CLI password retrieval
Pull records from the Keeper Vault using Commander commands.

Keeper Secrets Manager

If you are looking for a scalable, purpose-built solution for retrieving secrets in production environments, you should use Keeper Secrets Manager. This section describes a legacy component that requires a master password to be saved, or a token that must be refreshed at most every 30 days.
Legacy Feature Alert
For proper Secrets Management please see the Keeper Secrets Manager.

Password Retrieval API

A common use case for Commander is pulling credentials from the vault to replace hard-coded passwords, and to automate processes within CI/CD pipelines. The recommended architecture is to isolate vault access to specific "service account" vaults in order to limit access. Follow the process below:
  1. Create a separate "service account" vault for each set of records that the service needs access to.
  2. Set a strong Master Password, 2FA and role enforcement policy on each vault.
  3. Share records (either direct share or shared folder) from the source vault to the service account vault.
Once configured, you can simply authenticate to Commander using the service accounts. By isolating the vaults to only contain a set of shared records, you will be limiting the exposure if the process or server becomes compromised. Note that a unique and valid email address must be used for each service account.

Command-line Password Retrieval

The get command allows you to query a stored Keeper password by record UID. For example:
$ keeper --user=<Keeper Email> get --format=password <Record UID>
The password retrieved is written to standard output.
In this case, you will be asked to authenticate. Please see the available Authentication Methods to determine the best solution for your use case.
We do not recommend saving a password in plaintext in production accounts. If you do, please appropriately protect the config.json file with operating system controls.
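The wrapper below is an added example, not part of Keeper's documentation or code. It runs the get command shown above only after confirming that the config file is a regular file owned by the current user with no group or other permissions. The function names and the config path argument are assumptions; --config is Commander's option for selecting the config file.

```shell
#!/bin/sh
# Added example; config_is_private and fetch_password are illustrative names.

# Succeeds only if $1 is a regular file (not a symlink), owned by the
# current user, with no permission bits set for group or others.
config_is_private() {
    cfg=$1
    [ -f "$cfg" ] && [ ! -L "$cfg" ] || return 1
    [ -O "$cfg" ] || return 1
    mode=$(ls -ld -- "$cfg") || return 1
    case $mode in
        -???------*) return 0 ;;   # e.g. -rw------- (0600) or -r-------- (0400)
        *)           return 1 ;;
    esac
}

# Usage: fetch_password <config.json> <Keeper Email> <Record UID>
# Writes the password to standard output, as `get --format=password` does.
# Refuses to call Commander when the config file is exposed to other users.
fetch_password() {
    if ! config_is_private "$1"; then
        echo "refusing to use $1: not a private regular file owned by $(id -un)" >&2
        return 1
    fi
    keeper --config="$1" --user="$2" get --format=password "$3"
}

# Typical use in a job: keep the value in a shell variable and pass it to the
# consumer on stdin, so it does not appear in argv, the environment or logs.
#   pw=$(fetch_password /path/to/config.json "<Keeper Email>" "<Record UID>") || exit 1
#   printf '%s' "$pw" | some_consumer --password-stdin   # hypothetical consumer
#   unset pw
```

Avoid running the calling script with `set -x`, which would trace the captured password to the job log.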

Environmental Variables

Custom environmental variables can be created on the command line and through batch script files in order to perform data substitutions.
A few default variables can be used:
${last_folder_uid} - This contains the last added Folder UID
${last_record_uid} - This contains the last added Record UID
${last_shared_folder_uid} - This contains the last added Shared Folder UID
To add a new environmental variable, use the "set" command:
My Vault> set my_test foo
To use this variable, use ${my_test}
The example below adds a record and then shares it with a user:
My Vault> add --login "testing123" --pass "12345" --url "" "Test from Commander" -f
My Vault> share-record -e [email protected] -a grant -w ${last_record_uid}