Automation Commands

Streamline administrative workflows by automating complex, multi-step processes on the Keeper platform

Overview

Automation Commands provide a unified way to automate credential provisioning for users in the organization. Using a single Commander action, the admin can create PAM Users, create Active Directory accounts, apply rotation settings, perform immediate password updates through the Keeper Gateway, and deliver credentials via one-time share links or direct vault sharing. The result is a repeatable, error-resistant workflow that accelerates employee onboarding and ensures security best practices are followed every time.

Commands

Command

Alias

Purpose

credential-provision

Automate PAM User credential provisioning with AD account creation, automated rotation, and credential delivery via email or direct vault sharing

credential-provision

Automates the end-to-end process of creating PAM User credentials with optional Active Directory account creation, password rotation, folder organization, and secure credential delivery.

Use Case

Onboarding new employees with their identity provider credentials
Creating Active Directory admin accounts and sharing them to user vaults
Automating the process of end-user password resets
Rotating and delivering on-demand credentials for any KeeperPAM resource
Onboarding existing accounts whose current password is already known (bring-your-own-password)
Provisioning new records without rotating immediately (cron-deferred or manual-trigger workflows)

Details

The credential-provision command orchestrates multiple Commander operations in a single workflow. It accepts a YAML configuration file as the request parameters, and it processes the workflow in a single action.

Parse Configuration - Validates the provided YAML configuration file
Username Resolution - Resolves username from template (e.g., {first_initial}{last_name}.adm)
Duplicate Detection - Checks for existing PAM Users to prevent conflicts
Password Determination - Uses account.existing_password when supplied; otherwise generates a secure password from rotation.password_complexity; falls back to a built-in default when neither is supplied
AD User Creation - Creates user in Active Directory via PAM Gateway (optional, when directory_uid and distinguished_name are provided; skipped when account.existing_password is set — the account is declared to already exist)
AD Group Assignment - Adds user to specified AD groups (optional, when ad_groups are provided; runs regardless of step 5)
PAM User Creation - Creates PAM User record in specified folder
Rotation Configuration - Links to PAM Configuration and sets rotation schedule (skipped entirely when no rotation: section is supplied)
Immediate Rotation - Performs on-demand rotation of the password in the target directory via the Keeper Gateway (skipped when rotation.rotate_on_provision: false, or when step 8 was skipped)
Direct Share - Shares record directly to user's Keeper vault (optional, when delivery section is present)
Email Delivery - Sends welcome email with one-time share URL (optional, when email section is present)

Note: Several steps are conditional:

Steps 4 & 5 (Password Determination & AD User Creation): if account.existing_password is supplied, Commander stores it verbatim in the vault and skips AD user creation — the account is declared to already exist. AD group additions (Step 6) still apply.
Steps 8 & 9 (Rotation Configuration & Immediate Rotation): if the rotation: section is omitted, no rotation is configured for the record. If rotation.rotate_on_provision: false is set, rotation is configured but no immediate rotation fires at provisioning — the scheduled cron (or a manual Rotate Now) handles all subsequent rotations.
Steps 10 and 11 are independent — you can use either, both, or neither. If both delivery and email sections are present, the record is shared to the user's vault AND emailed with a one-time share link. If neither is present, the record is created but not delivered.

This automation eliminates manual steps, ensures proper security configuration, and provides a consistent provisioning experience.

Parameters

-c, --pam-config <UID> - PAM Configuration record UID (determines which Gateway to use). Can also be provided in YAML as account.pam_config_uid (deprecated — use -c instead).
-config </path/to/file> - Path to YAML configuration file containing provisioning settings
--config-base64 <base64 encoded file> - YAML configuration encoded in base64 format (for Service Mode / REST API usage)

Optional Parameters

--dry-run - Validate configuration without creating resources
--output <json|text> - Output format (default: text)

Prerequisites

In order to utilize this automation command, the following needs to be set up:

