CLI Provisioning with Commander SDK

Keeper Commander is an open-source Python SDK which can perform many vault and administrative functions within the Keeper system.

Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's Github Repository. The Commander SDK can assist in the following use cases:

  • Command line access to your Keeper vault

  • Importing passwords, folders and shared folder

  • Provisioning users and teams

  • Pushing records to users and teams

  • Sharing records and folders with users and teams

  • Performing targeted password rotation

Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.

For more information about Keeper Commander, visit:

Installation for Windows

  1. Download and install WinPython

  2. From the install folder of WinPython, run the "WinPython Command Prompt"

  3. Install Keeper Commander with pip3

$ pip3 install keepercommander

Install Keepass Library

If you plan to use the Keepass import or export features of Keeper Commander, follow these instructions.

Upgrading to Latest Code

$ pip3 install --upgrade keepercommander

Please do not upgrade a production system without validation in your test environment as commands and functionality is under rapid development.

Developer Setup

This type of installation assumes you want to view/modify the Python source code (Compatible with Python 3.4+).

  1. Clone/Download the Commander repository

  2. Install Python3 from

  3. Install virtualenv:

$ sudo pip3 install virtualenv

Create and activate the virtual environment for your keeper project:

$ cd /path/to/Commander
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .

Keeper supports plugins for various 3rd party systems for password reset integration. Depending on the plugin, you will need to also install the modules required by that plugin. For example, our MySQL plugin requires the PyMySQL module.

See the custom folder for examples on creating your own custom scripts.

Command-line Usage

Commander's command-line interface and interactive shell is a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:

$ keeper
usage: keeper [--server SERVER] [--user USER] [--password PASSWORD]
[--version] [--config CONFIG] [--debug]
[command] [options [options ...]]
positional arguments:
command Command
options Options
optional arguments:
--server SERVER, -ks SERVER
Keeper Host address.
--user USER, -ku USER
Email address for the account.
--password PASSWORD, -kp PASSWORD
Master password for the account.
--version Display version
--config CONFIG Config file to use
--debug Turn on debug mode

Interactive Shell

To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.

$ keeper shell
_ __
| |/ /___ ___ _ __ ___ _ _
| ' </ -_) -_) '_ \/ -_) '_|
|_|\_\___\___| .__/\___|_|
password manager & digital vault
Logging in...
Decrypted [400] Records
My Vault>

Type h to display all commands and help information.

Keeper Command Reference

Whether using the interactive shell, CLI or JSON config file, Keeper supports the following features specified by command. Each command supports additional parameters and options. To get help on a particular command, use the -hflag.

Basic Vault Commands

Note: Some commands accept record or shared folder UID parameter. UID values may start with dash character (-) that is interpreted by command parser as an option. To pass a parameter starting with dash separate this parameter with two dashes (--). rmdir -- -Gd9l4daPw-fMd

  • login Login to Keeper

  • whoami Information about logged in user

  • logout Logout from Keeper

  • shell Use Keeper interactive shell

  • sync-down or d Download, sync and decrypt vault

  • list or l List all records or search with a regular expression.

  • search or s Search all records with a regular expression.

  • ls List folder contents (try ls -l as well)

  • tree Display entire folder structure as a tree

  • cd Change current folder

  • get Retrieve and display specified Keeper Record/Folder/Team in printable or JSON format.

  • download-attachment Download all file attachments in specified record

  • upload-attachment Upload file attachments to the specified record

  • delete-attachment Delete a file attachment from the specified record. Specify Record UID and Filename (or Attachment ID)

  • list-sf or lsf Display all shared folders

  • create-user Create Keeper vault account. Note: If executed by an admin, the user will be provisioned to the Enterprise license.

