Inputs and Outputs
Description of the input parameters passed into PAM Scripts
Overview
Upon successful rotation of credentials on a PAM record, Keeper executes the attached Post-Rotation scripts with parameters containing information on the involved records, credentials, and user.
Inputs
The Keeper Gateway executes PAM scripts and passes their inputs on standard input: the parameters are placed in a JSON object, Base64-encoded, and piped to the script. Base64 is an encoding, not encryption, so the new and previous passwords arrive in a form that anything able to read the script's stdin can recover; do not echo or log the raw input.
On a Linux machine the Keeper Gateway essentially pipes the Base64 string into the script's standard input, and the same Base64 string is supplied on standard input on Windows.
The following keys can be found in this Base64-encoded JSON object:
| Key | Description |
|---|---|
| | The UID of the PAM Configuration record |
| | The UID of the PAM Resource record |
| | The UID of the PAM User record |
| | The new password generated for the User |
| | The previous password for the User |
| | The username for the User |
| | Base64-encoded JSON array of record dictionaries |
Additional Info on the records field
The value of the records key is a Base64-encoded JSON array of dictionaries. This array includes:
- PAM Configuration information
- Related PAM Machine, PAM Database, or PAM Directory record data
- Additional records supplied when uploading the post-rotation scripts
- User record data
Each dictionary object contains:
- uid: The UID of the Vault record.
- title: The title of the Vault record.
The rest of the dictionary contains key/value pairs of the record's data, where the key is the label of the field. If the field has no label, the field type is used instead. If the key already exists, a number is appended to the key.
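The following is an added example, not Keeper's own code, of a Python post-rotation script that decodes the stdin envelope described above and fails closed on malformed input. It relies only on the `records`, `uid` and `title` keys named on this page; the outer parameter keys from the table are carried through as-is rather than hard-coded. `SECRET_MARKERS`, `find_record`, `redacted`, `build_sample_envelope` and the sample record contents are assumptions constructed for illustration.

```python
"""Added example, not Keeper's own code: a post-rotation script skeleton that
decodes the stdin envelope described above and fails closed on bad input."""
import base64
import json
import sys

# Assumption for this example: keys containing one of these substrings hold
# secrets and are masked before anything is written to stdout/stderr.
SECRET_MARKERS = ("password", "secret", "privatekey", "token")


def decode_b64_json(blob):
    """Decode a Base64 string (str or bytes) that wraps a JSON document."""
    if isinstance(blob, str):
        blob = blob.encode("ascii")
    return json.loads(base64.b64decode(blob, validate=True))


def parse_rotation_input(raw):
    """Parse the envelope the Gateway pipes to stdin.

    Returns {"params": <outer object with `records` decoded>,
             "records": <list of record dicts, each with uid and title>}.
    Raises ValueError on anything that is not the documented shape so the
    caller can exit non-zero rather than act on partial data.
    """
    try:
        params = decode_b64_json(raw.strip())
    except (ValueError, TypeError) as exc:      # bad Base64 or bad JSON
        raise ValueError("stdin is not a Base64-encoded JSON object") from exc
    if not isinstance(params, dict):
        raise ValueError("expected a JSON object at the top level")

    records = []
    if "records" in params:
        try:
            records = decode_b64_json(params["records"])
        except (ValueError, TypeError) as exc:
            raise ValueError("records is not a Base64-encoded JSON array") from exc
        if not isinstance(records, list) or not all(
            isinstance(r, dict) and "uid" in r and "title" in r for r in records
        ):
            raise ValueError("each record must be a dictionary with uid and title")
    return {"params": dict(params, records=records), "records": records}


def find_record(records, title):
    """Return the first record whose title matches, or None."""
    for rec in records:
        if rec.get("title") == title:
            return rec
    return None


def redacted(mapping):
    """Copy of a record with secret-looking values masked, safe to log."""
    out = {}
    for key, value in mapping.items():
        lowered = key.lower()
        out[key] = "***" if any(m in lowered for m in SECRET_MARKERS) else value
    return out


def build_sample_envelope():
    """Constructed sample input (not real Gateway output) for local testing.
    Only the `records` key is populated; the other keys from the table above
    would sit beside it in a real envelope."""
    records = [
        {"uid": "REC1", "title": "db-admin", "login": "svc_db", "password": "S3cr3t!"},
        {"uid": "REC2", "title": "prod-db", "host": "db01.internal"},
    ]
    records_b64 = base64.b64encode(json.dumps(records).encode()).decode()
    envelope = {"records": records_b64}
    return base64.b64encode(json.dumps(envelope).encode()).decode()


def main():
    try:
        parsed = parse_rotation_input(sys.stdin.read())
    except ValueError as exc:
        print("post-rotation script: %s" % exc, file=sys.stderr)
        return 1    # non-zero exit so the Gateway reports the script as failed
    for rec in parsed["records"]:
        # Log a masked view only; the raw record carries the credentials.
        print("record %s (%s): %s" % (rec["uid"], rec["title"], redacted(rec)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To try it locally, pipe `build_sample_envelope()` into the script, e.g. `python3 -c 'import script; print(script.build_sample_envelope())' | python3 script.py`. Returning a non-zero exit code on parse failure matters because, as described under Outputs below, the exit code is the only thing the Gateway uses to decide whether the script succeeded.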
Outputs
Upon execution of the PAM scripts, an array is returned containing one instance of RotationResult for each script that was executed. The class RotationResult has the following attributes:
- uid: Keeper Vault record UID that has the script attached.
- command: Command that was issued to the shell.
- system: Operating system the script ran on.
- title: Title of the script attached to the Keeper Vault record.
- name: Name of the script attached to the Keeper Vault record.
- success: Whether the script succeeded. On Linux and macOS, the script returned a 0 exit code; on Windows, the script returned a True status.
- stdout: The standard output from the execution of the script.
- stderr: The standard error from the execution of the script.
Additionally, the following methods can be used to determine whether the script succeeded:
| Method | Description |
|---|---|
| | boolean, returns True if failure, False if success |
| | boolean, returns True if success, False if failure |
These make it possible to customize logging.
Errors
The class RotationResult has the attribute stderr, which captures the standard error output of the script.
Please note
Although post-rotation script results and information are available via the RotationResult class, what counts as output or error is determined by the shell the script runs in. Keeper does not inspect the stdout or stderr of a script, because Keeper cannot know what constitutes an error for a customer-controlled script; it evaluates only the success criteria above (exit code on Linux and macOS, status on Windows).
For example, if a Bash script does not contain set -e, the script continues past a failing command. If the script then exits with a 0 return code, it is flagged as successful even though part of it failed.
Therefore, it is up to the customer to handle the outputs and errors of the script, and to exit with a non-zero code whenever the script should be reported as failed.
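The caveat above, as an added example that is not part of Keeper's documentation or code: three constructed POSIX sh scripts are run from Python with `subprocess`, showing that a script without `set -e` is reported as successful although a step failed, that `set -e` turns the same failure into a non-zero exit, and how an explicit exit code plus a stderr message make the failure visible through the success and stderr attributes described under Outputs. `run_script`, `script_success` and `report` are helpers written for this example, and the exit-code rule they apply is the Linux/macOS rule from this page.

```python
"""Added example (not Keeper's code): why a post-rotation script that does not
fail fast is reported as successful, and how to make a failure visible."""
import subprocess

# Constructed sample scripts. Each tries a step that fails ("false" always
# exits 1) and then continues with work that should have depended on it.
SCRIPT_NO_SET_E = """
false
echo 'credential pushed'   # still runs; the script's own exit code is 0
"""

SCRIPT_WITH_SET_E = """
set -e                     # abort at the first failing command
false
echo 'credential pushed'   # never reached; exit code is 1 from 'false'
"""

SCRIPT_EXPLICIT = """
if ! false; then
    echo 'push step failed' >&2   # explain on stderr (RotationResult.stderr)
    exit 2                        # non-zero so the result is marked failed
fi
echo 'credential pushed'
"""


def run_script(body):
    """Run a POSIX sh script body and return (returncode, stdout, stderr)."""
    proc = subprocess.run(["sh", "-c", body], capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def script_success(returncode):
    """The Linux/macOS success rule described above: exit code 0 means success.
    Nothing in stdout or stderr is consulted, exactly as the page states."""
    return returncode == 0


def report(body):
    """Run a script and summarise it the way a rotation log might."""
    rc, out, err = run_script(body)
    return {"success": script_success(rc), "returncode": rc,
            "stdout": out.strip(), "stderr": err.strip()}


if __name__ == "__main__":
    for label, body in (("without set -e", SCRIPT_NO_SET_E),
                        ("with set -e", SCRIPT_WITH_SET_E),
                        ("explicit exit", SCRIPT_EXPLICIT)):
        print(label, report(body))
```

The first script is the trap: its stdout even claims the credential was pushed, and the result is marked successful. The third form is the one to prefer in a real post-rotation script, since it reports why the step failed on stderr and chooses its own non-zero code, rather than relying on whichever command happened to run last.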