Docker Compose
Installation of Keeper Automator using the Docker Compose method

This guide provides step-by-step instructions to publish Keeper Automator on any Linux instance that can run Docker.
Make sure you already have your SSL Certificate! If not, please follow the steps in the Create SSL Certificate page.
- Data is preserved between container updates
- Future updates are simple to install and maintain
Instructions for installing Automator using the Docker Compose method are below.
Instructions for installing Docker and Docker Compose vary by platform. Please refer to the official documentation below:
For Amazon Linux 2 instances, a good tutorial on docker-compose installation is here:
Note: The new version of Docker Compose is run using the command:
docker compose
The older version uses a dash, e.g.:
docker-compose
After installing, you may still need to start the Docker service, if it's not running.
sudo service docker start
Then configure the service to start automatically
sudo systemctl enable docker.service
To allow non-root users to run Docker (and if this meets your security requirements), run this command:
sudo chmod 666 /var/run/docker.sock
Save the snippet below as the file
docker-compose.yml
on your server, in the location where you will be executing docker compose commands.services:
automator:
container_name: "automator"
restart: on-failure:5
image: "keeper/automator:latest"
ports:
- 443:443
volumes:
- automatordata:/usr/mybin/config
volumes:
automatordata:
docker compose pull
docker compose up -d
docker cp ssl-certificate.pfx automator:/usr/mybin/config/
docker cp ssl-certificate-password.txt automator:/usr/mybin/config/
docker compose restart
At this point, the service is running but it is not able to communicate with Keeper yet.
On your workstation, server or any computer, install the Keeper Commander CLI. This is just used for initial setup. The installation instructions including binary installers are here:
Installing Keeper Commander
After Commander is installed, you can type
keeper shell
to open the session, then login using the login
command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.(7) Initialize with Commander
Login to Keeper Commander and activate the Automator using a series of commands, starting with
automator create
My Vault> automator create --name="My Automator" --node="Azure Cloud"
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.

Automator Create
The output of the command will display the Automator settings, including metadata from the identity provider.
Automator ID: 1477468749950
Name: My Automator
URL:
Enabled: No
Initialized: No
Skills: Device Approval
Note that the "URL" is not populated yet. Edit the URL with the FQDN you selected.
My Vault> automator edit --url=https://automator.lurey.com "My Automator"
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
My Vault> automator setup "My Automator"
Initialize the Automator with the new configuration
My Vault> automator init "My Automator"
Enable the service
My Vault> automator enable "My Automator"
At this point, the configuration is complete.
For automated health checks, you can use the below URL:
https://<server>/health
Example:
$ curl https://automator.lurey.com/health
OK
The Automator logs can be monitored by using the Docker Compose command:
docker compose logs -f
When activating Keeper Automator with AD FS as the identity provider, users will not be able to login until you update the Keeper certificate using the instructions below:
- Login to the Keeper Admin Console
- Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.
- Click on "Export SP Cert".
- In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.
- On the "Encryption" tab, replace the old certificate with this new cert.
- On the "Signature" tab, Add/Replace the new SP certificate with this new cert.
We recommend restricting network access to the service. Please see the Network Config section for a list of IP addresses to allow.
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.




Last modified 3mo ago