docs: include PAM type parameters in store guides

Author: spbsoluble

docs/use-cases/Certificate Store Operations/Store Types/README.md

@@ -1,7 +1,7 @@
 <!-- Generated by tools/storetypedocs. -->
 # Store Type Bulk Create And Update Guides
 
-These docs are generated from `cmd/store_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.
+These docs are generated from `cmd/store_types.json` and `cmd/pam_types.json` and describe the CSV columns used by `kfutil stores import csv` for each embedded certificate store type.
 
 Regenerate after store type metadata changes:
 
@@ -11,6 +11,22 @@ make store-type-docs
 
 Use `kfutil stores import generate-template` against a live Command environment when you need a template that reflects deployed customizations.
 
+## PAM Provider Parameter Columns
+
+PAM-backed secret columns vary by PAM provider type. Provider-level parameters are configured on the PAM provider. Store CSV rows use the instance-level parameter names with the secret column prefix, for example `Properties.ServerPassword.Parameters.SecretId` or `Password.Parameters.SecretId`.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## Store Types
 
 | Store Type | Name | Store Password | Secret/PAM Columns |

docs/use-cases/Certificate Store Operations/Store Types/akamai.md

@@ -140,14 +140,28 @@ Properties.client_token
 Properties.client_secret
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.access_token.Provider,Properties.access_token.Parameters.<ParameterName>
 Properties.client_token.Provider,Properties.client_token.Parameters.<ParameterName>
 Properties.client_secret.Provider,Properties.client_secret.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/appgwbin.md

@@ -99,14 +99,28 @@ Properties.ServerPassword
 Properties.ClientCertificate
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.<ParameterName>
 Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/aruba.md

@@ -106,13 +106,27 @@ Properties.FileServerUsername
 Properties.FileServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.FileServerUsername.Provider,Properties.FileServerUsername.Parameters.<ParameterName>
 Properties.FileServerPassword.Provider,Properties.FileServerPassword.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/aws-acm-v3.md

@@ -115,7 +115,7 @@ Properties.IAMUserAccessKey
 Properties.IAMUserAccessSecret
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.OAuthClientId.Provider,Properties.OAuthClientId.Parameters.<ParameterName>
@@ -124,6 +124,20 @@ Properties.IAMUserAccessKey.Provider,Properties.IAMUserAccessKey.Parameters.<Par
 Properties.IAMUserAccessSecret.Provider,Properties.IAMUserAccessSecret.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/aws-acm.md

@@ -114,13 +114,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/axisipcamera.md

@@ -104,13 +104,27 @@ Properties.ServerUsername
 Properties.ServerPassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/azureapp.md

@@ -99,14 +99,28 @@ Properties.ServerPassword
 Properties.ClientCertificate
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.<ParameterName>
 Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/azureapp2.md

@@ -100,7 +100,7 @@ Properties.ClientCertificate
 Properties.ClientCertificatePassword
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
@@ -109,6 +109,20 @@ Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.<P
 Properties.ClientCertificatePassword.Provider,Properties.ClientCertificatePassword.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)

docs/use-cases/Certificate Store Operations/Store Types/azureappgw.md

@@ -99,14 +99,28 @@ Properties.ServerPassword
 Properties.ClientCertificate
 ```
 
-PAM-backed property secrets use provider and parameter columns:
+PAM-backed property secrets use a provider column and provider-type-specific parameter columns. `Provider` identifies the configured PAM provider. `Parameters.*` must match the instance-level parameters for that provider type.
 
 ```csv
 Properties.ServerUsername.Provider,Properties.ServerUsername.Parameters.<ParameterName>
 Properties.ServerPassword.Provider,Properties.ServerPassword.Parameters.<ParameterName>
 Properties.ClientCertificate.Provider,Properties.ClientCertificate.Parameters.<ParameterName>
 ```
 
+Use the PAM parameter names in the table below, or check the provider type in Command if your environment uses custom PAM types.
+
+| PAM type | Provider-level parameters | Store CSV instance parameters |
+| --- | --- | --- |
+| `1Password-CLI` | Vault, Token | Item, Field |
+| `Azure-KeyVault` | KeyVaultUri, AuthorityHost | SecretId |
+| `Azure-KeyVault-ServicePrincipal` | KeyVaultUri, AuthorityHost, TenantId, ClientId, ClientSecret | SecretId |
+| `BeyondTrust-PasswordSafe` | Host, APIKey, Username, ClientCertificate | SystemId, AccountId |
+| `CyberArk-CentralCredentialProvider` | AppId, Host, Site | Safe, Folder, Object |
+| `CyberArk-SdkCredentialProvider` | AppId | Safe, Folder, Object |
+| `Delinea-SecretServer` | Host, Username, Password, ClientId, ClientSecret, GrantType | SecretId, SecretFieldName |
+| `GCP-SecretManager` | projectId | secretId |
+| `Hashicorp-Vault` | Host, Token, Path | Secret, Key |
+
 ## References
 
 - [Bulk Certificate Store Creation](../bulk-certificate-store-creation.md)