Command line tool for Keeper Secrets Manager
Project description
Keeper Secrets Manager CLI
The Keeper Secrets Manager command line interface
For more information see our official documentation page https://docs.keeper.io/secrets-manager/secrets-manager/secrets-manager-command-line-interface
Change History
1.4.0
- Fix: KSM-975 - Binary install keyring warning gave pip install advice that does not apply to a frozen binary; bracket syntax in the pip advice also caused zsh glob errors. Now detects
sys.frozento show binary-appropriate help text and single-quotes the bracket expression for zsh compatibility. - Fix: KSM-1014 - The frozen-binary keyring-unavailable warning told users to download a non-existent
-keyringversion of the binary. Keyring ships as the selectable "OS Keyring Support" component inside the single installer on every OS, so the warning now directs users to re-run the installer and enable that component. - Fix: KSM-980 - Binary install created
keeper.iniin the current working directory instead of the user's home directory. Now detectssys.frozeninConfig.get_default_ini_file()and uses$HOME/%USERPROFILE%for binary installs, matching the existinglaunched_from_appbehaviour. - Fix: KSM-981 -
ksm secret getdid not surface linked records (PAM credential records were invisible). Now passesrequest_links=Trueto the server so linked record UIDs are returned, includes alinksarray in JSON output, and shows a Links table in text output. - Fix: KSM-1015 - links output made interpretable. Each link entry in JSON output gains a
decodedobject (plain link data parsed;ai_settings/jit_settingsdecrypted with the record key via the SDK'sKeeperRecordLink), while the rawrecordUid/data/pathfields are preserved untouched. The text Links table now shows three columns - Linked Record UID (self-links labeled(self)), Path, and decoded Link Data - so PAMmetasettings and AI/JIT configuration are distinguishable from links to other records. Requires keeper-secrets-manager-core >= 17.3.0. - Fix: KSM-1003 - Binary install wrote
ksm_cache.binto the current working directory when caching was enabled (sibling to KSM-980). The CLI now setsKSM_CACHE_DIRto the same directory it resolves forkeeper.inibefore loading the SDK core, so the cache co-locates with the ini in$HOME/%USERPROFILE%for binary installs; pip/source installs are unchanged. - Fix: KSM-1005 -
ksm shellcrashed on launch (UpdateChecker.check() takes 1 positional argument but 3 were given) on any fresh install after theupdate-checker1.0.0 release madecheck()keyword-only. The CLI now calls it with keyword arguments (compatible with both 0.18.0 and 1.0.0, no version pin needed), and theshellstartup update check is wrapped in try/except so a failed update check can never block the shell from starting.
1.3.0
- Feature: KSM-800 - OS-native keyring storage for CLI configuration
- New profiles store configuration in the OS keyring by default (macOS Keychain, Windows Credential Manager, Linux Secret Service)
- Existing
keeper.iniprofiles continue to work without migration - Added
--ini-fileflag to opt into explicit file-based storage - Added
keyringas an optional dependency:pip install keeper-secrets-manager-cli[keyring]
- Fix: KSM-814 -
--ini-fileflag now respected by all profile and config subcommands:profile list,profile active,profile export,profile import,profile init,profile setup;config show,config color,config cache,config record-type-dir,config editor - Fix: KSM-691 - keeper.ini now written with owner-only permissions (0600)
- Breaking: KSM-799, KSM-817 - Minimum Python raised from 3.7 to 3.10
- Breaking: KSM-817 - boto3 is now an optional dependency; AWS sync users must install the
[aws]extra:pip install keeper-secrets-manager-cli[aws] - Dependency: Updated keeper-secrets-manager-core to >=17.2.0 and keeper-secrets-manager-helper to >=1.1.0
- Security: KSM-761 - Fixed CVE-2026-23949 (jaraco.context path traversal vulnerability)
- Fix: Updated prompt-toolkit from ~=2.0 to >=3.0 (fixes dependency resolution conflicts)
- Fix: KSM-804 - Warn on stderr when keyring is active but empty and a keeper.ini file exists at CWD or standard locations, including hint to use
--ini-file - Fix: KSM-805 - SHA-256 integrity hash now persisted as a separate Keychain entry and verified on every load; tampered entries raise a
KsmCliIntegrityExceptionwith a clear recovery hint - Fix: KSM-810 - Added
ksm profile delete <name>command; fixed keyring storage to clear the active profile pointer when the active profile is deleted, preventing a broken state on subsequent invocations - Fix: KSM-702 - Record create payload now always includes
