Secrets Manager CLI
The Secrets Manager CLI provides shell access to vault secrets


The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.

Core Features

    Get Secrets from the Keeper Vault
    Update Secrets from the Keeper Vault
    Replace environmental variables with Keeper secrets in scripts and containers
The KSM CLI is different than the Commander CLI. The KSM CLI is specifically for secrets management and the Commander CLI is for initial setup and administrative functions.

Application and Client Device Setup

In order to use the Secrets Manager CLI, or environmental variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. Check out the Quick Start Guide to set this up.

Secrets Manager CLI Installation

To install the Keeper Secrets Manager CLI please use "pip install'. Note that Python 3 is required.
$ pip3 install keeper-secrets-manager-cli

Initialize the Client Device

The CLI is initialized by passing in the One Time Access Token when the Client Device was created. After initialization, the CLI can be used to obtain secrets. In the example below, replace "XXXX" with the One Time Access Token for your Client Device.
$ ksm profile init --hostname US --token XXXX
$ ksm secret list
The --host option can be US, EU, AU or GOV_US depending on your region.
If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN is set.
$ KSM_TOKEN="XXXX" ksm --hostname US secret list
Environmental variables can be set to reduce the command line flags.
Environmental Variable Name
The one time access token used to initialize the client device
The host of your Keeper environment. Either US, EU, AU, US_GOV or a full URL. Defaults to US.
The directory where the INI config file is stored for the CLI.
The name of the INI config file for the CLI.
The active profile in the CLI.

Execution of Commands

Keeper Secrets Manager commands are run using the ksm program from the command line.
$ ksm <command> <sub-command> <options>
To get help on a particular command, run:
ksm <command> --help
To get help on a sub-command, run:
ksm <command> <sub-command> --help
Retrieve secrets from the vault
Manage local configuration profiles
Execute scripts with environmental variable substitution
Manager CLI configuration
Display the CLI version information
--ini-file </path/to/keeper.ini>
Sets the keeper.ini configuration file. If not set the CLI will check the following directories for the keeper.ini file.
    The path defined by the environmental variable KSM_INI_DIR
    The current directory
    The user's home directory
    Various system directories
-p, --profile-name <name> use specified configuration profile
-o, --output <{stdout, stderr, filename}> Sets the output destination
    stdout - Print to stdout (default)
    stderr - Print to stderr
    <filename> - Send output to a specified text file
Last modified 13d ago