
# PAM Record Types

## About

Privileged Access Manager (PAM) record types represent the privileged resources Keeper manages — users, machines, databases, directories, browser sessions — and the gateway configurations that rotate and connect to them. The Secrets Manager SDKs read these like any other record; identify them by the record's type (for example `record.type == "pamUser"`).

PAM resource records link to the `pamUser` credentials that operate them. Retrieving those links is covered on the [Linked Credentials](/keeperpam/secrets-manager/about/linked-credentials.md) page. For the standard (non-PAM) field and record types, see [Field/Record Types](/keeperpam/secrets-manager/about/field-record-types.md).

{% hint style="info" %}
PAM records carry the same `fileRef` and `oneTimeCode` fields as standard records. Most PAM resource records also hold a `trafficEncryptionSeed` used to derive PAM tunnel session keys — it is generated automatically and not something you set.
{% endhint %}

## PAM Field Types

These field types appear on PAM records in addition to the standard field types.

### pamHostname

A dictionary value (an alias of the standard `host` field) containing:

* `hostName` — Hostname or IP
* `port` — Remote port

Example:

```
{"hostName": "10.0.0.5", "port": "22"}
```

### pamSettings

Connection and port-forward settings for a PAM resource (SSH/RDP/VNC/Kubernetes). A dictionary value containing:

* `allowSupplyHost` — whether a host may be supplied at connect time
* `connection` — connection settings object
* `portForward` — port-forwarding settings object

### pamRemoteBrowserSettings

Settings for a remote browser isolation (RBI) session. A dictionary value containing:

* `connection` — connection settings object

### rbiUrl

A string value. The target URL for a browser-isolation session.

### script

A post-rotation script reference. A dictionary value containing:

* `fileRef` — UID of the script file attachment
* `command` — command to run
* `recordRef` — array of related record UIDs

### databaseType

A dropdown (string enum) selecting the database engine. Known values:

```
postgresql, postgresql-flexible, mysql, mysql-flexible,
mariadb, mariadb-flexible, mssql, oracle, mongodb
```

### directoryType

A dropdown (string enum) selecting the directory type. Known values: `active_directory`, `openldap`. Default: `active_directory`.

### trafficEncryptionSeed

A base64 string (32 random bytes) used to derive PAM tunnel session keys. Generated automatically on first tunnel start if absent.

### pamResources

Used by the configuration record types to declare the gateway and the resource set it manages. A dictionary value containing:

* `controllerUid` — the Keeper Gateway UID
* `folderUid` — the folder the configuration governs
* `resourceRef` — array of resource record UIDs
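
The value constraints listed in this section can be checked before a record is used for a connection or rotation. The following is an added example, not Keeper SDK code: it assumes the record has been exported as a dictionary with `fields` and `custom` lists of `{"type", "value": [...]}` entries (a layout this page does not show), the function names are hypothetical, and because the page does not say which base64 alphabet the seed uses, both are accepted.

```python
import base64

# Enum values copied from the databaseType and directoryType sections above.
DATABASE_TYPES = ("postgresql", "postgresql-flexible", "mysql", "mysql-flexible",
                  "mariadb", "mariadb-flexible", "mssql", "oracle", "mongodb")
DIRECTORY_TYPES = ("active_directory", "openldap")


def seed_length(value):
    """Decoded byte length of a base64 seed (either alphabet), or None if invalid."""
    try:
        s = value.replace("-", "+").replace("_", "/").rstrip("=")
        return len(base64.b64decode(s + "=" * (-len(s) % 4), validate=True))
    except (AttributeError, ValueError):  # binascii.Error is a ValueError
        return None


def check_field(ftype, value):
    """Return a list of problems for one field value (empty list means OK)."""
    if ftype == "pamHostname":
        if not isinstance(value, dict) or not value.get("hostName"):
            return ["pamHostname: hostName missing"]
        port = str(value.get("port", ""))
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            return [f"pamHostname: invalid port {port!r}"]
    elif ftype == "databaseType" and value not in DATABASE_TYPES:
        return [f"databaseType: unknown value {value!r}"]
    elif ftype == "directoryType" and value not in DIRECTORY_TYPES:
        return [f"directoryType: unknown value {value!r}"]
    elif ftype == "trafficEncryptionSeed" and seed_length(value) != 32:
        return [f"trafficEncryptionSeed: decodes to {seed_length(value)} bytes, expected 32"]
    return []


def check_record(record):
    """Check every value of every field in a record dict (assumed layout)."""
    problems = []
    for field in record.get("fields", []) + record.get("custom", []):
        for value in field.get("value", []):
            problems += check_field(field.get("type"), value)
    return problems


# Constructed sample record, not real data: bad port, bad enum, 16-byte seed.
SAMPLE = {"type": "pamDatabase", "fields": [
    {"type": "pamHostname", "value": [{"hostName": "10.0.0.5", "port": "70000"}]},
    {"type": "databaseType", "value": ["postgres"]},
    {"type": "trafficEncryptionSeed", "value": ["AAAAAAAAAAAAAAAAAAAAAA=="]},
]}
```

`check_record(SAMPLE)` returns one problem per field; the messages include only the port and enum values, never the seed itself.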

## PAM Resource Record Types

{% hint style="info" %}
Only a few fields are required by the record type itself (`pamUser` login, `pamMachine` hostname and port, `pamRemoteBrowser` URL). The Keeper Vault enforces additional requirements when you create a resource for connections or rotation (for example a PAM configuration, an administrative credential, and a database type) — see the [admin PAM resource guides](/keeperpam/privileged-access-manager/getting-started/pam-resources/pam-user.md).
{% endhint %}

### pamUser (PAM User)

The credential record other PAM resources link to.

| Field Type | UI Fields              |
| ---------- | ---------------------- |
| login      | Login *(required)*     |
| password   | Password               |
| secret     | Private PEM Key        |
| secret     | Private Key Passphrase |
| secret     | Public Key             |
| text       | Distinguished Name     |
| text       | Connect Database       |
| checkbox   | Managed User           |
| script     | Rotation Scripts       |

### pamMachine (PAM Machine)

An SSH/RDP/VNC/Kubernetes/RBI host.

| Field Type  | UI Fields                                  |
| ----------- | ------------------------------------------ |
| pamHostname | Hostname or IP Address / Port *(required)* |
| pamSettings | PAM Settings                               |
| text        | Operating System                           |
| text        | Instance Name                              |
| text        | Instance ID                                |
| text        | Provider Group                             |
| text        | Provider Region                            |
| script      | Rotation Scripts                           |

### pamDatabase (PAM Database)

A database host.

| Field Type   | UI Fields                     |
| ------------ | ----------------------------- |
| pamHostname  | Hostname or IP Address / Port |
| databaseType | Database Type                 |
| checkbox     | Use SSL *(default: on)*       |
| text         | Database ID                   |
| pamSettings  | PAM Settings                  |
| text         | Provider Group                |
| text         | Provider Region               |
| script       | Rotation Scripts              |

### pamDirectory (PAM Directory)

An LDAP / Active Directory host.

| Field Type    | UI Fields                                       |
| ------------- | ----------------------------------------------- |
| pamHostname   | Hostname or IP Address / Port                   |
| directoryType | Directory Type *(Active Directory or OpenLDAP)* |
| checkbox      | Use SSL                                         |
| text          | Domain Name                                     |
| multiline     | Alternative IPs                                 |
| text          | Directory ID                                    |
| text          | User Match                                      |
| pamSettings   | PAM Settings                                    |
| text          | Provider Group                                  |
| text          | Provider Region                                 |
| script        | Rotation Scripts                                |

### pamRemoteBrowser (PAM Remote Browser)

A browser-isolated session record.

| Field Type               | UI Fields           |
| ------------------------ | ------------------- |
| rbiUrl                   | URL *(required)*    |
| pamRemoteBrowserSettings | Connection Settings |

{% hint style="info" %}
`pamRemoteBrowser` is referred to internally as `RFT_PAM_BROWSER` in the GraphSync graph. Both names mean the same record type — use `pamRemoteBrowser` in SDK code.
{% endhint %}

## PAM Configuration Record Types

Configuration records tie a Keeper Gateway to the resources it manages and rotates. Every configuration type requires a `pamResources` field (gateway + resource set) and a `schedule` field labeled `defaultRotationSchedule`.

### pamAwsConfiguration (PAM AWS Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| text         | AWS ID *(required)*                    |
| secret       | Access Key ID                          |
| secret       | Access Secret Key                      |
| multiline    | Region Names                           |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |

### pamAzureConfiguration (PAM Azure Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| text         | Azure ID *(required)*                  |
| secret       | Client ID *(required)*                 |
| secret       | Client Secret *(required)*             |
| secret       | Subscription ID *(required)*           |
| secret       | Tenant ID *(required)*                 |
| multiline    | Resource Groups                        |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |

### pamGcpConfiguration (PAM GCP Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| text         | GCP ID *(required)*                    |
| email        | Google Admin Email                     |
| json         | Service Account Key *(required)*       |
| multiline    | GCP Region Name                        |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |

### pamDomainConfiguration (PAM Domain Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| pamHostname  | Hostname or IP Address / Port          |
| text         | Domain ID                              |
| text         | User Match                             |
| checkbox     | Use SSL                                |
| checkbox     | Scan Domain Controller CIDR            |
| text         | Network CIDR                           |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |

### pamLocalConfiguration (PAM Local Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| text         | Local ID *(required)*                  |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |

### pamNetworkConfiguration (PAM Network Configuration)

| Field Type   | UI Fields                              |
| ------------ | -------------------------------------- |
| pamResources | Gateway and Resources *(required)*     |
| schedule     | Default Rotation Schedule *(required)* |
| text         | Network ID                             |
| text         | Network CIDR                           |
| multiline    | Port Mapping                           |
| script       | Rotation Scripts                       |
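
The *(required)* markers in the tables above can be turned into a pre-flight check that reports which record-type-level requirements a record fails. This is an added example, not Keeper SDK code: it assumes a record exported as a dictionary with a `fields` list of `{"type", "label", "value": [...]}` entries (a layout this page does not show), and the function names are hypothetical.

```python
# Configuration record types listed on this page.
CONFIG_TYPES = ("pamAwsConfiguration", "pamAzureConfiguration", "pamGcpConfiguration",
                "pamDomainConfiguration", "pamLocalConfiguration",
                "pamNetworkConfiguration")

# Required field types per record type, from the tables above. Requirements the
# tables give only by UI name (for example "AWS ID") are not checked, because
# the page does not give the labels those fields are stored under.
REQUIRED = {"pamUser": ["login"], "pamMachine": ["pamHostname"],
            "pamDatabase": [], "pamDirectory": [], "pamRemoteBrowser": ["rbiUrl"]}
REQUIRED.update({t: ["pamResources", "schedule"] for t in CONFIG_TYPES})


def populated(record, ftype, label=None):
    """True if a field of this type (and label, if given) has a non-empty value."""
    for field in record.get("fields", []):
        if field.get("type") == ftype and label in (None, field.get("label")):
            if any(v not in ("", None, {}, []) for v in field.get("value", [])):
                return True
    return False


def missing_required(record):
    """List required field types that are absent or empty; None if not a PAM type."""
    rtype = record.get("type")
    if rtype not in REQUIRED:
        return None
    missing = []
    for ftype in REQUIRED[rtype]:
        # The page states the schedule field is labeled defaultRotationSchedule.
        label = "defaultRotationSchedule" if ftype == "schedule" else None
        if not populated(record, ftype, label):
            missing.append(ftype)
    return missing


# Constructed sample records, not real data; UIDs and values are placeholders.
MACHINE = {"type": "pamMachine", "fields": [{"type": "pamHostname", "value": []}]}
AWS_CONFIG = {"type": "pamAwsConfiguration", "fields": [
    {"type": "pamResources", "value": [{"controllerUid": "GATEWAY_UID_PLACEHOLDER",
                                        "folderUid": "", "resourceRef": []}]},
    {"type": "schedule", "label": "rotation", "value": [{"placeholder": "schedule"}]},
]}
```

`missing_required(MACHINE)` reports the empty `pamHostname`, and `missing_required(AWS_CONFIG)` reports `schedule` because the field present does not carry the `defaultRotationSchedule` label. An empty list for `pamDatabase` or `pamDirectory` only means the record type itself is satisfied; the Vault's additional connection and rotation requirements are not covered.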

## Reading a PAM Record Type

Get the schema for any PAM record type with Keeper Commander, the same way as a custom record type:

```
My Vault> rti --format json -lr pamUser --output pamUser.json
```