An active KeeperPAM license
PAM Configuration created for Active Directory, AWS, Azure or GCP depending on the target
A Keeper Gateway set up which is able to rotate credentials in the target system

For email delivery:

An Email Configuration set up for mail delivery

For direct share delivery:

Target user must have an existing Keeper vault

For AD user creation and group assignment:

Gateway v1.8.0 or later
A PAM Directory record (pamDirectory) with directoryType=ad linked to the PAM Configuration
Gateway must have network access to Active Directory

Security Constraints

When account.existing_password is set, Commander enforces two invariants to prevent the supplied password from reaching any target system:

AD-create is skipped. The internal action that normally fires when distinguished_name or ad_groups is set will NOT run. The operator is declaring the account already exists; Commander stores the supplied password in the vault as the source of truth. AD group additions still apply.
Immediate rotation must be explicitly deferred. If a rotation: section is present alongside existing_password, you must set rotation.rotate_on_provision: false — otherwise the configuration is rejected at validation time. This prevents Commander from generating a new password and pushing it to the target at provisioning, which would defeat the bring-your-own-password intent.

To rotate an existing_password-onboarded account, click Rotate Now in the Vault UI (or use pam action rotate <UID>). At that point Commander generates a fresh password and the gateway pushes it to the target.

YAML Configuration Structure

In the example YAML configuration below, Sarah Jones is a new employee that is being onboarded to Company.com. The identity provider / IGA / HR system (such as Workday, Aquera, Sailpoint, ConductorOne, etc) triggers a request to Keeper that performs the following:

Identifies the user in the target directory
Rotates the password in the directory, according to the desired complexity rules
Saves the password as a PAM User record in the Commander user's vault
Configures automated password rotation of the record for once per week
Delivers the credential to the new employee's personal email address through a one-time share link
One-time share link expires in 7 days

user: # Employee information
  first_name: Sarah
  last_name: Admin
  personal_email: sarah.jones@company.com
  department: Marketing
account:  # Target account details
  username: sarah.jones
  distinguished_name: "CN=sarah.jones,OU=Marketing,OU=Corporate,DC=company,DC=com"
vault: # Vault storage configuration (optional)
  folder: "PAM Users/Marketing"
rotation: # Password rotation settings
  schedule: "0 0 0 * * ?" # Every Sunday at midnight
  password_complexity: "32,5,5,5,5"
email: # Email delivery settings
  config_name: "Company SMTP Server"
  send_to: "sarah.jones.demo@gmail.com"
  subject: "Welcome to Company.com - Your Credentials"
  share_url_expiry: "7d"

User Section (Required)

The "user" section identifies the end-user identity in the target directory.

Field

Type

Required

Description

first_name

string

Yes

New User's first name

last_name

string

Yes

Employee's last name

personal_email

string

Yes

Personal email for credential delivery

employee_id

string

Employee identifier

department

string

Department (used for folder organization)

Account Section (Required)

The "account" section identifies the PAM Configuration and user ID in the target directory.

Field

Type

Required

Description

username

string

Yes*

Username for target system

username_template

string

Yes*

Template for deriving username (see Username Templates below)

pam_config_uid

string

No**

UID of PAM Configuration record (deprecated — use -c flag instead)

directory_uid

string

Yes

UID of pamDirectory record for AD user creation

distinguished_name

string

No***

AD Distinguished Name (supports {username} placeholder)

ad_groups

list

List of AD group DNs to add the user to

existing_password

string

Account's current real password. Stored in the vault; never pushed to a target. Use when onboarding an account that already exists in AD. Validator forbids combining this with a rotation that would fire at provisioning — see Security Constraints.

*Either username or username_template is required (not both).

**Required if -c / --pam-config is not provided on the command line.

***Required for Active Directory in multi-OU environments (recommended for all AD deployments). Supports {username} placeholder which is resolved from username or username_template.

