JetBrains Plugin

Keeper Secrets Manager plugin for JetBrains IDEs development environment

About

JetBrains IDEs are powerful integrated development environments used by millions of developers worldwide for building applications across various programming languages and frameworks. Whether you're developing in Java, Python, JavaScript, or any other supported language, JetBrains IDEs provide comprehensive tools for coding, debugging, and deployment.

The Keeper Security plugin allows JetBrains IDE users to integrate with Keeper Security vault to make managing secrets in development workflows easier and more secure. The plugin enables developers to replace hardcoded secrets with vault references and execute commands with injected credentials without exposing sensitive data.

Features

Secret Management: Save, retrieve, and generate secrets directly from JetBrains IDEs using the Keeper Vault
Secure Execution: Run commands with secrets injected from the Keeper Vault through .env file processing
HTTP Client Integration (IntelliJ IDEA Ultimate / WebStorm / GoLand): Reference vault secrets directly in .http request files using the {{$keeper("uid","field")}} dynamic variable — no plaintext values in request files
Run Configurations: Save a Run Keeper Securely configuration (.env path, working directory, command) under Run → Edit Configurations with output streaming to the Run tool window
Folder Management: Select and manage Keeper vault folders for organized secret storage
Record Operations: Create new records, update existing ones, and retrieve field references
Cross-platform support: Windows, macOS, Linux

Prerequisites

Keeper Commander CLI
- Must be installed and authenticated on your system
- Download from Keeper Commander Installation Guide
- Authenticate using Persistent login or Biometric login
- Keeper Security Account: Active subscription with vault access
System Requirements
- JetBrains IDE: Version 2021.1 or later (IntelliJ IDEA, PyCharm, WebStorm, PhpStorm, RubyMine, CLion, GoLand)
- Java: Version 11 or later
- Python: Version 3.6+ (required for Keeper Commander CLI)

Setup

Installation

Using JetBrains Marketplace

Open your JetBrains IDE
Go to File → Settings → Plugins (or IntelliJ IDEA → Preferences → Plugins on macOS)
Search for "Keeper Security"
Click "Install" and restart the IDE

Authentication

The plugin supports two authentication methods through Keeper Commander CLI:

Method 1: Biometric Authentication

# Login to Keeper
keeper shell

# Register biometric authentication
biometric register

# Follow prompts to set up biometric authentication

Method 2: Persistent Login

# Login to Keeper
keeper shell

# Register device for persistent login
this-device register

# Enable persistent login
this-device persistent-login on

# Verify configuration
this-device

Plugin Verification

Open any JetBrains IDE
Go to Tools → Keeper Vault → Check Keeper Authorization
Verify the authentication status shows success

Usage

All Keeper actions are available through:

Tools Menu: Tools → Keeper Vault → [Action]
Right-click Context Menu: Right-click in editor → [Action]

Available Commands

Command

Description

Use Case

Check Keeper Authorization

Verify Keeper CLI installation and authentication status

Troubleshoot connection issues and verify setup

Get Keeper Secret

Insert existing secrets from vault as references

Retrieve stored secrets without exposing actual values

Add Keeper Record

Save selected text as secret in vault and replace with reference

Replace hardcoded secrets with vault references

Update Keeper Record

Update existing vault record with new value from selected text

Modify existing secrets while maintaining references

Generate Keeper Secret

Generate secure password and store in vault

Create new secure credentials automatically

Get Keeper Folder

Select vault folder for organizing new records

Organize secrets in specific vault folders

Run Keeper Securely

Execute a command with secrets injected from a .env file — either as a one-off from the Tools menu or as a saved run configuration under Run → Edit Configurations

Run applications or scripts with vault-backed environment variables

Get Keeper Secret (in .http file)

Inserts {{$keeper("uid","field")}} at cursor in JetBrains HTTP Client request files (Ultimate / WebStorm only)

Inject vault secrets directly into HTTP requests without exposing values

Basic Secret Management

Retrieving Existing Secrets

# Position cursor where you want the secret reference
database_password = |

# Use: Tools → Keeper Vault → Get Keeper Secret
# Select record and field from vault
# Result:
database_password = keeper://abc123def456/field/password

Adding New Secrets

// Select the secret text
const apiKey = "sk-1234567890abcdef";

// Use: Right-click → Add Keeper Record
// Enter title and field name
// Result:
const apiKey = keeper://new-record-uid/field/api_key;

Generating Secure Passwords

# Position cursor
admin_password: |

# Use: Tools → Keeper Vault → Generate Keeper Secret
# Enter record details
# Result:
admin_password: keeper://generated-record-uid/field/password

Secure Command Execution

Environment File Setup

Create a .env file with Keeper references, for example:

DATABASE_URL=keeper://db-record-uid/field/connection_string
API_KEY=keeper://api-record-uid/field/key
SECRET_KEY=keeper://app-record-uid/field/secret
JWT_SECRET=keeper://auth-record-uid/field/jwt_key

Running Commands with Injected Secrets

Option 1: Quick run (right-click action)

Right-click in your project → Run Keeper Securely
Select or confirm the .env file
Enter your command (e.g., python3 app.py)
Plugin fetches secrets and creates terminal with injected environment variables

# Plugin executes your command with actual values:
python3 app.py
# Environment contains:
# DATABASE_URL=postgresql://user:pass@host:5432/db
# API_KEY=ak_live_1234567890abcdef
# SECRET_KEY=super-secret-key-value
# JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Option 2: Saved Run Configuration (recommended for repeat runs)

Available since plugin version 1.1.0.

