Secrets Manager Commands
Commands to configure and manage the Keeper Secrets Manager platform
Overview
Keeper Secrets Manager is a cloud-based, Zero-Knowledge platform for DevOps and engineering teams to centrally manage and control access to privileged accounts. Common use cases for Secrets Manager include:
Removing hard-coded credentials from source code, configuration files and CI/CD systems
Protecting access to privileged passwords, API keys and other managed secrets.
Providing vault access to machines and applications.
Rotating service account credentials on-demand or on a schedule
In Keeper Secrets Manager, an "Application" is created for every target environment which needs access to specific folders in the Keeper Vault. An Application can be granted access to one or more Shared Folders or records within the vault. An Application can be utilized by one or more "Clients" which are individually authenticated and managed by the Secrets Manager infrastructure.
As an example, a Keeper "Application" might represent a production system, and each individual web server in your production system would represent a Client. Each Client authenticates and communicates to the Keeper Vault using a Client ID and a Private Key which is used to sign the request.
The commands in this document can be used to configure the Keeper Secrets Manager applications and client devices.
Keeper Secrets Manager Commands
Whether using the interactive shell, the CLI or a JSON config file, Keeper supports the following commands; each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
secrets-manager Command Format
Keeper Secrets Manager commands follow the format:
secrets-manager <command> <sub command>
For example, to list all apps, use the following command:
secrets-manager app list
A list of all secrets-manager commands and details about each are below:
secrets-manager app list
List all Secrets Manager applications to view the App UID, last access and number of records/folders assigned.
secrets-manager app get
Retrieve detailed information about the application including devices
secrets-manager app create
Create a new application
secrets-manager app remove
Delete an application
secrets-manager app share
Share an application and associated gateways and configurations with another user.
secrets-manager app unshare
Unshare an application from a user
secrets-manager client add
Create a device or machine identity associated with an application
secrets-manager client remove
Remove a device
secrets-manager share add
Associate a folder or record with an application
secrets-manager share remove
Remove a folder or record from an application
Example API Flow
Below is an example of creating an application, assigning secrets and creating machine devices.
Create an application
secrets-manager app create <APPLICATION NAME>
My Vault> secrets-manager app create MyApplication
Create a New Secret
This can be done in the Vault user interface, but here we'll do it from the shell: create a Secret, create a Shared Folder, then move the Secret into the Shared Folder. Example commands are below:
My Vault> add --login admin --pass "46$$625" --url "192.168.1.1" -t "Test Secret"
My Vault> mkdir -sf -a "My Shared Folder"
My Vault> mv "Test Secret" "My Shared Folder"
Share the Folder to the Secrets Manager Application
My Vault> secrets-manager share add --app MyApplication --secret n4QtaKjRjhWMz5aS7bT77Q
Allow a client to access an application
My Vault> secrets-manager client add MyApplication
Get a List of all applications
secrets-manager app list
My Vault> secrets-manager app list
List of all Applications
Title Uid
--------- ----------------------
PythonApp oXMfwo-hzZNRqMXGvJlccQ
TestApp KtU4eAzor5IpqRW3x4A8FA
View the details of an individual application
secrets-manager app get <APPLICATION NAME|APP UID>
My Vault> secrets-manager app get MyApplication
Secrets Manager Application
App Name: MyApplication
App UID: ji__h4gaY3xvQdatVY_ffA
Client Device 1
=============================
Name: Device1
Short ID: nWThUIbR
Created On: 2021-10-11 16:26:21
First Access: 2021-10-11 16:27:05
Last Access: 2021-10-11 16:49:47
IP Lock: Disabled
IP Address: --
Application Access
Share Type UID Title Permissions
------------ ---------------------- ---------------------- -------------
FOLDER J6xMIXKiwMqIyYJL7kd3xw Secrets Editable
RECORD mux0ZaWKd-h8maggFzy1rw Database Login Read-Only
Commands
secrets-manager app create command
Command: secrets-manager app create
Detail: Create a new application that will be used to link clients to secrets
Parameters:
Name of the application
Example:
My Vault> secrets-manager app create PythonApp
Application was added successfully
secrets-manager app get command
Command: secrets-manager app get
Detail: Display information about a specified application
Parameters:
Name or UID of the application
Examples:
My Vault> secrets-manager app get PythonApp
Secrets Manager Application
App Name: PythonApp
App UID: ji__hxgaY3xvQdefVY_ffA
Client Device 1
=============================
Name: Device1
Short ID: nWThUIbR
Created On: 2021-10-11 16:26:21
First Access: 2021-10-11 16:27:05
Last Access: 2021-10-11 16:49:47
IP Lock: Disabled
IP Address: --
Application Access
Share Type UID Title Permissions
------------ ---------------------- ---------------------- -------------
FOLDER J62WIXgJwMqIyYJL7kd3xw Secrets Editable
RECORD mux0ZaWKd-vpmaggFzLkrw Database Login Read-Only
secrets-manager app remove command
Command: secrets-manager app remove
Detail: Remove an application
Parameters:
Name or UID of the application
Examples:
My Vault> secrets-manager app remove PythonApp
This Application (uid: 2lj-PaoQp281mTV7GWK5Bw) has 5 client(s), 1 shared folder(s), and 10 record(s).
Are you sure you want to delete this application [y/n]: >? y
>? y
Removed Application uid: 2lj-PaoQp281mTV7GWK5Bw
My Vault> secrets-manager app remove KtU4eAzor5IpqRW3x4A8FA
This Application (uid: KtU4eAzor5IpqRW3x4A8FA) has 12 client(s), 1 shared folder(s), and 4 record(s).
Are you sure you want to delete this application [y/n]: >? y
>? y
Removed Application uid: KtU4eAzor5IpqRW3x4A8FA
secrets-manager app share command
Sharing an application with a user gives them access to the Gateways, Devices and Folders associated with it.
Command: secrets-manager app share
Detail: Share an application and associated gateways and configurations with another user.
Parameters:
Name or UID of the application
Email of the user to share with
Examples:
secrets-manager app share KtU4eAzor5IpqRW3x4A8FA --email user@company.com
secrets-manager app unshare command
Command: secrets-manager app unshare
Detail: Unshare an application from a user.
Parameters:
Name or UID of the application
Email of the user to remove from the application
Examples:
secrets-manager app unshare KtU4eAzor5IpqRW3x4A8FA --email user@company.com
secrets-manager app list command
Command: secrets-manager app list
Detail: List all created applications
Example:
My Vault> secrets-manager app list
List of all Applications
Title Uid
--------- ----------------------
PythonApp oXMfwo-hzZNRqMXGvJlccQ
TestApp KtU4eAzor5IpqRW3x4A8FA
secrets-manager share add command
Command: secrets-manager share add
Detail: Add a secret (record or shared folder) to an Application
Switches:
--secret, -s <SECRET UID>: secret to share; can be a folder or record UID
--app, -a <APPLICATION RECORD UID>: application to share with
--editable, -e: allow edits to the records
Examples:
My Vault> secrets-manager share add --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ"
Successfully added new record uid=E7YS6Yqmhsip52DzwdC9gw to app uid=oXMfwo-hzZNRqMXGvJlccQ
secrets-manager share remove command
Command: secrets-manager share remove
Detail: Remove a secret (record or shared folder) from an Application
Switches:
--secret, -s <SECRET UID>: secret to remove; can be a folder or record UID
--app, -a <APPLICATION RECORD UID>: application to remove the secret from
Examples:
My Vault> secrets-manager share remove --app PythonApp --secret="-XMfwo-hzZNRqMXGvJlccQ"
Secret share was successfully removed from the application
secrets-manager client add command
Command: secrets-manager client add
Detail: Add a Client to an Application that will be used to connect to the application. The output of this command is a one-time token which is used for initializing the Client device through the Secrets Manager SDK.
Switches:
--name [CLIENT NAME]: name of the client (Default: random 10-character string)
--first-access-expires-in-min [MIN]: first-time access expiration (Default: 60, Max: 1440)
--access-expire-in-min [MIN]: client access expiration (Default: no expiration)
--unlock-ip: do not lock the client to the IP address of the first requesting device
--count [NUM]: number of tokens to generate (Default: 1)
--config-init [json, b64 or k8s]: initialize a configuration string from a one-time token
Example 1: Create a new device called "Test 1" and produce a One Time Access Token.
My Vault> sm client add --app Ansible --name "Test 1"
Successfully generated Client Device
====================================
One-Time Access Token: US:_wYNCeeLmBSdDgkcE77NyMcO-6DqLutNO1NylWVyco
Name: Test 1
IP Lock: Enabled
Token Expires On: 2021-09-30 22:52:46
App Access Expires on: Never
Example 2: Create a new device called "Test 2" and produce a fully initialized JSON config file without IP lock. This config file can be loaded into a device directly.
My Vault> sm client add --app Ansible --name "Test 2" --unlock-ip --config-init=json
Successfully generated Client Device
====================================
Initialized Config: {"hostname": "keepersecurity.com","clientId": "XXX","privateKey": "XXX","serverPublicKeyId": "10","appKey": "XXX"}
Name: Test 2
IP Lock: Disabled
Token Expires On: 2021-09-30 22:54:11
App Access Expires on: Never
Example 3: Create a new device called "Test 3" and produce a fully initialized base64 config string without IP lock. This config file can be loaded into a device as a single string instead of using a JSON config file.
My Vault> sm client add --app Ansible --name "Test 3" --unlock-ip --config-init=b64
Initialized Config: eyJob3N0bmFtJjbGllbnRJZCI6I3lHbXZodUZFITEhBbDhBRmVHK1owSDcrN2czOVMvNGkvTU1lcVhhVi92cTc4S3FqM2VuZkdtQkQzNmhsQT09IiweXFHU000OUFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdqN2diVXM2bXVl0bXA0WjlnR0ttaFJBTkNBQVNrdTZCN3dPclpXSGdhR1lzNE1uRGNyZE5xdXYyRkYmNQWTF3S090ZHppME03c05PTnA4cXppU0VLejhUUGVTIiwic2VydmVyUHVibGljS2V5SWQiOiAiMTAiLCJhcHBLZXkiOiAiUFlqdlcrVTqdUljdUh6UzJHcz0ifQ==
Name: Test 3
IP Lock: Disabled
Token Expires On: 2021-09-30 22:59:09
App Access Expires on: Never
Example 4: Create a new device called "Test 4" and produce a fully initialized Kubernetes config without IP lock. The YAML output can be pasted into a file and applied to create a Kubernetes Secret.
My Vault> sm client add --app Nginx --name "Test 4" --unlock-ip --config-init=k8s
apiVersion: v1
data:
  config: eyJob3N0bmFtJjbGllbnRJZCI6I3lHbXZodUZFITEhBbDhBRmVHK1owSDcrN2czOVMvNGkvTU1lcVhhVi92cTc4S3FqM2VuZkdtQkQzNmhsQT09IiweXFHU000OUFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdqN2diVXM2bXVl0bXA0WjlnR0ttaFJBTkNBQVNrdTZCN3dPclpXSGdhR1lzNE1uRGNyZE5xdXYyRkYmNQWTF3S090ZHppME03c05PTnA4cXppU0VLejhUUGVTIiwic2VydmVyUHVibGljS2V5SWQiOiAiMTAiLCJhcHBLZXkiOiAiUFlqdlcrVTqdUljdUh6UzJHcz0ifQ==
kind: Secret
metadata:
  name: ksm-config
  namespace: default
type: Opaque
Name: Test 4
IP Lock: Disabled
Token Expires On: 2021-09-30 22:59:09
App Access Expires on: Never
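As an added example (not Commander's or the KSM SDK's own code), the Python below shows how the three --config-init forms in Examples 2 to 4 relate: the b64 string is the JSON config base64-encoded, and the Kubernetes manifest's data.config is that same b64 string; it also refuses a config that still carries the "XXX" placeholders shown in the docs, and writes the JSON file readable by its owner only. The field values in SAMPLE_CONFIG are constructed, not real credentials.

```python
import base64
import json
import os
import stat

# Field names follow the "Initialized Config" JSON in Example 2; the docs redact values as "XXX".
REQUIRED_FIELDS = ("hostname", "clientId", "privateKey", "serverPublicKeyId", "appKey")
PLACEHOLDERS = {"", "XXX"}

# Constructed sample (not a real device config), same shape as the Example 2 output.
SAMPLE_CONFIG = {"hostname": "keepersecurity.com", "clientId": "CONSTRUCTED-CLIENT-ID",
                 "privateKey": "CONSTRUCTED-PRIVATE-KEY", "serverPublicKeyId": "10",
                 "appKey": "CONSTRUCTED-APP-KEY"}


def encode_config(cfg: dict) -> str:
    """Single-string form, as --config-init=b64 emits it: base64 of the JSON document."""
    return base64.b64encode(json.dumps(cfg).encode()).decode()


def decode_config(b64: str) -> dict:
    """Reverse of encode_config; raises if the string is truncated or not JSON."""
    return json.loads(base64.b64decode(b64, validate=True))


def validate_config(cfg: dict) -> list:
    """Return the fields that are missing or still placeholders; an empty list means loadable."""
    return [f for f in REQUIRED_FIELDS
            if not isinstance(cfg.get(f), str) or cfg.get(f) in PLACEHOLDERS]


def to_k8s_secret(b64: str, name: str = "ksm-config", namespace: str = "default") -> dict:
    """The Secret manifest --config-init=k8s prints: data.config is the b64 string itself."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "data": {"config": b64}}


def write_config_file(path: str, cfg: dict) -> int:
    """Write the JSON config readable by the owner only (mode 0600); returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(cfg, fh)
    os.chmod(path, 0o600)  # the file may have pre-existed with looser permissions
    return stat.S_IMODE(os.stat(path).st_mode)
```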
secrets-manager client remove command
Command: secrets-manager client remove
Detail: Remove a client from an Application
Switches:
--client <CLIENT ID>: client to remove from the application
--app, -a <APPLICATION RECORD UID>: application
--force: don't ask for approval
Examples:
My Vault> secrets-manager client remove --app PythonApp --client MyClient
Are you sure you want to delete 3 matching clients from this application? [y/n]:
>? y
Client removal was successful