CLI Provisioning with Commander SDK

Keeper Commander is an open-source Python SDK which can perform many vault and administrative functions within the Keeper system.
Keeper supports API-based provisioning through the use of our Python-based Keeper Commander SDK. The Keeper Commander SDK is open source Python code that is available for download from Keeper's Github Repository. The Commander SDK can assist in the following use cases:
Command line access to your Keeper vault
Importing passwords, folders and shared folder
Provisioning users and teams
Pushing records to users and teams
Sharing records and folders with users and teams
Performing targeted password rotation
Since Keeper Commander is an open source SDK and written in Python, it can be customized to meet your needs and integrated into your back-end systems.
For more information about Keeper Commander, visit https://github.com/Keeper-Security/Commander​
Installation - Windows
Download and install WinPython​
From the install folder of WinPython, run the "WinPython Command Prompt"
Install Keeper Commander with pip3:
$ pip3 install keepercommander
Install Keepass library
If you plan to use the Keepass import or export features of Keeper Commander, please follow these instructions.
Upgrading to Latest Code
$ pip3 install --upgrade keepercommander
Please do not upgrade a production system without validation in your test environment as commands and functionality is under rapid development.
Developer Setup
This type of installation assumes you want to view/modify the Python source code (Compatible with Python 3.4+).
Clone/Download the Commander repository
Install Python3 from python.org
Install virtualenv:
$ sudo pip3 install virtualenv
Create and activate the virtual environment for your keeper project:
$ cd /path/to/Commander
$ virtualenv -p python3 venv
$ source venv/bin/activate
$ pip install -r requirements.txt
$ pip install -e .
Keeper supports plugins for various 3rd party systems for password reset integration. Depending on the plugin, you will need to also install the modules required by that plugin. For example, our MySQL plugin requires the PyMySQL module.
See the custom folder for examples on creating your own custom scripts.
Command-line Usage
Commander's command-line interface and interactive shell is a powerful and convenient way to access and control your Keeper vault and perform many administrative operations. To see all available commands, just type:
$ keeper
​
usage: keeper [--server SERVER] [--user USER] [--password PASSWORD]
              [--version] [--config CONFIG] [--debug]
              [command] [options [options ...]]
​
positional arguments:
  command               Command
  options               Options
​
optional arguments:
  --server SERVER, -ks SERVER
                        Keeper Host address.
  --user USER, -ku USER
                        Email address for the account.
  --password PASSWORD, -kp PASSWORD
                        Master password for the account.
  --version             Display version
  --config CONFIG       Config file to use
  --debug               Turn on debug mode
Interactive Shell
To run a series of commands and stay logged in, you will enjoy using Commander's interactive shell.
$ keeper shell
​
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
              |_|
​
 password manager & digital vault
​
Logging in...
Syncing...
Decrypted [400] Records
​
My Vault>
Type h to display all commands and help information.
Keeper Command Reference
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following features specified by command. Each command supports additional parameters and options. To get help on a particular command, use the -hflag.
Basic Vault Commands
Note: Some commands accept record or shared folder UID parameter. UID values may start with dash character (-) that is interpreted by command parser as an option. To pass a parameter starting with dash separate this parameter with two dashes (--). rmdir -- -Gd9l4daPw-fMd
login Login to Keeper
whoami Information about logged in user
logout Logout from Keeper
shell Use Keeper interactive shell
sync-down or d Download, sync and decrypt vault
list or l List all records or search with a regular expression.
search or s Search all records with a regular expression.
ls List folder contents (try ls -l as well)
tree Display entire folder structure as a tree
cd Change current folder
get Retrieve and display specified Keeper Record/Folder/Team in printable or JSON format.
download-attachment Download all file attachments in specified record
upload-attachment Upload file attachments to the specified record
delete-attachment Delete a file attachment from the specified record. Specify Record UID and Filename (or Attachment ID)
list-sf or lsf Display all shared folders
create-user Create Keeper vault account. Note: If executed by an admin, the user will be provisioned to the Enterprise license.
list-team or lt Display all teams
Record Management Commands
add Add a record to the vault
rm Remove record
append-notes or an Append notes to existing record
Folder Management Commands
mkdir Create folder
rmdir Remove folder and its content
mv Move record or folder
ln Create a link between record or folder
Password Rotation Commands
rotate or r Rotate password in record
Import and Export Commands
import Import data from local file to Keeper. JSON, CSV, Keepass formats accepted. Keepass import includes all file attachments.
export Export data from Keeper to local file or stdout. JSON, CSV, Keepass file formats supported. Keepass exports include all file attachments.