custom: []; previously the key was silently omitted when no custom fields were set - Fix: KSM-815 - Profile name is now validated before redeeming the one-time token; invalid names (containing whitespace or exceeding 64 characters) are rejected immediately, preventing the token from being consumed on a failed init
- Fix: KSM-818 -
ksm shellno longer crashes on any command when click>=8.2 is installed; pinned click-repl to <0.3.0 (0.3.0 incompatible with click>=8.2) - Fix: KSM-820 -
ksm secret get --jsonnow outputs custom fields under"custom"key (was"custom_fields"), matching the canonical V3 record format used by Commander and the Keeper Vault - Fix: KSM-828 - Unit tests no longer write mock data to the real system keyring; added
KeyringConfigStorage.is_availablemock to all tests that callProfile.init()as scaffolding (secret_test.py,exec_test.py,secret_inflate_test.py) - Fix: KSM-829 - Profile name validation before OTT redemption now uses the same strict pattern as keyring storage (
[a-zA-Z0-9_-]{1,64}); previously the early check allowed path-traversal characters and special characters through, consuming the one-time token before the stricter validator fired - Fix: KSM-831 -
--ini-fileno longer fails withMissing import dependencies: boto3for non-AWS profiles;AwsConfigProviderimport is now deferred to theawsstorage branch in_load_config, so users without the[aws]extra are unaffected - Fix: KSM-832 - removed lkru utility integration;
is_available()now correctly returnsFalsewhenkeyringis not installed or no Secret Service daemon is running, falling back tokeeper.inifile storage in both cases
1.2.0
- KSM-649 Added AWS KMS JSON support for sync command
- KSM-465 Implemented ksm interpolate command for shell built-in compatibility
1.1.7
- KSM-668 Restored ? command to cli
1.1.6
- KSM-558 Fixed crashes with mutually required options in shell mode
- KSM-567 Added KSM_CLI_TOKEN environment variable
- KSM-568 Removed dependency on legacy distutils
- KSM-644 Added delete-attachment option
- Bumping KSM SDK to 17.0.0 and helper module to 1.0.6
1.1.5
- Bumping KSM SDK to 16.6.5
1.1.4
- KSM-507: Added
ksm secret deletecommand - KSM-508: Added search by title to
ksm secret listcommand - KSM-509: Added
ksm folder ...commands
1.1.3
- KSM-496: Added upload file option
- KSM-495: Added query option to ksm secret list command
- KSM-494: Added folder support to secret list command
- KSM-493: Added CLI options to update title and notes
- KSM-492: Added clone option
- KSM-485: Added sub-folder support to ksm secret add command
1.1.1
- KSM-429 - Add
--profile-nametoksm profile importcommand
1.1.0
- KSM-395 - New feature to load configurations from AWS Secrets Manager
1.0.17
- KSM-392 - Ability to update fields where the label is a blank string (
"") - Pinned KSM Core version to 16.5.1
1.0.16
- KSM-362 - Synchronize secrets to GCP
- Dropped support for Python 3.6 (EOL 2021-12-23)
1.0.15
- Update pinned KSM SDK version. The KSM SDK has been updated to use OpenSSL 3.0.7 which fixes CVE-2022-3602, CVE-2022-3786.
1.0.14
- Accept JSON via the KSM_CONFIG environmental variable. K8S secrets will show up as JSON in the environmental variable.
- Add
--rawparameter tosecret getcommand. When using--querythis flag will remove the double quotes around the value, if a string. - Add
synccommand to sync Vault secrets to AWS and Azure secret managers.
1.0.13
- For the Windows and macOS application create the keeper.ini file in the user's "HOME" directory.
1.0.12
- Fix problem with the same temp file being opened when exporting profile. Was causing a
Permission deniederror.
1.0.11
- Fix missing linefeed when selecting
immutablefor k8s token init.
1.0.10
- Prevent keeper.ini from being created when using config from environment variables.
- Fixed problem with params that use '=' from converting the value to lowercase.
- Throw exception is record(s) do not exist for
get
1.0.9
- Fixed environment variables starting with "keeper", that are not notation, from throwing an error.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file keeper_secrets_manager_cli-1.4.0.tar.gz.
File metadata
- Download URL: keeper_secrets_manager_cli-1.4.0.tar.gz
- Upload date:
- Size: 81.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
74184de301031b255c8f5d0e5293fab119715dfc23d35e820e424dc808713325
|
|
| MD5 |
cec8b9151a8f2ffc9865adfaee7f550e
|
|
| BLAKE2b-256 |
0b749192235bcd8cc931c10bafb83a02155937cdded393865462e2171e7aa673
|
File details
Details for the file keeper_secrets_manager_cli-1.4.0-py3-none-any.whl.
File metadata
- Download URL: keeper_secrets_manager_cli-1.4.0-py3-none-any.whl
- Upload date:
- Size: 85.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c5f796ca792515d767c11aeade92746cc970d46c9eeb4c561903f2fbecf6c215
|
|
| MD5 |
a12b812d32b4527e8917c5ac2beefff5
|
|
| BLAKE2b-256 |
400ca4c7ff3cc7a544923f5932357141d40f17facda9fe960d56acd5242d581c
|