Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's GitHub repository. The Commander SDK can assist in the following use cases:
Command line access to your Keeper vault
Importing passwords, folders and shared folders
Provisioning users and teams
Pushing records to users and teams
Sharing records and folders with users and teams
Performing targeted password rotation
Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.
For more information about Keeper Commander, visit: https://github.com/Keeper-Security/Commander
Download and install WinPython
From the install folder of WinPython, run the "WinPython Command Prompt"
Install Keeper Commander with pip3
$ pip3 install keepercommander
If you plan to use the Keepass import or export features of Keeper Commander, follow these instructions.
$ pip3 install --upgrade keepercommander
Please do not upgrade a production system without validation in your test environment, as commands and functionality are under rapid development.
This type of installation assumes you want to view/modify the Python source code (Compatible with Python 3.4+).
Clone/Download the Commander repository
Install Python3 from python.org
Install virtualenv:
$ sudo pip3 install virtualenv
Create and activate the virtual environment for your keeper project:
$ cd /path/to/Commander
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
Keeper supports plugins for various 3rd party systems for password reset integration. Depending on the plugin, you will need to also install the modules required by that plugin. For example, our MySQL plugin requires the PyMySQL module.
See the custom folder for examples on creating your own custom scripts.
Commander's command-line interface and interactive shell are a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:
$ keeper
usage: keeper [--server SERVER] [--user USER] [--password PASSWORD]
              [--version] [--config CONFIG] [--debug]
              [command] [options [options ...]]

positional arguments:
  command               Command
  options               Options

optional arguments:
  --server SERVER, -ks SERVER
                        Keeper Host address.
  --user USER, -ku USER
                        Email address for the account.
  --password PASSWORD, -kp PASSWORD
                        Master password for the account.
  --version             Display version
  --config CONFIG       Config file to use
  --debug               Turn on debug mode
To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.
$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|

 password manager & digital vault

Logging in...
Syncing...
Decrypted [400] Records
My Vault>
Type h to display all commands and help information.
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following features specified by command. Each command supports additional parameters and options. To get help on a particular command, use the -h flag.
Basic Vault Commands
Note: Some commands accept a record or shared folder UID as a parameter. UID values may start with a dash character (-), which the command parser interprets as an option. To pass a parameter that starts with a dash, put two dashes (--) before it, for example: rmdir -- -Gd9l4daPw-fMd
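The rule in the note above matters most in scripts that pass UIDs to commands unattended. The sketch below is an added example, not code from Keeper Commander: it uses Python's standard argparse with a hypothetical rmdir-like parser (the -f/--force option and the names make_rmdir_parser, uid_argv and try_parse are assumptions) to show the UID being rejected without the separator and accepted with it.

```python
import argparse


class StrictParser(argparse.ArgumentParser):
    """ArgumentParser that raises instead of printing usage and exiting."""

    def error(self, message):
        raise ValueError(message)


def make_rmdir_parser():
    # Hypothetical stand-in for a command that takes a folder UID. It is not
    # Commander's real parser, and -f/--force is an assumed option.
    parser = StrictParser(prog="rmdir")
    parser.add_argument("-f", "--force", action="store_true")
    parser.add_argument("folder", help="folder path or UID")
    return parser


def uid_argv(uid, options=()):
    """Build an argument list in which `uid` can only be read as a positional."""
    if not uid or any(c.isspace() for c in uid):
        raise ValueError("UID must be a non-empty token without whitespace")
    # Everything after "--" is treated as a positional argument by the parser.
    return [*options, "--", uid]


def try_parse(argv):
    """Return (namespace, None) on success or (None, error text) on failure."""
    try:
        return make_rmdir_parser().parse_args(argv), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    uid = "-Gd9l4daPw-fMd"                        # UID quoted in the note above
    print(try_parse([uid]))                       # leading dash read as an option
    print(try_parse(uid_argv(uid)))               # UID arrives as the folder
    print(try_parse(["-f"]))                      # constructed UID "-f" taken as the flag
    print(try_parse(uid_argv("-f", ["--force"]))) # flag and UID kept apart
```

Always placing the separator in generated command lines, whether or not a given UID starts with a dash, keeps automation from depending on the value of the UID.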
login: Login to Keeper
whoami: Information about logged in user
logout: Logout from Keeper
shell: Use Keeper interactive shell
sync-down or d: Download, sync and decrypt vault
list or l: List all records or search with a regular expression.
search or s: Search all records with a regular expression.
ls: List folder contents (try ls -l as well)
tree: Display entire folder structure as a tree
cd: Change current folder
get: Retrieve and display specified Keeper Record/Folder/Team in printable or JSON format.
download-attachment: Download all file attachments in specified record
upload-attachment: Upload file attachments to the specified record
delete-attachment: Delete a file attachment from the specified record. Specify Record UID and Filename (or Attachment ID)
list-sf or lsf: Display all shared folders
create-user: Create Keeper vault account. Note: If executed by an admin, the user will be provisioned to the Enterprise license.
list-team or lt: Display all teams
Record Management Commands
add: Add a record to the vault
rm: Remove record
append-notes or an: Append notes to existing record
Folder Management Commands
mkdir: Create folder
rmdir: Remove folder and its content
mv: Move record or folder
ln: Create a link between record or folder
Password Rotation Commands
rotate or r: Rotate password in record
Import and Export Commands
import: Import data from local file to Keeper. JSON, CSV, Keepass formats accepted. Keepass import includes all file attachments.
export: Export data from Keeper to local file or stdout. JSON, CSV, Keepass file formats supported. Keepass exports include all file attachments.
Folder and Record Sharing Commands
share-record or sr: Grant or revoke record's user access
share-folder or sf: Grant or revoke shared folder's user access or record permission
Enterprise Console Management Commands
enterprise-info or ei: Display enterprise information
Parameters:
  --nodes: Show node structure in a tree form
  --users: Show users in a list view
  --roles: Show all roles in a list view
  --teams: Show all teams in a list view
  --node: Specify a single node to limit view
  --v: Verbose mode
enterprise-user <email> or eu <email>: Enterprise user management
Parameters:
  --expire: Expire the master password for the user
  --lock: Lock the user account
  --unlock: Unlock the user account
  --add: Invite a new user to join the enterprise
  --delete: Delete the user and all stored vault records (use with caution)
  --name: Rename a user's display name
  --node: Move user into a node
  --add-role: Add a user to a role
  --remove-role: Remove a user from a role
  --add-team: Add a user to a team
  --remove-team: Remove a user from a team
If no parameters are provided, displays information about the specified email
enterprise-role <Role ID> or er <Role ID>: Enterprise role management
Parameters:
  --add-user: Add a user to a specified role
  --remove-user: Remove a user from a specified role
If no parameters are provided, displays information about the specified role
enterprise-team <Team ID> or et <Team ID>: Enterprise team management
Parameters:
  --add: Create a new team in the root node
  --node: Move a team into the specified node
  --add-user: Add a user to a team
  --remove-user: Remove a user from a team
  --name: Change the Team name
  --delete: Delete a team
  --restrict-edit: Restrict record edit on the team
  --restrict-share: Restrict record re-sharing on the team
  --restrict-view: Restrict record viewing on the team
If no parameters are provided, displays information about the specified team
enterprise-push <Record Template File Name>: Populate users' vaults with default records
Parameters:
  --syntax-help: Displays information of record template file format
  --team TEAM_NAME or TEAM UID: Populate all team users' vaults
  --user USER_EMAIL: Populate user's vault
  file: JSON file name containing template records
audit-log: Export audit and event logs to SIEM
  --target=splunk: Export events to Splunk HTTP Event Collector
  --target=sumo: Export events to Sumo Logic HTTP Event Collector
  --target=syslog: Export events to a local file in syslog format
  --target=syslog-port: Export events in syslog format to TCP port. Both plain and SSL connections are supported
  --target=azure-la: Export events to Azure Log Analytics to custom log named Keeper_CL
audit-report: Generate ad-hoc customized audit event reports in raw and summarized formats
Parameters:
  --report-type {raw,dim,hour,day,week,month,span}
  --report-format {message,fields}: output format (raw reports only)
  --columns COLUMNS: Can be repeated. (ignored for raw reports)
  --aggregate {occurrences,first_created,last_created}: aggregated value. Can be repeated. (ignored for raw reports)
  --timezone TIMEZONE: return results for specific timezone
  --limit LIMIT: maximum number of returned rows
  --order {desc,asc}: sort order
  --created CREATED: Filter: Created date. Predefined filters: today, yesterday, last_7_days, last_30_days, month_to_date, last_month, year_to_date, last_year
  --event-type EVENT_TYPE: Filter: Audit Event Type
  --username USERNAME: Filter: Username of event originator
  --to-username TO_USERNAME: Filter: Username of event target
  --record-uid RECORD_UID: Filter: Record UID
  --shared-folder-uid SHARED_FOLDER_UID: Filter: Shared Folder UID
The full documentation and example code can be found on the following page.