Automation Commands

Streamline administrative workflows by automating complex, multi-step processes on the Keeper platform

Overview

Automation Commands provide a unified way to automate credential provisioning for users in the organization. Using a single Commander action, the admin can create PAM Users, apply rotation settings, perform immediate password updates through the Keeper Gateway, and deliver credentials via one-time share links. The result is a repeatable, error-resistant workflow that accelerates employee onboarding and ensures security best practices are followed every time.

Commands

Credential-Provision

Automates the end-to-end process of creating PAM User credentials with password rotation, folder organization, one-time share creation and secure email delivery.

Use Case

  • Onboarding new employees with their SSO identity provider credentials
  • Automating the process of end-user password resets
  • Creating on-demand credentials for any connected KeeperPAM service account

Details

The credential-provision command orchestrates multiple Commander operations in a single workflow. It takes a YAML configuration file as its request parameters and runs the following steps in one action:

  1. Parse Configuration - Validates the provided YAML configuration file
  2. Duplicate Detection - Checks for existing PAM Users to prevent conflicts
  3. Password Generation - Creates secure passwords meeting complexity requirements
  4. PAM User Creation - Creates PAM User record in specified folder
  5. Rotation Configuration - Links to PAM Configuration and sets rotation schedule
  6. Immediate Rotation - Performs on-demand rotation of the password in the target directory via the Keeper Gateway
  7. Share URL Generation - Creates a one-time expiring share link to the recipient
  8. Email Delivery - Sends welcome email with credentials to the recipient

This automation eliminates manual steps, ensures proper security configuration, and provides a consistent provisioning experience.

Parameters

Provide the configuration in one of two forms:

  • --config </path/to/file> - Path to YAML configuration file containing provisioning settings
  • --config-b64 <base64 encoded file> - The same YAML configuration encoded in base64 (used when the request is sent over the Service Mode REST API)

Optional Parameters

  • --dry-run - Validate configuration without creating resources
  • --format=<json|text> - Output format (default: text)

Prerequisites

In order to utilize this automation command, the following needs to be set up:

YAML Configuration Structure

In the example YAML configuration below, Sarah Jones is a new employee who is being onboarded to Company.com. The identity provider / IGA / HR system (such as Workday, Aquera, Sailpoint, ConductorOne, etc.) triggers a request to Keeper that performs the following:

  • Identifies the user in the target directory
  • Rotates the password in the directory, according to the desired complexity rules
  • Saves the password as a PAM User record in the Commander user's vault
  • Configures automated password rotation of the record for once per week
  • Delivers the credential to the new employee's personal email address through a one-time share link
  • One-time share link expires in 7 days

User Section

The "user" section identifies the end-user identity in the target directory.

Account Section

The "account" section identifies the PAM Configuration and user ID in the target directory.

The user's Distinguished Name is required for Active Directory in multi-OU environments and recommended for all AD deployments, because a plain username is not guaranteed to be unique across OUs.

Vault Section

The "vault" section controls where the PAM User record is stored in the vault.

To find the Application Folder, see the Vault > Secrets Manager > PAM Configurations > Application Folder setting.

The final record path is the gateway's Application Folder followed by the vault.folder value:

{gateway_application_folder}/{vault.folder}

Example: If the gateway folder is My Infrastructure and the vault.folder parameter is Users/Service Accounts, the final path becomes My Infrastructure/Users/Service Accounts.

PAM Section

The "pam" section controls the password rotation settings.

Rotation Schedule (6-field CRON) Format: second minute hour day month day-of-week

Password Complexity Format: "length,uppercase,lowercase,digits,special"

Email Section

The "email" section defines the delivery settings and email template containing the credentials.

Share URL Expiration Time Format: y (year), mo (month), d (day), h (hour), mi (minute)
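The Python module below is an added example; it is not code from the article or from Keeper Commander. It checks the value formats this page defines for the pam and email sections (the 6-field CRON rotation schedule, the "length,uppercase,lowercase,digits,special" complexity string and the share URL expiration such as 7d), generates a password that satisfies a complexity string from the OS CSPRNG, and derives the record path described under the vault section. The accepted CRON syntax, the 30-day month and 365-day year used when converting an expiration, and the rejection rules are assumptions of the example, not documented behaviour of the command.

```python
"""Pre-flight checks for credential-provision configuration values.

Added example, not Keeper's code. Validates the formats the article defines
(6-field CRON, complexity string, share URL expiration), generates a
conforming password and builds the record path. CRON syntax, month/year
lengths and rejection rules are assumptions of this example.
"""
import re
import secrets
import string
from datetime import timedelta

# second minute hour day month day-of-week: usual cron ranges plus a 0-59
# seconds field (assumption; Keeper's own parser may be stricter).
_CRON_RANGES = [(0, 59), (0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def _cron_field_ok(field, lo, hi):
    """Accept '*', n, a-b, any of those with /step, and comma lists of them."""
    for part in field.split(","):
        m = re.fullmatch(r"(\*|\d+(?:-\d+)?)(?:/(\d+))?", part)
        if not m:
            return False
        base, step = m.groups()
        if step is not None and int(step) < 1:
            return False
        if base != "*":
            nums = [int(n) for n in base.split("-")]
            if nums != sorted(nums) or any(n < lo or n > hi for n in nums):
                return False
    return True


def validate_cron(schedule):
    """True if schedule is a well-formed 6-field expression, e.g. '0 0 2 * * 1'."""
    fields = schedule.split()
    if len(fields) != 6:
        return False
    return all(_cron_field_ok(f, lo, hi) for f, (lo, hi) in zip(fields, _CRON_RANGES))


def parse_complexity(spec):
    """Parse 'length,uppercase,lowercase,digits,special' into a dict.

    Rejects negative counts and class minimums that cannot fit in length."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) != 5 or any(p < 0 for p in parts):
        raise ValueError(f"bad complexity spec: {spec!r}")
    length, upper, lower, digits, special = parts
    if upper + lower + digits + special > length:
        raise ValueError(f"class minimums exceed length in {spec!r}")
    return {"length": length, "upper": upper, "lower": lower,
            "digits": digits, "special": special}


_POOLS = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
          "digits": string.digits, "special": string.punctuation}


def generate_password(spec):
    """Build a password meeting spec from the OS CSPRNG (secrets module).

    Each class contributes its minimum, the remainder comes from the union of
    all classes, and the result is shuffled so positions reveal no class."""
    c = parse_complexity(spec)
    chars = [secrets.choice(_POOLS[k]) for k in _POOLS for _ in range(c[k])]
    union = "".join(_POOLS.values())
    chars += [secrets.choice(union) for _ in range(c["length"] - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_complexity(password, spec):
    """Check a password against spec: exact length and per-class minimums."""
    c = parse_complexity(spec)
    counts = {k: sum(ch in pool for ch in password) for k, pool in _POOLS.items()}
    return len(password) == c["length"] and all(counts[k] >= c[k] for k in _POOLS)


# Expiration units from the article: y, mo, d, h, mi.
# 30-day months and 365-day years are assumptions for the conversion.
_UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "d": 86400, "h": 3600, "mi": 60}


def parse_expiration(value):
    """Parse e.g. '7d', '12h', '30mi' into a timedelta; reject anything else."""
    m = re.fullmatch(r"\s*(\d+)\s*(y|mo|d|h|mi)\s*", value)
    if not m:
        raise ValueError(f"bad expiration: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def record_path(gateway_application_folder, vault_folder):
    """Final record location: {gateway_application_folder}/{vault.folder}."""
    return gateway_application_folder.strip("/") + "/" + vault_folder.strip("/")


if __name__ == "__main__":
    # Constructed sample values mirroring the Sarah Jones walkthrough above.
    assert validate_cron("0 0 2 * * 1")  # every Monday at 02:00:00
    pw = generate_password("16,2,2,2,2")
    assert meets_complexity(pw, "16,2,2,2,2")
    print(parse_expiration("7d"), record_path("My Infrastructure", "Users/Service Accounts"))
```

Running these checks before a configuration is handed to Commander catches the same classes of mistake the command's own Parse Configuration step would reject (a 5-field cron line, minimums that exceed the password length, an expiration written as "7days"), but without a Gateway or vault in the loop; the --dry-run flag then confirms the remaining, Keeper-side validation.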

Executing the Automation

The process of executing the Keeper automation is as follows:

  1. Create a YAML file that defines the automation parameters
  2. Run the Commander command: credential-provision --config="/path/to/test.yaml" (add --dry-run first to validate the file without creating any resources)
  3. Alternatively, submit the request over HTTPS through the Commander Service Mode REST API: credential-provision --format json --config-b64 <base64 encoded file>

Example Configurations

Two example configurations are provided, each followed by its execution output: an Active Directory user and a Microsoft Entra ID user.

As a result, the PAM User record is created in the vault, rotated in the target directory and sent to the recipient as a one-time share that expires in 7 days.

Email Template

The recipient will receive an email containing an encrypted one-time share link.

When the user clicks "View Credentials", they are able to decrypt and view the credentials.

System-Specific Requirements

Active Directory - Distinguished Name is REQUIRED for multi-OU environments. Without it, rotation may fail if multiple users have the same username in different OUs.

Microsoft Entra ID (Azure AD) - Username MUST be either a user principal name (user@domain.com) or in DOMAIN\user form

AWS IAM - Use the plain IAM user name

Related Commands

  • pam - PAM subsystem management
  • email-config - Email configuration
  • sharing - Sharing commands
