The Base64 encoded JSON object can be unpacked with various scripts and applications.
Accessing the Parameters on Linux/MacOS
Linux and MacOS has no built in JSON parser, so, in order to parse JSON, a tool like jq is required.
#!/usr/bin/env bash# Without this the script might report a success if something fails# in the script.set-opipefail-eIFS=read-rparamsjson=$(echo "$params" |base64-d)$( echo "$json" |jq-r 'keys[] as $k | "export \($k)=\(.[$k])"' )echo"providerRecordUid=$providerRecordUid"echo"resourceRecordUid=$resourceRecordUid"echo"userRecordUid=$userRecordUid"echo"newPassword=$newPassword"echo"oldPassword=$oldPassword"echo"user=$user"# Record data is another Base64 JSON. An values can be obtained by using 'jq'recordJson=$(echo "$records" |base64-d)title=$(echo "$recordJson" |jq-r ".[] | select(.uid==\"$providerRecordUid\").title")echo"Provider Title=$title"
Keeper will execute this as follows:
history-c&&echo"BASE64=="|/path/to/script.sh
MacOS history is not like Linux history. Linux uses history -c, macOS uses local HISTSIZE=0 to clear the history. This mainly affects SSH connections where BASH is not forced.
Accessing the Parameters on Windows
Begin {# Executes once before first item in pipeline is processed}Process {# Stop if error. If not set, result value will be True and assumed there# was no problems. $ErrorActionPreference ="Stop"# Executes once for each pipeline object $JSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($_)) $Params=($JSON |ConvertFrom-Json)Write-Output"providerRecordUid=$($Params.providerRecordUid)"Write-Output"resourceRecordUid=$($Params.resourceRecordUid)"Write-Output"userRecordUid=$($Params.userRecordUid)"Write-Output"newPassword=$($Params.newPassword)"Write-Output"oldPassword=$($Params.oldPassword)"Write-Output"user=$($Params.user)" $recordsJSON = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Params.records)) $records = ($recordsJSON |ConvertFrom-Json) $title = ($records |Where-Object {$_.uid-eq $Params.providerRecordUid}).titleWrite-Output"Provider Title=$title"}End {# Executes once after last pipeline object is processed}
Keeper will execute this as follows:
"BASE64=="|.\script.ps1; Clear-History
Accessing the Parameters with other Applications
The post rotation script is not limited to shell scripts. Applications can be written in languages like Python or C# to get the piped parameters.
Since the UIDs of the Rotation involved records are passed in the params, Application can also use the KSM SDKs to get additional information about the records.
For more information on the available SDKs, visit:
#!/usr/bin/env python3import sysimport base64import jsonfrom keeper_secrets_manager_core import SecretsManager# sys.stdin is not an array, it can not subscripted (ie sys.stdin[0])for base64_params in sys.stdin: params = json.loads(base64.b64decode(base64_params).decode())print(f"providerRecordUid={params.get('providerRecordUid')}")print(f"resourceRecordUid={params.get('resourceRecordUid')}")print(f"userRecordUid={params.get('userRecordUid')}")print(f"newPassword={params.get('newPassword')}")print(f"oldPassword={params.get('oldPassword')}")print(f"user={params.get('user')}") records = json.loads(base64.b64decode(params.get('records')).decode())print("Provider Title="f"{next((x for x in records if x['uid'] == params.get('providerRecordUid')), None).get('title')}") ksm =SecretsManager(config=...) resource_records = ksm.get_secrets(params.get('userRecordUid'))[0]break
The next section will go over the results from the Post Rotation Scripts, post execution.
