keeper-admin


Keeper Commander CLI (keeper)

Commander is Keeper's full-featured admin CLI and terminal UI. Everything available in the Keeper Vault UI and Admin Console can be done via Commander. It authenticates as a user (not a machine application) and provides the full breadth of vault, enterprise, and PAM operations.

Official documentation

  • Commander CLI - overview, installation, and shell usage
  • Secrets Manager (KSM) - creating the KSM Applications and Client Devices that `ksm` uses; runtime secret injection belongs in the keeper-secrets skill

When to Use Commander vs KSM

| Need | Tool |
|---|---|
| Enterprise admin (users, teams, roles, nodes) | `keeper` |
| Create KSM Applications and Client Devices | `keeper` |
| Password rotation setup/management | `keeper` |
| Launch remote sessions (SSH, RDP, DB) | `keeper` |
| Import/export vault data | `keeper` |
| Interactive vault browsing | `keeper` |
| Run as REST API service | `keeper` |
| Compliance reporting and audit | `keeper` |
| Retrieve secrets for an app at runtime | Use `ksm` - see keeper-secrets skill |
| Inject secrets into env vars / config files | Use `ksm` - see keeper-secrets skill |

Prerequisites

  1. Python 3.10+
  2. Install:
```bash
pip install keepercommander
```
  3. A Keeper account with appropriate admin permissions

Check installation:
```bash
keeper version
```

Authentication

```bash
# Interactive login (preferred — credentials are not passed as CLI arguments)
keeper shell
# Prompts for email + master password + 2FA

# Persistent login (recommended for ongoing CLI use)
keeper shell
My Vault> this-device register
My Vault> this-device persistent-login ON

# Biometric authentication (supported platforms)
My Vault> biometric register
```

Do **not** pass master passwords, API tokens, or vault field values on the command
line (e.g. `--password`), in URLs, or in generated scripts—they appear in process
listings and shell history. For automation, use interactive setup once, enable
persistent device login where appropriate, or follow the official Commander CLI
documentation for supported non-interactive patterns.

Vault Operations

Browse & Search

```bash
My Vault> list                    # List records in current folder
My Vault> ls -l                   # Detailed listing with UIDs
My Vault> search "database"       # Search across all records
My Vault> tree                    # Show folder tree
My Vault> cd "Shared Folder"      # Navigate to folder
My Vault> get <RECORD_UID>        # Show full record details
```

Record Management

```bash
My Vault> add --record-type login --title "New Record" \
  --field login=admin
# Set passwords and other sensitive fields via interactive prompts, or supply
# values only from the user's secure input — never embed sample secrets in commands.
My Vault> edit <RECORD_UID>
# Or non-interactive field updates for non-secret fields only, e.g. --field login=newuser
My Vault> rm <RECORD_UID>
My Vault> record-history <RECORD_UID>
```

Sharing

```bash
My Vault> share-record -e user@company.com -a grant -u <RECORD_UID>
My Vault> share-folder -e user@company.com -a grant -u <FOLDER_UID>
```

Import / Export

```bash
My Vault> import --format json records.json
My Vault> export --format json --output vault_export.json
```

Enterprise Administration

These commands require enterprise admin privileges.

User Management

```bash
My Vault> enterprise-user --add user@company.com
My Vault> enterprise-user --invite user@company.com
My Vault> enterprise-user --delete user@company.com
My Vault> enterprise-user --lock user@company.com
My Vault> enterprise-user --unlock user@company.com
```

Team & Role Management

```bash
My Vault> enterprise-team --add "Engineering Team"
My Vault> enterprise-role --add-user user@company.com --role "Admin Role"
My Vault> enterprise-role --enforcement MASTER_PASSWORD_MINIMUM_LENGTH:12
```

Device Approvals

```bash
My Vault> device-approve             # List pending approvals
My Vault> device-approve --approve <DEVICE_ID>
My Vault> device-approve --deny <DEVICE_ID>
```

Reporting

```bash
My Vault> audit-report --format csv --output audit.csv
My Vault> compliance-report
```

Secrets Manager Administration

Commander is used to create and manage the KSM Applications and Client Devices that the KSM CLI connects through.

```bash
# Create an Application
My Vault> secrets-manager app create --name "Production App" \
  --shared-folder <FOLDER_UID>

# List Applications
My Vault> secrets-manager app list

# Add a Client Device (generates One-Time Access Token)
My Vault> secrets-manager client add --app <APP_UID> \
  --name "Web Server 1" --unlock-ip

# Remove a Client Device
My Vault> secrets-manager client remove --app <APP_UID> \
  --client "Web Server 1"

# Share Application with another user
My Vault> secrets-manager share --app <APP_UID> --email admin2@company.com
```

The One-Time Access Token output from `client add` is configured on the target
machine using the **keeper-setup** skill (token via `KSM_CLI_TOKEN` or other
supported secure methods—**not** as a literal `--token` argument in shared
examples or chat).

KeeperPAM Operations

```bash
# List PAM resources (gateways, connections)
My Vault> pam gateway list
My Vault> pam configuration list

# Launch SSH session
My Vault> connect <RECORD_UID>

# Manage password rotation
My Vault> pam rotation list
My Vault> pam rotation start --record <RECORD_UID>
```

Service Mode (REST API)

Commander can run as a headless REST API for automation.
```bash
keeper --batch-mode api-server --port 8089
```

Automation (Batch Commands)

```bash
# Run commands from a file
keeper --batch-mode --commands-file commands.txt

# Pipe commands
echo "list" | keeper --batch-mode --user admin@co.com
```

Guardrails

  • NEVER expose the user's master password in logs, chat, or code.
  • NEVER print secret field values into chat unless explicitly requested for a specific debugging purpose - and warn the user first.
  • For destructive operations (delete user, delete record, modify role enforcement), always confirm with the user before executing.
  • If the user needs runtime secret injection for an application, redirect them to the keeper-secrets skill and KSM CLI.
  • Commander requires a full user login - it cannot be used in headless environments without persistent login configured.
For detailed command reference, read `references/commander-commands.md`. For `keeper://` URIs and `ksm exec` / `ksm interpolate`, see Keeper notation and the keeper-secrets skill.
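As an added example (not code from the keeper-admin skill or from Keeper), the following bash script lints a batch commands file before it is handed to `keeper --batch-mode --commands-file`. It mechanises two of the guardrails above: it refuses a file that passes a secret on a command line (such a value would land in shell history and process listings), and it lists destructive commands so the operator confirms them before the run. The flag names in `SECRET_PATTERN`, the destructive-command spellings in `DESTRUCTIVE_PATTERN`, the function names and the sample commands file are assumptions made for this example, not taken from Commander's documentation.

```bash
#!/usr/bin/env bash
# Added example, not part of the keeper-admin skill or of Keeper's own tooling.
# Pre-flight lint for a Commander batch commands file before it is handed to
# `keeper --batch-mode --commands-file`. It mechanises two guardrails:
#   1. refuse to run a file that passes a secret on a command line
#      (such a value would land in shell history and process listings);
#   2. list destructive commands (rm, enterprise-user --delete, role
#      enforcement changes) so the operator confirms them before the run.
set -u

# Flag names treated as secret-bearing. This regex is an assumption made for
# the example, not a list taken from the Commander documentation.
SECRET_PATTERN='(--password|--master-password|--token)([= ]|$)'

# Commands the Guardrails section calls destructive (assumed spellings).
DESTRUCTIVE_PATTERN='^[[:space:]]*(rm |enterprise-user .*--delete|enterprise-role .*--enforcement)'

# lint_commands FILE
#   prints one "secret:<line>" or "destructive:<line>" entry per finding;
#   returns 1 if any secret-bearing line was found, 0 otherwise.
lint_commands() {
  local file="$1" n=0 bad=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
    if printf '%s\n' "$line" | grep -Eq "$SECRET_PATTERN"; then
      echo "secret:$n"
      bad=1
    elif printf '%s\n' "$line" | grep -Eq "$DESTRUCTIVE_PATTERN"; then
      echo "destructive:$n"
    fi
  done < "$file"
  return "$bad"
}

# count_destructive FILE -> number of destructive lines (prints 0 when none)
count_destructive() {
  lint_commands "$1" | grep -c '^destructive:' || true
}

# run_batch FILE: lint, confirm destructive lines, then hand the file to keeper.
run_batch() {
  local file="$1"
  local report
  report=$(lint_commands "$file")
  if [ $? -ne 0 ]; then
    printf 'refusing to run %s: secret passed on a command line\n%s\n' "$file" "$report" >&2
    return 1
  fi
  if printf '%s\n' "$report" | grep -q '^destructive:'; then
    echo "destructive commands in $file at line(s):" \
      "$(printf '%s\n' "$report" | sed -n 's/^destructive://p' | tr '\n' ' ')"
    printf 'Proceed? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || return 2
  fi
  keeper --batch-mode --commands-file "$file"
}

# Demo on a constructed commands file (sample content, not real vault data).
demo_file=$(mktemp)
printf '%s\n' \
  '# constructed sample' \
  'list' \
  'rm RECORD_UID_PLACEHOLDER' \
  'enterprise-user --delete user@company.com' > "$demo_file"
echo "findings: $(lint_commands "$demo_file" | tr '\n' ' ')"
rm -f "$demo_file"
```

Run `run_batch commands.txt` in place of calling `keeper --batch-mode --commands-file commands.txt` directly; the lint runs first, and the keeper invocation is only reached when no secret-bearing flag was found and any destructive lines were confirmed.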