# Sync Command

{% hint style="success" %}
Synchronization is one-way only: Keeper is the source of truth *(read only)*, and only the remote key-value pairs in the external secrets manager are updated.
{% endhint %}

## `sync` command

**Description:** Import and synchronize secrets from the Keeper Vault with external secrets management systems

`ksm sync --credentials <UID> --type [aws|azure|gcp|json] [--dry-run] [--preserve-missing] --map <KEY NOTATION>...`

{% hint style="info" %}
Requires a Secrets Manager profile that has been initialized with:\
`ksm profile init <TOKEN>`\
\
See the [Profile Documentation](/en/keeperpam/secrets-manager/secrets-manager-command-line-interface/profile-command.md) for more information.
{% endhint %}

{% hint style="info" %}
**AWS Sync Prerequisite:** Syncing to AWS (`--type aws`) requires the `[aws]` extra:

`pip3 install keeper-secrets-manager-cli[aws]`

The `--type json` option does not require any extra dependencies.
{% endhint %}

Parameters:

* `-t, --type` Type of the target key/value storage. Available types are:
  * `aws` - AWS Secrets Manager
  * `azure` - Azure Key Vault
  * `gcp` - GCP Secret Manager
  * `json` - lists all pending sync operations including both source and destination values
* `-m, --map <KEY NOTATION>` Map destination key names to values using [notation](/en/keeperpam/secrets-manager/about/keeper-notation.md) URI
* `-c, --credentials <uid>` UID of Keeper record with credentials to access destination key/value storage. The specified record must be shared with the Keeper Secrets Manager Application.

Optional parameters:

* `-n, --dry-run` Perform a trial run with no changes made.
* `-p, --preserve-missing` Preserve destination value when source value is deleted.

#### AWS-Specific Options <a href="#aws-specific-options" id="aws-specific-options"></a>

* `-r`, `--record <RECORD>`  Sync individual records by title or UID. Can be specified multiple times.
* `-f`, `--folder <FOLDER>`  Sync all records from specified folder(s) - non-recursive.
* `-fr`, `--folder-recursive <FOLDER>`  Sync all records from specified folder(s) and all subfolders recursively.
* `-rj`, `--raw-json`  Store full raw JSON in KMS secret (same format as `secret get <UID> --json`).

See the [AWS Secrets Manager Sync](/en/keeperpam/secrets-manager/integrations/aws-secrets-manager.md) documentation for detailed examples.

### Automation with Crontab <a href="#automation-with-crontab" id="automation-with-crontab"></a>

You can automate secret synchronization using cron jobs.

#### Example 1: Simple Daily Sync <a href="#example-1-simple-daily-sync-one-liner" id="example-1-simple-daily-sync-one-liner"></a>

Sync once per day at 2 AM:

```bash
# Edit crontab
crontab -e
# Add this line to sync Production folder daily at 2:00 AM
0 2 * * * /usr/local/bin/ksm sync -t aws -c <CRED_UID> --folder-recursive "Production" >> /var/log/ksm-sync.log 2>&1
```

#### Example 2: Complex Multi-Sync Script <a href="#example-2-complex-multi-sync-script" id="example-2-complex-multi-sync-script"></a>

For multiple sync operations with different mappings, create a shell script:

**Create `/home/user/scripts/ksm-sync-all.sh`:**

```bash
#!/usr/bin/env bash

# Configuration
CRED_UID="<YOUR_AWS_CRED_UID>"
# Absolute path to ksm: cron runs jobs with a minimal PATH
KSM="/usr/local/bin/ksm"

# Sync with multiple custom mappings
"$KSM" sync -t aws -c "$CRED_UID" \
    --map "legacy-db-password" "keeper://<UID>/field/password" \
    --map "api_key" "keeper://<UID>/custom_field/api_key" \
    --map "db_host" "keeper://<UID>/custom_field/hostname" \
    >> /var/log/ksm-sync.log 2>&1

# Split into multiple sync commands if the list is too long
"$KSM" sync -t aws -c "$CRED_UID" \
    --map "db_password" "keeper://<UID>/field/password" \
    --map "db_login" "keeper://<UID>/custom_field/login" \
    >> /var/log/ksm-sync.log 2>&1
```

**Make the script executable:**

```bash
chmod +x /home/user/scripts/ksm-sync-all.sh
```

**Add to crontab to run every 6 hours:**

```bash
# Edit crontab
crontab -e
# Add this line to run the sync script every 6 hours
0 */6 * * * /home/user/scripts/ksm-sync-all.sh
```
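
The following wrapper is an added example, not part of Keeper's documentation: a script the crontab entries above could call instead of invoking `ksm sync` directly. It runs the sync with `--dry-run` first, applies it only if the trial run succeeds, and keeps the log readable by its owner only. It assumes `ksm` exits non-zero on failure; `gated_sync`, `KSM_BIN` and `LOG_FILE` are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not Keeper's own script): gate a cron-driven `ksm sync`
# behind a dry run. Assumption: ksm exits non-zero when a run fails.

KSM_BIN="${KSM_BIN:-/usr/local/bin/ksm}"       # absolute path, cron's PATH is minimal
LOG_FILE="${LOG_FILE:-/var/log/ksm-sync.log}"  # log path used by the examples above

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG_FILE"
}

# gated_sync <arguments for `ksm sync`>
# Returns 0 on success, 1 if the dry run failed (destination untouched),
# 2 if the real sync failed, 3 if the log file could not be secured.
gated_sync() {
    # `--type json` output includes source and destination values, so keep
    # the log owner-only, including a file left by an earlier, laxer setup.
    ( umask 077; : >> "$LOG_FILE" ) 2>/dev/null || return 3
    chmod 600 "$LOG_FILE" || return 3

    if ! "$KSM_BIN" sync --dry-run "$@" >> "$LOG_FILE" 2>&1; then
        log "dry run failed, destination left untouched"
        return 1
    fi
    if ! "$KSM_BIN" sync "$@" >> "$LOG_FILE" 2>&1; then
        log "sync failed after a clean dry run"
        return 2
    fi
    log "sync completed"
    return 0
}

# Cron usage (script name is a placeholder):
#   0 2 * * * /home/user/scripts/ksm-sync-gated.sh -t aws -c <CRED_UID> --folder-recursive "Production"
if [ "$#" -gt 0 ]; then
    gated_sync "$@" || exit $?
fi
```

Because the script exits with the failing step's code, cron's own failure mail or a monitoring check on the exit status can flag a stalled sync before rotated credentials go stale in the destination.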

## Sync Types

Select an external provider below to learn more about the integration.

{% content-ref url="/pages/34KiaAqCCWYeFK8n8tHW" %}
[AWS Secrets Manager Sync](/en/keeperpam/secrets-manager/integrations/aws-secrets-manager.md)
{% endcontent-ref %}

{% content-ref url="/pages/8LqKdN1gExiCxJhy1YW3" %}
[Azure Key Vault Sync](/en/keeperpam/secrets-manager/integrations/azure-key-vault.md)
{% endcontent-ref %}

{% content-ref url="/pages/bGhfkhAMwUdjtvng2lhQ" %}
[Google Cloud Secret Manager Sync](/en/keeperpam/secrets-manager/integrations/gcp-secret-manager.md)
{% endcontent-ref %}


