Secrets Manager CLI

The Secrets Manager CLI provides shell access to vault secrets

Overview

The Keeper Secrets Manager CLI ("KSM CLI") provides core Secrets Manager Vault interaction from a terminal, shell script or any software that can be launched from a shell.

Core Features:

  • Get Secrets from the Keeper Vault

  • Update Secrets from the Keeper Vault

  • Replace environmental variables with Keeper secrets in scripts and containers

The KSM CLI is different from the Commander CLI. The KSM CLI is specifically for secrets management, while the Commander CLI is for general vault and administrative features.

Application and Client Device Setup

In order to use the Secrets Manager CLI, or environmental variable substitutions for accessing secrets stored in the Keeper Vault, you must first have an Application and Client Device configured. This configuration can be performed in the Keeper Commander CLI.

If you haven't done this yet, please install Commander and check out the Secrets Manager commands:

Commander Installation and Setup

Secrets Manager Commands

Secrets Manager CLI Installation

To install the Keeper Secrets Manager CLI, use "pip install". Note that Python 3 is required.

$ pip3 install keeper_sm_cli

Initialize the Client Device

The CLI is initialized by passing in the One Time Access Token that was generated when the Client Device was created. After initialization, the CLI can be used to obtain secrets. In the example below, replace "XXXX" with the One Time Access Token for your Client Device.

$ ksm profile init --token=XXXX
$ ksm secret list

If you are including the CLI within a container with an automated startup, or do not wish to perform a "profile init", a profile can be auto-created if the KSM_TOKEN environmental variable is set.

Example:

$ KSM_TOKEN="XXXX" ksm secret list

Other environmental variables can also be set. For example, KSM_SERVER must be configured to point to the destination region if your Keeper Enterprise tenant is hosted outside of the US.

Environmental Variable Name - Description

  • KSM_TOKEN - The one time access token used to initialize the client device

  • KSM_SERVER - The endpoint domain, defaults to US. Either US, EU, AU, US_GOV or a full URL.

  • KSM_INI_DIR - The directory where the INI config file is stored for the CLI.

  • KSM_INI_FILE - The name of the INI config file for the CLI.

  • KSM_CLI_PROFILE - The active profile in the CLI.

Execution of Commands

Keeper Secrets Manager commands are run using the ksm program from the command line.

$ ksm <command> <sub-command> <options>

To get help on a particular command, run:

$ ksm <command> --help

Command - Explanation

  • secret - Retrieve secrets from the vault

  • profile - Manage local configuration profiles

  • exec - Execute scripts with environmental variable substitution

  • config - Manage CLI configuration

  • version - Display the CLI version information

Options

--ini-file </path/to/keeper.ini>

Sets the keeper.ini configuration file. If not set, the CLI will check the following directories for the keeper.ini file:

  • The path defined by the environmental variable KSM_INI_DIR

  • The current directory

  • The user's home directory

    • ${HOME}

    • $env:USERPROFILE

  • Various system directories

    • /etc

    • /etc/keeper

    • $env:APPDATA/Keeper

    • $env:ProgramData/Keeper

    • $env:ProgramFiles/Keeper
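
An added example (not part of Keeper's documentation or the CLI's own code): a POSIX shell audit that lists where a keeper.ini could be picked up from the locations above and flags any existing file that group or other users can access. The function names are hypothetical, the Windows locations are skipped, and treating the file as sensitive assumes it holds the profile's Client Device credentials.

```shell
#!/bin/sh
# Added example: audit keeper.ini candidates on a POSIX host.
# Function names are hypothetical; nothing here calls the ksm binary.

# Print the POSIX candidate paths, one per line, in the order the page lists
# the search locations (the Windows $env: locations are omitted).
ksm_ini_candidates() {
    name="${KSM_INI_FILE:-keeper.ini}"
    if [ -n "${KSM_INI_DIR:-}" ]; then
        printf '%s\n' "$KSM_INI_DIR/$name"
    fi
    printf '%s\n' "$PWD/$name"
    if [ -n "${HOME:-}" ]; then
        printf '%s\n' "$HOME/$name"
    fi
    printf '%s\n' "/etc/$name" "/etc/keeper/$name"
}

# Report every candidate that exists. A file is LOOSE when group or other has
# any permission bit set, otherwise OK. Returns 1 if any file is LOOSE.
# Assumption: the INI file holds credentials and should be owner-only.
ksm_ini_audit() {
    rc=0
    list=$(ksm_ini_candidates)
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group/other bits;
        # -L reports the target's mode when the path is a symlink.
        perms=$(ls -ldL -- "$f" | cut -c5-10)
        if [ "$perms" = "------" ]; then
            printf 'OK    %s\n' "$f"
        else
            printf 'LOOSE %s (group/other: %s)\n' "$f" "$perms"
            rc=1
        fi
    done <<EOF
$list
EOF
    return "$rc"
}
```

More than one line of output from ksm_ini_audit means several files could be picked up depending on the working directory and environment; passing --ini-file explicitly removes that ambiguity.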

-p, --profile-name <name>

Use the specified configuration profile.

-o, --output <{stdout, stderr, filename}>

Sets the output destination.

  • stdout - Print to standard out, the default

  • stderr - Print to standard error

  • <filename> - If neither stdout nor stderr is used, the CLI will assume the value is a file name and will write all output to that file. It will create the file, overwriting it if it already exists.