Secrets Manager CLI
The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.
Get Secrets from the Keeper Vault
Update Secrets from the Keeper Vault
Replace environmental variables with Keeper secrets in scripts and containers
The KSM CLI is different than the Commander CLI. The KSM CLI is specifically for secrets management and the Commander CLI is for general vault and administrative features.
In order to use the Secrets Manager CLI, or environmental variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. This configuration can be performed in the Keeper Commander CLI.
If you haven't done this yet, please install Commander and check out the Secrets Manager commands:
​Commander Installation and Setup​
​Secrets Manager Commands​
To install the Keeper Secrets Manager CLI please use "pip install'. Note that Python 3 is required.
$ pip3 install keeper_sm_cli
The CLI is initialized by passing in the One Time Access Token when the Client Device was created. After initialization, the CLI can used to obtain secrets. In the example below, replace "XXXX" with the One Time Access Token for your Client Device.
$ ksm profile init --token=XXXX$ ksm secret list
If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN is set.
Example:
$ KSM_TOKEN="XXXX" ksm secret list
Other environmental variables can also be set. For example, KSM_SERVER must be configured to point to the destination region if your Keeper Enterprise tenant is hosted outside of the US.
Environmental Variable Name | Description |
KSM_TOKEN | The one time access token used to initialize the client device |
KSM_SERVER | The endpoint domain, defaults to US. Either US, EU, AU, US_GOV or a full URL. |
KSM_INI_DIR | The directory where the INI config file is stored for the CLI. |
KSM_INI_FILE | The name of the INI config file for the CLI. |
KSM_CLI_PROFILE | The active profile in the CLI. |
Keeper Secrets Manager commands are run using the ksm program from the command line.
$ ksm <command> <sub-command> <options>
To get help on a particular command, run:
ksm <command> --help
Command | Explanation |
| Retrieve secrets from the vault |
| Manage local configuration profiles |
| Execute scripts with environmental variable substitution |
| Manager CLI configuration |
| Display the CLI version information |
Options
--ini-file </path/to/keeper.ini>
Sets the keeper.ini configuration file. If not set the CLI will check the following directories for the keeper.ini file.
The path defined by the environmental variable
KSM_INI_DIRThe current directory
The user's home directory
${HOME}$env:USERPROFILE
Various system directories
/etc/etc/keeper$env:APPDATA/Keeper$env:ProgamData/Keeper$env:ProgramFiles/Keeper
-p, --profile-name <name> use specified configuration profile
-o, --output <{stdout, stderr, filename}> Sets the output destination
stdout- Print to standard out, the defaultstderr- Print to standard error<filename>- If neither stdout or stderr are used, the CLI will assume the value is a file name and will write all output to that file. It will create the file and overwrite it, if it exists.
​
​
