Secrets Manager Configuration

Information about Keeper Secrets Manager configuration files


Each Keeper Secrets Manager SDK and integration uses a "configuration" to store connection tokens, encryption keys, identifiers and domain information used to authenticate and decrypt data from the Keeper Secrets Manager APIs.

Secrets Manager configurations are created from One Time Access Tokens and have a one to one relationship with client devices.

Configuration Uniformity

All Keeper Secrets Manager SDKs and integrations use the same configuration format. Raw configurations are in JSON format, though some integrations accept base64 format.

Creating a Secrets Manager Configuration

In the Keeper Vault

A Secrets Manager configuration can be created in the Keeper Vault when creating a new Secrets Manager device.

First navigate to the Secrets Manager tab, and select an Application from the list.

Then, select the "Devices" tab in the right-hand application pane, and click "Edit" to go into edit mode.

From the edit view, you can click "Add Device" to create a new Secrets Manager device to the application.

The Add Device menu will appear. Enter a name for this device, and then select "Configuration File" from the method dropdown.

After Configuration File is selected, you are given options for receiving the configuration. You can choose to generate a configuration in Base64 or json format, and download the configuration to a file, or copy it to the clipboard.

Most Secrets Manager integrations use a base64 string, but you may need a json file in some circumstances.

When ready, click the download or copy button to receive you configuration. Note that when you do this the first time, the device will be created. You are able to download or copy the configuration multiple times.

Using a SDK/Integration

Many Keeper Secrets Manager SDKs and Integrations support creating their own configuration file. You need to pass a One Time Access Token, and the configuration is created automatically.

SDK Example

Below is an example of how to use the Python SDK to create a configuration file. The configuration is created when Secrets Manager is initialized with a One Time Access Token.

from keeper_secrets_manager_core import SecretsManager
from import FileKeyValueStorage

secrets_manager = SecretsManager(
    token='<One Time Access Token>',

In this example, the configuration is being saved to a file named "config.json"

When using a SDK to create a configuration, you only need to initialize and create the configuration file once. After the file has been created, you can use the file to initialize the SDK and remove the One Time Access Token.

Integration Example

Below is in example of using the Keeper Secrets Manager Jenkins Plugin.

The Jenkins plugin takes a One Time Access Token to initialize and creates a configuration automatically behind-the-scenes. In this example, simply enter a One Time Access Token in the form and click 'OK'.

Using a CLI Tool

A Secrets Manager configuration can be initialized from a One Time Access Token using the Secrets Manager CLI as well as the Commander CLI tools. Some Keeper Secrets Manager integrations require a pre-initialized configuration and you will need to use the CLI tools to create a configuration in these cases.

Secrets Manager CLI

The Secrets Manager CLI (KSM) tool can initialize a One Time Access Token and create a configuration.

To do this, run the init command

# initialize a configuration in JSON format and display it
$ ksm init default <One Time Access Token>

# initialize a configuration in k8s format and display it
$ ksm init k8s <One Time Access Token>

# initialize a JSON configuration and save it to a file
$ ksm init default --plain <One Time Access Token> > <FILENAME>

Commander CLI

Commander CLI can be used to initialize a One Time Access Token and create Secrets Manager configuration.

Use the secrets-manager client add Command with --config-init to create a configuration. Configurations can be created in json or base64 formats, or in integration-specific formats in some cases. (see the integrations documentation for more information on what format each integration accepts)

my vault> secrets-manager client add --app <APP NAME> --config-init <FORMAT>

When initializing a configuration in Commander, typically --unlock-ip should be included in the command. If it is not included, the client device will be locked to the IP Address that Commander is using.

Last updated