Username Templates

The username_template field supports the following variables, resolved from the user section:

Variable

Example Input

Result

{first_name}

Felipe

felipe

{last_name}

Dias

dias

{first_initial}

Felipe

{last_initial}

Dias

{email_prefix}

fdias@company.com

fdias

All output is lowercased. Variables can be combined:

username_template: "{first_initial}{last_name}.adm"    # fdias.adm
username_template: "{first_name}.{last_name}"           # felipe.dias
username_template: "{email_prefix}.admin"               # fdias.admin

Vault Section (Optional)

The "vault" section controls where the PAM User record is stored in the vault.

Field

Type

Required

Description

Default

folder

string

Subfolder path relative to gateway application folder, or a folder UID

PAM Users/{department}

To find the Application Folder, see the Vault > Secrets Manager > PAM Configurations > Application Folder setting.

Example: If the gateway folder is My Infrastructure and the vault.folder parameter is Users/Service Accounts, the final path becomes My Infrastructure/Users/Service Accounts.

{gateway_application_folder}/{vault.folder}

Rotation Section (Optional)

Controls password rotation settings. Omit this section entirely to indicate Commander should not manage rotation for the new record. When present, exactly one of schedule or on_demand: true must be specified (mutually exclusive).

Field

Type

Required

Description

schedule

string

Yes*

6-field CRON expression

on_demand

boolean

Yes*

Configures rotation for manual triggering only; no cron schedule is stored.

password_complexity

string

Yes

Password complexity rules

rotate_on_provision

boolean

No (default true)

When false, skips the immediate rotation at provisioning time. The configured schedule (or manual Rotate Now) handles all subsequent rotations.

* - Exactly one of schedule or on_demand is required when the section is present.

Rotation Schedule (6-field CRON) Format: second minute hour day month day-of-week

"0 0 0 * * 0"      # Every Sunday at midnight
"0 0 2 * * *"      # Every day at 2 AM
"0 0 3 * * 1,5"    # Monday and Friday at 3 AM
"0 0 0 1 * *"      # First of month at midnight
"0 30 1 * * 1-5"   # Weekdays at 1:30 AM

Password Complexity Format: "length,uppercase,lowercase,digits,special"

"32,5,5,5,5"       # 32 chars: 5 upper, 5 lower, 5 digits, 5 special
"16,3,3,3,3"       # 16 chars: 3 upper, 3 lower, 3 digits, 3 special
"64,10,10,10,10"   # 64 chars: 10 upper, 10 lower, 10 digits, 10 special

Delivery Section (Optional)

The "delivery" section controls direct vault sharing. When present, the PAM User record is shared directly to the specified user's Keeper vault. This section is independent from the email section — you can use either, both, or neither.

Field

Type

Required

Description

Default

share_to

string

Yes

Keeper vault email of recipient

transfer_ownership

boolean

Transfer record ownership to recipient

false

permissions.can_edit

boolean

Allow recipient to edit the record

false

permissions.can_share

boolean

Allow recipient to share the record

false

Warning: transfer_ownership is incompatible with password rotation. Transferring ownership moves the record out of the Gateway's control, which prevents automated password rotation. Use can_edit: true instead if the user needs to manage the record while keeping rotation active.

Email Section (Optional)

The "email" section controls email delivery with a one-time share link. When present with a valid config_name, a one-time share URL is generated and emailed to the recipient. This section is independent from the delivery section — you can use either, both, or neither.

Field

Type

Required

Description

Default

config_name

string

Yes

Email configuration name from Admin Console

send_to

string

Yes

Recipient email

"example@gmail.com"

subject

string

Email subject line

"Your New Credentials"

share_url_expiry

string

Share URL expiration time

"7d"

Share URL Expiration Time Format: y (year), mo (month), d (day), h (hour), mi (minute)

"7d"    # 7 days
"24h"   # 24 hours
"60mi"  # 60 minutes (use 'mi' NOT 'm')
"1mo"   # 1 month
"1y"    # 1 year

Executing the Automation

CLI Execution

The process of executing the Keeper automation is as follows:

