PAM Configuration
Creating a PAM Configuration in the Keeper Vault
In Keeper, the PAM Configuration contains the essential information about your target infrastructure, its settings and the associated Keeper Gateway. We recommend setting up one PAM Configuration for each Gateway and network being managed.
To create a new PAM Configuration:
Log in to the Keeper Vault
Select Secrets Manager and the "PAM Configurations" tab
Click on "New Configuration"
When setting up the PAM Configuration, you have the option of choosing one of the following environments:
The following table provides more details on each configurable field in the PAM Configuration record, regardless of the environment you choose:

| Field | Description | Example / Notes |
| --- | --- | --- |
| Title | Name of the PAM Configuration record | Ex: US-EAST-1 Config |
| Application Folder | The shared folder where the PAM Configuration data will be stored | Best practice is to create a folder with access limited to admins. See Security Note (1) below |
| PAM Settings | List of Zero-Trust KeeperPAM features that should be enabled | See this section for more info |
| Default Rotation Schedule | Specify the frequency of rotation | Ex: Daily |
Security Note (1): The PAM Configuration is stored as a record in the vault inside the specified Application Folder and may contain secrets. Therefore, we recommend that access to the Application Folder be limited to privileged admins only.
The following tables provide more details on each configurable field in the PAM Network Configuration record, based on the environment you chose:

| Field | Description | Example |
| --- | --- | --- |
| Network ID | Unique ID for the network. This is for the user's reference | Ex: My Network |
| Field | Description | Example |
| --- | --- | --- |
| AWS ID | A unique ID for the instance of AWS. Required; this is for the user's reference | Ex: AWS-US-EAST-1 |
| Access Key ID | From an IAM user account, the Access Key ID of the desired access key. Leave empty when an EC2 instance role is assumed | |
| Secret Access Key | The secret key for the access key. Leave empty when an EC2 instance role is assumed | |
| Region Names | AWS region names used for discovery, one region per line | Ex: us-east-2 and us-west-1, each on its own line |
| Port Mapping | Any non-standard ports referenced, one entry per line | Ex: 2222=ssh and 3390=rdp, each on its own line |

See additional information on AWS Environment Setup
| Field | Description | Example / Notes |
| --- | --- | --- |
| Azure ID | A unique ID for your instance of Azure. Required; this is for the user's reference | Ex: Azure-1 |
| Client ID | The application/client ID (UUID) of the Azure application | Required |
| Client Secret | The client credentials secret for the Azure application | Required |
| Subscription ID | The UUID of the subscription (e.g. Pay-As-You-Go) | Required |
| Tenant ID | The UUID of the Azure Active Directory | Required |
| Resource Groups | A list of resource groups to be checked, one per line. If left blank, all resource groups will be checked | |

See additional information on Azure Environment Setup
This PAM Configuration type is not yet available; it will be launched in January 2025.

| Field | Description | Required |
| --- | --- | --- |
| DNS Domain Name | The FQDN of the domain used by the Domain Controller. For example, EXAMPLE.COM and not EXAMPLE | Yes |
| Hostname and Port | Hostname and port of the domain controller | Yes |
| Use SSL | If using LDAPS (default port 636), check the box. If using LDAP (default port 389), uncheck the box | Yes |
| Scan Network | Scan the CIDRs from the domain controller. Defaults to False | No |
| Network CIDR | Scan the additional CIDRs listed in this field | No |
| Port Mapping | Define alternative default ports | No |
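As an added example (not Keeper's own code or tooling), a small pre-flight validator for the field formats described in the AWS and Domain Controller tables above: it parses the newline-separated Port Mapping and Region Names entries and checks the Domain Controller FQDN, host:port and Use SSL/port consistency. The dictionary keys and the sample values are assumed names for illustration, not Keeper's record schema.

```python
"""Hypothetical pre-flight validator for PAM Network Configuration fields.
Added example, not Keeper's code; field keys below are assumed names."""
import re

# FQDN: at least one dot-separated label pair, e.g. EXAMPLE.COM but not EXAMPLE
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z0-9-]{1,63}$")


def parse_port_mapping(text):
    """Parse 'port=protocol' entries, one per line (e.g. '2222=ssh'), into
    {port: protocol}. Raises ValueError on malformed or out-of-range entries."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        port_str, sep, proto = line.partition("=")
        if not sep or not port_str.isdigit() or not proto.strip():
            raise ValueError(f"malformed port mapping entry: {line!r}")
        port = int(port_str)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        mapping[port] = proto.strip().lower()
    return mapping


def parse_region_names(text):
    """Newline-separated region names, deduplicated with order preserved."""
    regions = []
    for line in text.splitlines():
        region = line.strip()
        if region and region not in regions:
            regions.append(region)
    return regions


def validate_domain_controller(cfg):
    """Return a list of problems with the Domain Controller fields: FQDN form,
    host:port form, and whether the port matches the Use SSL choice
    (LDAPS 636 vs LDAP 389) unless it is declared in Port Mapping."""
    problems = []
    if not FQDN_RE.match(cfg.get("dns_domain_name", "")):
        problems.append("DNS Domain Name must be a full FQDN such as EXAMPLE.COM")
    host, sep, port_str = cfg.get("hostname_and_port", "").rpartition(":")
    if not sep or not host or not port_str.isdigit():
        problems.append("Hostname and Port must be in host:port form")
        return problems
    port = int(port_str)
    expected = 636 if cfg.get("use_ssl") else 389
    if port != expected and port not in parse_port_mapping(cfg.get("port_mapping", "")):
        problems.append(f"port {port} is not the default ({expected}) for this "
                        "Use SSL setting and is not declared in Port Mapping")
    return problems
```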
The "PAM Features Allowed" and "Session Recording Types Allowed" sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM Configuration:

| Feature | Effect when enabled |
| --- | --- |
| Rotation | Allow rotations on privileged users managed by this PAM Configuration |
| Connections | Allow connections on resources managed by this PAM Configuration |
| Remote Browser Isolation (RBI) | Allow RBI sessions on resources managed by this PAM Configuration |
| Tunneling | Allow tunnels on resources managed by this PAM Configuration |
| Graphical Session Recording | Visual playback sessions are recorded for all connections and RBI sessions |
| Text Session Recording (TypeScript) | Text input and output logs are recorded for all connections and RBI sessions |