A test Keeper Vault account. You can start a free trial from our website.
Secrets Manager and Record Types enabled on your account. Contact your Keeper account manager or email [email protected] to request access.
If you use Slack, Click Here to join the Keeper community beta Slack channel and join the #secrets-manager channel.
Once Secrets Manager is enabled on your account, it needs to be enabled for your role. This can be done via the Commander CLI, as noted below.
You'll need the ability to install Python version (3.6+)
PIP version 21+ (Included in Python)
In this exercise you will set up Secrets, create an Application, and configure a Client in order to access your secrets using Keeper Secrets Manager.
In the Keeper Vault user interface, create a Shared Folder and Secrets.
Copy the Shared Folder UID as seen in the screenshot below.
Run Keeper Commander by typing keeper shell, then log in with your Keeper email:
$ keeper shell
  _  __
 | |/ /___ ___ _ __  ___ _ _
 | ' </ -_) -_) '_ \/ -_) '_|
 |_|\_\___\___| .__/\___|_|
 vXX.X.X      |_|
 password manager & digital vault
Not logged in> login [email protected]
After logging in:
Create a Secret
Create a Shared Folder
Move the secret into the Shared Folder.
Example commands are shown below:
My Vault> add --login admin --pass "46$$62512%Rd1" --url "192.168.1.1" -t "My Test Secret"
My Vault> mkdir -sf -a "DevOps Secrets"
My Vault> mv "My Test Secret" "DevOps Secrets"
The Commander CLI can be used to create an Application. In the example below, replace XXX with the Shared Folder UID or Record UID from your vault.
My Vault> secrets-manager app create MyApplication
My Vault> secrets-manager share add --app MyApplication --secret XXX
A Client Device can be a project, application, CI/CD pipeline or any other endpoint that is granted access to the Keeper secrets. Create a client device to generate a One Time Access Token, which is used to initialize a device.
My Vault> secrets-manager client add --app MyApplication
Successfully generated Client Device
====================================
One-Time Access Token: 4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never
Everything needed for a client to successfully connect has been completed. 🎉
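An added example, not part of the original guide or of Keeper's tooling: a Python check that parses the client add output shown above and lists reasons not to hand the One Time Access Token to a device. The function names, the five-minute margin and the require_access_expiry policy flag are assumptions, and the timestamps are assumed to be on the same clock as the caller's.

```python
from datetime import datetime, timedelta

# Sample input: the client add output printed on this page (not a live token).
SAMPLE_OUTPUT = """\
Successfully generated Client Device
====================================
One-Time Access Token: 4d8THSdmLZOeqZubMNqKWKcrgh7SyQiAQ9afVI0IL0I
IP Lock: Enabled
Token Expires On: 2021-08-26 12:03:23
App Access Expires on: Never
"""

def parse_client_output(text):
    """Collect the 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def parse_expiry(value):
    """Return a datetime, or None when the field is missing or 'Never'."""
    if not value or value.lower() == "never":
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def handoff_problems(text, now, margin=timedelta(minutes=5),
                     require_access_expiry=False):
    """Return reasons not to hand the token over; an empty list means OK."""
    f = parse_client_output(text)
    problems = []
    if not f.get("one-time access token"):
        problems.append("no one-time access token found")
    if f.get("ip lock", "").lower() != "enabled":
        problems.append("IP lock is not enabled")
    token_expiry = parse_expiry(f.get("token expires on"))
    if token_expiry is None:
        problems.append("token has no expiry time")
    elif token_expiry - now < margin:
        problems.append("token expired or expires within the margin")
    # Assumed policy: some teams want device access itself to expire.
    if require_access_expiry and parse_expiry(f.get("app access expires on")) is None:
        problems.append("app access never expires")
    return problems

if __name__ == "__main__":
    for problem in handoff_problems(SAMPLE_OUTPUT, datetime.now()):
        print("refusing handoff:", problem)
```

Run against the sample today, it reports the token as expired, which is the expected result for a token issued in 2021.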
Next we'll access your secrets using the Secrets Manager CLI. Typically this is done on another device using an SDK or plugin, but for this example we will use the CLI.
Now that we have a One Time Access Token, the Secrets Manager CLI ksm can be used on the target machine to retrieve secrets from the Vault.
Install the Secrets Manager CLI
$ pip3 install keeper-secrets-manager-cli
Initialize the CLI using your one time token
$ ksm profile init --token=PASTE_TOKEN_HERE
To retrieve a list of all secrets, use the ksm secret list command:
$ ksm secret list
For more detailed usage information about the Secrets Manager CLI, follow the instructions in the Secrets Manager CLI page.
Schedule time with the Secrets Manager team to discuss your use case
Integrate the SDK into your software
Learn more about the Secrets Manager CLI
Learn more about Integrations
Have questions? Contact [email protected] or use the Slack Channel.