Create a YAML file that defines the automation parameters

Call the Commander command:

credential-provision -c <PAM-CONFIG-UID> --config /path/to/config.yaml

# With pam_config_uid in YAML (deprecated — use -c instead)
credential-provision --config /path/to/config.yaml
# Dry run (validation only)
credential-provision -c <PAM-CONFIG-UID> --config /path/to/config.yaml --dry-run
# JSON output
credential-provision -c <PAM-CONFIG-UID> --config /path/to/config.yaml --output json

Service Mode / REST API Execution

For automated workflows triggered by JIRA, Okta, or other systems, use the Commander Service Mode REST API:

# Start Commander Service Mode with credential-provision enabled
service-create -p 5555 -q y -c "credential-provision,share-record,sync-down"
service-start

Then call the REST API:

POST /api/v2/executecommand-async
Headers:
  Content-Type: application/json
  api-key: <your-api-key>

Body:
{
  "command": "credential-provision -c <PAM-CONFIG-UID> --config-base64 <BASE64-YAML> --output json"
}

Check the result:

GET /api/v2/result/<request-id>
Headers:
  api-key: <your-api-key>

Example Configurations

Creates an AD admin account in a specific OU, adds to AD groups, configures rotation, and shares directly to the user's Keeper vault.

user:
  first_name: John
  last_name: Doe
  personal_email: john.doe@company.com

account:
  username_template: "{first_initial}{last_name}.adm"
  directory_uid: "XXXX-XXXX-XXXX"
  distinguished_name: "CN={username},OU=DomainAdmins,DC=company,DC=com"
  ad_groups:
    - "CN=Domain Admins,CN=Users,DC=company,DC=com"
    - "CN=VPN-Users,CN=Users,DC=company,DC=com"

vault:
  folder: "PAM-Admin"

rotation:
  schedule: "0 0 3 ? * 2"
  password_complexity: "24,4,4,4,4"

delivery:  # Direct vault sharing
  share_to: "john.doe@company.com"
  permissions:
    can_edit: true
    can_share: false

Execution

My Vault> credential-provision -c boj-GDQmTV-VGgBC3VRsow --config test.yaml
Loading configuration from: test.yaml
Resolved username: jdoe.adm
✅ Configuration validated
✅ AD user created: jdoe.adm
   Added jdoe.adm to AD group: CN=Domain Admins,CN=Users,DC=company,DC=com
   Added jdoe.adm to AD group: CN=VPN-Users,CN=Users,DC=company,DC=com
✅ Added to AD groups: CN=Domain Admins,CN=Users,DC=company,DC=com, CN=VPN-Users,CN=Users,DC=company,DC=com
✅ PAM User record created: g28IrIrHEfL1xnaEgeww7g
Selected 1 PAM record(s) for rotation
✅ Rotation configured
✅ Password rotation submitted
Record "g28IrIrHEfL1xnaEgeww7g" access permissions has been granted to user 'john.doe@company.com'
✅ Record shared to john.doe@company.com

Creates an AD admin account, shares to the user's vault, AND sends an email with a one-time share link.

user:
  first_name: Felipe
  last_name: Dias
  personal_email: fdias@company.com

account:
  username_template: "{first_initial}{last_name}.adm"
  directory_uid: "XXXX-XXXX-XXXX"
  distinguished_name: "CN={username},OU=DomainAdmins,DC=company,DC=com"

rotation:
  schedule: "0 0 3 ? * 2"
  password_complexity: "24,4,4,4,4"

delivery:  # Share to vault
  share_to: "fdias@company.com"
  permissions:
    can_edit: true

email:  # Also send email
  config_name: "Company-Mail-Server"
  send_to: "fdias@gmail.com"
  share_url_expiry: "7d"

Execution:

