Example post-rotation scripts that simply echo the input parameters
The example post-rotation scripts below simply echo the input parameters, in several languages and on several platforms. The output of the print statements is written to the Keeper Gateway log file.
Note: For this example, jq needs to be installed to parse the JSON. Attach this as a PAM script and perform the rotation. The Gateway log file will contain the output.
decode-and-echo.sh
#!/bin/bash

# Read the Base64 encoded JSON input and decode it
decoded_json=$(cat | base64 --decode)

# Extract the "records" field, which is Base64 encoded, and decode it separately
records_base64=$(echo "$decoded_json" | jq -r '.records')

# Decode the Base64 "records" field and pretty-print the JSON
decoded_records=$(echo "$records_base64" | base64 --decode | jq '.')

# Print the entire decoded JSON, replacing "records" with the decoded version
echo "$decoded_json" | jq --argjson records "$decoded_records" '.records = $records'
PowerShell Script
Attach this as a PAM script and perform the rotation. The Keeper Gateway log file will contain the output.
Begin {
    # Executes once before first item in pipeline is processed
}

Process {
    # Stop if error. If not set, result value will be True and assumed there
    # was no problem.
    $ErrorActionPreference = "Stop"

    # Executes once for each pipeline object
    $JSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))
    $Params = ($JSON | ConvertFrom-Json)

    Write-Output "providerRecordUid=$($Params.providerRecordUid)"
    Write-Output "resourceRecordUid=$($Params.resourceRecordUid)"
    Write-Output "userRecordUid=$($Params.userRecordUid)"
    Write-Output "newPassword=$($Params.newPassword)"
    Write-Output "oldPassword=$($Params.oldPassword)"
    Write-Output "user=$($Params.user)"

    $recordsJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Params.records))
    $records = ($recordsJSON | ConvertFrom-Json)

    # Output full JSON for records
    Write-Output "Full Records JSON: $recordsJSON"

    # Extract the provider title from the records
    $title = ($records | Where-Object { $_.uid -eq $Params.providerRecordUid }).title
    Write-Output "Provider Title=$title"

    # Loop through all records and display details
    foreach ($record in $records) {
        Write-Output "Record UID=$($record.uid)"
        Write-Output "Record Title=$($record.title)"
        Write-Output "Record Type=$($record.type)"
        Write-Output "Record Details=$($record.details | ConvertTo-Json)"
    }
}

End {
    # Executes once after last pipeline object is processed
}
Keeper Secrets Manager SDKs
The post-rotation script is not limited to shell scripts. Applications can be written in languages like Python or C# to read the piped parameters. Since the UIDs of the records involved in the rotation are passed in the parameters, the post-rotation script can use the Keeper Secrets Manager SDKs to retrieve additional information about them.
#!/usr/bin/env python3
import sys
import base64
import json
from keeper_secrets_manager_core import SecretsManager

# sys.stdin is not an array, it cannot be subscripted (i.e. sys.stdin[0]),
# so iterate over it and stop after the first line.
for base64_params in sys.stdin:
    params = json.loads(base64.b64decode(base64_params).decode())

    print(f"providerRecordUid={params.get('providerRecordUid')}")
    print(f"resourceRecordUid={params.get('resourceRecordUid')}")
    print(f"userRecordUid={params.get('userRecordUid')}")
    print(f"newPassword={params.get('newPassword')}")
    print(f"oldPassword={params.get('oldPassword')}")
    print(f"user={params.get('user')}")

    # The "records" field is itself Base64-encoded JSON: decode it separately
    records = json.loads(base64.b64decode(params.get('records')).decode())

    # Look up the provider record by UID; guard against a missing match
    provider = next((x for x in records if x['uid'] == params.get('providerRecordUid')), None)
    print(f"Provider Title={provider.get('title') if provider else None}")

    # Use the KSM SDK to fetch additional information about the user record.
    # Supply your own KSM configuration in place of the ellipsis.
    ksm = SecretsManager(config=...)
    resource_records = ksm.get_secrets(uids=[params.get('userRecordUid')])[0]
    break
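The following is an added example, not Keeper's own code, showing the input handling that the scripts above share: the Base64-encoded JSON read from stdin, the nested Base64 "records" field, and a lookup of the provider and resource records by UID. Unlike the echo scripts, it builds a log summary that contains UIDs, titles and a yes/no confirmation of the password change but never the old or new password values, which is what you would want to reach the Gateway log file. The field names are those used on this page; the sample UIDs, titles and record types are constructed for the demo, and the encode helper only exists to build that sample (the Gateway produces the real input).

```python
#!/usr/bin/env python3
"""Added example (not Keeper's own code): decode post-rotation parameters and
build a redacted log summary. Sample input below is constructed for the demo."""
import base64
import json
import sys

# Keys whose values must never be written to the Gateway log file.
SECRET_KEYS = ("newPassword", "oldPassword")


def decode_rotation_params(base64_line: str) -> dict:
    """Decode one stdin line; the nested 'records' field becomes a list of dicts."""
    params = json.loads(base64.b64decode(base64_line.strip()).decode("utf-8"))
    records_field = params.get("records")
    if isinstance(records_field, str):
        params["records"] = json.loads(base64.b64decode(records_field).decode("utf-8"))
    elif records_field is None:
        params["records"] = []
    return params


def find_record(params: dict, uid: str):
    """Return the record whose uid matches, or None instead of raising on a miss."""
    return next((r for r in params["records"] if r.get("uid") == uid), None)


def log_summary(params: dict) -> dict:
    """What is safe to log: UIDs, titles and a presence/change check, no secrets."""
    provider = find_record(params, params.get("providerRecordUid"))
    resource = find_record(params, params.get("resourceRecordUid"))
    return {
        "user": params.get("user"),
        "providerRecordUid": params.get("providerRecordUid"),
        "resourceRecordUid": params.get("resourceRecordUid"),
        "providerTitle": provider.get("title") if provider else None,
        "resourceTitle": resource.get("title") if resource else None,
        "recordCount": len(params["records"]),
        # Presence and change checks only; the values stay out of the log.
        "newPasswordSet": bool(params.get("newPassword")),
        "passwordChanged": params.get("newPassword") != params.get("oldPassword"),
    }


def encode_rotation_params(params: dict) -> str:
    """Inverse of decode_rotation_params; used only to build the constructed sample."""
    outer = dict(params)
    outer["records"] = base64.b64encode(json.dumps(params["records"]).encode()).decode()
    return base64.b64encode(json.dumps(outer).encode()).decode()


# Constructed sample: every UID, title, type and password below is made up.
SAMPLE_PARAMS = {
    "providerRecordUid": "EXAMPLE-PROVIDER-UID",
    "resourceRecordUid": "EXAMPLE-RESOURCE-UID",
    "userRecordUid": "EXAMPLE-USER-UID",
    "user": "svc-example",
    "oldPassword": "old-example-secret",
    "newPassword": "new-example-secret",
    "records": [
        {"uid": "EXAMPLE-PROVIDER-UID", "title": "Example Provider", "type": "exampleProvider", "details": {}},
        {"uid": "EXAMPLE-RESOURCE-UID", "title": "Example Resource", "type": "exampleResource", "details": {}},
        {"uid": "EXAMPLE-USER-UID", "title": "svc-example", "type": "exampleUser", "details": {}},
    ],
}


def main() -> None:
    # Read the real parameters when stdin is piped; otherwise use the sample.
    if sys.stdin.isatty():
        line = encode_rotation_params(SAMPLE_PARAMS)
    else:
        line = sys.stdin.readline()
    summary = log_summary(decode_rotation_params(line))
    # Refuse to emit anything if a secret key ever ends up in the summary.
    assert not any(key in summary for key in SECRET_KEYS)
    print(json.dumps(summary))


if __name__ == "__main__":
    main()
```

Run it with no stdin to see the summary for the constructed sample, or attach it as a PAM script to process the real parameters; either way the printed JSON carries record titles and a changed/unchanged flag rather than the password strings themselves.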