Troubleshooting
Solutions to common Secrets Manager issues

Access Denied

When attempting a Secrets Manager command in Commander, the tool responds with access_denied.
Solution
In order to utilize Keeper Secrets Manager, two permission criteria must be met:
  1. The Secrets Manager addon must be enabled for your Keeper Account
  2. You must be in a role with the Secrets Manager enforcement policy enabled

Enabling the Secrets Manager Addon

To add Secrets Manager to your Keeper account, contact Keeper at [email protected]

Enabling the Secrets Manager Enforcement Policy

You must have Keeper account administrative permissions to create and edit roles.
To enable the Secrets Manager enforcement policy, use the following command in Keeper Commander:
    er --enforcement="allow_secrets_manager:true" "<ROLE NAME>"
Replace <ROLE NAME> with the role you would like to set the enforcement policy to.
For example, to set the enforcement on the Keeper Administrator role:
    er --enforcement="allow_secrets_manager:true" "Keeper Administrator"
For more information on creating and editing roles, and adding users to roles, see the Enterprise Management Commands documentation.

Record not Found

When fetching secrets using Secrets Manager, the system responds that the record could not be found.
Solution
There are two reasons that this message may appear:
  1. The record that is being searched for is not shared with the Secrets Manager Application
  2. The record is a legacy (V2) non-typed record

Share Records with Secrets Manager

Individual records can be shared with a Secrets Manager Application, or a shared folder can be shared with a Secrets Manager Application, which will give access to all records in that folder.
To share records or shared folders with a Secrets Manager Application, in Commander use the following command:
    sm share add -a <APPLICATION NAME> -s <RECORD OR FOLDER UID>

Identify Typed Records

Keeper Secrets Manager supports typed records (V3) only. If a legacy, non-typed record is queried, Secrets Manager will respond that the record cannot be found.
To identify if a record is typed in Commander, use the get command:
    get <UID>
If the record has a type (and is compatible with Secrets Manager), it will be displayed in the record information:
    my vault> get pICzm4iw9sW454m2ZR4mmQ

    UID: pICzm4iw9sW454m2ZR4mmQ
    Type: login
    Title: My Login
    (login): john.doe
    (password): N*3s.kk/Ji20}cJ7
    Shared: False
    Last Modified: 2021-10-18 16:08:04
    Revision: 887800170
If the record is not typed (and not compatible with Secrets Manager) it will not have a Type field.
Additionally, you can view all records in the current folder using the ls -l command. The resulting table has a Type column; any record with a blank Type column is a non-typed record.
    My Vault> ls -l
      #  Folder UID              Name               Flags
    ---  ----------------------  -----------------  -------
      1  RpdmergF5lpsaID3TcHu8A  Devops Secrets     S
      2  461XtX26R1SggIyQDFGfZg  Secrets            S
      3  ZDw67iL28d6-YqUVwBHAug  Social

      #  Record UID              Type                 Title                    Login                  URL
    ---  ----------------------  -------------------  -----------------------  ---------------------  -------------------
      1  FyP2it0DzwIDPSbch2WyHw  address              Bank Address 1
      2  pICzm4iw9sWS_4m2ZR4mmQ  login                breached                 [email protected]      keepersecurity.com
      3  qUX4gSlmDRfM1Kq9lrQi-w  databaseCredentials  MySQL Database           SQL_Admin
      4  rlr04tiSxFmLmRNjEC7h7Q                       NonTyped Record          legacy                 test.com
In the above example, the bottom record (#4) is not typed, and is not compatible with Secrets Manager.

Create Typed Records

Typed records can be created by clicking "Create New" in the vault, or by using the add command in Commander.
When choosing a record type, all types are compatible with Secrets Manager except for the "General" type.
General type records are identical to legacy, non-typed records.
Replace an existing record
If you have existing non-typed records that you would like to use with Secrets Manager, we recommend creating a "Login" type record and copying the information to it.
Login type records have identical fields to legacy non-typed Keeper records.
Copy the fields and files into the new typed record.
Place the new typed record in a shared folder that your Secrets Manager application can access, or use the UID to share it to an application directly.

Convert Untyped Records

Untyped records can be converted to typed records that Secrets Manager can utilize by using the convert command in Keeper Commander.
Format:
    convert <UID> --type <TYPE>
Example:
    convert Dtvb84zwkBmZgxrUByUfpg --type login
The convert command can use patterns to find all relevant records, can recursively apply the conversion to all sub-folders, and supports all record types.
For more information on using the convert command, see the Commander documentation.
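An added example (not part of Commander or the original page) that applies the ls -l check and the convert command in bulk: it reads a captured listing, finds records whose Type column is blank, and builds the matching convert commands for review. The fixed-width layout is an assumption, the sample listing is constructed from the example above, and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the `ls -l` example above.
# Assumption: Commander prints fixed-width columns under a rule line of dashes.
SAMPLE = """\
  #  Folder UID              Name               Flags
---  ----------------------  -----------------  -------
  1  RpdmergF5lpsaID3TcHu8A  Devops Secrets     S
  2  ZDw67iL28d6-YqUVwBHAug  Social

  #  Record UID              Type                 Title            Login      URL
---  ----------------------  -------------------  ---------------  ---------  ----------
  1  FyP2it0DzwIDPSbch2WyHw  address              Bank Address 1
  2  qUX4gSlmDRfM1Kq9lrQi-w  databaseCredentials  MySQL Database   SQL_Admin
  3  rlr04tiSxFmLmRNjEC7h7Q                       NonTyped Record  legacy     test.com
"""

def parse_table(text):
    """Parse one fixed-width table, taking column boundaries from the dash rule line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rule = next(i for i, ln in enumerate(lines) if re.fullmatch(r"-[- ]*", ln))
    spans = [m.span() for m in re.finditer(r"-+", lines[rule])]
    spans[-1] = (spans[-1][0], None)  # last column runs to the end of the line
    headers = [lines[rule - 1][a:b].strip() for a, b in spans]
    return [dict(zip(headers, (ln[a:b].strip() for a, b in spans)))
            for ln in lines[rule + 1:]]

def record_rows(text):
    """Rows of the record table only; the folder table printed before it is skipped."""
    blocks = re.split(r"\n\s*\n", text)
    return [row for b in blocks if "Record UID" in b for row in parse_table(b)]

def untyped_records(text):
    """UIDs of records with a blank Type column (legacy, not visible to Secrets Manager)."""
    return [row["Record UID"] for row in record_rows(text) if not row["Type"]]

def convert_commands(text, record_type="login"):
    """Commander `convert` lines for every untyped record, for review before running."""
    return [f"convert {uid} --type {record_type}" for uid in untyped_records(text)]

if __name__ == "__main__":
    # Splitting on whitespace would misread row 3: its third token is "NonTyped".
    print(untyped_records(SAMPLE))
    print("\n".join(convert_commands(SAMPLE)))
```

Slicing by the rule line, rather than splitting on whitespace, is what keeps a blank Type cell from being filled by the first word of the title.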

Throttling

The Keeper Secrets Manager API throttles connections that make a large number of requests in a short period of time. If your connection is throttled, you may experience slow response times, or errors such as a 503 response code (the actual message depends on the integration/SDK being used).
The current request limit before a connection is throttled is around 15 requests per second.
The throttle limit is measured per IP address.
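One way for a client to stay under the limit described above, as an added example that is not Keeper's code: calls are spaced to an assumed budget of 10 requests per second, split across the clients that share one IP address, and throttled calls are retried with jittered exponential backoff. `ThrottledError`, `PacedCaller`, `FakeClock` and `simulate` are hypothetical names; map `ThrottledError` to whatever error your SDK or integration raises when throttled.

```python
import random
import time

class ThrottledError(Exception):
    """Hypothetical stand-in for the SDK-specific error raised on a throttled (503) call."""

class PacedCaller:
    """Spaces out calls to `fetch` and retries throttled ones with jittered backoff."""
    def __init__(self, fetch, budget_rps=10.0, clients_sharing_ip=1,
                 max_retries=5, clock=time.monotonic, sleep=time.sleep):
        # Assumed budget of 10 req/s, below the ~15 req/s limit. The limit is per
        # IP address, so clients behind one egress IP each take a share of it.
        self.fetch, self.max_retries = fetch, max_retries
        self.interval = clients_sharing_ip / budget_rps
        self.clock, self.sleep = clock, sleep
        self._next_slot = 0.0

    def _wait_for_slot(self):
        now = self.clock()
        if now < self._next_slot:
            self.sleep(self._next_slot - now)
            now = self._next_slot
        self._next_slot = now + self.interval

    def call(self, *args, **kwargs):
        for attempt in range(self.max_retries + 1):
            self._wait_for_slot()
            try:
                return self.fetch(*args, **kwargs)
            except ThrottledError:
                if attempt == self.max_retries:
                    raise
                # Full jitter: random wait up to 0.5 s * 2^attempt, capped at 8 s.
                self.sleep(random.uniform(0, min(8.0, 0.5 * 2 ** attempt)))

class FakeClock:
    """Simulated clock for the demo: sleeping advances time without waiting."""
    now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def simulate(calls=30, clients_sharing_ip=1):
    """Return the simulated seconds needed to issue `calls` paced requests."""
    clock = FakeClock()
    paced = PacedCaller(lambda: "ok", 10.0, clients_sharing_ip, clock=clock, sleep=clock.sleep)
    for _ in range(calls):
        paced.call()
    return clock.now
```

In real use, pass the function that fetches secrets as `fetch` and leave `clock` and `sleep` at their defaults.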