My Vault> credential-provision -c boj-GDQmTV-VGgBC3VRsow --config test.yaml
Loading configuration from: test.yaml
Resolved username: fdias.adm
✅ Configuration validated
✅ AD user created: fdias.adm
✅ PAM User record created: h72KxWpEfL1xnaEgeww7g
Selected 1 PAM record(s) for rotation
✅ Rotation configured
✅ Password rotation submitted
Record "h72KxWpEfL1xnaEgeww7g" access permissions has been granted to user 'fdias@company.com'
✅ Record shared to fdias@company.com
✅ Share URL generated for PAM User
[EMAIL] Sending email to fdias@gmail.com via smtp
[EMAIL] SMTP email sent to fdias@gmail.com via smtp.gmail.com
✅ Email with one-time share sent

Active Directory User with Email Delivery

user:
  first_name: John
  last_name: Doe
  personal_email: john.doe@company.com
  department: IT

account:
  username: john.doe-admin
  distinguished_name: "CN=john.doe-admin,CN=Users,DC=company,DC=com"

vault:
  folder: "PAM Users/IT Admins"

rotation:
  schedule: "0 0 3 ? * 2"
  password_complexity: "32,5,5,5,5"

email:  # Email delivery with one-time share link
  config_name: "Company-Mail-Server"
  send_to: "john.doe@gmail.com"

Execution

My Vault> credential-provision -c boj-GDQmTV-VGgBC3VRsow --config test.yaml
Loading configuration from: test.yaml
✅ Configuration validated
Selected 1 PAM record(s) for rotation
✅ PAM User created and linked
✅ Password rotation submitted
✅ Share URL generated for PAM User
[EMAIL] Sending email to john.doe@gmail.com via smtp
[EMAIL] SMTP email sent to john.doe@gmail.com via smtp.gmail.com
✅ Email with one-time share sent
My Vault>

Microsoft Entra ID User

user:
  first_name: Craig
  last_name: Lurey
  personal_email: craig@company.com
account:
  username: craig@company.com
rotation:
  schedule: "0 0 0 * * ?"
  password_complexity: "32,5,5,5,5"
email:
  config_name: "SMTP-Gmail"
  send_to: "craig@gmail.com"
  subject: "Your Microsoft Login"
  share_url_expiry: "7d"

Execution

My Vault> cp -c hGn4IdC_18KWCo7tPCKoqQ --output json --config test.yaml
Selected 1 PAM record(s) for rotation
[EMAIL] Sending email to craig@gmail.com via smtp
[EMAIL] SMTP email sent to craig@gmail.com via smtp.gmail.com
{
  "success": true,
  "pam_user_uid": "g28IrIrHEfL1xnaEgeww7g",
  "share_url": "https://keepersecurity.com/vault/share/#XXXXXXXX",
  "username": "craig@company.com",
  "employee_name": "Craig Lurey",
  "rotation_status": "synced",
  "email_status": "sent",
  "message": "Credential provisioning complete"
}

As a result, the PAM User record is created in the vault, rotated in the target directory and sent to the recipient as a one-time share that expires in 7 days.

Onboard Existing Account with Bring-Your-Own-Password

Onboards an Active Directory account that already exists in the target directory, using its current password. Commander stores the password in the vault and configures on-demand rotation, but does not touch AD during provisioning. When the operator clicks Rotate Now, Commander generates a fresh password and pushes it to the existing AD account.

user:
  first_name: Service
  last_name: Account
  personal_email: ops@company.com
  department: Infrastructure

account:
  username: svc-existing
  existing_password: "CurrentPasswordOnTargetAccount!"
  distinguished_name: "CN=svc-existing,OU=Service,DC=company,DC=com"

rotation:
  on_demand: true
  password_complexity: "32,5,5,5,5"
  rotate_on_provision: false

email:
  config_name: "Company-Mail-Server"
  send_to: "ops@company.com"

Execution:

My Vault> credential-provision -c boj-GDQmTV-VGgBC3VRsow --config byo-onboard.yaml --output json
{
  "success": true,
  "pam_user_uid": "pv2tDoPpCpqi3LTydG0igA",
  "username": "svc-existing",
  "employee_name": "Service Account",
  "rotation_status": "on_demand",
  "message": "Credential provisioning complete"
}

