# Secrets Manager Share Commands

### Overview

Controls which **records or folders** (secrets) are accessible to a Secrets Manager App.

* Users "share" secrets with an App by linking them via this command.
* Users can also choose whether the app has **read-only** or **editable** access.

### Commands Supported

* [Secrets Manager Share Command](#secrets-manager-share)
* [Secrets Manager Unshare Command](#secrets-manager-unshare)

### Secrets Manager Share

This command associates a vault folder or record with a Secrets Manager Application, granting the app access to those secrets.

<details>

<summary>DotNet CLI</summary>

**Command:** `ksm`

**Action:** `share`

**Flags:**

* `--folder` : Shared Folder UID or name. "share", "unshare" only
* `-e, --can-edit` : Can secret be edited? "share", "unshare" only
* `--help` : Display this help screen.
* `--version` : Display version information.
* `value pos. 0` : KSM command: "view", "create", "delete", "share", "unshare", "add-client",\
  "delete-client", "list", "app-share", "app-unshare"
* `value pos. 1` : Secret Manager application UID or Title

**Example:**

```bash
My Vault > ksm share ksm_app_uid --folder folder_uid
  Application UID: ksm_app_uid
               Title: Test_Example Application

Shares
  #  Share Type    Share UID               Share Title                    Editable  Created           
---  ------------  ----------------------  -----------------------------  --------  ------------------
  1  SharedFolder  ksm_app_uid             Example Resources                 X         5/2/2025 9:53 AM

Devices
  #  Name                  Device ID  Created             Last Accessed     
---  --------------------  ---------  ------------------  ------------------
  1  Exmaple Application    4xeebo     5/2/2025 9:53 AM    7/8/2025 10:56 AM  
```

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** `ShareToSecretManagerApplication`

```csharp
Task<SecretsManagerApplication> ShareToSecretManagerApplication(string applicationId,
            string sharedFolderOrRecordUid, bool canEdit);
```

**Arguments:**

`applicationId` - ID of the KSM application with which the folder or record is shared

`sharedFolderOrRecordUid` - ID of the record or shared folder

`canEdit` - Boolean; whether the application is granted permission to edit the shared secret

</details>

<details>

<summary>PowerCommander</summary>

**Command:** `Grant-KeeperSecretManagerFolderAccess`

**Alias:** `ksm-share`

**Flags:**

* `-App` : Application UID
* `-Secret` : UID of the Secret/Record/Folder

**Example:**

```powershell
PS > Grant-KeeperSecretManagerFolderAccess -App ksm_app_uid  -Secret record_uid   

Uid                    Title                    IsExternalShare DeviceCount ShareCount
---                    -----                    --------------- ----------- ----------
ksm_app_uid            Example Application         False           7           6
```

</details>

<details>

<summary>Python CLI</summary>

**Command**: `secret-manager-share --command=<add/remove>`

**Parameters**:

* `--command` Add or remove
* `-a` `--app` Application Name or UID
* `-s` `--secret` Record UID - space separated (e.g., "uid1 uid2 uid3")

**Options**:

* `-e` `--editable` Whether the share is editable or not

**Example:**

```sh
My Vault> secrets-manager-share --command='add' -e -a='ksm_uid' -s='record_uid'

Successfully added secrets to app uid=ksm_uid, editable=True:
record_uid  Record
Share updates processed successfully
My Vault>
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
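# vault, enterprise_data, app_uid, app_uid_or_name, secret_uids and is_editable
# are assumed to be defined by the caller before this snippet runs.

# The application's key is stored as the record key of the app record.
master_key = vault.vault_data.get_record_key(record_uid=app_uid)
if not master_key:
    raise ValueError(f"Could not retrieve app key for application {app_uid}")

# Share the listed secrets with the application; is_editable=False keeps the share read-only.
added = ksm_management.KSMShareManagement.add_secrets_to_ksm_app(
    vault=vault,
    enterprise=enterprise_data,
    app_uid=app_uid,
    master_key=master_key,
    secret_uids=secret_uids,
    is_editable=is_editable,
)
print(f"Added {len(added)} secret(s) to KSM app '{app_uid_or_name}' (editable={is_editable}):")
for secret_uid, secret_type in added:
    print(f"  {secret_uid}  ({secret_type})")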

</details>

### Secrets Manager Unshare

This command removes a previously shared folder or record from a Secrets Manager Application, revoking its access to that secret.

<details>

<summary>DotNet CLI</summary>

**Command:** `ksm`

**Action:** `unshare`

**Flags:**

* `--folder` : Shared Folder UID or name. "share", "unshare" only
* `-e, --can-edit` : Can secret be edited? "share", "unshare" only
* `value pos. 1` : Secret Manager application UID or Title

**Example:**

```bash
My Vault > ksm unshare ksm_app_uid --folder folder_uid
  Application UID: ksm_app_uid
               Title: Test_Example Application

Shares
  #  Share Type    Share UID               Share Title                    Editable  Created           
---  ------------  ----------------------  -----------------------------  --------  ------------------

Devices
  #  Name                  Device ID  Created             Last Accessed     
---  --------------------  ---------  ------------------  ------------------
  1  Exmaple Application    4xeebo     5/2/2025 9:53 AM    7/8/2025 10:56 AM    
```

</details>

<details>

<summary>DotNet SDK</summary>

**Function:** `UnshareFromSecretManagerApplication`

```csharp
Task<SecretsManagerApplication> UnshareFromSecretManagerApplication(string applicationId,
            string sharedFolderOrRecordUid);
```

**Arguments:**

`applicationId` - ID of the KSM application from which the folder or record is unshared

`sharedFolderOrRecordUid` - ID of the record or shared folder whose permissions are being revoked

</details>

<details>

<summary>PowerCommander</summary>

**Command**: `Revoke-KeeperSecretManagerFolderAccess`

**Alias:** `ksm-unshare`

**Flags**:

* `-App` : Application UID
* `-Secret` : UID of the Secret/Record/Folder

**Example:**

```powershell
PS > Revoke-KeeperSecretManagerFolderAccess -App ksm_app_uid  -Secret record_uid 

Uid                    Title                    IsExternalShare DeviceCount ShareCount
---                    -----                    --------------- ----------- ----------
ksm_app_uid            Example Application         False           7           5
```

</details>

<details>

<summary>Python CLI</summary>

**Command**: `secret-manager-share --command=<add/remove>`

**Parameters**:

* `--command` Add or remove
* `-a` `--app` Application Name or UID
* `-s` `--secret` Record UID - space separated (e.g., "uid1 uid2 uid3")

**Example:**

```sh
My Vault> secrets-manager-share --command='remove' -a='ksm_uid' -s='record_uid'
Shared secrets were successfully removed from the application
```

</details>

<details>

<summary>Python SDK</summary>

**Function:**

```python
ksm_management.KSMShareManagement.remove_secrets_from_ksm_app(
    vault=vault,
    app_uid=app_uid,
    secret_uids=secret_uids,
)
```

</details>
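
A least-privilege check over the `Shares` table that the DotNet CLI prints after `ksm share` and `ksm unshare`, added here as an example and not part of Keeper's code: it parses the fixed-width table, lists editable shares that are not on an approved list, and confirms whether a UID is still shared. The sample rows are constructed, and the function names and the `approved` set are hypothetical.

```python
import re

# Column widths follow the `ksm share` output above; sample rows are constructed.
_FMT = "{:>3}  {:<12}  {:<22}  {:<29}  {:^8}  {}"

def make_output(rows):
    """Build constructed CLI output (Shares table only) for offline testing."""
    head = _FMT.format("#", "Share Type", "Share UID", "Share Title", "Editable", "Created")
    rule = "  ".join("-" * n for n in (3, 12, 22, 29, 8, 18))
    body = [_FMT.format(*r) for r in rows]
    return "\n".join(["  Application UID: ksm_app_uid", "", "Shares", head, rule, *body, "", "Devices"])

def parse_shares(output):
    """Return the rows of the Shares table as dicts keyed by column header."""
    lines = output.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "Shares"), None)
    if start is None or start + 2 >= len(lines):
        return []
    header, rule = lines[start + 1], lines[start + 2]
    spans = [m.span() for m in re.finditer(r"-+", rule)]
    if not spans:
        return []
    spans[-1] = (spans[-1][0], None)  # last column may run past the rule
    names = [header[a:b].strip() for a, b in spans]
    rows = []
    for line in lines[start + 3:]:
        if not line.strip():  # a blank line ends the table (empty after unshare)
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows

def editable_shares(output, approved=frozenset()):
    """UIDs shared as editable that are not on the approved list.
    Assumes any mark in the Editable column (an X above) means editable."""
    return [r["Share UID"] for r in parse_shares(output)
            if r["Editable"] and r["Share UID"] not in approved]

def is_shared(output, uid):
    """True if uid still appears in the Shares table, e.g. after an unshare."""
    return any(r["Share UID"] == uid for r in parse_shares(output))

if __name__ == "__main__":
    sample = make_output([
        (1, "SharedFolder", "folder_uid", "Example Resources", "X", "5/2/2025 9:53 AM"),
        (2, "Record", "record_uid", "Example Login", "", "5/2/2025 9:55 AM"),
    ])
    print("unapproved editable shares:", editable_shares(sample))
    print("record_uid still shared:", is_shared(sample, "record_uid"))
```
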

