if blank
Distinguished Name: the Directory Service user account's Distinguished Name (DN)
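The default DN format above (CN=<user>,CN=Users,DC=...,DC=...) only matches accounts whose CN equals the login and that live in the built-in Users container, which is why the table says an explicit Distinguished Name is preferred. As an added example (this example's own code, not Keeper's), the Python below builds that default DN with the RFC 4514 escaping the page's own examples assume (commas, quotes and leading/trailing spaces in a CN such as "Demo, User"), and parses a DN back into its RDNs so you can check a value typed into the Distinguished Name field.

```python
# Characters that must be backslash-escaped inside an RDN value (RFC 4514 s2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def default_user_dn(user: str, domain: str) -> str:
    """The documented fallback when a record has no DN: CN=<user>,CN=Users,DC=...

    Only correct when the account's CN really is the login and the object sits
    in the Users container; anything in an OU needs an explicit DN.
    """
    labels = [lbl for lbl in domain.strip().rstrip(".").split(".") if lbl]
    if not labels:
        raise ValueError("domain name must have at least one label")
    dcs = ",".join(f"DC={escape_rdn_value(lbl)}" for lbl in labels)
    return f"CN={escape_rdn_value(user)},CN=Users,{dcs}"


def split_dn(dn: str):
    """Parse a DN into [(attribute, value), ...], honouring backslash escapes.

    Useful to sanity-check a DN typed into a record: an unescaped comma inside a
    CN silently produces an extra RDN and the bind fails with an unhelpful error.
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in _SPECIAL or nxt in " #":
                buf.append(nxt)
                i += 2
                continue
            buf.append(chr(int(dn[i + 1:i + 3], 16)))   # \XX hex escape
            i += 3
            continue
        if ch == "=" and attr is None:
            attr = "".join(buf).strip()
            buf = []
        elif ch == ",":
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr, "".join(buf)))
    return rdns
```

Run `split_dn` over the value you intend to store and confirm it yields exactly one CN for the user followed by the container and DC components; if the user's CN contains a comma, the escaped form is what belongs in the record.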
The Windows commands referenced earlier for looking up a Directory user's distinguished name, and the module import needed if Get-ADUser is not found:
Get-ADUser -Identity "username" | Select-Object -ExpandProperty DistinguishedName
Import-Module ActiveDirectory
Rotating Active Directory (Domain Controller) accounts with Keeper
This guide assumes the following tasks have already taken place:
Rotation enforcements are configured for your role
A Keeper Secrets Manager application has been created
Your Keeper Gateway is online
The Keeper Gateway is able to connect to your Active Directory via LDAPS (port 636)
Keeper Rotation will use the credentials in this PAM User record to rotate other accounts in your directory. This account does not need to be a domain admin account, but it must be able to change passwords for the other accounts.
Record Type: PAM User
Title: Keeper record title
Login: the username of the Active Directory admin. The format of the username depends on the target system and type of service. Examples: Administrator, or a user@domain style login
Password: password of the admin user on the Active Directory
Distinguished Name: full Distinguished Name (DN) of the admin user on the Active Directory
A PAM Configuration associates an environment with a Keeper Gateway and credentials. If you don't have a PAM Configuration set up yet for this use case, create one with the following fields:
Title: configuration name, e.g. My Active Directory
Environment: select Domain Controller
Gateway: select the Gateway that has access to your directory server
Application Folder: select the shared folder that contains the PAM User record created in step 1
Administrative Credential: select the PAM User record created in step 1
KeeperPAM will use the credentials linked from the PAM User record to rotate other PAM User records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the Secrets Manager application. In the example below, the AD user demouser is rotated.
Record Type: PAM User
Title: Keeper record title, e.g. AD User - demouser
Login: username of the account being rotated. The format of the username depends on the target system and type of service. Examples: demouser, or a user@domain style login
Password: the account password is optional. In most cases a password rotation does not require the existing password to be present; however, some scenarios and protocols may require it.
Distinguished Name: the LDAP DN for the user, e.g. CN=Demo User,CN=Users,DC=lureydemo,DC=local
If you don't know the user's DN, the following PowerShell command can be used to find it:
Select the PAM User record, edit the record and open the Password Rotation Settings.
Any user with edit rights to a PAM User record and enforcement policies allowing rotation has the ability to set up rotation for that record.
The "Rotation" should be of type IAM User.
The "PAM Configuration" field should point to the Active Directory PAM Configuration created in step 2.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
An easy way to test whether LDAPS is properly configured is to run LDP.exe, connect to the domain controller on port 636 with the SSL option enabled, and bind. If this connection succeeds, Keeper Rotation should also succeed.
For the purpose of testing an Active Directory user account rotation with Keeper, the LDAPS connection must be active and use a valid certificate. If you are just testing and don't have a production certificate, the instructions below walk you through a self-signed certificate.
Using a self-signed certificate with AD is only for testing purposes; do not use it in production.

Create the self-signed certificate on the domain controller (replace the DNS names with your DC's FQDN and domain):
New-SelfSignedCertificate -DnsName XYZ123.company.local,company.local,company -CertStoreLocation cert:\LocalMachine\My
The PowerShell command referenced above for finding a user's DN:
Get-ADUser -Identity <username> -Properties DistinguishedName
Remaining PAM Configuration fields for the Domain Controller environment:
Hostname or IP Address: the domain name or IP address of your Active Directory domain
Port: 636 (LDAPS). Port 389 (plain LDAP) is not supported for rotations.
Use SSL: ensure this checkbox is checked
Then copy the certificate into the NTDS service store and the Trusted Root store, and restart NTDS so LDAPS picks it up. Note that this only makes the domain controller itself trust the certificate; the host running the Keeper Gateway must trust it too for SSL verification to pass.
# Get the cert we just created (narrow the filter if more than one certificate matches "*company*")
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*company*"}
$thumbprint = ($cert.Thumbprint | Out-String).Trim()
# Copy to the NTDS certificate store through the registry so LDAPS uses it
$certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
if (!(Test-Path $certStoreLoc)) {
New-Item $certStoreLoc -Force
}
Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc
# Copy to the Trusted Root store so this host trusts the self-signed cert
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()
# Restart the directory service so it picks up the new certificate
Restart-Service NTDS -Force
SaaS and REST-based rotation plugins
KeeperPAM supports automated password rotation for various SaaS applications and services, including cloud infrastructure. This feature requires Keeper Gateway version 1.6 or newer. Currently, the configuration of SaaS rotations requires the use of Keeper Commander CLI. The front-end for managing these rotations will be included in an upcoming release of the Web Vault and Desktop App.
SaaS rotations are available as built-in integrations, catalog integrations or custom integrations.
KeeperPAM includes pre-built integrations for popular services:
Okta - Identity and access management
Snowflake - Cloud data platform
REST APIs - Generic REST endpoint integration
AWS Access Keys - Amazon Web Services credential rotation
In Keeper's rotation plugin catalog on GitHub, several new rotation plugins have been created, including:
AWS Cognito
Cisco APIC
and others
As new catalog rotations are added, customers may use these rotations within their environments.
Following the examples in Keeper's plugin repository, customers can create their own plugins that are private and only available to their Keeper Gateway. See the custom plugins section below for more information.
This is accomplished in the 3 steps outlined below:
SaaS rotation configurations are stored as records with custom fields that define the configuration parameters.
Using Keeper Commander CLI
The fastest way to create a SaaS configuration is using the Commander CLI pam action saas config command:
The command will prompt you for the required configuration values specific to your chosen SaaS type. Each of the configuration values is documented in the section below, for built-in and catalog plugins.
You can also just create a Login record with custom fields as defined below.
Note: The admin access key does NOT need to be set if you are using an EC2 instance with an attached IAM role, or an AWS PAM Configuration. The plugin will get its credentials from the following sources, in this order:
SaaS Configuration Record - ensure that the Admin Access Key ID and Admin Secret Access Key are set
AWS PAM Configuration - see the AWS PAM Configuration documentation for details
Ensure that the role assigned to your AWS PAM Configuration, or to the specific administrative access key / secret key, includes the policy required to rotate a target access key (the IAM policy document is shown with the CLI commands at the end of this guide).
Note: The administrative application ID and client secret do not need to be set if you are using a PAM Configuration that already has the necessary Azure permissions.
The plugin will get its credentials from the following sources, in this order:
SaaS Configuration Record
Azure PAM Configuration
In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.
Required Microsoft Graph permissions:
Application.ReadWrite.All
Note that Application.ReadWrite.All lets the administrative app add credentials to any application registration in the tenant, so treat its client secret as a tenant-wide privileged credential.
How to assign:
Go to Azure Portal > Azure Active Directory > App registrations
Select your administrative app (the one that will rotate secrets)
Go to API permissions > Add a permission
Choose the Microsoft Graph API (the remaining steps of this procedure appear later in this guide)
Once your SaaS configuration record is created, associate that record with one or more PAM User records in the vault.
Create the PAM User record either in the vault, or using the Commander CLI
Using Commander, run the below commands to create the association:
Check that your SaaS rotation is properly configured on the PAM User record:
This will display all configured SaaS rotations for the specified PAM User, including their current settings.
To perform the rotation from the Commander CLI, use the pam action rotate command:
To remove a SaaS rotation from a PAM User record:
You can control whether a SaaS rotation is active by setting the Active custom field:
Set to any value (e.g., "true", "yes", "1") to activate
Remove the field or set to empty/false to deactivate
In addition to the built-in integrations, you can use custom plugins for additional services. Keeper maintains a GitHub repository of community-contributed plugins.
Check the integrations/ folder for available plugins, which may include:
Additional cloud services
Database systems
Network equipment
Custom enterprise applications
To use custom plugins in your environment:
Configure your PAM Gateway to recognize custom plugins:
Copy the plugin Python files to your configured directory:
If using Docker, mount the plugin directory:
Update the PAM configuration to use the container path:
Some plugins may need access to your PAM configuration credentials (e.g., for AWS or Azure integration). Grant access by adding the plugin name to the allow list:
If you need a plugin for a service not currently available, you can develop your own using the development environment provided in the repository. The repository includes:
Development and testing tools
Example plugins and templates
API documentation
Testing framework
Visit the repository for detailed development instructions. To contribute to the community rotation plugin directory, submit a pull request.
Use dedicated service accounts with minimal required permissions for SaaS integrations
Regularly rotate API keys and tokens used in SaaS configurations
Test rotations in a development environment before production deployment
Monitor rotation logs for failures or authentication issues
Store SaaS configurations in dedicated shared folders for better organization
Use descriptive names for configuration records (e.g., "Okta Production", "Snowflake Dev")
Document any custom field requirements for team members
Regularly review and update SaaS rotation assignments
Check Gateway logs for detailed error messages during rotations
Verify API credentials and permissions in your SaaS applications
Ensure network connectivity between Gateway and target services
Test individual SaaS configurations before associating with multiple users
Built-in SaaS Types: Supported through standard Keeper support channels
Custom Plugins: Community support via GitHub repository issues
Development Questions: Refer to repository documentation and examples
Enterprise Support: Contact your Keeper representative for assistance with custom integrations
For the most up-to-date list of available plugins and integration examples, regularly check the repository.
Further pre-built integrations, continuing the list above:
Azure Client Secrets - Microsoft Azure application secrets
Cisco IOS XE - Network device management
Cisco Meraki - Cloud-managed networking
Remaining steps for assigning the Microsoft Graph permission (continuing the "How to assign" procedure above):
Select Application permissions
Search and select: Application.ReadWrite.All
Click Add permissions
Then click Grant admin consent for the tenant
SaaS configuration record fields per plugin. Each field is a custom field on the configuration record; "required" and "optional" give the Required column.
Okta
SaaS Type (required): Okta
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Okta URL (required): the URL of the customer login portal, where users log in.
Okta Token (required): the API token created on the Security > API > Tokens admin page.
Snowflake
SaaS Type (required): Snowflake
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Snowflake Account (required): the account; it is the subdomain of the URL.
Snowflake Admin User (required): an admin username.
Snowflake Admin Password (required): the password for the admin username.
REST
SaaS Type (required): REST
Active (optional): activate/deactivate the SaaS rotation. The default is active.
REST Url (required): URL to the web service.
REST Method (optional): the HTTP method to use. The default is POST. Valid values are POST and PUT.
REST Token (required): a Bearer token sent in the Authorization header. This must be static; it cannot be generated.
AWS Access Key
SaaS Type (required): AWS Access Key
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Admin Access Key ID (optional): AWS Access Key ID for the administrative role.
Admin Secret Access Key (optional): AWS Secret Access Key for the administrative role.
Region Name (optional): region name. This can be left blank unless using GovCloud; a value is required for GovCloud.
AWS Clean Keys (optional): remove old access keys. If not set, defaults to All. All: removes all the old access keys. Oldest: removes the oldest access key if both access key slots are filled. Replace: replaces the access key used in the Vault record; if there are two access keys, the other is not removed.
Azure Client Secret
SaaS Type (required): Azure Client Secret
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Azure Target Object ID (required): the target Azure Entra ID application. This is the object ID of the application whose secret is being rotated.
Expiry Days (optional): the number of days before the new secret expires. The default is 365 days.
Azure Tenant ID (optional): the Directory (tenant) ID of the Entra ID tenant, used for both the admin and target application.
Azure Admin Application ID (optional): the Application (client) ID of the administrative app performing the rotation (NOT the target).
Azure Admin Client Secret (optional): the secret value for the administrative application.
Azure Authority (optional): special URL for MSAL to request tokens.
Azure Graph Endpoint (optional): special URL for the Azure Graph scope.
Azure Clean Keys (optional): remove old secrets on every rotation. All: removes all the old secrets. Replace: replaces only the secret used in the Vault record.
Cisco IOS XE
SaaS Type (required): Cisco IOS XE
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Hostname (required): hostname or IP of the web service.
Admin Username (required): the administrator's username.
Admin Password (required): the administrator's password.
Verify SSL (optional): verify the server's SSL certificate. Default is FALSE.
Cisco Meraki
SaaS Type (required): Cisco Meraki
Active (optional): activate/deactivate the SaaS rotation. The default is active.
Admin Email (required): the administrator's email address.
API Key (required): the API key generated in the admin's profile, in the API access section.
Network ID (optional): the network ID. If blank, an attempt is made to find it: if the customer has only one organization, and only one network in that organization, that network ID is used.
Verify SSL (optional): verify the server's SSL certificate. Default is FALSE.
Note that Verify SSL defaults to FALSE for both Cisco plugins, meaning the Gateway does not validate the device's certificate; set it to TRUE wherever the device presents a certificate the Gateway trusts.
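To make the three AWS Clean Keys modes concrete, here is an added Python model (this example's own code, not the plugin's) of what each mode deletes, and when, given IAM's hard limit of two access keys per user. The key list and IDs are constructed; the before/after sequencing (freeing the slot that is not held in the vault record first, where the mode allows it) is this example's choice, as the page does not document the plugin's ordering.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_IAM_ACCESS_KEYS = 2   # IAM refuses CreateAccessKey once a user has two keys


@dataclass(frozen=True)
class AccessKey:
    key_id: str
    created: datetime


# Constructed sample: a target IAM user with both slots filled. The PAM User
# record in the vault holds AKIAEXAMPLEOLD1; OLD2 was created out of band.
SAMPLE_KEYS = [
    AccessKey("AKIAEXAMPLEOLD1", datetime(2024, 1, 10, tzinfo=timezone.utc)),
    AccessKey("AKIAEXAMPLEOLD2", datetime(2024, 3, 5, tzinfo=timezone.utc)),
]


def plan_rotation(keys, vault_key_id: str, mode: str = "All"):
    """Return (delete_before_create, delete_after_create) as lists of key IDs.

    All:     only the newly created key survives.
    Oldest:  the oldest key is removed only when both slots are full.
    Replace: the key held in the vault record is swapped; any other key stays.
    """
    mode = (mode or "All").lower()
    ids = [k.key_id for k in keys]
    if vault_key_id not in ids:
        raise ValueError(f"vault key {vault_key_id} not found on the IAM user")
    others = [k.key_id for k in keys if k.key_id != vault_key_id]
    full = len(keys) >= MAX_IAM_ACCESS_KEYS
    if mode == "all":
        # Free the slot with a key Keeper does not hold, so the vault key keeps
        # working until the replacement exists; then drop the vault key too.
        return (others if full else []), [vault_key_id] + ([] if full else others)
    if mode == "oldest":
        if not full:
            return [], []
        return [min(keys, key=lambda k: k.created).key_id], []
    if mode == "replace":
        # Only the vault key may go; with two keys it must go before creation.
        return ([vault_key_id], []) if full else ([], [vault_key_id])
    raise ValueError(f"unknown AWS Clean Keys mode: {mode!r}")


def simulate(keys, vault_key_id: str, mode: str = "All",
             new_key_id: str = "AKIAEXAMPLENEW0"):
    """Apply the plan in order and return the key IDs left on the user."""
    before, after = plan_rotation(keys, vault_key_id, mode)
    remaining = [k.key_id for k in keys if k.key_id not in before]
    if len(remaining) >= MAX_IAM_ACCESS_KEYS:
        raise RuntimeError("CreateAccessKey would fail with LimitExceeded")
    remaining.append(new_key_id)
    return [k for k in remaining if k not in after]
```

Two consequences worth checking against your own policy before picking a mode: with Oldest, a user that has a single key ends the rotation with two valid keys, the old one still live; and with Replace, a second key created outside Keeper is never cleaned up, so the default of All is the one that actually retires the previous credential.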
Commander CLI commands for creating a SaaS configuration (step 1):
# Login to your vault
keeper shell
# List available SaaS types for your gateway
pam action saas config --gateway "My Gateway" --list
# Create a new SaaS configuration (example for Okta)
pam action saas config --gateway "My Gateway" --plugin "Okta" --shared-folder-uid FOLDER_UID --create
IAM policy required to rotate a target access key (AWS Access Key plugin; replace YOUR_AWS_ACCOUNT_ID_HERE). For least privilege, narrow the Resource to the IAM user or users actually being rotated rather than user/*:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:ListAccessKeys",
"iam:DeleteAccessKey"
],
"Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
}
]
}
Associating a SaaS configuration with a PAM User record (step 2):
# Add SaaS rotation to a user
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID
# Optionally attach to a specific resource
pam action saas add --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID --resource-uid RESOURCE_UID
Checking the SaaS rotations configured on a PAM User:
# View all SaaS rotations for the PAM User
pam action saas user -u USER_RECORD_UID
Rotating from the Commander CLI:
pam action rotate -r USER_RECORD_UID
Removing a SaaS rotation from a PAM User record:
pam action saas remove --user-uid USER_RECORD_UID --config-record-uid SAAS_CONFIG_UID
Custom plugins: set the plugin directory path on your PAM Configuration record:
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/path/to/plugins"
Copy the plugin Python files to the configured directory:
# Create plugin directory
mkdir /opt/keeper/saas_plugins
# Copy plugin files from the repository
cp custom_plugin.py /opt/keeper/saas_plugins/
If using Docker, mount the plugin directory:
# docker-compose.yml
services:
  keeper-gateway:
    image: keeper/gateway:preview
    volumes:
      - ./saas_plugins:/opt/keeper/saas_plugins
    environment:
      GATEWAY_CONFIG: YOUR_GATEWAY_CONFIG_UID
Update the PAM Configuration to use the container path:
record-update -r PAM_CONFIG_RECORD_UID "text.SaaS Plugins Dir=/opt/keeper/saas_plugins"
Allow named plugins to read the PAM Configuration credentials (one plugin name per line):
record-update -r PAM_CONFIG_RECORD_UID "multiline.Allow SaaS Access=Custom Plugin Name\nAnother Plugin"