Inputs and Outputs

Description of the input parameters passed into PAM Scripts

Overview

Upon successful rotation of credentials on a PAM record, Keeper executes the attached Post-Rotation scripts with parameters containing information on the involved records, credentials, and user.

Inputs

The Keeper Gateway executes PAM scripts and provides their inputs through stdin. The parameters are placed in a JSON object, Base64 encoded, and piped to the script.

For example, the Keeper Gateway will essentially execute the script on a Linux machine as follows:

history -c && echo "BASE64==......" | /path/to/script.sh

Windows:

"BASE64==......" | .\script.ps1; Clear-History

The following keys can be found in this Base64 encoded JSON object:

Key                 Description
providerRecordUid   The UID of the PAM Configuration record
resourceRecordUid   The UID of the PAM Resource record
userRecordUid       The UID of the PAM User record
newPassword         The new password generated for the User
oldPassword         The previous password for the User
user                The username for the User
records             Base64-encoded JSON array of record dictionaries

Additional Info on records field

The value of the records key is a Base64-encoded JSON array of dictionaries. This array will include the following data:

  • PAM Configuration information

  • Related PAM Machine, PAM Database, or PAM Directory Record Data

  • Additional Records supplied when uploading the post-rotation scripts

  • User Record Data

Each dictionary object will contain:

  • uid - The UID of the Vault record.

  • title - The title of the Vault record.

  • The rest of the dictionary will contain key/value pairs of the record's data where the key will be the label of the field. If the field does not contain a label, the field type will be used. If the key already exists, a number will be added to the key.
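As an added example (not Keeper's own code), the following script shows how a Python post-rotation script would consume the payload described above: decode the outer Base64 JSON object, decode the nested Base64 records array, look up a record by its vault title, and exit non-zero on failure. The sample payload, its UIDs, and the field labels "host" and "port" are constructed assumptions.

```python
"""Parse the Base64 JSON the Keeper Gateway pipes to a post-rotation script.
Added example, not Keeper's own code; the sample payload below is constructed."""
import base64
import json
import sys

SENSITIVE_KEYS = {"newPassword", "oldPassword"}

def parse_payload(b64_text):
    """Decode the outer Base64 JSON object, then the nested Base64 'records' array."""
    payload = json.loads(base64.b64decode(b64_text.strip()))
    records_b64 = payload.get("records")
    payload["records"] = json.loads(base64.b64decode(records_b64)) if records_b64 else []
    return payload

def find_record(records, title):
    """Return the first record dictionary with the given vault title, or None."""
    return next((r for r in records if r.get("title") == title), None)

def redacted(payload):
    """Copy of the payload that is safe to print: stdout and stderr are kept in RotationResult."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in payload.items()}

# Constructed sample (UIDs are placeholders; "host"/"port" are assumed field labels).
SAMPLE_RECORDS = [
    {"uid": "CONFIG_UID_PLACEHOLDER", "title": "PAM Configuration"},
    {"uid": "MACHINE_UID_PLACEHOLDER", "title": "db-prod-01", "host": "10.0.0.5", "port": "5432"},
]
SAMPLE_PAYLOAD = base64.b64encode(json.dumps({
    "providerRecordUid": "CONFIG_UID_PLACEHOLDER",
    "resourceRecordUid": "MACHINE_UID_PLACEHOLDER",
    "userRecordUid": "USER_UID_PLACEHOLDER",
    "user": "svc_app",
    "newPassword": "new-secret",
    "oldPassword": "old-secret",
    "records": base64.b64encode(json.dumps(SAMPLE_RECORDS).encode()).decode(),
}).encode()).decode()

def main():
    # A real run reads the Gateway's pipe; with no pipe attached, use the sample.
    data = parse_payload(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PAYLOAD)
    machine = find_record(data["records"], "db-prod-01")
    if machine is None:
        print("resource record not found", file=sys.stderr)
        sys.exit(1)  # non-zero exit code -> RotationResult.success is False
    print(f"rotated {data['user']} on {machine['host']}:{machine['port']}", redacted(data))

if __name__ == "__main__":
    main()
```

Because the Gateway stores the script's stdout and stderr in RotationResult, only the redacted copy of the payload is ever printed.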

Outputs

Upon execution of the PAM Scripts, an array is returned containing one RotationResult instance for each script that was executed. The class RotationResult has the following attributes:

  • uid - Keeper Vault record UID that has the script attached

  • command - Command that was issued to the shell.

  • system - Operating system the script will run upon.

  • title - Title of the script attached to the Keeper Vault record.

  • name - Name of the script attached to the Keeper Vault record.

  • success - Was the script successful?

    • Linux and macOS - Script exited with a 0 return code.

    • Windows - Script returned a True status.

  • stdout - The standard out from the execution of the script.

  • stderr - The standard error from the execution of the script.

Additionally, the following methods can be used to determine whether the script succeeded:

Method        Description
was_failure   boolean, returns True if failure, False if success
was_success   boolean, returns True if success, False if failure

With this, it is possible to customize logging:

Example in Python
# results is the array of RotationResult instances returned after execution
for r in results:
    if r.was_failure:
        # stderr holds the script's own error output, unmodified by Keeper
        print(f"For record {r.uid}, the script {r.title} failed: {r.stderr}")

Errors

The class RotationResult has the attribute stderr, which holds the errors written during execution of the script.

Please note

Although post-rotation script results and information are available via the RotationResult class, the errors and outputs of scripts depend on the type of shell the script is executed in. Keeper does not inspect the stdout or stderr of the scripts, because Keeper cannot know what constitutes an error for a customer-controlled script.

For example, if a Bash script does not contain set -e, the script will continue even if part of it fails. If the script exits with a 0 return code, it will be flagged as successful.

Therefore, it is up to the customer to properly handle the outputs and errors of the script.