  • list-team or lt Display all teams

Record Management Commands

  • add Add a record to the vault

  • rm Remove record

  • append-notes or an Append notes to existing record

Folder Management Commands

  • mkdir Create folder

  • rmdir Remove folder and its content

  • mv Move record or folder

  • ln Create a link between record or folder

Password Rotation Commands

  • rotate or r Rotate password in record

Import and Export Commands

  • import Import data from local file to Keeper. JSON, CSV, Keepass formats accepted. Keepass import includes all file attachments.

  • export Export data from Keeper to local file or stdout. JSON, CSV, Keepass file formats supported. Keepass exports include all file attachments.

Folder and Record Sharing Commands

  • share-record or sr Grant or revoke record's user access

  • share-folder or sf Grant or revoke shared folder's user access or record permission

Enterprise Console Management Commands

  • enterprise-info or ei Display enterprise information


    • --nodes Show node structure in a tree form

    • --users Show users in a list view

    • --roles Show all roles in a list view

    • --teams Show all teams in a list view

    • --node Specify a single node to limit view

    • --v Verbose mode

  • enterprise-user <email> or eu <email> Enterprise user management


    • --expire Expire the master password for the user

    • --lock Unlock the user account

    • --unlock Lock the user account

    • --add Invite a new user to join the enterprise

    • --delete Delete the user and all stored vault records (use with caution)

    • --name Rename a user's display name

    • --node Move user into a node

    • --add-role Add a user to a role

    • --remove-role Remove a user from a role

    • --add-team Add a user to a team

    • --remove-team Remove a user from a team

    • If no parameters are provided, displays information about specified email

  • enterprise-role <Role ID> or er <Role ID> Enterprise role management


    • --add-user Add a user to a specified role

    • --remove-user Remove a user from a specified role

    • If no parameters are provided, displays information about specified role

  • enterprise-team <Team ID> or et <Team ID> Enterprise team management


    • --add Create a new team in the root node

    • --node Move a team into the specified node

    • --add-user Add a user to a team

    • --remove-user Remove a user from a team

    • --name Change the Team name

    • --delete Delete a team

    • --restrict-edit Restrict record edit on the team

    • --restrict-share Restrict record re-sharing on the team

    • --restrict-view Restrict record viewing on the team

    • If no parameters are provided, displays information about specified team

  • enterprise-push <Record Template File Name> Populate users' vaults with default records


    • --syntax-help Displays information of record template file format

    • --team TEAM_NAME or TEAM UID Populate all team users' vaults

    • --user USER_EMAIL Populate user's vault

    • file JSON file name containing template records

  • audit-log Export audit and event logs to SIEM - See Details

    • --target=splunk Export events to Splunk HTTP Event Collector

    • --target=sumo Export events to Sumo Logic HTTP Event Collector

    • --target=syslog Export events to a local file in syslog format

    • --target=syslog-port Export events in syslog format to TCP port. Both plain and SSL connections are supported

    • --target=azure-la Export events to Azure Log Analytics to custom log named Keeper_CL

  • audit-report Generate ad-hoc customized audit event reports in raw and summarized formats - See Details


    • --report-type {raw,dim,hour,day,week,month,span}

    • --report-format {message,fields} output format (raw reports only)

    • --columns COLUMNS Can be repeated. (ignored for raw reports)

    • --aggregate {occurrences,first_created,last_created} aggregated value. Can be repeated. (ignored for raw reports)

    • --timezone TIMEZONE return results for specific timezone

    • --limit LIMIT maximum number of returned rows

    • --order {desc,asc} sort order

    • --created CREATED Filter: Created date. Predefined filters: today, yesterday, last_7_days, last_30_days, month_to_date, last_month, year_to_date, last_year

    • --event-type EVENT_TYPE Filter: Audit Event Type

    • --username USERNAME Filter: Username of event originator

    • --to-username TO_USERNAME Filter: Username of event target

    • --record-uid RECORD_UID Filter: Record UID

    • --shared-folder-uid SHARED_FOLDER_UID Filter: Shared Folder UID

The full documentation and example code can be on the following page.