Go to Run → Edit Configurations… → + → Run Keeper Securely
Fill in the three fields:
- Environment file (.env) — path to your .env file containing keeper:// references
- Working directory — leave empty to use the project root
- Command — the command to run (e.g. python main.py, node app.js)
Click OK and run with the standard Run/Debug toolbar buttons
Output and errors stream directly into the Run tool window — supports re-running, stopping, and full output history

New configurations automatically prefill the Python interpreter (from project SDK or detected venv) and common entry scripts (main.py / app.py / run.py) when found in the project root.

Complete Workflow Example

# 1. Start with hardcoded secrets (bad practice)
import os
import requests

DB_PASSWORD = "hardcoded_password_123"
API_TOKEN = "secret_api_token_xyz"

# 2. Select and replace with vault references
# Use: Add Keeper Record for each secret
DB_PASSWORD = keeper://db-creds-uid/field/password
API_TOKEN = keeper://api-creds-uid/field/token

# 3. Create .env file for secure execution
# .env contents:
# DB_PASSWORD=keeper://db-creds-uid/field/password
# API_TOKEN=keeper://api-creds-uid/field/token

# 4. Run application securely
# Use: Run Keeper Securely with command "python3 my_app.py"

HTTP Client Integration

Available since plugin version 1.1.0.
Requirement: This feature requires an IDE that bundles the JetBrains HTTP Client plugin — IntelliJ IDEA Ultimate, WebStorm, or GoLand. IntelliJ IDEA Community Edition does not include it. The rest of the Keeper plugin works normally on Community.

The Keeper plugin registers a $keeper dynamic variable for the JetBrains HTTP Client. Use it in any .http or .rest file to reference a vault secret without typing the actual value.

Syntax

{{$keeper("RECORD_UID", "field-name")}}

RECORD_UID — the Keeper record UID (same as in keeper://UID/field/...)
field-name — the field path (e.g. password, login, custom.api_key)

Example

Authenticated API call

GET https://api.example.com/v1/resource
Authorization: Bearer {{$keeper("abc123def456", "password")}}
Content-Type: application/json

Basic auth

POST https://api.example.com/v1/login
Content-Type: application/json 

{
    "username": "{{$keeper("abc123def456", "login")}}",
    "password": "{{$keeper("abc123def456", "password")}}"
}

Inserting via Get Keeper Secret

Instead of typing the UID manually:

Open a .http file and position the cursor where you want the reference
Tools → Keeper Vault → Get Keeper Secret (or right-click → Get Keeper Secret)
Select a record and field from the vault list
The plugin inserts {{$keeper("uid","field")}} automatically at the cursor

Actions Reference

Check Keeper Authorization

Verifies Keeper CLI installation and authentication status.

Usage: Tools → Keeper Vault → Check Keeper Authorization

Purpose: Troubleshoot connection issues and verify setup

Get Keeper Secret

Retrieves existing secrets from vault as references.

Usage: Position cursor, then Tools → Keeper Vault → Get Keeper Secret

Properties:

Input: Cursor position in editor
Output: Keeper reference inserted at cursor — format depends on the file type:

File type

Inserted format

.env, .py, .js, scripts, etc.

keeper://record-uid/field/field-name

.http / .rest (HTTP Client)

{{$keeper("record-uid","field-name")}}

Add Keeper Record

Creates new vault record from selected text and replaces with reference.

Usage: Select text, then right-click → Add Keeper Record

Properties:

Input: Selected text containing secret
Output: Selected text replaced with Keeper reference
Prompts: Record title, field name

Update Keeper Record

Updates existing vault record with new value from selected text.

Usage: Select text, then right-click → Update Keeper Record

Properties:

Input: Selected text with updated secret value
Output: Text replaced with existing record reference
Selection: Choose existing record and field to update

Generate Keeper Secret

Generates secure password and stores in vault.

Usage: Position cursor, then Tools → Keeper Vault → Generate Keeper Secret

Properties:

Input: Cursor position
Output: Generated secure password reference
Configuration: Automatic strong password generation

Get Keeper Folder

Selects vault folder for organizing new records.

Usage: Tools → Keeper Vault → Get Keeper Folder

Properties:

Purpose: Set default folder for new records
Scope: Applies to current workspace/project
Persistence: Selection remembered across IDE sessions

Run Keeper Securely

Executes commands with secrets injected from .env file.

Usage: Right-click in project → Run Keeper Securely

Properties:

Input: .env file with Keeper references
Process: Fetches actual secret values from vault
Output: Terminal with injected environment variables
Security: No secret values exposed in IDE or file system

Option: Saved Run Configuration (Available since plugin version 1.1.0.)

In addition to the right-click action, Run Keeper Securely is also available as a persistent run configuration type.

Usage: Run → Edit Configurations → + → Run Keeper Securely

Properties:

Environment file: Path to the .env file with keeper:// references (relative or absolute)
Working directory: Directory the command runs in; empty defaults to the project root
Command: Full command string (e.g. python main.py, node server.js, ./gradlew run)
Output: Streams to the Run tool window — supports stop, re-run, and scrollable history
Security: Secrets are resolved in memory and injected as environment variables; no secret values are written to disk

Platforms

The following platforms are supported:

Linux: Ubuntu 18.04+, CentOS 7+, RHEL 7+, Debian 9+, Fedora 30+
macOS: 10.14+ (Mojave and later)
Windows: Windows 10+, Windows Server 2016+

Requirements

JetBrains IDEs

IntelliJ IDEA: 2021.1+
PyCharm: 2021.1+
WebStorm: 2021.1+
PhpStorm: 2021.1+
RubyMine: 2021.1+
CLion: 2021.1+
GoLand: 2021.1+
DataGrip: 2021.1+
Rider: 2021.1+

Dependencies

Java Runtime: 11+ (provided by JetBrains IDE)
Python: 3.6+ (for Keeper Commander CLI)
pip: Latest version (for CLI installation)

PreviousJenkins Plugin NextJira Workflow

Last updated 21 days ago