The Akeyless PAM Provider allows for the retrieval of stored account credentials from an Akeyless secret.
The Akeyless PAM Provider is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
The Akeyless PAM Provider is used by Command to resolve PAM-eligible credentials for Universal Orchestrator extensions and for accessing Certificate Authorities. When configured, Command will use the Akeyless PAM Provider to retrieve credentials needed to communicate with the target system. There are two ways to install the Akeyless PAM Provider, and you may elect to use one or both methods:
- Locally on the Keyfactor Command server: PAM credential resolution via the Akeyless PAM Provider will occur on the Keyfactor Command server each time an eligible credential is needed.
- Remotely On Universal Orchestrators: When Jobs are dispatched to Universal Orchestrators, the associated Certificate Store extension assembly will use the Akeyless PAM Provider to resolve eligible PAM credentials.
Before proceeding with installation, you should consider which pattern is best for your requirements and use case.
Important
For the most up-to-date and complete documentation on how to install a PAM provider extension, please visit our product documentation
To install Akeyless PAM Provider, it is recommended you install kfutil. kfutil is a command-line tool that simplifies the process of creating PAM Types in Keyfactor Command.
- Akeyless credentials with permission to access the secret(s) being used. See the Akeyless documentation for more information on how to configure the different types of auth.
Create the required PAM Types in the connected Command platform.
```shell
# Akeyless
kfutil pam types-create -r akeyless-pam -n Akeyless
```

For full API docs please visit our product documentation.

Below is the payload to POST to the Keyfactor Command API:
```json
{
  "Name": "Akeyless",
  "Parameters": [
    {
      "Name": "Url",
      "DisplayName": "Akeyless URL",
      "Description": "The URL to the Akeyless instance. Defaults to: https://api.akeyless.io",
      "DataType": 1,
      "InstanceLevel": false
    },
    {
      "Name": "AccessId",
      "DisplayName": "Access ID",
      "Description": "The access key ID used to authenticate to Akeyless using `access_key` authentication.",
      "DataType": 2,
      "InstanceLevel": false
    },
    {
      "Name": "AccessKey",
      "DisplayName": "Access Key",
      "Description": "The access key used to authenticate to Akeyless using `access_key` authentication.",
      "DataType": 2,
      "InstanceLevel": false
    },
    {
      "Name": "AuthType",
      "DisplayName": "Auth Type",
      "Description": "The auth type used to authenticate to the Akeyless platform. Supported types are `access_key`.",
      "DataType": 1,
      "InstanceLevel": false
    },
    {
      "Name": "SecretName",
      "DisplayName": "Secret Name",
      "Description": "The full name (path) of the secret in Akeyless that contains the credential to retrieve.",
      "DataType": 1,
      "InstanceLevel": true
    },
    {
      "Name": "SecretType",
      "DisplayName": "Secret Type",
      "Description": "The type of secret stored in Akeyless. Supported types are `static_kv,static_text,static_json`.",
      "DataType": 1,
      "InstanceLevel": true
    },
    {
      "Name": "StaticSecretFieldName",
      "DisplayName": "Static Secret Field Name",
      "Description": "The field name within a static secret to retrieve the credential from. Required for `static_kv` and optional for `static_json` secret types.",
      "DataType": 1,
      "InstanceLevel": true
    }
  ]
}
```
1. On the server that hosts Keyfactor Command, download and unzip the latest release of the Akeyless PAM Provider from the Releases page.
2. Copy the assemblies to the appropriate directories on the Keyfactor Command server:

   Keyfactor Command 11+

   Copy the unzipped assemblies to each of the following directories:
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\Extensions\akeyless-pam`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\Extensions\akeyless-pam`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\Extensions\akeyless-pam`

   Keyfactor Command 10

   Copy the assemblies to each of the following directories:
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\bin\akeyless-pam`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\bin\akeyless-pam`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\bin\akeyless-pam`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\Service\akeyless-pam`
3. Open a text editor on the Keyfactor Command server as an administrator and open the `web.config` file located in the `WebAgentServices` directory.
4. In the `web.config` file, locate the `<container> </container>` section and add the following registration:

   ```xml
   <container>
     ...
     <!--The following are PAM Provider registrations. Uncomment them to use them in the Keyfactor Product:-->
     <!--Add the following line exactly to register the PAM Provider-->
     <register type="IPAMProvider" mapTo="Keyfactor.Extensions.Pam.Akeyless, Keyfactor.Command.PAMProviders" name="Akeyless" />
   </container>
   ```
5. Repeat steps 3 and 4 for each of the remaining directories listed in step 2. The configuration files are located in the following paths by default:
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebAgentServices\web.config`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\KeyfactorAPI\web.config`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\WebConsole\web.config`
   - `C:\Program Files\Keyfactor\Keyfactor Platform\Service\CMSTimerService.exe.config`
6. Restart the Keyfactor Command services (`iisreset`).
1. Install the Akeyless PAM Provider assemblies.
   - Using kfutil: On the server that hosts the Universal Orchestrator, run the following command:

     ```shell
     # Windows Server
     kfutil orchestrator extension -e akeyless-pam@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions"
     # Linux
     kfutil orchestrator extension -e akeyless-pam@latest --out "/opt/keyfactor/orchestrator/extensions"
     ```
   - Manually: Download the latest release of the Akeyless PAM Provider from the Releases page. Extract the contents of the archive to:
     - Windows Server: `C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions\akeyless-pam`
     - Linux: `/opt/keyfactor/orchestrator/extensions/akeyless-pam`
2. Included in the release is a `manifest.json` file that contains the following object:

   ```json
   {
     "Keyfactor:PAMProviders:Akeyless-:InitializationInfo": {
       "Url": "https://api.akeyless.io",
       "AuthType": "access_key",
       "AccessId": "<ACCESS_ID>",
       "AccessKey": "<ACCESS_KEY>"
     }
   }
   ```

   Populate the fields in this object with credentials and configuration data collected in the requirements section. The Access Key sits in clear text in this file, so restrict read access on `manifest.json` to the account that runs the Universal Orchestrator service.
3. Restart the Universal Orchestrator service.
- In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
- Select the Add button to create a new PAM provider. Click the dropdown for Provider Type and select Akeyless.
Important
If you're running Keyfactor Command 11+, make sure Remote Provider is unchecked.
- Populate the fields with the necessary information collected in the requirements section:
| Initialization parameter | Display Name | Description |
|---|---|---|
| Url | Akeyless URL | The URL to the Akeyless instance. Defaults to: https://api.akeyless.io |
| AccessId | Access ID | The access key ID used to authenticate to Akeyless using access_key authentication. |
| AccessKey | Access Key | The access key used to authenticate to Akeyless using access_key authentication. |
| AuthType | Auth Type | The auth type used to authenticate to the Akeyless platform. Supported types are access_key. |
- Click Save. The PAM provider is now available for use in Keyfactor Command.
Now, when defining Certificate Stores (Locations->Certificate Stores), Akeyless will be available as a PAM provider option. When defining new Certificate Stores, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Akeyless provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretName | Secret Name | The full name (path) of the secret in Akeyless that contains the credential to retrieve. |
| SecretType | Secret Type | The type of secret stored in Akeyless. Supported types are static_kv,static_text,static_json. |
| StaticSecretFieldName | Static Secret Field Name | The field name within a static secret to retrieve the credential from. Required for static_kv and optional for static_json secret types. |
Keyfactor Command 11+
In Command 11 and greater, before using the Akeyless PAM type, you must define a Remote PAM Provider in the Command portal.
1. In the Keyfactor Command Portal, hover over the ⚙️ (settings) icon in the top right corner of the screen and select Privileged Access Management.
2. Select the Add button to create a new PAM provider.
3. Make sure that Remote Provider is checked.
4. Click the dropdown for Provider Type and select Akeyless.
5. Give the provider a unique name.
6. Click Save.
When defining Certificate Stores (Locations->Certificate Stores), Akeyless can be used as a PAM provider. When defining a new Certificate Store, the secret parameter form will display tabs for Load From Keyfactor Secrets or Load From PAM Provider.
Select the Load From PAM Provider tab, choose the Akeyless provider from the list of Providers, and populate the fields with the necessary information from the table below:
| Instance parameter | Display Name | Description |
|---|---|---|
| SecretName | Secret Name | The full name (path) of the secret in Akeyless that contains the credential to retrieve. |
| SecretType | Secret Type | The type of secret stored in Akeyless. Supported types are static_kv,static_text,static_json. |
| StaticSecretFieldName | Static Secret Field Name | The field name within a static secret to retrieve the credential from. Required for static_kv and optional for static_json secret types. |
Keyfactor Command 10
When defining Certificate Stores (Locations->Certificate Stores), Akeyless can be used as a PAM provider.
When entering Secret fields, select the Load From Keyfactor Secrets tab, and populate the Secret Value field with the following JSON object:
```json
{
  "SecretName": "The full name (path) of the secret in Akeyless that contains the credential to retrieve.",
  "SecretType": "The type of secret stored in Akeyless. Supported types are `static_kv,static_text,static_json`.",
  "StaticSecretFieldName": "The field name within a static secret to retrieve the credential from. Required for `static_kv` and optional for `static_json` secret types."
}
```
We recommend creating this JSON object in a text editor, and copying it into the Secret Value field.
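The instance parameter table above and the Command 10 Secret Value JSON both hinge on how `SecretType` and `StaticSecretFieldName` select a value out of the Akeyless secret. The following Python is an added example, not code from the akeyless-pam project or from Keyfactor: it models that selection offline against constructed sample secret values, builds the Command 10 JSON from the same three parameters, and includes an optional live preflight with the official Akeyless Python SDK. The sample item paths, the rule that a `static_json` secret without a field name yields the whole document, the JSON-text representation of `static_kv` values, and the empty `StaticSecretFieldName` when unused are assumptions, marked as such in the code.

```python
"""Added example, not code from the akeyless-pam project or Keyfactor.

Models how SecretName, SecretType and StaticSecretFieldName select a credential
out of an Akeyless secret value, builds the Command 10 Secret Value JSON from the
same parameters, and offers a live preflight via the Akeyless Python SDK.
Lines marked ASSUMPTION are not stated on the page."""
import json

SUPPORTED_SECRET_TYPES = ("static_kv", "static_text", "static_json")

# Constructed sample secrets keyed by Akeyless item path (not real credentials).
# ASSUMPTION: Akeyless returns static_kv and static_json values as JSON text and
# static_text as the raw string.
SAMPLE_SECRETS = {
    "/keyfactor/iis-store": json.dumps({"username": "svc-iis", "password": "S3cr3t!"}),
    "/keyfactor/ca-password": "CaP@ssw0rd",
    "/keyfactor/f5-login": json.dumps({"user": "admin", "pass": "f5pass"}),
}


def validate_instance_params(secret_name, secret_type, field_name=None):
    """Apply the rules from the instance parameter table before saving a store."""
    if not secret_name:
        raise ValueError("SecretName (the full Akeyless item path) is required")
    if secret_type not in SUPPORTED_SECRET_TYPES:
        raise ValueError(f"SecretType {secret_type!r} is not one of {SUPPORTED_SECRET_TYPES}")
    if secret_type == "static_kv" and not field_name:
        raise ValueError("StaticSecretFieldName is required for static_kv")


def _pick_field(secret_value, field_name):
    data = json.loads(secret_value)
    if not isinstance(data, dict) or field_name not in data:
        raise KeyError(f"field {field_name!r} not present in secret")
    value = data[field_name]
    # ASSUMPTION: a nested object is handed over as JSON text rather than rejected
    return value if isinstance(value, str) else json.dumps(value)


def resolve_credential(secret_value, secret_type, field_name=None):
    """Return the string a PAM-eligible field receives for one secret value."""
    if secret_type == "static_text":
        return secret_value                      # the whole value is the credential
    if secret_type == "static_kv":
        if not field_name:
            raise ValueError("StaticSecretFieldName is required for static_kv")
        return _pick_field(secret_value, field_name)
    if secret_type == "static_json":
        if not field_name:
            return secret_value                  # ASSUMPTION: no field -> whole document
        return _pick_field(secret_value, field_name)
    raise ValueError(f"unsupported SecretType {secret_type!r}")


def build_command10_secret_value(secret_name, secret_type, field_name=None):
    """JSON for the Secret Value field (Load From Keyfactor Secrets) on Command 10."""
    validate_instance_params(secret_name, secret_type, field_name)
    return json.dumps({
        "SecretName": secret_name,
        "SecretType": secret_type,
        "StaticSecretFieldName": field_name or "",   # ASSUMPTION: empty when unused
    })


def fetch_secret_value(url, access_id, access_key, secret_name):
    """Live preflight with the official Akeyless SDK (pip install akeyless): prove
    the access_key credentials can read the item before they go into Command.
    Imported lazily so everything above runs offline."""
    import akeyless
    api = akeyless.V2Api(akeyless.ApiClient(akeyless.Configuration(host=url)))
    token = api.auth(akeyless.Auth(access_id=access_id, access_key=access_key)).token
    values = api.get_secret_value(akeyless.GetSecretValue(names=[secret_name], token=token))
    return values[secret_name]


if __name__ == "__main__":
    name, stype, field = "/keyfactor/iis-store", "static_kv", "password"
    print(build_command10_secret_value(name, stype, field))
    print(resolve_credential(SAMPLE_SECRETS[name], stype, field))
```

Run `fetch_secret_value("https://api.akeyless.io", access_id, access_key, "/keyfactor/iis-store")` with the same Access ID and Access Key you intend to enter in Command: if it returns the value, the provider configuration will at least authenticate and is authorized to read that item, which separates Akeyless permission problems from Command-side configuration problems when a certificate store job later fails to resolve its credential.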
Note
Additional information on Akeyless can be found in the supplemental documentation.
Apache License 2.0, see LICENSE
See all Keyfactor PAM Provider extensions.