PowerShell Module

Manage OnePAM resources, SSH sessions, and database connections directly from PowerShell 7+.

Overview

The OnePAM PowerShell module is a cross-platform client that mirrors the features of the OnePAM CLI. It lets you authenticate via OAuth2 device-code flow, manage resources and sessions, open interactive SSH/SCP connections, and run database queries — all from a PowerShell prompt.

Interactive SSH

Full terminal sessions and remote command execution.

SCP Transfers

Upload and download files with recursive directory support.

Database Access

Interactive REPL and programmatic queries for PostgreSQL, MySQL, MSSQL, MongoDB, and Elasticsearch.

Resource Management

Create, update, enable, disable, and delete resources.

Requirements

  • PowerShell 7.0 or later (cross-platform — Windows, macOS, Linux)
  • No external module dependencies
  • Shares configuration and tokens with the OnePAM CLI (~/.onepam/)

Installation

From the PowerShell Gallery (recommended)
Install-Module -Name OnePAM -Scope CurrentUser

To update to the latest version:

Update-Module -Name OnePAM
From Source
git clone https://github.com/onepamcom/onepam-powershell-module.git
Import-Module ./onepam-powershell-module/OnePAM/OnePAM.psd1

Or copy to a PSModulePath location for auto-loading:

Copy-Item -Recurse ./onepam-powershell-module/OnePAM "$HOME/.local/share/powershell/Modules/OnePAM"
Import-Module OnePAM
Auto-load on startup
Add-Content $PROFILE 'Import-Module OnePAM'

Authentication

The module uses the same OAuth2 Device Code flow as the CLI. Running Connect-OnePAM displays a one-time code and opens your browser for authorization. Tokens are stored in ~/.onepam/token.json and refreshed automatically. 

# Log in (opens browser for authorization)
Connect-OnePAM

# Check authentication status
Get-OnePAMAuthStatus

# Log out and revoke tokens
Disconnect-OnePAM
If you're already authenticated with the OnePAM CLI, the PowerShell module uses the same session automatically.

SSH Sessions

# Interactive SSH session
Enter-OnePAMSSH -Resource "my-server"

# SSH as a specific user
Enter-OnePAMSSH -Resource "root@my-server"

# Execute a remote command
Enter-OnePAMSSH -Resource "my-server" -Command "uname -a"

SCP / File Transfer

# Upload a file
Copy-OnePAMFile -Source "myfile.txt" -Destination "my-server:/tmp/"

# Download a file
Copy-OnePAMFile -Source "my-server:/var/log/app.log" -Destination "./"

# Recursive directory copy
Copy-OnePAMFile -Source "./config/" -Destination "my-server:/etc/app/" -Recursive

Database Access

Interactive REPL
# Start interactive SQL session
Connect-OnePAMDatabase -Resource "prod-postgres"

# Inside the REPL:
#   \dt              List tables
#   \d <table>       Describe table
#   \databases       List databases
#   \h               Help
#   \q               Quit
Programmatic Queries
# Run a query and get PowerShell objects
$users = Invoke-OnePAMQuery -Resource "prod-db" -Query "SELECT * FROM users LIMIT 10"

# Pipeline-friendly output
Invoke-OnePAMQuery -Resource "prod-db" -Query "SELECT name, email FROM users" | Format-Table

# Export to CSV
Invoke-OnePAMQuery -Resource "analytics" -Query "SELECT * FROM events" | Export-Csv events.csv

Resource Management

# List all resources
Get-OnePAMResource

# Filter by type
Get-OnePAMResource -Type ssh
Get-OnePAMResource -Type database

# Create a new resource
New-OnePAMResource -Name "staging-db" -Type database -TargetHost "db.staging" -Port 5432 -AgentId "agent-uuid"

# Update a resource
Set-OnePAMResource -Id "resource-uuid" -Name "new-name" -Port 5433

# Enable / Disable
Enable-OnePAMResource -Id "resource-uuid"
Disable-OnePAMResource -Id "resource-uuid"

# Delete
Remove-OnePAMResource -Id "resource-uuid" -Force

Configuration

# View current config
Get-OnePAMConfig

# Point to a different OnePAM instance
Set-OnePAMConfig -Key api_base -Value "https://my-onepam.example.com"

# Set default organization
Set-OnePAMConfig -Key org_uuid -Value "12345678-1234-1234-1234-123456789abc"

Configuration is stored in ~/.onepam/config.json and shared with the OnePAM CLI.

CLI Compatibility

Every CLI command has a corresponding PowerShell cmdlet. Configuration and authentication are shared.

CLI Command PowerShell Cmdlet
op loginConnect-OnePAM
op logoutDisconnect-OnePAM
op statusGet-OnePAMAuthStatus
op config showGet-OnePAMConfig
op config setSet-OnePAMConfig
op lsGet-OnePAMResource
op ssh <resource>Enter-OnePAMSSH
op scpCopy-OnePAMFile
op db connectConnect-OnePAMDatabase
op sessions listGet-OnePAMSession
op resources createNew-OnePAMResource
op resources updateSet-OnePAMResource
op resources deleteRemove-OnePAMResource