# PAM Configuration

## Overview In Keeper, the **PAM Configuration** contains essential information of your target infrastructure, settings and associated Keeper Gateway. We recommend setting up one PAM Configuration for each Gateway and network being managed. ## Creating PAM Configuration To create a new PAM Configuration: * Login to the Keeper Vault * Select Secrets Manager and the "PAM Configurations" tab * Click on "New Configuration" ## PAM Configuration Fields When setting up the PAM Configuration, you have the option of choosing one of the following environments: * [Local Network](#local-network-environment) * [AWS](#aws-environment) * [Azure](#aws-environment) * [Google Cloud](#google-cloud-environment) * [Domain Controller](#domain-controller-environment) The following tables provides more details on each configurable fields in the PAM Configuration record regardless of the environment you choose:

Field	Description	Notes
Title	Name of PAM configuration record	Ex: `US-EAST-1 Config`
Gateway	The configured gateway	See docs for more info
Application Folder	The shared folder where the PAM Configuration data will be stored	Best practice is to create a folder with limited access to admins. See Security Note (1) below
PAM Settings	List of Zero-Trust KeeperPAM features that should be enabled	See this section for more info
Default Rotation Schedule	Specify frequency of Rotation	Ex: `Daily`
Port Mapping	Define alternative default ports	Ex: `3307=mysql` See port mapping docs

{% hint style="danger" %} **Security Note (1)**\ \ The PAM Configuration information is stored as a record in the vault inside the specified **Application Folder** and may contain secrets. Therefore, we recommend that the Application Folder should be limited in access to only privileged admins. {% endhint %} The following tables provides more details on each configurable fields in the PAM Network Configuration record based on the environment you chose: ### Local Network Environment

Field Description Notes

Network ID

Unique ID for the network

Field	Description	Notes
Network ID	Unique ID for the network	This is for the user's reference Ex: `My Network`
Network CIDR	Subnet of the IP address	Ex: `192.168.0.15/24` Refer to this for more info

This is for the user's reference

Ex: My Network

Network CIDR Subnet of the IP address Ex: 192.168.0.15/24
Refer to this for more info

### AWS Environment

Field	Description	Notes
AWS ID	A unique id for the instance of AWS	Required, This is for the user's reference Ex: `AWS-US-EAST-1`
Access Key ID	From an IAM user account, the Access key ID from the desired Access key.	Leave Empty when EC2 instance role is assumed.
Secret Access Key	The secret key for the access key.	Leave Empty when EC2 instance role is assumed.
Region Names	AWS region names used for discovery. Separate newline per region	Ex: us-east-2 us-west-1
Port Mapping	Any non-standard ports referenced. Separate newline per entry	Ex: 2222=ssh 3390=rdp

* See additional information on [AWS Environment Setup](/keeperpam/privileged-access-manager/getting-started/pam-configuration/aws-environment-setup.md) ### Azure Environment

Field	Description	Notes
Azure ID	A unique id for your instance of Azure	Required, This is for the user's reference Ex: `Azure-1`
Client ID	The application/client id (UUID) of the Azure application	Required
Client Secret	The client credentials secret for the Azure application	Required
Subscription ID	The UUID of the subscription (i.e. Pay-As-You-GO).	Required
Tenant ID	The UUID of the Azure Active Directory	Required
Resource Groups	A list of resource groups to be checked. If left blank, all resource groups will be checked. Newlines should separate each resource group.

* See additional information on [Azure Environment Setup](/keeperpam/privileged-access-manager/getting-started/pam-configuration/azure-environment-setup.md) ### Google Cloud Environment

Field	Description	Notes
GCP ID	A unique id for the instance of Google Cloud	Required, This is for the user's reference. Example: `GCP-US-CENTRAL1`
Google Workspace Administrator Email	The email address for a Google Workspace administrator account that can be used to manage passwords for GCP Principals.	Leave Empty if no such account exists, or if the environment does not require Principal rotation.
Service Account Key	The service account key in JSON format.	Required. Example: `{ "type": "service_account", "project_id": "<project-id>", "private_key_id": "<private-key-id>", "private_key": "<private-key>", "client_email": "<client-email>", "client_id": "<client-id>", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<app-identifier>.iam.gserviceaccount.com" }`
Region Names	AWS region names used for discovery. Separate newline per region	Example: us-east4 us-south1
Port Mapping	Any non-standard ports referenced. Separate newline per entry	Example: 2222=ssh 3390=rdp

* See additional information on [Google Cloud Environment Setup](/keeperpam/privileged-access-manager/getting-started/pam-configuration/google-cloud-environment-setup.md) ### Domain Controller Environment | Field | Description | Required | | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | Administrative Credential | Credentials of a domain administrator or an account with equivalent privileges, required to perform full discovery and access all domain resources | Yes | | Hostname and Port | Hostname and port for the domain controller. | Yes | | Domain ID | The FQDN domain used by the Domain Controller. For example, EXAMPLE.COM and not EXAMPLE. | Yes | | Use SSL | If using LDAPS (default 636), check the box. If using LDAP (default 389), uncheck the box. | Yes | | Scan Network | Scan the CIDRs from the domain controller. Default to False. | No | | Network CIDR | Scan additional CIDRs from the field. | No | | Port Mapping | Define alternative default ports | No | ## PAM Features on PAM Configuration The **"PAM Features Allowed"** and **"Session Recording Types Allowed"** sections in the PAM Configuration allow owners to enable or disable KeeperPAM features for resources managed through the PAM configuration:

Field	Description
Rotation	If enabled, allow rotations on privileged user users managed by this PAM configuration
Connections	If enabled, allow connections on resources managed by this PAM configuration
Remote Browser Isolation (RBI)	If enabled, allow RBI sessions on resources managed by this PAM configuration
Tunneling	If enabled, allow tunnels on resources managed by this PAM configuration
Graphical Session Recording	If enabled, visual playback sessions will be recorded for all connections and RBI sessions
Text Session Recording (TypeScript)	If enabled, text input and output logs will be logged for all connections and RBI sessions

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/privileged-access-manager/getting-started/pam-configuration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.