KeeperPAM Commands

Management of KeeperPAM functionality including Discovery, Rotation, Connections and Tunneling

Overview

KeeperPAM functions, including discovery, password rotation, PAM Configuration and Keeper Gateway configuration, can be controlled and managed through Commander using the pam command and its sub-commands. These commands support the Password Rotation and Discovery capabilities of Keeper Secrets Manager and KeeperPAM.

pam command

command: pam

Detail: Perform KeeperPAM controls.

My Vault> pam --help
pam command [--options]

Command    Description
---------  -----------------------------
gateway    Manage Gateways
config     Manage PAM Configurations
rotation   Manage Rotations
action     Execute action on the Gateway
tunnel     Manage Tunnels

Sub-Command: gateway

Detail: View, create and remove Keeper Gateway services.

My Vault> pam gateway help
pam command [--options]

Command    Description
---------  ------------------
list       List Gateways
new        Create new Gateway
remove     Remove Gateway

Sub-Command: config

Detail: View, create, edit and remove Keeper PAM Configurations.

My Vault> pam config help
pam command [--options]

Command    Description
---------  -------------------------------------------------------------
new        Create new PAM Configuration
edit       Edit PAM Configuration
list       List available PAM Configurations associated with the Gateway
remove     Remove a PAM Configuration

Sub-Command: rotation

Detail: View and create Keeper Rotation configuration for records.

My Vault> pam rotation help
pam command [--options]

Command    Description
---------  -----------------------------------
edit       Edits Record Rotation configuration
list       List Record Rotation configuration
info       Get Rotation Info
script     Add, delete, or edit script field

edit

My Vault> pam rotation edit --help
usage: pam rotation edit [-h] (--record RECORD_NAME | --folder FOLDER_NAME) [--force] [--config CONFIG_UID] [--iam-aad-config IAM_AAD_CONFIG_UID]
                         [--resource RESOURCE_UID] [--schedulejson SCHEDULE_JSON_DATA | --schedulecron SCHEDULE_CRON_DATA | --on-demand]
                         [--complexity PWD_COMPLEXITY] [--admin-user ADMIN] [--enable | --disable]

options:
  -h, --help            show this help message and exit
  --record RECORD_NAME, -r RECORD_NAME
                        Record UID, name, or pattern to be rotated manually or via schedule
  --folder FOLDER_NAME, -fd FOLDER_NAME
                        Used for bulk rotation setup. The folder UID or name that holds records to be configured
  --force, -f           Do not ask for confirmation
  --config CONFIG_UID, -c CONFIG_UID
                        UID of the configuration record.
  --iam-aad-config IAM_AAD_CONFIG_UID, -iac IAM_AAD_CONFIG_UID
                        UID of a PAM Configuration. Used for an IAM or Azure AD user in place of --resource.
  --resource RESOURCE_UID, -rs RESOURCE_UID
                        UID of the resource record.
  --schedulejson SCHEDULE_JSON_DATA, -sj SCHEDULE_JSON_DATA
                        Json of the scheduler. Example: -sj '{"type": "WEEKLY", "utcTime": "15:44", "weekday": "SUNDAY", "intervalCount": 1}'
  --schedulecron SCHEDULE_CRON_DATA, -sc SCHEDULE_CRON_DATA
                        Cron tab string of the scheduler. Example: to run job daily at 5:56PM UTC enter following cron -sc "56 17 * * *"
  --on-demand, -od      Schedule On Demand
  --complexity PWD_COMPLEXITY, -x PWD_COMPLEXITY
                        Password complexity: length, upper, lower, digits, symbols. Ex. 32,5,5,5,5
  --admin-user ADMIN, -a ADMIN
                        UID for the PAMUser record to configure the admin credential on the PAM Resource as the Admin when rotating
  --enable, -e          Enable rotation
  --disable, -d         Disable rotation
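
A pre-flight check for the pam rotation edit options listed above, as an added example that is not part of Keeper Commander or of the original page. It validates the --complexity and --schedulejson values and assembles a quoted command line for the My Vault> prompt. Assumptions: the length floor of 20 and the refusal of bulk --force without an explicit --complexity are local policy choices, the last four complexity values are treated as per-class minimums, only the schedule keys shown in the help example are accepted, and POSIX-style quoting is used as in the help text's own -sj example.

```python
import json
import shlex

MIN_LENGTH = 20  # assumed local policy floor, not a Keeper default
SCHEDULE_KEYS = {"type", "utcTime", "weekday", "intervalCount"}  # keys in the page's -sj example
NAMES = ("length", "upper", "lower", "digits", "symbols")

def parse_complexity(spec):
    """Parse 'length,upper,lower,digits,symbols', e.g. '32,5,5,5,5'."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != len(NAMES) or not all(p.isdigit() for p in parts):
        raise ValueError("complexity needs five non-negative integers")
    c = dict(zip(NAMES, map(int, parts)))
    if c["length"] < MIN_LENGTH:
        raise ValueError(f"length {c['length']} is below the policy floor {MIN_LENGTH}")
    # Assumption: the last four values are per-class minimums, so they must fit in length.
    if sum(c[n] for n in NAMES[1:]) > c["length"]:
        raise ValueError("per-class minimums exceed the total length")
    return c

def check_schedule_json(raw):
    """Accept a JSON object using only the known keys; return it in compact form."""
    data = json.loads(raw)
    if not isinstance(data, dict) or "type" not in data or not set(data) <= SCHEDULE_KEYS:
        raise ValueError("schedule must be an object with a 'type' and known keys only")
    hh, _, mm = str(data.get("utcTime", "00:00")).partition(":")
    if not (hh.isdigit() and mm.isdigit() and int(hh) < 24 and int(mm) < 60):
        raise ValueError("utcTime must be HH:MM (UTC)")
    return json.dumps(data, separators=(",", ":"))

def rotation_edit_command(record=None, folder=None, schedule_json=None,
                          on_demand=False, complexity=None, force=False):
    if (record is None) == (folder is None):
        raise ValueError("exactly one of --record / --folder is required")
    if schedule_json is not None and on_demand:
        raise ValueError("--schedulejson and --on-demand are mutually exclusive")
    if folder is not None and force and complexity is None:
        raise ValueError("bulk --force without an explicit --complexity is refused")
    argv = ["pam", "rotation", "edit"]
    argv += ["--record", record] if record is not None else ["--folder", folder]
    if schedule_json is not None:
        argv += ["--schedulejson", check_schedule_json(schedule_json)]
    elif on_demand:
        argv.append("--on-demand")
    if complexity is not None:
        argv += ["--complexity", ",".join(str(v) for v in parse_complexity(complexity).values())]
    if force:
        argv.append("--force")
    return shlex.join(argv)  # quotes record names and JSON so they stay single arguments
```

--schedulecron is left out of this sketch; treat it as a third member of the same mutually exclusive schedule group.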

list

My Vault> pam rotation list --help
usage: pam rotation list [-h] [--verbose]

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v  Verbose output

info

My Vault> pam rotation info --help 
usage: dr-router-get-rotation-info-parser [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate

script

My Vault> pam rotation script --help
pam command [--options]

Command    Description
---------  ---------------------------------
list       List script fields
add        List Record Rotation Schedulers
edit       Add, delete, or edit script field
delete     Delete script field

Sub-Command: action

Detail: Discovery of PAM Resources and privileged accounts through the Keeper Gateway.

My Vault> pam action help
pam command [--options]

Command       Description
------------  ---------------------
gateway-info  Info command
discover      Discover command
rotate        Rotate command
job-info      View Job details
job-cancel    View Job details
debug         PAM debug information

gateway-info

My Vault> pam action gateway-info --help
usage: dr-info-command [-h] [--gateway GATEWAY_UID] [--verbose]

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID
  --verbose, -v         Verbose Output

discover

My Vault> pam action discover --help
pam command [--options]

Command    Description
---------  ----------------------------------
start      Start a discovery process
status     Status of discovery jobs
remove     Cancel or remove of discovery jobs
process    Process discovered items
rule       Manage discovery rules

discover start

My Vault> pam action discover start --help
usage: dr-discover-start-command [-h] --gateway GATEWAY [--resource RESOURCE_UID] [--lang LANGUAGE] [--include-machine-dir-users] [--inc-azure-aadds]
                                 [--skip-rules] [--skip-machines] [--skip-databases] [--skip-directories] [--skip-cloud-users] [--cred CREDENTIALS]
                                 [--cred-file CREDENTIAL_FILE]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --resource RESOURCE_UID, -r RESOURCE_UID
                        UID of the resource record. Set to discover specific resource.
  --lang LANGUAGE       Language
  --include-machine-dir-users
                        Include directory users found on the machine.
  --inc-azure-aadds     Include Azure Active Directory Domain Service.
  --skip-rules          Skip running the rule engine.
  --skip-machines       Skip discovering machines.
  --skip-databases      Skip discovering databases.
  --skip-directories    Skip discovering directories.
  --skip-cloud-users    Skip discovering cloud users.
  --cred CREDENTIALS    List resource credentials.
  --cred-file CREDENTIAL_FILE
                        A JSON file containing list of credentials.

discover status

My Vault> pam action discover status --help
usage: dr-discover-status-command [-h] [--gateway GATEWAY] [--job-id JOB_ID] [--history]

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Show only discovery jobs from a specific gateway.
  --job-id JOB_ID, -j JOB_ID
                        Detailed information for a specific discovery job.
  --history             Show history

discover remove

My Vault> pam action discover remove --help
usage: dr-discover-command-process [-h] --job-id JOB_ID

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job id.

discover process

My Vault> pam action discover process --help
usage: dr-discover-command-process [-h] --job-id JOB_ID [--add-all] [--debug-gs-level DEBUG_LEVEL]

options:
  -h, --help            show this help message and exit
  --job-id JOB_ID, -j JOB_ID
                        Discovery job to process.
  --add-all             Respond with ADD for all prompts.
  --debug-gs-level DEBUG_LEVEL
                        GraphSync debug level. Default is 0

discover rule

My Vault> pam action discover rule --help
pam command [--options]

Command    Description
---------  --------------
add        Add a rule
list       List all rules
remove     Remove a rule
update     Update a rule

discover rule add

My Vault> pam action discover rule add --help
usage: dr-discover-rule-add [-h] --gateway GATEWAY --action {add,ignore,prompt} --priority PRIORITY [--ignore-case] [--shared-folder-uid SHARED_FOLDER_UID]
                            --statement STATEMENT

options:
  -h, --help            show this help message and exit
  --gateway GATEWAY, -g GATEWAY
                        Gateway name of UID.
  --action {add,ignore,prompt}, -a {add,ignore,prompt}
                        Action to take if rule matches
  --priority PRIORITY, -p PRIORITY
                        Rule execute priority
  --ignore-case         Ignore value case. Rule value must be in lowercase.
  --shared-folder-uid SHARED_FOLDER_UID
                        Folder to place record.
  --statement STATEMENT, -s STATEMENT
                        Rule statement

rotate

My Vault> pam action rotate --help
usage: dr-rotate-command [-h] --record-uid RECORD_UID

optional arguments:
  -h, --help            show this help message and exit
  --record-uid RECORD_UID, -r RECORD_UID
                        Record UID to rotate

job-info

My Vault> pam action job-info --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running

job-cancel

My Vault> pam action job-cancel --help
usage: pam-action-job-command [-h] [--gateway GATEWAY_UID] job_id

positional arguments:
  job_id

optional arguments:
  -h, --help            show this help message and exit
  --gateway GATEWAY_UID, -g GATEWAY_UID
                        Gateway UID. Needed only if there are more than one gateway running
