# SaaS Configuration Field Reference

### Overview

Each selected plugin creates a login record with pre-populated custom fields specific to that integration. All fields are blank by default and must be configured before rotation can be performed.

### Okta Configuration Record

| Custom Field Name | Description                                                                  | Required? |
| ----------------- | ---------------------------------------------------------------------------- | --------- |
| SaaS Type         | Okta                                                                         | Yes       |
| Active            | Activate/Deactivate a SaaS rotation. The default is active.                  | No        |
| Okta URL          | The URL of the customer login portal, where users log in.                    | Yes       |
| Okta Token        | The API token created on the **Security** → **API** → **Tokens** admin page. | Yes       |

***

### Snowflake Configuration Record

| Custom Field Name        | Description                                                 | Required? |
| ------------------------ | ----------------------------------------------------------- | --------- |
| SaaS Type                | Snowflake                                                   | Yes       |
| Active                   | Activate/Deactivate a SaaS rotation. The default is active. | No        |
| Snowflake Admin User     | An admin username                                           | Yes       |
| Snowflake Admin Password | The password for the admin username.                        | Yes       |
| Snowflake Account        | The account. It is the subdomain of the URL.                | Yes       |

***

### REST Configuration Record

| Custom Field Name | Description                                                               | Required? |
| ----------------- | ------------------------------------------------------------------------- | --------- |
| SaaS Type         | REST                                                                      | Yes       |
| Active            | Activate/Deactivate a SaaS rotation. The default is active.               | No        |
| REST Url          | URL to the web service.                                                   | Yes       |
| REST Token        | A header Bearer token. This must be static. It cannot be generated.       | Yes       |
| REST Method       | The HTTP Method to use. The default is POST. Valid values are: POST, PUT. | No        |

***

### AWS Access Key Configuration Record

| Custom Field Name                                 | Description                                                                                                                                                                                                                                                                                                                                           | Required? |
| ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| SaaS Type                                         | AWS Access Key                                                                                                                                                                                                                                                                                                                                        | Yes       |
| Active                                            | Activate/Deactivate a SaaS rotation. The default is active.                                                                                                                                                                                                                                                                                           | No        |
| AWS Access Key ID for the Administrative role     | **Admin** Access Key ID                                                                                                                                                                                                                                                                                                                               | No        |
| AWS Secret Access Key for the Administrative role | **Admin** Secret Access Key                                                                                                                                                                                                                                                                                                                           | No        |
| Region Name                                       | Region name. This can be left blank unless GovCloud. A value is required for GovCloud.                                                                                                                                                                                                                                                                | No        |
| AWS Clean Keys                                    | <p>Remove old Access Keys. If not set, will default to ‘All’</p><ul><li>All - Will remove all the access keys.</li><li>Oldest - Will remove the oldest access key if both Access Key slots are filled.</li><li>Replace - Will replace the Access Key used in the Vault record. If there are two Access Keys, the other will not be removed.</li></ul> | No        |

Note: The admin access key does *not* need to be set if you are using an EC2 instance with an attached IAM role or using an AWS configuration. The plugin will get its credentials from the following in the specified order.

1. SaaS Configuration Record - Ensure that the Access Key and Secret Key
2. AWS PAM Configuration - See the [AWS Environment Setup](/keeperpam/privileged-access-manager/getting-started/pam-configuration/aws-environment-setup.md) for details

#### Assigning Permissions

Ensure that the roles assigned to your AWS PAM Configuration, or to the specific administrative access key / secret key, include the following policy, which is required to rotate a target access key:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "arn:aws:iam::YOUR_AWS_ACCOUNT_ID_HERE:user/*"
    }
  ]
}
```
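A preflight check for the policy above, as an added example that is not part of the Keeper plugin: it confirms that a policy document grants the three listed actions on one target user and reports any wildcard `Resource` pattern, such as `user/*`, that extends the grant to other users. The account ID, user name and function names are constructed for illustration.

```python
import json
import re

# The three IAM actions the policy on this page grants for key rotation.
REQUIRED_ACTIONS = ("iam:CreateAccessKey", "iam:ListAccessKeys", "iam:DeleteAccessKey")

# Constructed sample: the page's policy with a placeholder account ID filled in.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "arn:aws:iam::111122223333:user/*",
    }],
})


def _as_list(value):
    """IAM accepts a single string or object where a list is allowed."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def check_rotation_policy(policy_json, target_user_arn):
    """Static check of Allow statements only; Deny, NotAction and Condition are not evaluated."""
    granted, wildcard_resources = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        covering = [r for r in _as_list(stmt.get("Resource")) if _matches(r, target_user_arn)]
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        hit = {a for a in REQUIRED_ACTIONS if any(_matches(p, a.lower()) for p in actions)}
        if covering and hit:
            granted |= hit
            wildcard_resources |= {r for r in covering if "*" in r or "?" in r}
    return {
        "missing": [a for a in REQUIRED_ACTIONS if a not in granted],
        "wildcard_resources": sorted(wildcard_resources),
    }


if __name__ == "__main__":
    print(check_rotation_policy(SAMPLE_POLICY, "arn:aws:iam::111122223333:user/svc-reporting"))
```

An empty `missing` list means rotation has the actions it needs. A non-empty `wildcard_resources` list marks where the `Resource` can be narrowed to the ARNs of the users whose keys are actually rotated.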

***

### Azure Client Secret Configuration Record

| Custom Field Name              | Description                                                                                                                                                                | Required? |
| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| SaaS Type                      | Azure Client Secret                                                                                                                                                        | Yes       |
| Active                         | Activate/Deactivate a SaaS rotation. The default is active.                                                                                                                | No        |
| Azure **Target** Object ID     | The **target** Azure Entra ID application. This is the object ID of the application which is being rotated.                                                                | Yes       |
| Expiry Days                    | The number of days before the secret expires. Default is 365 days.                                                                                                         | No        |
| Azure Tenant ID                | The Directory (tenant) ID of the Azure Entra ID. This is for both the admin and target application.                                                                        | No        |
| Azure **Admin** Application ID | The Application (client) ID for the **Administrative** app which is performing the rotation (NOT the target).                                                              | No        |
| Azure **Admin** Client Secret  | This is the Secret **value** for the administrative application.                                                                                                           | No        |
| Azure Authority                | Special URL for MSAL to request tokens.                                                                                                                                    | No        |
| Azure Graph Endpoint           | Special URL for Azure Graph scope.                                                                                                                                         | No        |
| Azure Clean Keys               | <p>Remove old Access Keys upon every rotation.</p><ul><li>All - Will remove all the secrets.</li><li>Replace - Will replace the secret used in the Vault record.</li></ul> | No        |

Note: The administrative application ID and client secret do *not* need to be set if you are using a PAM Configuration that already has the necessary Azure permissions.

The plugin will get its credentials from the following in the specified order.

1. SaaS Configuration Record
2. Azure PAM Configuration

#### Assigning Permissions to Admin Application

In order for the target secret to be rotated, the administrative application must have the necessary Azure role permissions.

**Required Microsoft Graph Permissions:**

* `Application.ReadWrite.All`

**How to Assign:**

* Go to **Azure Portal > Azure Active Directory > App registrations**
* Select your Administrative app (the one that will rotate secrets)
* Go to **API permissions > Add a permission**
  * Choose **Microsoft Graph**
  * Select **Application permissions**
  * Search and select:
    * `Application.ReadWrite.All`
  * Click **Add permissions**
* Then click **Grant admin consent** for the tenant

***

### Cisco IOS XE Configuration Record

| Custom Field Name | Description                                                 | Required? |
| ----------------- | ----------------------------------------------------------- | --------- |
| SaaS Type         | Cisco IOS XE                                                | Yes       |
| Active            | Activate/Deactivate a SaaS rotation. The default is active. | No        |
| Admin Username    | The administrator’s username.                               | Yes       |
| Admin Password    | The administrator’s password.                               | Yes       |
| Hostname          | Hostname or IP of the web service.                          | Yes       |
| Verify SSL        | Verify server’s SSL certificate. Default is FALSE.          | No        |

***

### Cisco Meraki Configuration Record

| Custom Field Name | Description                                                                                                                                                                                               | Required? |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- |
| SaaS Type         | Cisco Meraki                                                                                                                                                                                              | Yes       |
| Active            | Activate/Deactivate a SaaS rotation. The default is active.                                                                                                                                               | No        |
| Admin Email       | The administrator’s email address                                                                                                                                                                         | Yes       |
| API Key           | The API Key generated in the admin’s profile, in the API access section.                                                                                                                                  | Yes       |
| Network ID        | <p>The Network ID.</p><p>If blank, an attempt will be made to find the network id. If the customer has only one organization, and only one network in that organization, it will use that network id.</p> | No        |
| Verify SSL        | Verify server’s SSL certificate. Default is FALSE.                                                                                                                                                        | No        |

API: [Cisco Meraki OpenAPI Document](https://developer.cisco.com/meraki/api-v1/)

