KeeperPAM Commands
Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling
Overview
KeeperPAM including discovery, password rotation, PAM Configuration and Keeper Gateway configuration can be controlled and managed through Commander using the pam
command and sub-commands. These commands support the Password Rotation and Discovery capabilities of Keeper Secrets Manager and KeeperPAM.
pam command
command: pam
Detail: Perform KeeperPAM controls.
My Vault> pam --help
pam command [--options]
Command Description
--------- -----------------------------
gateway Manage Gateways
config Manage PAM Configurations
rotation Manage Rotations
action Execute action on the Gateway
tunnel Manage Tunnels
Sub-Command: gateway
Detail: View, create and remove Keeper Gateway services. To learn more about the Keeper Gateway click here.
My Vault> pam gateway help
pam command [--options]
Command Description
--------- ------------------
list List Gateways
new Create new Gateway
remove Remove Gateway
Sub-Command: config
Detail: View, create, edit and remove Keeper PAM Configurations. To learn more about PAM Configurations click here.
My Vault> pam config help
pam command [--options]
Command Description
--------- -------------------------------------------------------------
new Create new PAM Configuration
edit Edit PAM Configuration
list List available PAM Configurations associated with the Gateway
remove Remove a PAM Configuration
Sub-Command: rotation
Detail: View and create Keeper Rotation configuration for records.
My Vault> pam rotation help
pam command [--options]
Command Description
--------- -----------------------------------
edit Edits Record Rotation configuration
list List Record Rotation configuration
info Get Rotation Info
script Add, delete, or edit script field
edit
My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG_UID] [--iam-aad-config IAM_AAD_CONFIG_UID]
[--resource RESOURCE_UID] [--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand]
[--complexity PWD_COMPLEXITY] [--admin-user ADMIN] [--enable | --disable]
options:
-h, --help show this help message and exit
--record RECORD_NAME, -r RECORD_NAME
Record UID, name, or pattern to be rotated manually or via schedule
--folder FOLDER_NAME, -fd FOLDER_NAME
Used for bulk rotation setup. The folder UID or name that holds records to be configured
--force, -f Do not ask for confirmation
--config CONFIG_UID, -c CONFIG_UID
UID of the configuration record.
--iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
--resource RESOURCE_UID, -rs RESOURCE_UID
UID of the resource record.
--schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
Json of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
--schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
--on-demand, -od Schedule On Demand
--complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5
--admin-user ADMIN, -a ADMIN
UID for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
--enable, -e Enable rotation
--disable, -d Disable rotation
list
My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]
optional arguments:
-h, --help show this help message and exit
--verbose, -v Verbose output
info
My Vault> pam rotation info --help
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
script
My Vault> pam rotation script --help
pam command [--options]
Command Description
--------- ---------------------------------
list List script fields
add List Record Rotation Schedulers
edit Add, delete, or edit script field
delete Delete script field
Sub-Command: action
Detail: Discovery of PAM Resources and privileged accounts through the Keeper Gateway.
My Vault> pam action help
pam command [--options]
Command Description
------------ ---------------------
gateway-info Info command
discover Discover command
rotate Rotate command
job-info View Job details
job-cancel View Job details
debug PAM debug information
gateway-info
My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID
--verbose, -v Verbose Output
discover
My Vault> pam action discover --help
pam command [--options]
Command Description
--------- ----------------------------------
start Start a discovery process
status Status of discovery jobs
remove Cancel or remove of discovery jobs
process Process discovered items
rule Manage discovery rules
discover start
My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
[--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
[--cred-file CREDENTIAL_FILE]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--resource RESOURCE_UID, -r RESOURCE_UID
UID of the resource record. Set to discover specific resource.
--lang LANGUAGE Language
--include-machine-dir-users
Include directory users found on the machine.
--inc-azure-aadds Include Azure Active Directory Domain Service.
--skip-rules Skip running the rule engine.
--skip-machines Skip discovering machines.
--skip-databases Skip discovering databases.
--skip-directories Skip discovering directories.
--skip-cloud-users Skip discovering cloud users.
--cred CREDENTIALS List resource credentials.
--cred-file CREDENTIAL_FILE
A JSON file containing list of credentials.
discover status
My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Show only discovery jobs from a specific gateway.
--job-id JOB_ID, -j JOB_ID
Detailed information for a specific discovery job.
--history Show history
discover remove
My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job id.
discover process
My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]
options:
-h, --help show this help message and exit
--job-id JOB_ID, -j JOB_ID
Discovery job to process.
--add-all Respond with ADD for all prompts.
--debug-gs-level DEBUG_LEVEL
GraphSync debug level. Default is 0
discover rule
My Vault> pam action discover rule --help
pam command [--options]
Command Description
--------- --------------
add Add a rule
list List all rules
remove Remove a rule
update Update a rule
discover rule add
My Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
--statement STATEMENT
options:
-h, --help show this help message and exit
--gateway GATEWAY, -g GATEWAY
Gateway name of UID.
--action {add,ignore,prompt}, -a {add,ignore,prompt}
Action to take if rule matches
--priority PRIORITY, -p PRIORITY
Rule execute priority
--ignore-case Ignore value case. Rule value must be in lowercase.
--shared-folder-uid SHARED_FOLDER_UID
Folder to place record.
--statement STATEMENT, -s STATEMENT
Rule statement
rotate
My Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID
optional arguments:
-h, --help show this help message and exit
--record-uid RECORD_UID, -r RECORD_UID
Record UID to rotate
job-info
My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
job-cancel
My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id
positional arguments:
job_id
optional arguments:
-h, --help show this help message and exit
--gateway GATEWAY_UID, -g GATEWAY_UID
Gateway UID. Needed only if there are more than one gateway running
Last updated