EC2 Cloud Connector

Retrieve Cloud Connector Secrets from KSM


You can store SSH Keys and Windows passwords in your Keeper vault for connecting to EC2 instances alongside the KCM Cloud Connector.

See the AWS EC2 Discovery documentation for more details on connecting KCM with AWS EC2 instances.



The feature must first be enabled using either the Docker environment variable or the guacamole properties.

Docker Environment Variable

For Auto Docker Install and Docker Compose Install methods, in the keeper/guacamole-db-mysql image, a new environmental variable must be defined:


This must contain a Keeper Secrets Manager configuration. It can be the same config used with the KSM_CONFIG variable.

For example:

        image: keeper/guacamole:2
        restart: unless-stopped

For Advanced Linux Install method, update the file.

Property NameDefault ValueDescription



Enable the use of Cloud Connect credentials from KSM connected vaults

Remove volume mount for PEM key files

If you are using Keeper to store the PEM key files, you can remove the volume mount in the Docker Compose file that references the location /var/lib/guac_keys/ as this will not be used.

Configure a Record for use with Cloud Connect

The EC2 cloud connector recognizes Keeper records with specific fields automatically.

To create a record for use with the EC2 Cloud connector, you can either create a record that contains a pem file attachment containing your key, or a record that contains the key as text.

PEM File Record

Create a new record which will contain the pem file. The File Attachment record type is a good match, but any type other than General will work.

The record can have any title, In this example we're using "AWS key: my-machine"

With the record created, attach the pem file.

Optionally, if you include a Hostname/IP and Port field in your record, KCM will automatically associate the pem file with EC2 connections having a matching Hostname/IP.

Lastly, ensure that the new record is in a shared folder that is accessible to KCM via the Secrets Manager vault connection.

Private Key Record

Create a new record which will contain your machine's private key. The record is required to have a "private key" field. The SSH standard record type can be used for this.

The record can have any title.

The new record will need a custom text field named "Instance ID". Add a "Text" type custom field from the Custom Field menu, click "Edit Label" and enter "Instance ID".

The Instance ID field can also be titled anything which begins with "AWS" or "EC2"

With the record ready, enter your machine's private key into the Private Key field, and your AWS instance ID in the new custom field.

Lastly, make sure that the record is in a shared folder that is accessible to KCM via Secrets Manager integration.

Optionally, if you include a Hostname and Port field in your record, KCM will automatically associate the private key with EC2 connections with a matching IP address

The record is now complete, and will be picked up automatically by KCM if the feature is enabled.

Last updated