Record Creation Only (No Delivery)

Creates a PAM User record with rotation configured, but does not share or email the credential. An admin can share the record manually later.

user:
  first_name: System
  last_name: Account
  personal_email: admin@company.com

account:
  username: svc-backup

rotation:
  schedule: "0 0 0 1 * ?"
  password_complexity: "64,10,10,10,10"

Execution:

My Vault> credential-provision -c boj-GDQmTV-VGgBC3VRsow --config test.yaml
Loading configuration from: test.yaml
✅ Configuration validated
✅ PAM User record created: k92IrWpHEfL1xnaEgeww7g
Selected 1 PAM record(s) for rotation
✅ Rotation configured
✅ Password rotation submitted
✅ Record created (no delivery configured)

JSON Output (Service Mode)

{
  "success": true,
  "pam_user_uid": "g28IrIrHEfL1xnaEgeww7g",
  "username": "jdoe.adm",
  "employee_name": "John Doe",
  "rotation_status": "synced",
  "share_status": "shared",
  "shared_to": "john.doe@company.com",
  "message": "Credential provisioning complete"
}

Scheduled Rotation, Skip the Provisioning-Time Rotation

Creates the account with a Commander-generated password and configures cron-based rotation, but does not fire an immediate rotation at provisioning. The first rotation will happen at the next scheduled cron tick.

user:
  first_name: System
  last_name: Service
  personal_email: ops@company.com

account:
  username: svc-staged
  distinguished_name: "CN=svc-staged,CN=Users,DC=company,DC=com"

rotation:
  schedule: "0 0 3 1 * ?"          # First of every month at 3 AM UTC
  password_complexity: "32,5,5,5,5"
  rotate_on_provision: false        # NEW: skip immediate rotation; let cron handle it

Email Template

The recipient will receive an email containing an encrypted one-time share link.

When the user clicks "View Credentials", they are able to decrypt and view the credentials.

AD User Creation

When directory_uid and distinguished_name are provided in the account section, the command creates the user in Active Directory before creating the PAM User record in Keeper.

Requirements:

Gateway v1.8.0+ — AD user creation requires Gateway version 1.8.0 or later. The command will check the Gateway version and skip AD operations with a warning if the Gateway is below this version.
A pamDirectory record with directoryType=ad must exist in the Gateway's shared folder
The pamDirectory record must have admin credentials with permission to create users in the target OU
The directory_uid field must reference this pamDirectory record
ad_groups requires directory_uid to be set — the Gateway needs the PAM Directory record to know which AD to connect to for group operations
AD group DNs must be full distinguished names (e.g., CN=Group-Name,CN=Users,DC=domain,DC=com)

System-Specific Requirements

Active Directory - Distinguished Name is REQUIRED for multi-OU environments. Without it, rotation may fail if multiple users have the same username in different OUs.

Azure AD - Username MUST be in email format: user@domain.com OR DOMAIN\user

AWS IAM - Just use a plain username

pam - PAM subsystem management
email-config - Email configuration
sharing - Sharing commands
service-create - Create Commander Service Mode
service-start - Start Commander Service Mode

PreviousMSP Management Commands NextEmail Configuration Commands

Last updated 29 days ago

Good night

Overview

Commands

credential-provision

Use Case

Details

Parameters

Optional Parameters

Prerequisites

Security Constraints

YAML Configuration Structure

User Section (Required)

Account Section (Required)

Username Templates

Vault Section (Optional)

Rotation Section (Optional)

Delivery Section (Optional)

Email Section (Optional)

Executing the Automation

CLI Execution

Service Mode / REST API Execution

Example Configurations

Active Directory Admin Account with Direct Share

AD Account with Direct Share AND Email

Active Directory User with Email Delivery

Microsoft Entra ID User

Onboard Existing Account with Bring-Your-Own-Password

Record Creation Only (No Delivery)

Scheduled Rotation, Skip the Provisioning-Time Rotation

Email Template

AD User Creation

System-Specific Requirements

Related Commands