Password Rotation in the Azure Environment
In this section, you will learn how to rotate user credentials within the Azure network environment across various target systems. Rotation works on the devices configured and attached to the Azure Active Directory (Azure AD), which can also be your default directory.
Keeper can rotate the password for Azure AD users, service accounts, local admin users, local users, managed services, databases and more.
Configurations for the Azure Active Directory are defined in the PAM Configuration section of Keeper Secrets Manager.
Configurations for the Azure AD joined devices are defined in the PAM Directory, PAM Machine, and PAM Database record types. The following table shows the supported Azure AD joined devices with Keeper Rotation and their corresponding PAM Record Type:
Azure AD Joined Device | Corresponding PAM Record Type |
---|---|
Azure AD Domain Services | PAM Directory |
Virtual Machines | PAM Machine |
Managed Databases | PAM Database |
Configurations for Azure Directory users' credentials are defined in the PAM User records.
Prior to rotating user credentials within your Azure environment, you need to make sure you have the following information and configurations in place:
All Azure AD joined devices that you want to use with Rotation need to be created and configured within your Azure Active Directory.
To successfully configure and set up Rotation within your Azure network, the following values are needed for your PAM Configuration:
Field | Description |
---|---|
Client ID | The application/client ID (UUID) of the Azure application |
Client Secret | The client credentials secret for the Azure application |
Subscription ID | The UUID of your subscription to use Azure services (e.g. Pay-As-You-Go) |
Tenant ID | The UUID of the Azure Active Directory |
Make sure all the Azure services or Azure AD joined devices you plan on using for rotation have access to the Azure Active Directory. For more information, visit this page.
Create a custom role to allow the application to access/perform actions on various Azure resources. For more information on custom role setup, visit this page.
At a high level, the following steps are needed to successfully rotate passwords on your Azure network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the Azure environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The next section of the documentation covers the Azure Environment Setup.
The following pages cover these steps in more detail and show how to rotate passwords in different scenarios on the Azure network:
Step by step guides for performing rotation on any target system
The setup and configuration of Keeper Rotation is defined by the use case. Keeper supports any cloud or on-prem environment.
Looking for a specific use case we don't cover? Please email feedback@keepersecurity.com.
Rotating Azure AD Admin and User passwords with Keeper
In this guide, you will learn how to rotate passwords for Azure AD users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The Azure AD user accounts to be rotated are stored in PAM User records. For a high-level overview of the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
Your Azure environment is configured per our documentation
The Keeper Gateway uses Azure APIs to rotate the credentials defined in the PAM User records.
Note: You can skip this step if you already have a PAM Configuration set up for Azure.
Prior to setting up the PAM Configuration, make sure that:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
We recommend installing the Keeper Gateway service on a machine within the Azure environment in order to rotate other types of targets.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled in on the PAM Configuration record with your information:
Field | Description |
---|---|
Title | Configuration name, example: Azure Demo |
Environment | Select: Azure Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application from the pre-requisites. Azure AD users are rotated through the Azure APIs, so the Gateway needs outbound access to Azure rather than network access to a directory server |
Application Folder | Select the Shared folder that will contain the PAM User records |
Admin Credentials Record | Not required |
Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it is recommended to keep it short. Ex: Azure-prod |
Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
Client Secret | The client credentials secret for the Azure application. It is random-looking text. |
Subscription ID | The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services. |
Tenant ID | The UUID of the Azure Active Directory |
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation uses the Azure Graph API to rotate the PAM User records in your Azure environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the pre-requisites.
The following table lists all the required fields that need to be filled in on the PAM User record with your information:
Field | Description |
---|---|
Title | Keeper record title |
Login | Case sensitive username of the account being rotated. The username has to be in one of the following formats: |
Password | Providing a password is optional. Performing a rotation will set one if this field is left blank. |
There should only be one PAM User record for each Azure AD user. Having multiple PAM User records with the same user/login will cause conflicts.
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should select the PAM Configuration set up previously.
The "Resource Credential" field should be empty / not selected: Azure AD users are rotated with the application credentials held in the PAM Configuration, not with a separate admin record.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with "Can Edit" rights to a PAM User record has the ability to set up rotation for that record.
Setting up your Azure environment to work with Keeper Secrets Manager
In order to set up your Azure environment, the following steps must be taken:
Create an Azure application in the default Azure Active Directory.
Get values for the Keeper PAM Configuration from this new application.
Grant permissions to the application to access the Azure Active Directory.
Create a custom role to allow the application to access/perform actions on various Azure resources.
Go to the Azure portal > Home and click on Azure Active Directory in the left side vertical menu. Select App Registrations, and then New Registration. Give the new application a name and select Single tenant for Supported account types. Then click the Register button at the bottom.
In the Overview of the application, the Application (client) ID UUID is shown. This is the Client Id field of the Keeper PAM Configuration record. The Directory (tenant) ID is also shown. This is the Tenant Id field of the Keeper PAM Configuration record. Save these values for later.
Next click on Add a certificate or secret under Client credentials. On the next page, click on New client secret, give the client secret a Description, select the desired Expires date, and click Add.
The page will refresh showing the secret Value. Copy the Value (not the Secret ID) into the Keeper PAM Configuration "Client Secret" field. Save this value for later: the portal shows it only once, and a new secret has to be placed in the PAM Configuration before the chosen expiry date or rotation will stop working.
At this point, all the required PAM Configuration fields should be filled in. You also have an Azure application that cannot do anything yet.
In order for the Azure tenant service principal/application to rotate Azure Active Directory users or Azure Active Directory Domain Services users, the application must be assigned to an Administrative role.
From the Azure portal go to Home > Azure Active Directory > Roles and administrators, and click on the Administrative role to use (such as Privileged Authentication Administrator). The correct role depends on what privileges are needed for your use case. Custom roles can be used. Choose the least privileged role that covers the accounts you need to rotate; the distinctions that matter are:
- Can change the password for any user, including a Global Administrator user.
- Can change the password for any user, except a Global Administrator user.
- Global Administrator - It is not recommended to use a Global Administrator on a service principal. However, it will allow both administrator and user passwords to be rotated.
To add the application, click Add assignments and search for the service principal/application that was created, click it, and then Add.
Roles need to be attached to the Azure Application (also called a Service Principal here) in order to rotate passwords of target resources. This is done in the Subscription section of the Azure portal.
Go to the Azure portal > Home > Subscriptions then select your subscription. Click on Access control (IAM), and then Roles.
Click Add on the top menu, and then Add custom role. Jump to the JSON tab. Click on Edit and paste the role definition JSON object, modifying it according to your setup.
The JSON is a complete list of all of the permissions that Keeper Gateway can use, if applicable. Only include those that are needed for your setup.
Change the following before you save:
<ROLE NAME>: Role Name, e.g. "Keeper Secrets Manager"
<DESCRIPTION>: Description, e.g. "Role for password rotation"
<SUBSCRIPTION ID>: Subscription ID of this Azure subscription
Click Save.
When done, click Review + create, and click Create.
Once the role is created, it needs to be assigned to the Application (Service Principal). Click View in the Details column.
A panel will appear on the right side of the screen. Click Assignments, and then Add assignment.
Enter the new role's name in the search bar on the Role tab, then double click it to select it. Move to the Members tab. Click Select members. In the panel that opens, enter the name of the Azure application, select the application, and click Select.
Go to the Review + assign tab and click Review + assign.
🎉 At this point, you have created the necessary roles and applications within your Azure environment.
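The portal steps above, scripted end to end. This is an added example and not Keeper's code: it assumes the Az and Microsoft.Graph PowerShell modules are installed, that the signed-in identity may create app registrations, assign Azure AD directory roles, and write role definitions and assignments at subscription scope, and that the display name "Keeper Secrets Manager", the six-month secret lifetime and the <ACTIONS> placeholder are stand-ins for your own values (the action list must come from the JSON in the guide).

```powershell
# Added example, not Keeper's code: the app registration, client secret,
# directory role and subscription-scoped custom role from the guide above.
# Assumes Az + Microsoft.Graph modules and sufficient rights; names, the
# secret lifetime and <ACTIONS> are placeholders.

Connect-AzAccount | Out-Null
$ctx            = Get-AzContext
$tenantId       = $ctx.Tenant.Id
$subscriptionId = $ctx.Subscription.Id

# 1. Single-tenant app registration plus its service principal.
$app = New-AzADApplication -DisplayName 'Keeper Secrets Manager' -SignInAudience AzureADMyOrg
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. Client secret with a deliberate, short expiry. SecretText is shown only
#    once: it goes straight into the PAM Configuration "Client Secret" field.
$cred = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)

# 3. Directory role so the service principal can reset Azure AD user passwords.
#    Privileged Authentication Administrator is the guide's example; choose the
#    least privileged role that covers the accounts you rotate, never Global Administrator.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory' -NoWelcome
$dirRole = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Privileged Authentication Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $dirRole.Id `
    -PrincipalId $sp.Id -DirectoryScopeId '/' | Out-Null

# 4. Custom RBAC role at subscription scope for the resource-level work
#    (VMs, managed databases). Replace <ACTIONS> with only the entries from the
#    guide's JSON that your targets need.
$roleJson = @"
{
  "Name": "Keeper Secrets Manager",
  "IsCustom": true,
  "Description": "Role for password rotation",
  "Actions": [ "<ACTIONS>" ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@
$roleFile = Join-Path ([System.IO.Path]::GetTempPath()) 'keeper-rotation-role.json'
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8
$role = New-AzRoleDefinition -InputFile $roleFile
Remove-Item $roleFile

# 5. Assign the custom role to the service principal, not to a user. A new SP
#    can take a moment to replicate, so retry the assignment briefly.
$assigned = $null
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        $assigned = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role.Name `
            -Scope "/subscriptions/$subscriptionId" -ErrorAction Stop
    } catch { Start-Sleep -Seconds 10 }
}
if (-not $assigned) { throw 'Role assignment failed after retries' }

# 6. The four PAM Configuration values, and a check of what the SP now holds.
[pscustomobject]@{
    'Tenant ID'       = $tenantId
    'Subscription ID' = $subscriptionId
    'Client ID'       = $app.AppId
    'Client Secret'   = $cred.SecretText
}
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

The final Get-AzRoleAssignment listing is the check worth keeping: the service principal should hold exactly the custom role at the subscription scope and nothing broader. When the client secret reaches its expiry, rerun step 2 and update the PAM Configuration; nothing else needs to change.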
Rotating local and remote user accounts on Azure Virtual Machines with Keeper
In this guide, you'll learn how to rotate Azure Virtual Machine local and remote user accounts within the Azure environment using Keeper Rotation. For a high-level overview on the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created.
Your Azure environment is configured
A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH or WinRM with your target Azure Virtual Machine(s).
PowerShell is available on all Windows machines and bash on all Linux machines
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should contain an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each user account that will be rotated. The PAM Machine record can also be rotated.
The following table lists all the required fields that needs to be filled on the PAM Machine records.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
Make sure the following items are completed first:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that needs to be filled on the PAM Configuration.
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
If a Gateway has already been deployed to an existing PAM Configuration, you can simply adjust the configuration to include additional Administrative Resource Credentials as needed.
In the example below, there are 5 local admin PAM Machine records, one for each VM in Azure. Each of the accounts is used to rotate credentials for local users in each respective machine.
Keeper Rotation will use the credentials in the PAM Machine record to rotate the credentials of accounts referenced by the PAM User records.
The following table lists all the required fields that need to be filled on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine admin credential specific to this user's machine.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
Optionally, the PAM Machine credential can also be rotated. Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine which can rotate the credential.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Rotating Admin/Regular Azure SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure SQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure SQL is an Azure managed resource where the SQL Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure SQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular Azure MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MariaDB Users and Admin accounts on your Azure environment using Keeper Rotation. Azure MariaDB is an Azure managed resource where the MariaDB Admin Credentials are defined in the PAM Database record type and the configurations of the MariaDB Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure MariaDB Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Admin/Regular Azure MySQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure MySQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure MySQL is an Azure managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure MySQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit
rights to a PAM User record has the ability to setup rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Field | Description |
---|---|
Field | Description |
---|---|
Field | Description |
---|---|
For Azure Managed SQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your Azure SQL Server Database
If the Gateway is installed on a Linux or macOS server, install the
Your Azure environment is per our document
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
For Azure Managed MariaDB database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this .
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your Azure MariaDB Server Database
Your Azure environment is per our document
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
For Azure Managed MySQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this .
In 2024, Azure is going to sunset the non-flexible MySQL managed services. Most likely the term flexible will be removed. See:
Keeper Secrets Manager is enabled for your and your
Keeper Rotation is enabled for your
A Keeper Secrets Manager has been created
A Keeper Rotation is already installed, running, and is able to communicate with your Azure MySQL Server Database
Your Azure environment is per our document
Field | Description |
---|
Field | Description |
---|
For more details on all the configurable fields in the PAM Network Configuration record, visit this .
Field | Description |
---|
Title
Name of the Record e.g. Windows Machine 1
Hostname or IP Address
Machine hostname or IP as accessed by the Gateway, e.g. 10.0.1.4
Port
Typically 5985 or 5986 for WinRM, 22 for SSH
Login
Username of the Administrator account
Password
Required for WinRM
Optional for SSH if your setup requires a password, otherwise can use PEM key.
Note: The following chars are restricted: " '
Private PEM Key
Required for SSH if not using a password
Operating System
The VM Operating System: Windows
or Linux
SSL Verification
For WinRM, if selected, will use SSL mode port 5986. Ignored for SSH. See this section for troubleshooting tips
Title
Configuration name, example: Azure Demo
Environment
Select: Azure Network
Gateway
Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the pre-requisites
Application Folder
Select the Shared folder that contains the PAM Machine record(s)
Resource Credential(s)
Select the PAM Machine record containing the admin credentials with sufficient permissions to rotate local user passwords. Important: If there are multiple machines being rotated, each PAM Machine record needs to be added as a Resource Credential.
Azure ID
A unique ID for this instance of Azure. This is for your reference and can be anything, but its recommended to be kept short
Ex: Azure-prod
Client ID
The unique Application (client) ID assigned to your app by Azure AD when the application was registered.
Client Secret
The client credentials secret for the Azure application.
Subscription ID
The UUID that identifies your subscription (i.e. Pay-As-You-GO) to use Azure services.
Tenant ID
The UUID of the Azure Active Directory
Title
Keeper record title i.e. Local User1
Login
Case sensitive username of the account being rotated. The username has to be in one of the following formats:
domain\username
username@domain
Password
Account password is optional, rotation will set one if blank
| Field | Description |
|---|---|
| Title | Configuration name, example: |
| Environment | Select: |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure SQL database from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it's recommended to be kept short. Ex: |
| Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
| Client Secret | The client credentials secret for the Azure application |
| Subscription ID | The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services |
| Tenant ID | The UUID of the Azure Active Directory |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL server requires a database and so this will default to |
| Field | Description |
|---|---|
| Title | Configuration name, example: |
| Environment | Select: |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MariaDB database from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it's recommended to be kept short. Ex: |
| Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
| Client Secret | The client credentials secret for the Azure application |
| Subscription ID | The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services |
| Tenant ID | The UUID of the Azure Active Directory |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Account password is optional; rotation will set one if blank |
| Field | Description |
|---|---|
| Title | Configuration name, example: |
| Environment | Select: |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure MySQL database from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it's recommended to be kept short. Ex: |
| Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
| Client Secret | The client credentials secret for the Azure application |
| Subscription ID | The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services |
| Tenant ID | The UUID of the Azure Active Directory |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Account password is optional; rotation will set one if blank |
| Field | Description |
|---|---|
| Title | Keeper record title. Ex: |
| Hostname or IP Address | The Database Server name, e.g. |
| Port | |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Admin account password |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL server requires a database and so this will default to |
| Database ID | Name of the Azure Database Server, e.g. |
| Database Type | |
| Provider Group | Azure Resource group name |
| Provider Region | Azure Resource region, e.g. |

| Field | Description |
|---|---|
| Title | Keeper record title. Ex: |
| Hostname or IP Address | The Database Server name, e.g. |
| Port | |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation. If the admin in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Admin account password |
| Database ID | Name of the Azure Database Server, e.g. |
| Database Type | |
| Provider Group | Azure Resource group name |
| Provider Region | Azure Resource region, e.g. |

| Field | Description |
|---|---|
| Title | Keeper record title. Ex: |
| Hostname or IP Address | The Database Server name, e.g. |
| Port | |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation. If the Admin account in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Admin account password |
| Database ID | Name of the Azure Database Server, e.g. |
| Database Type | |
| Provider Group | Azure Resource group name |
| Provider Region | Azure Resource region, e.g. |
Rotating Admin/Regular Azure PostgreSQL Single or Flexible Database Users with Keeper
In this guide, you'll learn how to rotate passwords for Azure PostgreSQL Database Users and Admin accounts on your Azure environment using Keeper Rotation. Azure PostgreSQL is an Azure managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
For Azure Managed PostgreSQL database, the Azure SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the Azure network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Azure PostgreSQL Server Database
Your Azure environment is configured per our document
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL Server on Azure. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Azure PostgreSQL Server instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Group, Provider Region, and Database ID will enable managing the PAM Database Record through the Azure SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your Azure environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Azure environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Password Rotation in the AWS Environment
In this section, you will learn how to rotate user credentials within the AWS Cloud environment across various target systems and services.
Configurations for your AWS environment are defined in the PAM Configuration section of Keeper Secrets Manager. Keeper will use the inherited EC2 instance role where the Gateway is installed to authenticate with the AWS system and perform rotation. If instance roles are not defined, the AWS Access Key ID and Secret Key can be stored in the PAM Configuration record to authenticate and perform rotations.
PAM Configuration records are encrypted in the vault just like other Keeper records
Configurations for managed resources like EC2, RDS, and Directory Services are defined in the PAM Machine, PAM Database, and PAM Directory record types. The following table shows the supported AWS managed resources with Keeper Rotation and their corresponding PAM Record Type:
Configurations for directory users or IAM users are defined in the PAM User record type.
Prior to rotating user credentials within your AWS environment, you need to make sure you have the following information and configurations in place:
To configure and setup Rotation within your AWS environment, the following values are needed in the PAM Configuration:
The Keeper Gateway will always first attempt to use the EC2 instance role to authenticate and perform the rotation. If this fails or is not available on the machine, Keeper will use the Access Key ID and Secret Access Key stored in the PAM Configuration.
Visit the following section for more details on setting up your environment in AWS:
At a high level, the following steps are needed to successfully rotate passwords on your AWS network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database and PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Install a Keeper Gateway and add it to the Secrets Manager application
Create a PAM Configuration with the AWS environment setting
Configure Rotation settings on the PAM User records and/or PAM Machine, PAM Database, PAM Directory records
The following pages cover these steps in more detail, showing how to successfully rotate passwords in different scenarios on the AWS network:
Rotating AWS Managed Microsoft AD Service accounts with Keeper
In this guide, you will learn how to rotate Admin and User Accounts of an AWS Managed Microsoft AD service using Keeper Rotation. The Active Directory Service is an AWS managed resource where the Directory Service admin credentials are defined in the PAM Directory record type and the configurations of the AD Users are defined in the PAM User record type.
For Amazon Managed Active Directory Services, the AWS SDK will be used to rotate the password of Directory Admins. User Account passwords will be rotated using LDAP and, in order to successfully rotate, server-side LDAPS must be configured and the Directory Admin, defined in the PAM Directory record type, must be using an SSL connection.
This guide assumes the following tasks have already taken place:
Keeper Rotation will use the Directory admin credentials of your AWS Managed Directory Service to rotate passwords of Domain Service's directory accounts. These admin credentials can also be used to rotate the passwords of the Directory admin.
The following table lists all the required fields on the PAM Directory Record:
Note: Adding Provider Region and Directory ID will enable managing the PAM Directory Record through the AWS SDK, which is preferred.
This PAM Directory Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating directory users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Directory record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Directory credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Directory record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Directory credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
The following Windows command can be used to get the distinguished name of the Directory user:
If the command does not exist, you need to import the appropriate module with:
Default ports (for the full list, see the port mapping): SQL Server 1433, MariaDB 3306, MySQL 3306.
To successfully rotate IAM User accounts, an IAM Admin account needs to be created. An IAM Admin account is an IAM User account with the appropriate policy settings configured to access the target resource. For more information on the policy settings, visit this page.
To successfully rotate credentials of AWS Managed Resources attached to an EC2 instance, a role with the appropriate policy settings needs to be configured and attached to the EC2 instance. For more information on the policy settings, visit this page.
For a high-level overview on the rotation process in the AWS Environment, visit this page.
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Directory Services
Your AWS environment is configured per our documentation
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
| Field | Description |
|---|---|
| Title | Keeper record title, e.g. Azure PostgreSQL Admin |
| Hostname or IP Address | The Database Server name, e.g. testdb-psql.postgresql.database.azure.com |
| Port | For default ports, see the port mapping, e.g. 5432 |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation. If the Admin account in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
| Password | Admin account password |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |
| Database ID | Name of the Azure Database Server, e.g. testdb-psql |
| Database Type | postgresql or postgresql-flexible |
| Provider Group | Azure Resource group name |
| Provider Region | Azure Resource region, e.g. East US |

| Field | Description |
|---|---|
| Title | Configuration name, example: Azure DB Configuration |
| Environment | Select: Azure Network |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Azure PostgreSQL database from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| Azure ID | A unique ID for this instance of Azure. This is for your reference and can be anything, but it's recommended to be kept short. Ex: Azure-Prod |
| Client ID | The unique Application (client) ID assigned to your app by Azure AD when the application was registered |
| Client Secret | The client credentials secret for the Azure application |
| Subscription ID | The UUID that identifies your subscription (e.g. Pay-As-You-Go) to use Azure services |
| Tenant ID | The UUID of the Azure Active Directory |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. Azure PostgreSQL User1 |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@SERVERNAME |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1 |
| AWS Managed Resource | Corresponding Record Type |
|---|---|
| EC2 | PAM Machine |
| RDS | PAM Database |
| Directory Service | PAM Directory |

| Field | Description |
|---|---|
| Access Key ID | This is the Access Key ID from the desired Access Key found in the IAM User account. Set this field to |
| Secret Access Key | This is the Secret Access Key from the desired Access Key found in the IAM User account. Set this field to |

| Field | Description |
|---|---|
| Title | Configuration name, example: |
| Environment | Select: |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Directory record in Step 1 |
| Admin Credentials Record | Select the PAM Directory record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to be kept short. Ex: |
| Access Key ID | Set this field to |
| Access Secret Key | Set this field to |
| Region Names | List of AWS region names, one per line. Example: |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. |
| Login | Username of the Directory Service's user account |
| Password | Account password is optional; rotation will set one if blank |
| Distinguished Name | Directory Service User Account's Distinguished Name (DN) |

| Field | Description |
|---|---|
| Title | Name of the Record, e.g. |
| Hostname or IP Address | The Directory DNS Name, e.g. |
| Port | |
| Use SSL (checkbox) | Must be checked |
| Login | Directory Service Admin Account, e.g. |
| Password | Directory Service Admin Password |
| Distinguished Name | Directory Service Admin Account's Distinguished Name (DN). Note: If DN is not provided, the following format will be used: Given domain name is |
| Domain Name | The Directory DNS Name. Note: This is required if using Login instead of Distinguished Name |
| Directory ID | Directory Service's Identifier, e.g. |
| Directory Type | Directory Service Directory type, defaults to |
| Provider Region | AWS region name, e.g. |
Rotating AWS EC2 Virtual Machine accounts with Keeper
In this guide, you will learn how to rotate AWS EC2 Virtual Machine (VM) Accounts on your AWS Environment using Keeper Rotation. The EC2 VM is an AWS managed resource where the EC2 VM Admin Credentials are defined in the PAM Machine record type and the configurations of the EC2 VM Users are defined in the PAM User record type.
For EC2 VM Accounts, the AWS SDK is not used to rotate the password. Instead, the normal operating system commands are used to change the password. Keeper will connect to the target machine and send command-line commands to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH or WinRM with your target AWS Virtual Machine(s).
Your AWS environment is configured per our documentation
Keeper can rotate any local user account on either the Gateway machine or any other machine on the network. A PAM Machine record should be created for every machine. This PAM Machine record should contain an administrative credential that has the rights to change passwords for users on the machine.
Once a PAM Machine record is created for every machine, a PAM User record needs to be created for each local user account that will be rotated. The PAM Machine record itself can also be rotated.
Keeper will use the referenced admin credential to rotate the password or SSH key of AWS Virtual Machine users in your AWS environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of these user accounts.
If you are running a rotation on a PAM Machine record which also happens to be the same machine running the Keeper Gateway, Keeper will attempt to rotate the password or SSH key for the account using the keeper-gw user. Assuming that keeper-gw has sudoers privilege, it will be able to perform rotations on the local Gateway machine.
The following table lists all the required fields on the PAM Machine record:
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
The PAM Machine record can also be set up for rotation.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating machine users to the existing PAM Configuration.
Make sure the following items are completed first:
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is provisioned in the Keeper Secrets Manager application you created.
PAM Machine records have been created for each target machine
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields that need to be filled in on the PAM Configuration.
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Add all of the Administrative Resource Credentials required for performing rotation on the target machines to your PAM Configuration. For example, if you are rotating 3 different PAM Machines, those need to be added as Resource Credentials on the PAM Configuration.
Keeper will use the credentials in the PAM Machine record to rotate the PAM User records in your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields that need to be filled on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
If rotation of the PAM Machine credential is desired, select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
When rotating the private PEM Key credential on a target machine or user, Keeper will update the authorized_keys file on the machine with the new public key. The first time that a rotation occurs, the old public key is left intact in order to prevent system lockout. The second public key added to the file contains a comment that serves as an identifier for future rotations. For example:
If the first rotation is successful, you can optionally delete the old public key entry in the authorized_keys file. On subsequent rotations, Keeper will update the line which contains the "keeper-security-xxx" comment.
For Linux user rotations, password-encrypted PEM files are not currently supported.
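The authorized_keys handling described above (first rotation appends a tagged key and keeps the old one; later rotations rewrite the tagged line) is easy to get wrong in a home-grown rotator, so here is a small simulation of that behaviour. It is an added example, not Keeper's code; it assumes a key line has the usual "type base64 [comment]" shape, that the identifying comment starts with "keeper-security-", and that the rotation id is an opaque string chosen by the rotator. Lines with a leading options field (for example a `command=` restriction) are not parsed specially.

```python
"""Simulate how a rotator maintains authorized_keys across rotations.

Added illustration, not Keeper's own code. Assumptions: a key line is
"<type> <base64> [comment]", the identifying comment starts with KEEPER_TAG,
and rotation_id is any short opaque string chosen by the rotator.
"""
from __future__ import annotations

KEEPER_TAG = "keeper-security-"   # comment prefix that marks the rotator-managed key


def _split_key_line(line: str) -> tuple[str, str, str] | None:
    """Return (type, key_data, comment) for a key line, or None for blanks/comments.

    Lines with a leading options field are not handled (their first token is
    taken as the type), which is a deliberate simplification of this example.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        return None  # malformed entry; callers leave it untouched
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], comment


def rotate_authorized_keys(content: str, new_public_key: str, rotation_id: str) -> tuple[str, str]:
    """Install new_public_key and report what happened.

    First rotation: the new key is appended with the Keeper tag and every
    existing key is kept, so a failed rotation cannot lock the account out.
    Later rotations: the line already carrying the Keeper tag is rewritten.
    """
    parsed = _split_key_line(new_public_key)
    if parsed is None:
        raise ValueError("new_public_key must look like '<type> <base64> [comment]'")
    key_type, key_data, _ = parsed
    tagged_line = f"{key_type} {key_data} {KEEPER_TAG}{rotation_id}"

    lines = content.splitlines()
    for idx, line in enumerate(lines):
        entry = _split_key_line(line)
        if entry and entry[2].startswith(KEEPER_TAG):
            lines[idx] = tagged_line
            return "\n".join(lines) + "\n", "replaced"
    lines.append(tagged_line)
    return "\n".join(lines) + "\n", "appended"


def remove_key(content: str, key_data: str) -> str:
    """Drop entries whose key material equals key_data.

    This is the optional cleanup of the pre-rotation key once the first
    rotation has been verified to work.
    """
    kept = []
    for line in content.splitlines():
        entry = _split_key_line(line)
        if entry and entry[1] == key_data:
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    # Constructed sample file with one pre-existing admin key.
    original = "ssh-rsa AAAAB3NzaC1OLD admin@box\n"
    first, action = rotate_authorized_keys(original, "ssh-ed25519 AAAAC3NzaC1NEW1", "r1")
    print(action)          # appended (old key kept)
    second, action = rotate_authorized_keys(first, "ssh-ed25519 AAAAC3NzaC1NEW2", "r1")
    print(action)          # replaced (tagged line rewritten)
    print(remove_key(second, "AAAAB3NzaC1OLD"), end="")
```

Only the line carrying the tag is ever rewritten, so keys belonging to other administrators or automation survive every rotation; the explicit `remove_key` step keeps deletion of the original key a deliberate, verified action rather than a side effect.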
How to configure your AWS environment for Keeper Rotation
Resources in your AWS environment can be rotated either using EC2 instance roles or using a specified Access Key ID / Secret Access Key configured in the PAM Configuration record.
The role policy must be configured appropriately to enable access to the target AWS resources:
EC2 Role Policy (Preferred)
The following diagram shows the AWS environment hierarchy:
If you are running the Keeper Gateway on an EC2 instance in AWS, this method of configuration using EC2 IAM instance role policy is preferred.
To rotate credentials of AWS Managed Resources from an EC2 instance, a role with the appropriate policy settings can be configured and attached to the EC2 instance instead of using a static Access Key ID / Secret Access Key.
Below is a basic role policy:
To be configured for rotation, the following inline policy can be created with the following JSON:
The steps to create this in the AWS console are below:
Create role with JSON specified above, or click on IAM > Roles > Create Role > Select "AWS Service" with "EC2 use case".
Attach the above policy JSON to the role
In the EC2 instance view, go to Actions > Security > Modify IAM Role > Select this new role.
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
Using EC2 instance role policy is preferred. Alternatively, the AWS Access Key ID and Secret Access Key can be directly set in the PAM Configuration. The IAM Admin account needs to be created with the appropriate policy settings configured to access the target resource in AWS.
An inline policy can be created for a user with the following JSON:
The above JSON can be edited to remove resources not used for rotation. For example, if no RDS resource is used, you can remove rds:DescribeDBInstances and rds:ModifyDBInstance. However, iam:SimulatePrincipalPolicy is required.
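Trimming either policy (the EC2 role policy above or this IAM user policy) by hand is where the required action tends to get dropped by accident, so the following pre-flight check is worth running over the document before it is attached. This is an added example, not Keeper's or AWS's code, and the sample policy in it is constructed for the example: it contains only the three actions named on this page and is not the page's own policy JSON. The evaluator matches Action wildcards and honours an explicit Deny but ignores Resource, Condition and NotAction, so treat it as a lint pass; the authoritative answer still comes from the IAM policy simulator.

```python
"""Pre-flight lint of a rotation policy document.

Added illustration, not Keeper's or AWS's code. SAMPLE_POLICY is constructed
for this example and lists only the actions the page names. The evaluator
matches Action patterns and honours Deny, but ignores Resource, Condition and
NotAction, so it is a lint pass rather than an authorization decision.
"""
import fnmatch
import json

REQUIRED_ACTIONS = ("iam:SimulatePrincipalPolicy",)
OPTIONAL_RDS_ACTIONS = ("rds:DescribeDBInstances", "rds:ModifyDBInstance")

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:SimulatePrincipalPolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": list(OPTIONAL_RDS_ACTIONS), "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a scalar or a list in Statement and Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy_json: str, actions) -> dict:
    """Map each action to True when some Allow matches it and no Deny does."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    verdict = {}
    for action in actions:
        allowed = denied = False
        for stmt in statements:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
        verdict[action] = allowed and not denied
    return verdict


def check_rotation_policy(policy_json: str) -> dict:
    """Report whether the required action survives and whether RDS is still in scope."""
    verdict = allowed_actions(policy_json, REQUIRED_ACTIONS + OPTIONAL_RDS_ACTIONS)
    missing = [a for a in REQUIRED_ACTIONS if not verdict[a]]
    return {
        "ok": not missing,
        "missing_required": missing,
        "rds_enabled": all(verdict[a] for a in OPTIONAL_RDS_ACTIONS),
    }


def trim_policy(policy_json: str, drop_actions) -> str:
    """Remove unused actions from Allow statements, refusing to drop a required one."""
    drop = {a.lower() for a in drop_actions}
    if drop & {a.lower() for a in REQUIRED_ACTIONS}:
        raise ValueError("refusing to remove a required action")
    doc = json.loads(policy_json)
    kept = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            remaining = [a for a in _as_list(stmt["Action"]) if a.lower() not in drop]
            if not remaining:
                continue  # the statement would allow nothing, so drop it entirely
            stmt = dict(stmt, Action=remaining)
        kept.append(stmt)
    doc["Statement"] = kept
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(check_rotation_policy(SAMPLE_POLICY))
    no_rds = trim_policy(SAMPLE_POLICY, OPTIONAL_RDS_ACTIONS)
    print(check_rotation_policy(no_rds))
```

Run `trim_policy` with the actions you do not need (here the two RDS actions when no RDS resource is rotated) and then `check_rotation_policy` on the result; the trim refuses to touch `iam:SimulatePrincipalPolicy`, and the check flags it if some other edit removed it.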
The steps to create the access keys are below:
Create a new IAM user or select an existing user
Attach the inline policy specified above to the user
Open the IAM user > Security credentials > Create access key
Select "Application running outside AWS"
Save the provided Access Key ID / Secret Access Key into the PAM Configuration
Rotating AWS RDS accounts with Keeper
In this section, you will learn how to rotate DB User or Admin credentials on the following AWS Managed Databases:
If you are running a database directly on an EC2 instance in your AWS environment instead of using a managed service, refer to the Local Network > Database documentation for rotating passwords.
Rotating Admin/Regular AWS SQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MySQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for MySQL is an AWS managed resource where the MySQL Admin Credentials are defined in the PAM Database record type and the configurations of the MySQL Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
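Both this guide and the Azure PostgreSQL guide above say that regular database users are rotated by connecting as the admin and executing SQL. The part that deserves care is composing that statement: a password change cannot be bound as a query parameter in either engine, so the role name and the new password end up spliced into SQL text, and the Login field may carry the `USERNAME@HOST` form the record tables describe. The following is an added example, not Keeper's code, covering both the MySQL/MariaDB and PostgreSQL cases; it assumes "%" is the MySQL wildcard host when none is given, that PostgreSQL runs with standard_conforming_strings on, and a simple password policy of 32 characters drawn from four character classes.

```python
"""Compose the password-change statement a rotator runs as the DB admin.

Added illustration, not Keeper's own code. Assumptions: the Login field may
carry "user@host" as the record tables describe ("%" is the MySQL wildcard
host when no host is given), PostgreSQL runs with standard_conforming_strings
on, and the password policy is length plus four character classes.
"""
import secrets
import string

SYMBOLS = "!#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 32) -> str:
    """Random password containing at least one lower, upper, digit and symbol."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def split_login(login: str) -> tuple:
    """'name@host' -> ('name', 'host'); a bare 'name' gets the '%' wildcard host."""
    user, sep, host = login.rpartition("@")
    if not sep:
        return login, "%"
    if not user or not host:
        raise ValueError("login must be 'name' or 'name@host'")
    return user, host


def _single_quoted(value: str, backslash_escapes: bool) -> str:
    """Quote a SQL string literal; MySQL additionally treats backslash as an escape."""
    if any(ord(c) < 32 for c in value):
        raise ValueError("control characters are not allowed in names or passwords")
    if backslash_escapes:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def _double_quoted_identifier(name: str) -> str:
    """Quote a PostgreSQL identifier so the role name is taken literally."""
    if "\x00" in name:
        raise ValueError("NUL is not allowed in identifiers")
    return '"' + name.replace('"', '""') + '"'


def password_change_sql(db_type: str, login: str, new_password: str) -> str:
    """Return the ALTER statement for the given database type."""
    user, host = split_login(login)
    kind = db_type.lower()
    if kind in ("mysql", "mariadb"):
        return (f"ALTER USER {_single_quoted(user, True)}@{_single_quoted(host, True)} "
                f"IDENTIFIED BY {_single_quoted(new_password, True)};")
    if kind in ("postgresql", "postgresql-flexible"):
        # Azure single-server logins look like user@servername; the role is the user part.
        return (f"ALTER ROLE {_double_quoted_identifier(user)} "
                f"WITH PASSWORD {_single_quoted(new_password, False)};")
    raise ValueError(f"unsupported database type: {db_type}")


if __name__ == "__main__":
    pw = generate_password()
    print(password_change_sql("mysql", "app_user@10.0.0.5", pw))
    print(password_change_sql("postgresql", "app_user@testdb-psql", pw))
```

Because the statement carries the secret in clear text, the connection it travels over is exactly what the Use SSL field on the PAM Database record protects, and the statement text should never reach a query log or debug output.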
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS MySQL Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the MySQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the MySQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, login to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
| Field | Description |
|---|---|
| Title | Name of the record, e.g. AWS Linux 1 |
| Hostname or IP Address | Machine hostname or IP as accessed by the Gateway |
| Port | Typically 5985 or 5986 for WinRM, 22 for SSH. |
| Login | Username of the Admin account |
| Password | Required for WinRM. Optional for SSH if your admin user logs in with a password, otherwise the PEM key is utilized. Note: the following chars are restricted: " ' |
| Private PEM Key | Required for SSH if not using a password |
| Operating System | The VM Operating System, e.g. Windows or Linux |
| SSL Verification | For WinRM, if selected, will use SSL mode port 5986. Ignored for SSH. |

| Field | Description |
|---|---|
| Title | Configuration name, example: AWS VM Configuration |
| Environment | Select: AWS |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Active Directory server from the prerequisites |
| Application Folder | Select the Shared folder that contains the PAM Machine record in Step 1 |
| Admin Credentials Record | Select the PAM Machine record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the directory user account's credentials |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
| Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
| Secret Access Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. AWS Machine1 ec2-user |
| Login | Case sensitive username of the user account being rotated, e.g. ec2-user. |
| Password | This is only required if the user logs in with a password. If the password is left blank, performing a rotation will set one. |
| Private PEM Key | This is only required if you are planning to rotate the PEM key instead of rotating a password. |

| Managed User Type | IAM Policy |
|---|---|
| | Rotation uses local credentials and no specific AWS permissions are needed. |
| PAM Database | Rotation uses AWS APIs for PAM Database records and requires: iam:GetUser, iam:SimulatePrincipalPolicy, rds:ModifyDBInstance, rds:DescribeDBInstances |
| PAM Database or PAM User (via SQL) | For managing PAM Database or PAM User records via SQL no AWS permissions are needed. |
| PAM Directory | Rotation uses AWS APIs for PAM Directory records and requires: iam:SimulatePrincipalPolicy, ds:DescribeDirectories, ds:ResetUserPassword, ds:DescribeLDAPSSettings, ds:DescribeDomainControllers |
| PAM User | Rotation uses AWS APIs for PAM User records and requires: iam:SimulatePrincipalPolicy, iam:UpdateLoginProfile, iam:GetUser |
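The IAM actions listed above are what the gateway credential (or the EC2 instance role behind USE_INSTANCE_ROLE) must be allowed. The following is an added example, not Keeper's code, that turns those action lists into a policy document: the one mutating action per managed user type is pinned to a specific resource ARN while the read-only lookups keep Resource "*". That scoping is this example's assumption, and the account id, region and resource ids are constructed placeholders.

```python
"""Assemble least-privilege IAM policy documents for a Keeper rotation credential.

Added example; not Keeper's code. The ROTATION_ACTIONS lists are the ones
named on the page; pinning the mutating action to one resource ARN is this
example's own least-privilege assumption.
"""
from __future__ import annotations
import json

# Managed user type -> IAM actions listed on the page for that type
ROTATION_ACTIONS = {
    "PAM Database": ["iam:GetUser", "iam:SimulatePrincipalPolicy",
                     "rds:ModifyDBInstance", "rds:DescribeDBInstances"],
    "PAM Directory": ["iam:SimulatePrincipalPolicy", "ds:DescribeDirectories",
                      "ds:ResetUserPassword", "ds:DescribeLDAPSSettings",
                      "ds:DescribeDomainControllers"],
    "PAM User": ["iam:SimulatePrincipalPolicy", "iam:UpdateLoginProfile",
                 "iam:GetUser"],
}


def _scoped_resources(managed_type: str, account_id: str, region: str,
                      ids: list[str]) -> tuple[str, list[str]]:
    """The single mutating action of each managed type and the ARNs it is
    restricted to (ARN formats for RDS instances, Directory Service
    directories and IAM users)."""
    if managed_type == "PAM Database":
        return "rds:ModifyDBInstance", [
            f"arn:aws:rds:{region}:{account_id}:db:{i}" for i in ids]
    if managed_type == "PAM Directory":
        return "ds:ResetUserPassword", [
            f"arn:aws:ds:{region}:{account_id}:directory/{i}" for i in ids]
    if managed_type == "PAM User":
        return "iam:UpdateLoginProfile", [
            f"arn:aws:iam::{account_id}:user/{i}" for i in ids]
    raise ValueError(f"unknown managed user type: {managed_type}")


def rotation_policy(managed_type: str, account_id: str, region: str,
                    resource_ids: list[str]) -> dict:
    """Return an IAM policy document with two statements: the write action
    pinned to the given resources, and the read-only lookups on "*"."""
    if not resource_ids:
        raise ValueError("at least one resource id is required for the write statement")
    mutating, arns = _scoped_resources(managed_type, account_id, region, resource_ids)
    read_only = sorted(a for a in ROTATION_ACTIONS[managed_type] if a != mutating)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeeperRotationWrite", "Effect": "Allow",
             "Action": [mutating], "Resource": arns},
            {"Sid": "KeeperRotationLookup", "Effect": "Allow",
             "Action": read_only, "Resource": "*"},
        ],
    }


def policy_actions(policy: dict) -> set[str]:
    """Flatten every action in a policy document, so a reviewer can confirm
    nothing beyond the page's list slipped in."""
    return {a for stmt in policy["Statement"] for a in stmt["Action"]}


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own account and instance.
    doc = rotation_policy("PAM Database", "123456789012", "us-east-2", ["rdsdb"])
    print(json.dumps(doc, indent=2))
```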
| Field | Description |
|---|---|
| Title | Keeper record title, e.g. AWS MySQL Admin |
| Hostname or IP Address | The RDS Endpoint, e.g. rdsdb.ckivswes.us-east-2.rds.amazonaws.com |
| Port | The RDS Port, e.g. 3306; for default ports see port mapping |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation |
| Password | Admin account password |
| Database ID | The AWS DB instance ID |
| Database Type | mysql |
| Provider Region | The region your Amazon RDS instance is using, e.g. us-east-2 |
| Field | Description |
|---|---|
| Title | Configuration name, example: AWS RDS Configuration |
| Environment | Select: AWS |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL RDS Instance |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
| Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
| Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |
| Field | Description |
|---|---|
| Title | Keeper record title, e.g. AWS DB User 1 |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
| Password | Account password is optional; rotation will set one if blank |
Rotating AWS IAM account passwords with Keeper
In this guide, you will learn how to rotate passwords for AWS IAM users. In Keeper, the PAM Configuration contains all of the information needed to rotate passwords. The AWS IAM user accounts to be rotated are stored in PAM User records.
For a high-level overview on the rotation process in the AWS cloud environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed and running
Your AWS environment is configured per our documentation
The Keeper Gateway uses AWS APIs to rotate the credentials defined in the PAM User records.
In this folder, you’ll create records for the AWS IAM accounts that you’ll rotate. You will create a PAM User record for each user that will be rotated.
Keeper Rotation uses the AWS API to rotate the PAM User records in your AWS environment. The PAM User records need to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Note: You can skip this step if you already have a PAM configuration set up.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Select the PAM User record(s) from Step 2, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field is not needed
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Note: The user must have AWS Console access and at minimum have a temporary password set in the AWS Console before the password can be rotated.
Rotating Admin/Regular AWS SQL Server Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS SQL Server Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for SQL Server is an AWS managed resource where the SQL Server Admin Credentials are defined in the PAM Database record type and the configurations of the SQL Server Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS SQL Server Database
If the Gateway is installed on a Linux or macOS server, install the Microsoft ODBC driver
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the SQL Server RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the SQL Server RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Password Rotation in the Local Network Environment
In this section, you will learn how to rotate user credentials within a Local Network environment across various target systems.
A local network is configured by setting the Local Network as your environment in the PAM Configuration Record. Using this Local Network setting will only allow rotation on the local machine and all interactions with the operating system are done via Bash or PowerShell.
At a high level, the following steps are needed to successfully rotate passwords on your local network:
Create Shared Folders to hold the PAM records involved in rotation
Create PAM Machine, PAM Database, PAM Directory records that contain credentials with the necessary permissions to rotate and update the user's credentials
Create PAM User records that contain the user's information
Create a Secrets Manager Application and assign it to the shared folders that hold the PAM records
Configure the Gateway and add it to the Secrets Manager application
Create a PAM Configuration
Configure Rotation settings on the PAM User records
The following pages cover these steps in more detail and show how to rotate passwords in different scenarios on the local network:
Rotating Admin/Regular AWS PostgreSQL Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS PostgreSQL Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for PostgreSQL is an AWS managed resource where the PostgreSQL Admin Credentials are defined in the PAM Database record type and the configurations of the PostgreSQL Users are defined in the PAM User record type.
This guide assumes the following tasks have already taken place:
The PAM Database record contains the admin credentials and necessary configurations to connect to the PostgreSQL RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the PostgreSQL RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS PostgreSQL Database
Your AWS environment is configured per our documentation
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. AWS user: TestUser |
| Login | Case sensitive username of the account being rotated. This is the last section of the ARN: ...:user/TestUser |
| Password | Providing a password is optional. Performing a rotation will set one if this field is left blank. |
| Distinguished Name | This is the full ARN of the user identity, e.g. arn:aws:iam::123456789:user/TestUser |

| Field | Description |
|---|---|
| Title | Configuration name, example: AWS IAM Configuration |
| Environment | Select: AWS |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application. |
| Application Folder | Select the Shared folder from Step 1 that contains the PAM User record(s) which will be rotated. |
| Admin Credentials Record | This is not required for IAM User rotations. It may be required for other use cases. |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
| Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
| Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. RDS SQL Server Admin |
| Hostname or IP Address | The RDS Endpoint, e.g. rdsdb.ckivswes.us-east-2.rds.amazonaws.com |
| Port | The RDS Port, e.g. 1433; for default ports see port mapping |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation |
| Password | Admin account password |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to master. |
| Database ID | The AWS DB instance ID |
| Database Type | mssql |
| Provider Region | The region your Amazon RDS instance is using, e.g. us-east-2 |

| Field | Description |
|---|---|
| Title | Configuration name, example: AWS RDS Configuration |
| Environment | Select: AWS |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your SQL Server RDS Instance |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
| Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
| Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. AWS DB User 1 |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to master. |
| Field | Description |
|---|---|
| Title | Configuration name, example: |
| Environment | Select: |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL RDS Instance |
| Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
| Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
| AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: |
| Access Key ID | Set this field to |
| Access Secret Key | Set this field to |

| Field | Description |
|---|---|
| Title | Keeper record title, e.g. |
| Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as |
| Password | Account password is optional; rotation will set one if blank |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1 |

| Field | Description |
|---|---|
| Title | Keeper record title, Ex: |
| Hostname or IP Address | The RDS Endpoint, e.g. |
| Port | |
| Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
| Login | Admin account username that will perform rotation |
| Password | Admin account password |
| Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to |
| Database ID | The AWS DB instance ID |
| Database Type | |
| Provider Region | The region your Amazon RDS instance is using, e.g. |
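The RDS guides above all describe the same mechanism for regular database users: Keeper connects with the admin credential from the PAM Database record and issues a SQL statement that changes the user's password. The following added example, which is not Keeper's code, shows that statement for the three engines covered (MySQL/MariaDB, SQL Server, PostgreSQL), honouring the USERNAME@HOST convention of the MySQL PAM User Login field. The Database Type values mysql and mssql come from the tables; postgresql is an assumed value, and the quoting helpers are this example's own.

```python
"""Password-change statements for regular RDS database users.

Added example; not Keeper's code. Builds the ALTER statement an admin
connection would run. Only the statement text is produced here; sending it
over the PAM Database connection (Use SSL checked) is left to the caller.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RotationTarget:
    db_type: str        # "mysql", "mariadb", "mssql" or "postgresql" (assumed)
    login: str          # the PAM User record's Login field
    new_password: str   # the generated password to set


def split_mysql_login(login: str) -> tuple[str, str]:
    """MySQL accounts are 'user'@'host'. The PAM User Login is USERNAME@HOST
    when the account's Host column is not '%'; a bare username means '%'.
    Split on the last '@' so a username containing '@' still works."""
    if "@" in login:
        user, host = login.rsplit("@", 1)
        if user and host:
            return user, host
    return login, "%"


def _mysql_str(value: str) -> str:
    # MySQL string literal: escape backslashes, double embedded single quotes.
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def _mssql_ident(value: str) -> str:
    # Bracket-quoted identifier; a ']' inside is doubled.
    return "[" + value.replace("]", "]]") + "]"


def _mssql_str(value: str) -> str:
    # Unicode literal so non-ASCII passwords survive intact.
    return "N'" + value.replace("'", "''") + "'"


def _pg_ident(value: str) -> str:
    return '"' + value.replace('"', '""') + '"'


def _pg_str(value: str) -> str:
    # With standard_conforming_strings (the default) only quotes need doubling.
    return "'" + value.replace("'", "''") + "'"


def password_change_statement(target: RotationTarget) -> str:
    """Return the engine-specific statement that sets the user's new password.
    The password travels inside the statement, so the admin connection must
    be encrypted and statement logging on the server should be considered."""
    engine = target.db_type.lower()
    if engine in ("mysql", "mariadb"):
        user, host = split_mysql_login(target.login)
        return (f"ALTER USER {_mysql_str(user)}@{_mysql_str(host)} "
                f"IDENTIFIED BY {_mysql_str(target.new_password)};")
    if engine == "mssql":
        return (f"ALTER LOGIN {_mssql_ident(target.login)} "
                f"WITH PASSWORD = {_mssql_str(target.new_password)};")
    if engine in ("postgresql", "postgres"):
        return (f"ALTER ROLE {_pg_ident(target.login)} "
                f"WITH PASSWORD {_pg_str(target.new_password)};")
    raise ValueError(f"unsupported Database Type: {target.db_type}")


if __name__ == "__main__":
    # Constructed sample targets; the passwords are placeholders.
    for t in (RotationTarget("mysql", "appuser@10.0.0.5", "N3w'p"),
              RotationTarget("mssql", "reporter", "N3w'p"),
              RotationTarget("postgresql", "appuser", "N3w'p")):
        print(password_change_statement(t))
```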
Rotating Windows User Accounts on Local Network
In this guide, you'll learn how to rotate Windows user accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed and showing online
Connection Method: choose one of the following methods to enable on your target Windows machine(s):
WinRM: Enabled and running on port 5986. Verification: run winrm get winrm/config to verify that WinRM is running.
OR
SSH: Enabled and running on port 22. Verification: run ssh [your-user]@[your-machine] -p 22 to verify that SSH is running.
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have the sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Machine Record.
The following table lists all the required fields that need to be filled on the PAM Machine Record with your information:
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating Windows users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Machine credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Active Directory accounts remotely using LDAP
In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPS to your directory server.
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM configuration setup.
A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.
Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Directory" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.
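The prerequisite above (the gateway must reach the directory over LDAPS) follows from how Active Directory accepts a password reset: the unicodePwd attribute can only be written over an encrypted session, and the value must be the new password wrapped in double quotes and encoded as UTF-16-LE. The following added example, not Keeper's code, builds that modify request and refuses a plain ldap:// URL; the server URL and the user DN are constructed sample values.

```python
"""Shape of an administrative AD password reset over LDAPS.

Added example; not Keeper's code. Produces the single REPLACE of
unicodePwd an LDAP client would send for the user's DN, after checking the
directory URL is ldaps://. Nothing is sent on the network here.
"""
from __future__ import annotations
from urllib.parse import urlsplit

LDAPS_PORT = 636   # default LDAPS port


def encode_unicode_pwd(new_password: str) -> bytes:
    """AD's unicodePwd wire format: '"<password>"' encoded as UTF-16-LE."""
    return f'"{new_password}"'.encode("utf-16-le")


def require_ldaps(server_url: str) -> tuple[str, int]:
    """Accept only ldaps:// URLs. Over plain ldap:// the domain controller
    rejects the unicodePwd modify, and the bind password would cross the
    network in clear."""
    parts = urlsplit(server_url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError(f"refusing non-LDAPS directory URL: {server_url}")
    return parts.hostname, parts.port or LDAPS_PORT


def build_password_reset(server_url: str, user_dn: str, new_password: str) -> dict:
    """Describe the modify request for an administrative reset: one REPLACE of
    unicodePwd on the user's distinguished name (the DN obtained with
    Get-ADUser as shown above). A self-service change would instead send
    DELETE old value + ADD new value."""
    host, port = require_ldaps(server_url)
    # Every AD DN carries at least one DC= component; catch sAMAccountName
    # or UPN values pasted into the DN field before anything is sent.
    if "DC=" not in user_dn.upper():
        raise ValueError("expected the user's full distinguished name, e.g. CN=...,DC=...")
    return {
        "host": host,
        "port": port,
        "dn": user_dn,
        "changes": [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])],
    }


if __name__ == "__main__":
    # Constructed sample values.
    req = build_password_reset("ldaps://dc01.corp.example",
                               "CN=Bob Smith,OU=Users,DC=corp,DC=example",
                               "placeholder-password")
    print(req["host"], req["port"], req["dn"], req["changes"][0][:2])
```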
Rotating Admin/Regular AWS Oracle Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS Oracle Database User and Admin accounts on your AWS environment using Keeper Rotation. RDS for Oracle is an AWS managed resource where the Oracle Admin Credentials are defined in the PAM Database record type and the configurations of the Oracle Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK will be used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview on the rotation process in the AWS Environment, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS Oracle Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the Oracle RDS instance on AWS. Keeper Rotation will use these provided configurations to rotate passwords of regular database user accounts in the Oracle RDS instance. These provided admin credentials need to also have sufficient database permissions to successfully change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Admin/Regular AWS MariaDB Database Users with Keeper
In this guide, you'll learn how to rotate passwords for AWS MariaDB Database User and Admin accounts in your AWS environment using Keeper Rotation. RDS for MariaDB is an AWS managed resource: the MariaDB Admin Credentials are defined in the PAM Database record type and the MariaDB Users are defined in the PAM User record type.
For Amazon RDS, the AWS SDK is used to rotate the password of Database Admin Accounts. To rotate the passwords of Regular Database Users, Keeper connects to the DB instance with the provided admin credentials and executes the necessary SQL statements to change the password. For a high-level overview of the rotation process in the AWS Environment, visit this page.
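The two rotation paths described above (the RDS API for the admin account, an ALTER statement run by the admin for regular users) are shown in the following added example. This is illustrative code written for this guide, not Keeper's gateway code; the only real API it assumes is boto3's `RDS.Client.modify_db_instance`, and the record values (`bsmith@10.0.0.5`, `DBUSER1`, `rdsdb`) are constructed samples. It also covers the local MySQL, MariaDB, PostgreSQL, Oracle and MongoDB guides later on this page, where only the second path applies, and it applies the `USERNAME@HOST` login convention from the PAM User record and the restricted-character note (`"` and `'`) from the PAM record tables.

```python
"""Rotation mechanics sketched in plain Python (added example, not Keeper's code).

Two paths, matching the guide: the RDS admin (master) password goes through the
AWS API, while regular database users are changed by an ALTER statement that the
admin credential runs inside the database. The only real API assumed is boto3's
RDS.Client.modify_db_instance; every record value used here is a constructed sample.
"""
import secrets
import string
from typing import Tuple

# The PAM records note that " and ' are restricted in stored passwords. The
# generator also skips backslash (a MySQL escape character), backtick and @ (so a
# MySQL login written as USERNAME@HOST stays unambiguous).
_EXCLUDED = "\"'\\`@"
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in _EXCLUDED)


def generate_password(length: int = 32) -> str:
    """CSPRNG password with at least one lower, upper, digit and punctuation char."""
    if length < 16:
        raise ValueError("rotation passwords should be at least 16 characters")
    while True:
        pw = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def check_password(pw: str) -> None:
    """Refuse values the quoting below would otherwise have to escape."""
    bad = sorted(set(pw) & set("\"'\\"))
    if bad:
        raise ValueError(f"password contains restricted characters: {bad}")


def split_mysql_login(login: str) -> Tuple[str, str]:
    """Apply the USERNAME@HOST convention from the PAM User record: no host means '%'."""
    user, _, host = login.partition("@")
    if not user:
        raise ValueError("login must start with a user name")
    return user, host or "%"


def _literal(s: str) -> str:
    """SQL string literal with embedded quotes doubled."""
    return "'" + s.replace("'", "''") + "'"


def _identifier(s: str) -> str:
    """Quoted identifier; quoting also preserves the case-sensitive login."""
    return '"' + s.replace('"', '""') + '"'


def user_rotation_statement(db_type: str, login: str, new_password: str) -> str:
    """The statement the admin session runs for a regular database user."""
    check_password(new_password)
    kind = db_type.lower()
    if kind in ("mysql", "mariadb"):
        user, host = split_mysql_login(login)
        return f"ALTER USER {_literal(user)}@{_literal(host)} IDENTIFIED BY {_literal(new_password)}"
    if kind == "postgresql":
        return f"ALTER ROLE {_identifier(login)} WITH PASSWORD {_literal(new_password)}"
    if kind == "oracle":
        # Oracle takes the password as a (quoted) identifier, not a string literal.
        return f"ALTER USER {_identifier(login)} IDENTIFIED BY {_identifier(new_password)}"
    raise ValueError(f"unsupported database type: {db_type}")


def mongodb_rotation_command(login: str, new_password: str) -> dict:
    """MongoDB has no ALTER USER; the admin runs the updateUser command instead."""
    check_password(new_password)
    return {"updateUser": login, "pwd": new_password}


def admin_rotation_request(database_id: str, new_password: str) -> dict:
    """Keyword arguments for boto3 RDS.Client.modify_db_instance. The Database ID
    field of the PAM Database record is the DBInstanceIdentifier."""
    check_password(new_password)
    return {
        "DBInstanceIdentifier": database_id,
        "MasterUserPassword": new_password,
        "ApplyImmediately": True,
    }


def rotate_rds_admin(rds_client, database_id: str, new_password: str) -> str:
    """Change the master password through the API and return the instance id RDS
    echoes back. rds_client is boto3.client("rds", region_name=<Provider Region>)."""
    response = rds_client.modify_db_instance(**admin_rotation_request(database_id, new_password))
    return response["DBInstance"]["DBInstanceIdentifier"]


if __name__ == "__main__":
    # Constructed sample records, mirroring the PAM User "Login" field.
    new_pw = generate_password()
    print(user_rotation_statement("mariadb", "bsmith@10.0.0.5", new_pw))
    print(user_rotation_statement("oracle", "DBUSER1", new_pw))
    print(mongodb_rotation_command("bsmith", new_pw))
    print(admin_rotation_request("rdsdb", new_pw))
```

Because the generated password never contains quotes or backslashes, the literal quoting is never actually exercised; `check_password` keeps that invariant explicit rather than relying on the generator alone, which matters if an operator supplies the password by hand. The statement is executed over the admin connection the PAM Database record describes (the gateway's job), and the MySQL/MariaDB form is the one that honours a user row whose Host column is not `%`.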
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role
Keeper Rotation is enabled for your role
A Keeper Secrets Manager application has been created
A Keeper Rotation gateway is already installed, running, and is able to communicate with your AWS MariaDB Database
Your AWS environment is configured per our documentation
The PAM Database record contains the admin credentials and necessary configurations to connect to the MariaDB RDS instance on AWS. Keeper Rotation will use these configurations to rotate passwords of regular database user accounts in the MariaDB RDS instance. The admin credentials also need sufficient database permissions to change the credentials of the database user accounts.
The following table lists all the required fields on the PAM Database Record:
Note: Adding Provider Region and Database ID will enable managing the PAM Database Record through the SDK.
This PAM Database Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your AWS environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration".
The following table lists all the required fields on the PAM Configuration Record:
For more details on all the configurable fields in the PAM Network Configuration record, visit this page.
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your AWS environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Linux User Accounts on Local Network
In this guide, you'll learn how to rotate Linux user accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
Keeper Rotation will use an admin credential to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.
In this guide, we will store the admin credentials in a PAM Machine Record.
The following table lists all the required fields that need to be filled in on the PAM Machine Record with your information:
This PAM Machine Record with the admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating Linux users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Machine credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Machine record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Machine credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Local Mac User Accounts with Keeper Rotation
In this guide, you'll learn how to remotely rotate MacOS accounts via SSH using Keeper Rotation.
This guide assumes the following tasks have already taken place:
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be joined to a domain or be a full admin account, but it must be able to change passwords for the other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account; it does not need to be shared with any users.
Note: You can skip this step if you already have a PAM Configuration set up.
In the left menu of the vault, select "Secrets Manager", then select the "PAM Configurations" tab. Create a new configuration:
Keeper Rotation will use the credentials in the PAM Machine record to rotate the PAM User records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the "PAM Machine" credential set up previously.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via SSH to your MacOS device.
Field | Description |
---|---|
Title | Name of the Record ex: "Local Windows Admin" |
Hostname or IP Address | Machine hostname or IP as accessed by the Gateway (internal) or "localhost" |
Port | 22 for SSH, 5985 (HTTP) or 5986 (HTTPS) for WinRM |
Login | Username of the Admin account |
Password | Required for WinRM. Optional for SSH if your setup requires a password, otherwise can use PEM key. Note: The following chars are restricted: " ' |
Private PEM Key | Required for SSH if not using a password |
Field | Description |
---|---|
Title | Configuration name, example: Windows LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Windows devices |
Application Folder | Select the Shared folder that contains the PAM Machine record in Step 1. |
Admin Credentials Record | Select the PAM Machine record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case sensitive username of the account being rotated. Example: msmith |
Password | Account password is optional, rotation will set one if blank |
Field | Description |
---|---|
Record Type | PAM Directory |
Title | Keeper record title |
Hostname or IP Address | IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10, dc01.mydomain.local |
Port | 636 - LDAPS is required for rotation. Note: LDAP over port 389 is insecure, and does not support credential rotation. |
Use SSL | Must be enabled |
Login | Username of the account performing the LDAP rotation. Example: rotationadmin |
Password | Admin account password |
Domain Name | Domain name of the Active Directory. Example: mydomain.local |
Other fields | These should be left blank |
Field | Description |
---|---|
Title | Configuration name, example: LDAP Rotation |
Environment | Select: Local Network |
Gateway | Select the Gateway that has access to your Active Directory server from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Directory record above |
Admin Credentials Record | Select the PAM Directory record; this list is filtered to records in the application folder |
Add Resource Credential | Add any optional credentials to be attempted in addition to the primary credential |
Default Rotation Schedule | Optional |
Other fields | These should be left blank |
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Username of the account being rotated. Example: bsmith |
Password | Account password is optional, rotation will set one if blank |
Distinguished Name | The LDAP DN for the user |
Other fields | These should be left blank |
Field | Description |
---|---|
Title | Keeper record title Ex: AWS Oracle Admin |
Hostname or IP Address | The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com |
Port | The RDS Port, for default ports see port mapping, i.e. 1521 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. |
Database ID | The AWS DB instance ID |
Database Type | oracle |
Provider Region | The region your Amazon RDS instance is using. i.e us-east-2 |
Field | Description |
---|---|
Title | Configuration name, example: AWS RDS Configuration |
Environment | Select: AWS |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle RDS Instance |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |
Field | Description |
---|---|
Title | Keeper record title i.e. AWS DB User 1 |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
Password | Account password is optional, rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example: PostgreSQL requires a database and so this will default to template1 |
Field | Description |
---|---|
Title | Keeper record title Ex: AWS MariaDB Admin |
Hostname or IP Address | The RDS Endpoint i.e. rdsdb.ckivswes.us-east-2.rds.amazonaws.com |
Port | The RDS Port, for default ports see port mapping, i.e. 3306 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | Admin account username that will perform rotation |
Password | Admin account password |
Database ID | The AWS DB instance ID |
Database Type | mariadb |
Provider Region | The region your Amazon RDS instance is using. i.e us-east-2 |
Field | Description |
---|---|
Title | Configuration name, example: AWS RDS Configuration |
Environment | Select: AWS |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB RDS Instance |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate the credentials of regular database user accounts |
AWS ID | A unique ID for this instance of AWS. This is for your reference and can be anything, but it's recommended to keep it short. Ex: AWS-1 |
Access Key ID | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Access Key ID. |
Access Secret Key | Set this field to USE_INSTANCE_ROLE if you are using EC2 role policy (default). Otherwise use a specific Secret Access Key. |
Field | Description |
---|---|
Title | Keeper record title i.e. AWS DB User 1 |
Login | Case sensitive username of the account being rotated. If the user in the DB user table is in a Host other than %, add the Host value to the user name as USERNAME@HOST |
Password | Account password is optional, rotation will set one if blank |
Field | Description |
---|---|
Title | Name of the Record ex: "Local Linux Admin" |
Hostname or IP Address | Machine hostname or IP as accessed by the Gateway (internal) or "localhost" |
Port | 22 for SSH |
Login | Username of the Admin account |
Password | Depends on your SSH setup. Your SSH setup may require a password, otherwise optional. Note: The following chars are restricted: " ' |
Private PEM Key | Required for SSH if not using a password |
Field | Description |
---|---|
Title | Configuration name, example: Linux LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has SSH access to your Linux devices |
Application Folder | Select the Shared folder that contains the PAM Machine record in Step 1. |
Admin Credentials Record | Select the PAM Machine record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case sensitive username of the account being rotated. Example: msmith |
Password | Account password is optional, rotation will set one if blank |
Field | Description |
---|---|
Record Type | PAM Machine |
Title | Keeper record title |
Hostname or IP Address | IP address or hostname of the directory MacOS device. Use localhost if the gateway is installed on the device. Examples: |
Port | SSH port, typically: |
Use SSL | Must be enabled |
Login | Username of the account performing the LDAP rotation. Example: |
Password | Admin account password |
Operating System | For Mac OS rotation, use: |
Other fields | These should be left blank |
Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that has SSH access to your MacOS devices |
Application Folder | Select the Shared folder that contains the PAM Machine record above. |
Admin Credentials Record | Select the admin record; this list is filtered to records in the application folder |
Add Resource Credential | Add any optional credentials to be attempted in addition to the primary credential |
Default Rotation Schedule | Optional |
Other fields | These should be left blank |
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case sensitive username of the account being rotated. Example: |
Password | Account password is optional, rotation will set one if blank |
Other fields | These should be left blank |
Rotating Local Network MySQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MySQL Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your MySQL database.
Keeper Rotation will use an admin credential to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.
In this guide, we will store the admin credentials in a PAM Database record.
The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Local Network MariaDB database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MariaDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your MariaDB database.
Keeper Rotation will use an admin credential to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Local Network PostgreSQL database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local Postgres Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Postgres database.
Keeper Rotation will use an admin credential to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration and add the necessary resource credentials.
Rotating Local Network MongoDB database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MongoDB User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview of the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your MongoDB Database.
Keeper Rotation will use an admin credential to rotate the credentials of other accounts in your local environment. This admin credential needs sufficient permissions to change the credentials of those other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that need to be filled in on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the PAM Database credential setup from Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network Oracle database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local Oracle Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your Oracle database.
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that need to be filled on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Rotating Local Network Microsoft SQL Server database accounts with Keeper Rotation
In this guide, you'll learn how to rotate Local MS SQL Server Database User and/or Admin accounts within your local network using Keeper Rotation. For a high-level overview on the rotation process in the local network, visit this page.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate with your MS SQL Server database.
If the Gateway is installed on a Linux or macOS server, install the
Keeper Rotation will use an admin credential to rotate credentials of other accounts in your local environment. These admin credentials need to have sufficient permissions in order to successfully change the credentials of other accounts.
In this guide, we will store the admin credentials in a PAM Database Record.
The following table lists all the required fields that need to be filled on the PAM Database Record with your information:
If you already have a PAM Configuration for your Local environment, you can simply add the additional Resource Credentials required for rotating database users to the existing PAM Configuration.
If you are creating a new PAM Configuration, log in to the Keeper Vault and select "Secrets Manager", then select the "PAM Configurations" tab, and click on "New Configuration". The following table lists all the required fields on the PAM Configuration Record:
Keeper Rotation will use the credentials in the PAM Database record to rotate the PAM User records on your Local environment. The PAM User credential needs to be in a shared folder that is shared to the KSM application created in the prerequisites.
The following table lists all the required fields on the PAM User record:
Select the PAM User record(s) from Step 3, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Any user with edit rights to a PAM User record has the ability to set up rotation for that record.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
Select the PAM Database record from Step 1, edit the record and open the "Password Rotation Settings".
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration set up previously.
The "Resource Credential" field should select the PAM Database credential set up in Step 1.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
If the desired Admin Credential is not showing in the rotation settings screen, go to Secrets Manager > PAM Configuration > and add the necessary resource credentials.
MySQL: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: dbadmin |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: mysql=3306 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Database Type | mysql |
MySQL: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: MySQL LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MySQL database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
MySQL: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: msmith |
Password | Account password is optional; rotation will set one if blank |
MariaDB: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: dbadmin |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: mariadb=3306 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Database Type | mariadb or mariadb-flexible |
MariaDB: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: MariaDB LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MariaDB database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
MariaDB: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: msmith |
Password | Account password is optional; rotation will set one if blank |
PostgreSQL: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: dbadmin |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: postgresql=5432 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |
Database Type | postgresql or postgresql-flexible |
PostgreSQL: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: Postgresql LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your PostgreSQL database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
PostgreSQL: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: msmith |
Password | Account password is optional; rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example, PostgreSQL requires a database and so this will default to template1. |
MongoDB: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: dbadmin |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: mongodb=27017 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. For example, MongoDB requires a database and so this will default to admin. |
Database Type | mongodb |
MongoDB: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: MongoDB LAN Configuration |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MongoDB database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1 |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
MongoDB: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: msmith |
Password | Account password is optional; rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example, MongoDB requires a database and so this will default to admin. |
Oracle: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your Oracle database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1. |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
Oracle: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: |
Password | Account password is optional; rotation will set one if blank |
MS SQL Server: PAM Configuration record
Field | Description |
---|---|
Title | Configuration name, example: |
Environment | Select: Local Network |
Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application and has network access to your MS SQL Server database |
Application Folder | Select the Shared folder that contains the PAM Database record in Step 1. |
Admin Credentials Record | Select the PAM Database record created in Step 1. This is the record with the admin credentials and sufficient permissions to rotate credentials |
MS SQL Server: PAM User record (account being rotated)
Field | Description |
---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Case-sensitive username of the db account being rotated. Example: |
Password | Account password is optional; rotation will set one if blank |
Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to |
Oracle: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: oracle=1521 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Database Type | |
MS SQL Server: PAM Database record (admin credentials)
Field | Description |
---|---|
Title | Keeper record title. Ex: |
Hostname or IP Address | Server address - doesn't need to be publicly routable |
Port | For default ports, see port mapping. Ex: mssql=1433 |
Use SSL | Check to perform SSL verification before connecting, if your database has SSL configured |
Login | The admin account that will perform rotation |
Password | Admin account password |
Connect Database | Optional database that will be used when connecting to the database server. For example, MS SQL Server requires a database and so this will default to |
Database Type | |
Rotating Okta user accounts using the Okta API
This documentation provides a guide to setting up password rotation with Okta and the Keeper PAM Gateway using "NOOP mode". This is a flag set in the Keeper record which tells the Gateway to skip the primary rotation method and directly execute the Post-Rotation script.
This guide includes pre-requisites, step-by-step instructions, and a Python script example.
KSM Application: Ensure that the Keeper Secrets Manager (KSM) application is set up.
Shared Folder: A shared folder should be set up where all the records will be stored.
PAM Configuration: Ensure that the PAM Configuration is set up and that the Gateway is running and attached to this configuration.
Okta API Token: You will need an Okta API Token to interact with the Okta API.
Follow the steps in the official Okta documentation to generate an API token.
Store this API token in a Keeper record. The record can be of any type, but for this example, we will use a "Login" type.
Store the API Token in the "password" field.
Store the Organization URL in the "Website Address" field.
Name this record "Okta API Access Details" as this title will be used to fetch the record in the script later.
Create a new PAM User record to store Okta User details whose password will be rotated.
Set the username to match the Okta user's email address.
Set the password to the current password set for the user.
The Okta SDK only supports password rotation if the current password is valid. If the stored password is incorrect, the rotation will fail.
Attach the below Python script that will perform the password rotation. The script has additional comments inside that describe each line.
Add the "Rotation Credential" record, which is the record created in Step 1 containing the Okta API Token and Organization URL.
Enable No-Operation (NOOP) atomic execution: in the PAM User record where the user's details are stored, create a new custom text field labeled NOOP and set its value to True.
Rotation Type: Set it to "On-Demand" for this example.
Password Complexity: Leave it as default unless you have specific requirements.
Rotation Settings: Point to the PAM Configuration set up earlier.
Administrative Credentials Record: can be left empty.
Below is a screenshot of a fully loaded Okta Rotation record.
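As an added example (not the page's script, which uses the Okta SDK), this is the password change the post-rotation step has to make, done directly against the Okta REST endpoint with the standard library. The function name `rotate_okta_password` and the `transport` hook (used to exercise the call offline) are assumed here; the organization URL and API token are the values kept in the "Okta API Access Details" record, and the old password is the one stored in the PAM User record.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def default_transport(url, method, headers, body):
    """Send one HTTPS request; return (status, parsed JSON body or None)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


def rotate_okta_password(org_url, api_token, login, old_password, new_password,
                         transport=default_transport):
    """Change an Okta user's password using the user's current password.

    Calls POST /api/v1/users/{login}/credentials/change_password. Okta accepts
    the change only when old_password is the user's current password, so a
    non-200 reply usually means the password stored in the PAM User record is
    stale. Returns True on success and raises RuntimeError otherwise, so the
    failure surfaces in the gateway's rotation result instead of being lost.

    org_url and api_token come from the "Okta API Access Details" record
    (Website Address and password fields). `transport` is a hypothetical hook
    (added for this example) that lets the request be stubbed offline.
    """
    headers = {
        "Authorization": "SSWS " + api_token,  # Okta API token auth scheme
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    # Okta accepts the login (email) in place of the user id in this path.
    url = "%s/api/v1/users/%s/credentials/change_password" % (
        org_url.rstrip("/"), urllib.parse.quote(login, safe="@"))
    body = json.dumps({"oldPassword": {"value": old_password},
                       "newPassword": {"value": new_password}})
    status, payload = transport(url, "POST", headers, body)
    if status == 200:
        return True
    summary = "no error summary"
    if isinstance(payload, dict):
        summary = payload.get("errorSummary", summary)
    raise RuntimeError("Okta rejected the password change (HTTP %d): %s"
                       % (status, summary))
```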
The below steps are related to the environment where the Keeper Gateway is running.
Ensure that the Python environment has all necessary dependencies installed.
If you want to use a virtual environment, add a shebang line at the top of the script.
Ensure that the shebang line does not contain spaces. If it does, create a symbolic link without spaces.
Below is an example to create a symbolic link on Linux:
sudo ln -s "/Users/john/PAM Rotation Example/.venv/bin/python3" /usr/local/bin/pam_rotation_venv_python3
The Python script below is well-commented and follows best practices. It imports necessary modules, initializes variables, and defines functions for various tasks like finding a password by its title, fetching all Okta users, and rotating the password for the particular user.