
Privileged Access Management

Configuration items related to the deployment of PAM provider integration extensions.

Privileged access management (PAM) functionality in Keyfactor Command allows for configuration of third-party or Keyfactor Command local PAM providers to secure certificate store and certificate authority credentials. For more information about the PAM functionality, visit the Command Reference Guide.

Third-party PAM functionality is provided using custom PAM extensions. Keyfactor provides several PAM extensions on the publicly-facing Keyfactor GitHub.


| Configuration Item | Description | Customer Requirements |
| --- | --- | --- |
| CyberArk | A Keyfactor PAM Provider plugin supporting credential retrieval with a CyberArk Credential Provider. The Central Credential Provider (cloud-hosted) can be used, or the standard Credential Provider with installed SDK. | Configuring Parameters |
| BeyondTrust | The BeyondTrust Password Safe PAM Provider allows for the retrieval of stored account credentials from the Password Safe solution. A valid API registration in BeyondTrust is used to open a request and retrieve credentials for a given account on a system. | Initial Configuration of PAM Provider |
| Delinea | The Delinea Secret Server PAM Provider allows for the retrieval of stored account credentials from a Delinea Secret Server secret. A valid username, password and secret share settings are required. | Initial Configuration of PAM Provider; Keyfactor Command Versions Supported |
| Hashicorp Vault | The Hashicorp Vault PAM Provider allows for the retrieval of stored account credentials from a Hashicorp Vault Secret store. A valid token with access to the secrets in the Vault is used to retrieve secrets from a specific secret path in the Vault. | Initial Configuration of PAM Provider |
| Google Cloud Secret Manager | The Google Cloud Secret Manager PAM Provider allows a Secret Manager instance in Google Cloud to be used as a credential store for Keyfactor. Secret values can be retrieved and used in the Keyfactor Platform as passwords or other sensitive fields. | Initial Configuration of PAM Provider |
| 1Password CLI | The 1Password CLI PAM Provider uses the 1Password CLI to communicate with 1Password in PowerShell. It does not support using the 1Password SDKs or 1Password Connect Server APIs. It does not require additional licensing for any services in 1Password besides basic level features. Communication with 1Password uses a Service Account and its associated Token. Service Account Tokens are tied to specific Vaults when they are created, and will need to be regenerated if additional Vault access needs to be added later. | Getting Started |