Folder and Record Sharing Commands
share-record or sr Grant or revoke record's user access
share-folder or sf Grant or revoke shared folder's user access or record permission
Enterprise Console Management Commands
enterprise-info or ei Display enterprise information
Parameters:
--nodes Show node structure in a tree form
--users Show users in a list view
--roles Show all roles in a list view
--teams Show all teams in a list view
--node Specify a single node to limit view
--v Verbose mode
enterprise-user <email> or eu <email> Enterprise user management
Parameters:
--expire Expire the master password for the user
--lock Unlock the user account
--unlock Lock the user account
--add Invite a new user to join the enterprise
--delete Delete the user and all stored vault records (use with caution)
--name Rename a user's display name
--node Move user into a node
--add-role Add a user to a role
--remove-role Remove a user from a role
--add-team Add a user to a team
--remove-team Remove a user from a team
If no parameters are provided, displays information about specified email
enterprise-role <Role ID> or er <Role ID> Enterprise role management
Parameters:
--add-user Add a user to a specified role
--remove-user Remove a user from a specified role
If no parameters are provided, displays information about specified role
enterprise-team <Team ID> or et <Team ID> Enterprise team management
Parameters:
--add Create a new team in the root node
--node Move a team into the specified node
--add-user Add a user to a team
--remove-user Remove a user from a team
--name Change the Team name
--delete Delete a team
--restrict-edit Restrict record edit on the team
--restrict-share Restrict record re-sharing on the team
--restrict-view Restrict record viewing on the team
If no parameters are provided, displays information about specified team
enterprise-push <Record Template File Name> Populate users' vaults with default records
Parameters:
--syntax-help Displays information of record template file format
--team TEAM_NAME or TEAM UID Populate all team users' vaults
--user USER_EMAIL Populate user's vault
file JSON file name containing template records
audit-log Export audit and event logs to SIEM - See Details​
--target=splunk Export events to Splunk HTTP Event Collector
--target=sumo Export events to Sumo Logic HTTP Event Collector
--target=syslog Export events to a local file in syslog format
--target=syslog-port Export events in syslog format to TCP port. Both plain and SSL connections are supported
--target=azure-la Export events to Azure Log Analytics to custom log named Keeper_CL
audit-report Generate ad-hoc customized audit event reports in raw and summarized formats - See Details​
Parameters:
--report-type {raw,dim,hour,day,week,month,span}
--report-format {message,fields} output format (raw reports only)
--columns COLUMNS Can be repeated. (ignored for raw reports)
--aggregate {occurrences,first_created,last_created} aggregated value. Can be repeated. (ignored for raw reports)
--timezone TIMEZONE return results for specific timezone
--limit LIMIT maximum number of returned rows
--order {desc,asc} sort order
--created CREATED Filter: Created date. Predefined filters: today, yesterday, last_7_days, last_30_days, month_to_date, last_month, year_to_date, last_year
--event-type EVENT_TYPE Filter: Audit Event Type
--username USERNAME Filter: Username of event originator
--to-username TO_USERNAME Filter: Username of event target
--record-uid RECORD_UID Filter: Record UID
--shared-folder-uid SHARED_FOLDER_UID Filter: Shared Folder UID
​
The full documentation and example code can be found here:
Keeper-Security/Commander
Keeper Commander. Contribute to Keeper-Security/Commander development by creating an account on GitHub.
github.com
​
Email Auto-Provisioning
Roles and Permissions
Last updated 2 months ago