Secrets Manager CLI
The Secrets Manager CLI provides shell access to vault secrets
Overview
The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.
Core Features
Get Secrets from the Keeper Vault
Update Secrets from the Keeper Vault
Integrate with 3rd party CI/CD and other dev tools
Sync secrets between Keeper and external secrets providers
Replace environment variables with Keeper secrets in scripts and containers
Keeper provides 2 different CLI tools. The Secrets Manager CLI is targeted to machine-based secrets management. The Commander CLI is more focused on administrative capabilities.
Application and Client Device Setup
In order to use the Secrets Manager CLI, or environment variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. Check out the Quick Start Guide to set this up.
Secrets Manager CLI Installation
The KSM CLI is available as a binary application for Windows/Mac/Linux or a pip3 install for any Python environment.
Binary Install Method
The latest binary release can be found on the GitHub repository. Download the installer based on your operating system.
When launching the CLI in Windows or macOS, the CLI will run in a shell mode. The ksm command is still available via the command line.
The Linux binary is just an executable and should be moved to a directory in the PATH.
Docker Install Method
See the Docker Container page for installation and setup from Keeper's Docker image.
Pip3 and Python3 Install Method
Please ensure that Python 3.x is installed. If not, use your OS-specific package manager to install it.
Make sure your pip3 is up to date:
Now you can install the Secrets Manager CLI:
To upgrade to the latest version:
This method will install the CLI into the system Python. If you do not have root or admin permissions, you can install the CLI by setting up a virtualenv. If you do not use virtualenv, the module and binary will be installed into your $HOME/.local directory for Linux or macOS. You may need to add the bin directory to your PATH.
Installing KSM using virtualenv
For developers, using virtualenv is a clean way to install KSM in an isolated environment.
Then, install ksm to the virtual environment
Source Code
Find the Keeper Secrets Manager CLI source code in the GitHub repository.
Usage
The ksm CLI tool can be used for the following purposes:
Initialize a configuration file for use in integrations such as GitHub Actions ("init")
Create a local profile to execute commands as a client device ("profile")
Query the Keeper vault and retrieve secrets ("secret")
Wrap command-line applications for environmental variable substitution ("exec")
Create a local Client Device
The CLI is initialized as a client device by passing in the One Time Access Token in the ksm profile init command. After initialization, the CLI can be used to obtain secrets. In the example below, replace "XX:XXXX" with the One Time Access Token for your Client Device.
If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN is set.
Example:
Environment variables can be set to reduce the command line flags.
| Environment Variable Name | Description |
| --- | --- |
| KSM_TOKEN | The one time access token used to initialize the client device |
| KSM_HOSTNAME | The host of your Keeper environment. Either US, EU, AU, JP, CA, US_GOV or a full URL. The token will contain the hostname, so this variable is not used in most cases. |
| KSM_INI_DIR | The directory where the INI config file is stored for the CLI. |
| KSM_INI_FILE | The name of the INI config file for the CLI. |
| KSM_CLI_PROFILE | The active profile in the CLI. |
| KSM_CONFIG | A Base64 config string. The CLI will use this for the default profile. |
Execution of Commands
Keeper Secrets Manager commands are run using the ksm program from the command line.
ksm <command> <sub-command> <options>
To get help on a particular command, run:
ksm <command> --help
To get help on a sub-command, run:
ksm <command> <sub-command> --help
| Command | Explanation |
| --- | --- |
| secret | Retrieve secrets from the vault |
| folder | Manage folders |
| profile | Manage local configuration profiles |
| init | Initialize one time access token |
| exec | Execute scripts with environmental variable substitution |
| config | Manage CLI configuration |
| version | Display the CLI version information |
| shell | Start the CLI in an interactive shell mode |
| quit | Quit the shell mode |
Options
--ini-file </path/to/keeper.ini>
Sets the keeper.ini configuration file. If not set, the CLI will check the following directories for the keeper.ini file:
- The path defined by the environment variable KSM_INI_DIR
- The current directory
- The user's home directory: ${HOME}, ${HOME}/.config/ksm, $env:USERPROFILE
- Various system directories: /etc, /etc/ksm, /etc/keeper, $env:APPDATA/Keeper, $env:ProgramData/Keeper, $env:ProgramFiles/Keeper
-p, --profile-name <name>
Use the specified configuration profile
-o, --output <{stdout, stderr, filename}>
Sets the output destination
stdout - Print to stdout (default)
stderr - Print to stderr
<filename> - Send output to a specified text file
--color/--no-color, -c/-nc
Enable or disable color in the output instance.
--cache/--no-cache
Enable or disable using the record cache for this command instance.
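The keeper.ini search order described under --ini-file decides which client device configuration a command picks up, so a copy in the current directory can take the place of the one in your home directory. The script below is an added example, not part of the CLI or Keeper's code: it walks the Linux/macOS locations from that list, reports the file the search would reach first, flags it if group or other users have any permission bits on it, and lists lower-precedence copies. The function names are hypothetical, and it assumes the order in which the directories are listed is the order of precedence.

```shell
#!/bin/sh
# Added example (not Keeper's code): walk the keeper.ini search order listed
# above for Linux/macOS. Function names are hypothetical. Assumes the listed
# order is the precedence order; --ini-file bypasses the search entirely.

# Candidate directories, one per line, in the documented order.
ksm_ini_candidates() {
    if [ -n "${KSM_INI_DIR:-}" ]; then printf '%s\n' "$KSM_INI_DIR"; fi
    pwd
    if [ -n "${HOME:-}" ]; then printf '%s\n' "$HOME" "$HOME/.config/ksm"; fi
    printf '%s\n' /etc /etc/ksm /etc/keeper
}

# Every keeper.ini that exists, highest precedence first.
ksm_list_inis() {
    ksm_ini_candidates | while IFS= read -r dir; do
        if [ -f "$dir/keeper.ini" ]; then printf '%s\n' "$dir/keeper.ini"; fi
    done
}

# The file the search would settle on (empty output if none exists).
ksm_find_ini() {
    ksm_list_inis | head -n 1
}

# Succeeds only when group and other have no permission bits on the file.
ksm_ini_owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Report the active file, its permissions, and any shadowed copies.
ksm_ini_report() {
    active=$(ksm_find_ini)
    if [ -z "$active" ]; then echo "no keeper.ini found"; return 1; fi
    if ksm_ini_owner_only "$active"; then
        echo "active: $active (owner-only)"
    else
        echo "active: $active (WARNING: accessible beyond owner; chmod 600)"
    fi
    ksm_list_inis | sed 1d | sed 's/^/shadowed: /'
}

ksm_ini_report || true
```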