Description of the input parameters passed into PAM Scripts
Upon successful rotation of credentials on a PAM record, Keeper executes the attached Post-Rotation scripts with parameters containing information on the involved records, credentials, and user.
The Keeper Gateway executes the PAM scripts and provides inputs to the script through stdin parameters. These parameters are placed in a Base64 encoded JSON object and piped to the script.
For example, the Keeper Gateway will essentially execute the script on a Linux machine as follows:
Windows:
The following keys can be found in this base64 encoded JSON object:
providerRecordUid - The UID of the PAM Configuration record
resourceRecordUid - The UID of the PAM Resource record
userRecordUid - The UID of the PAM User record
newPassword - The new password generated for the User
oldPassword - The previous password for the User
user - The username for the User
records - Base64-encoded JSON array of record dictionaries
Record fields
The value of the records key is a Base64-encoded JSON array of dictionaries. This array will include the following data:
PAM Configuration information
Related PAM Machine, PAM Database, or PAM Directory Record Data
Additional Records / Rotation Credentials supplied when uploading the post-rotation scripts
User Record Data
Each dictionary object will contain:
uid - The UID of the Vault record.
title - The title of the Vault record.
The rest of the dictionary will contain key/value pairs of the record's data, where the key is the label of the field. If the field does not have a label, the field type is used as the key. If the key already exists, a number is appended to the key.
Upon execution of the PAM Script, an array is returned containing an instance of RotationResult for each script that was executed. The RotationResult class has the following attributes:
uid - Keeper Vault record UID that has the script attached.
command - Command that was issued to the shell.
system - Operating system the script runs on.
title - Title of the script attached to the Keeper Vault record.
name - Name of the script attached to the Keeper Vault record.
success - Whether the script was successful:
Linux and macOS - Script returned a 0 exit code.
Windows - Script returned a True status.
stdout - The standard output from the execution of the script.
stderr - The standard error from the execution of the script.
Additionally, the following methods can be used to determine whether the script succeeded:
was_failure - boolean, returns True on failure, False on success
was_success - boolean, returns True on success, False on failure
With this, it is possible to customize logging:
The RotationResult class has the stderr attribute, which holds the standard error output from execution of the script.
Although post-rotation script results and information are available via the RotationResult class, the errors and outputs of scripts depend on the type of shell the script is executed in. Keeper does not inspect the stdout or stderr of the scripts, because Keeper cannot know what constitutes an error for a customer-controlled script.
For example, if a Bash script does not contain set -e, the script continues even if part of it fails. If the script exits with a 0 return code, it will be flagged as successful.
Therefore, it is up to the customer to properly handle the outputs and errors of the script.
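The following Python post-rotation script is an added example, not code from Keeper or this page. It decodes the Base64 JSON object described above (including the nested Base64 "records" array), locates the user record, and exits non-zero on any malformed input so that the RotationResult success flag, which on Linux and macOS depends only on the exit code, reflects a real failure. The sample input, record UIDs and the "login" field label are constructed placeholders.

```python
import base64
import json
import sys
# Constructed sample input (not real data) in the documented layout: a Base64
# JSON object whose "records" value is itself a Base64 JSON array of records.
SAMPLE_RECORDS = [
    {"uid": "REC-CONFIG-0001", "title": "PAM Config (example)"},
    {"uid": "REC-USER-0002", "title": "svc-backup (example)", "login": "svc-backup"},
]
SAMPLE_INPUT = base64.b64encode(json.dumps({
    "providerRecordUid": "REC-CONFIG-0001", "resourceRecordUid": "REC-HOST-0003",
    "userRecordUid": "REC-USER-0002", "user": "svc-backup",
    "newPassword": "new-secret-example", "oldPassword": "old-secret-example",
    "records": base64.b64encode(json.dumps(SAMPLE_RECORDS).encode()).decode(),
}).encode()).decode()
REQUIRED_KEYS = ("providerRecordUid", "resourceRecordUid", "userRecordUid",
                 "newPassword", "user", "records")

def parse_rotation_input(raw):
    """Decode the Base64 JSON piped on stdin, plus the nested "records" array.
    Raises ValueError on malformed input so the caller can exit non-zero."""
    try:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        params = json.loads(base64.b64decode(raw.strip(), validate=True))
        missing = [k for k in REQUIRED_KEYS if k not in params]
        if missing:
            raise ValueError(f"missing keys: {missing}")
        params["records"] = json.loads(base64.b64decode(params["records"], validate=True))
    except (ValueError, TypeError) as exc:
        raise ValueError(f"malformed rotation input: {exc}") from None
    return params

def record_by_uid(params, uid):
    """Return the decoded record dictionary with the given uid, or None."""
    return next((r for r in params["records"] if r.get("uid") == uid), None)

def main():
    try:
        params = parse_rotation_input(sys.stdin.read())
        user_rec = record_by_uid(params, params["userRecordUid"])
        if user_rec is None:
            raise ValueError("user record missing from 'records'")
        # Log context only; never write newPassword or oldPassword to stdout/stderr.
        print(f"rotated {params['user']} ({user_rec['title']}) on {params['resourceRecordUid']}")
        return 0
    except ValueError as exc:
        print(f"post-rotation script failed: {exc}", file=sys.stderr)
        return 1  # non-zero exit -> RotationResult.success is False
if __name__ == "__main__":
    sys.exit(main())
```

Pipe SAMPLE_INPUT into the script on stdin to see the success path; any truncated or non-Base64 input produces a message on stderr and exit code 1.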