Accessing Parameters


The Base64 encoded JSON object can be unpacked with various scripts and applications.

Accessing the Parameters on Linux/MacOS

Linux and MacOS has no built in JSON parser, so, in order to parse JSON, a tool like jq is required.

#!/usr/bin/env bash

# Without this the script might report a success if something fails
# in the script.
set -o pipefail -e

IFS= read -r params
json=$(echo "$params" | base64 -d)
$( echo "$json" | jq -r 'keys[] as $k | "export \($k)=\(.[$k])"' )

echo "providerRecordUid=$providerRecordUid"
echo "resourceRecordUid=$resourceRecordUid"
echo "userRecordUid=$userRecordUid"
echo "newPassword=$newPassword"
echo "oldPassword=$oldPassword"
echo "user=$user"

# Record data is another Base64 JSON. An values can be obtained by using 'jq'
recordJson=$(echo "$records" | base64 -d)
title=$(echo "$recordJson" | jq -r ".[] | select(.uid==\"$providerRecordUid\").title")
echo "Provider Title=$title"

Keeper will execute this as follows:

history -c && echo "BASE64==" | /path/to/

MacOS history is not like Linux history. Linux uses history -c, macOS uses local HISTSIZE=0 to clear the history. This mainly affects SSH connections where BASH is not forced.

Accessing the Parameters on Windows

Begin {
    # Executes once before first item in pipeline is processed

Process {
    # Stop if error. If not set, result value will be True and assumed there
    # was no problems.
    $ErrorActionPreference = "Stop"

    # Executes once for each pipeline object    
    $JSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_))
    $Params=($JSON | ConvertFrom-Json)

    Write-Output "providerRecordUid=$($Params.providerRecordUid)"
    Write-Output "resourceRecordUid=$($Params.resourceRecordUid)"
    Write-Output "userRecordUid=$($Params.userRecordUid)"
    Write-Output "newPassword=$($Params.newPassword)"
    Write-Output "oldPassword=$($Params.oldPassword)"
    Write-Output "user=$($Params.user)"
    $recordsJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Params.records))
    $records = ($recordsJSON | ConvertFrom-Json)
    $title = ($records | Where-Object {$_.uid -eq $Params.providerRecordUid}).title
    Write-Output "Provider Title=$title"

End {
    # Executes once after last pipeline object is processed

Keeper will execute this as follows:

"BASE64==" | .\script.ps1; Clear-History

Accessing the Parameters with other Applications

The post rotation script is not limited to shell scripts. Applications can be written in languages like Python or C# to get the piped parameters.

Since the UIDs of the Rotation involved records are passed in the params, Application can also use the KSM SDKs to get additional information about the records.

For more information on the available SDKs, visit:

Accessing the parameters with Python

#!/usr/bin/env python3

import sys
import base64
import json

from keeper_secrets_manager_core import SecretsManager

# sys.stdin is not an array, it can not subscripted (ie sys.stdin[0])
for base64_params in sys.stdin:
    params = json.loads(base64.b64decode(base64_params).decode())

    records = json.loads(base64.b64decode(params.get('records')).decode())
    print("Provider Title="
        f"{next((x for x in records if x['uid'] == params.get('providerRecordUid')), None).get('title')}")

    ksm = SecretsManager(config=...)
    resource_records = ksm.get_secrets(params.get('userRecordUid'))[0]

The next section will go over the results from the Post Rotation Scripts, post execution.

Last updated