Secrets Manager Configuration
Information about Keeper Secrets Manager configuration files

About

Each Keeper Secrets Manager SDK and integration uses a "configuration" to store connection tokens, encryption keys, identifiers and domain information used to authenticate and decrypt data from the Keeper Secrets Manager APIs.
Secrets Manager configurations are created from One Time Access Tokens and have a one-to-one relationship with client devices.

Configuration Uniformity

All Keeper Secrets Manager SDKs and integrations use the same configuration format. Raw configurations are in JSON format, though some integrations accept base64 format.

Creating a Secrets Manager Configuration

Using an SDK/Integration

Many Keeper Secrets Manager SDKs and Integrations support creating their own configuration file. You need to pass a One Time Access Token, and the configuration is created automatically.

SDK Example

Below is an example of how to use the Python SDK to create a configuration file. The configuration is created when Secrets Manager is initialized with a One Time Access Token.

from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_core.storage import FileKeyValueStorage

secrets_manager = SecretsManager(
    token='<One Time Access Token>',
    config=FileKeyValueStorage('config.json')
)

In this example, the configuration is saved to a file named "config.json".
When using an SDK to create a configuration, you only need to initialize and create the configuration file once. After the file has been created, you can use the file to initialize the SDK and remove the One Time Access Token.
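
Because the saved configuration holds the encryption keys and identifiers described under About, it is worth checking that the file is readable only by its owner and still parses as one of the two formats named above (raw JSON or base64). The following is an added example, not Keeper's code or part of any Keeper SDK; it uses only the Python standard library, and it assumes POSIX file permissions and that the base64 form is standard base64 wrapped around the same JSON.

```python
import base64
import json
import os
import stat


def _as_object(value):
    if not isinstance(value, dict):
        raise ValueError("configuration must be a JSON object")
    return value


def decode_config(text):
    """Return (format, dict) for raw JSON or base64-encoded JSON text."""
    text = text.strip()
    try:
        return "json", _as_object(json.loads(text))
    except ValueError:
        pass  # not raw JSON; try base64 next
    try:
        # Assumption: standard base64 alphabet; padding is restored if stripped.
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
        return "base64", _as_object(json.loads(raw.decode("utf-8")))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("not JSON or base64-encoded JSON") from exc


def audit_config_file(path):
    """Return findings for a saved configuration file (POSIX permission bits)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            decode_config(fh.read())
    except ValueError as exc:
        findings.append(f"unparseable: {exc}")
    return findings


def save_config(config, path):
    """Write the configuration as JSON to a file readable only by its owner."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a pre-existing file before writing
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh)
```

Calling audit_config_file('config.json') on the file from the SDK example returns an empty list when there are no findings.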

Integration Example

Below is an example of using the Keeper Secrets Manager Jenkins Plugin.
The Jenkins plugin takes a One Time Access Token to initialize and creates a configuration automatically behind-the-scenes. In this example, simply enter a One Time Access Token in the form and click 'OK'.

Using a CLI Tool

A Secrets Manager configuration can be initialized from a One Time Access Token using the Secrets Manager CLI as well as the Commander CLI tools. Some Keeper Secrets Manager integrations require a pre-initialized configuration, and in these cases you will need to use the CLI tools to create it.

Secrets Manager CLI

The Secrets Manager CLI (KSM) tool can initialize a One Time Access Token and create a configuration.
To do this, run the init command.

Format

# initialize a configuration in JSON format and display it
$ ksm init default <One Time Access Token>
# initialize a configuration in k8s format and display it
$ ksm init k8s <One Time Access Token>
# initialize a JSON configuration and save it to a file
$ ksm init default --plain <One Time Access Token> > <FILENAME>

Example

# initialize a configuration in JSON and display it
$ ksm init default US:KBChlYeZ15wLzvhLVXmT61euw0DJO0cTVfkD-b-qesw
# initialize a configuration in k8s format and display it
$ ksm init k8s US:KBChlYeZ15wLzvhLVXmT61euw0DJO0cTVfkD-b-qesw
# initialize a configuration and save it to a file
$ ksm init default --plain US:KBChlYeZ15wLzvhLVXmT61euw0DJO0cTVfkD-b-qesw > "ksm-config.json"

Commander CLI

Commander CLI can be used to initialize a One Time Access Token and create a Secrets Manager configuration.
Use the secrets-manager client add command with --config-init to create a configuration. Configurations can be created in json or base64 formats, or in integration-specific formats in some cases (see the integrations documentation for the format each integration accepts).

Format

my vault> secrets-manager client add --app <APP NAME> --config-init <FORMAT>

Example

# create a json configuration
secrets-manager client add --app MyApp --config-init json --unlock-ip
# create a base64 configuration
secrets-manager client add --app MyApp --config-init b64 --unlock-ip
# create a Kubernetes configuration
secrets-manager client add --app MyApp --config-init k8s --unlock-ip

When initializing a configuration in Commander, --unlock-ip should typically be included in the command. If it is not included, the client device will be locked to the IP address that Commander is using.