Sync Command

Synchronizes selected keys from Keeper Vault to an external secrets manager

Synchronization is one way only, using Keeper as a source of truth (read only) and updates only the remote key-value pairs in the external secrets manager.

`sync` command

Description: Import and synchronize secrets from the Keeper Vault with external secrets management systems

ksm sync --credentials <UID> --type [aws|azure|gcp|json] [--dry-run] [--preserve-missing] --map <KEY NOTATION>...

Requires a Secrets Manager profile that has been initialized with: ksm profile init <TOKEN> See the Profile Documentation for more information

parameters:

-t, --type Type of the target key/value storage. Available types are:
- aws - AWS Secrets Manager
- azure- Azure Key Vault
- gcp - GCP Secret Manager
- json - lists all pending sync operations including both source and destination values
-m, --map <KEY NOTATION> Map destination key names to values using notation URI
-c, --credentials <uid> UID of Keeper record with credentials to access destination key/value storage. The specified record must be shared with the Keeper Secrets Manager Application

optional parameters:

-n, --dry-run Perform a trial run with no changes made.
-p, --preserve-missing Preserve destination value when source value is deleted.

AWS-Specific Options

--record, -r <RECORD> Sync individual records by title or UID. Can be specified multiple times. --folder, -f <FOLDER> Sync all records from specified folder(s) - non-recursive. --folder-recursive, -fr <FODLER> Sync all records from specified folder(s) and all subfolders recursively. --raw-json, -rj Store full raw JSON in KMS secret (same format as secret get <UID> --json).

Automation with Crontab

You can automate secret synchronization using cron jobs.

Example 1: Simple Daily Sync

Sync once per day at 2 AM:

# Edit crontab
crontab -e
# Add this line to sync Production folder daily at 2:00 AM
0 2 * * * /usr/local/bin/ksm sync -t aws -c <CRED_UID> --folder-recursive "Production" >> /var/log/ksm-sync.log 2>&1

Example 2: Complex Multi-Sync Script

For multiple sync operations with different mappings, create a shell script:

Create /home/user/scripts/ksm-sync-all.sh:

#!/usr/bin/env bash

# Configuration
CRED_UID="<YOUR_AWS_CRED_UID>"
# Sync with multiple custom mappings
ksm sync -t aws -c "$CRED_UID" \
    --map "legacy-db-password" "keeper://<UID>/field/password" \
    --map "api_key" "keeper://<UID>/custom_field/api_key" \
    --map "db_host" "keeper://<UID>/custom_field/hostname" \
    >> /var/log/ksm-sync.log 2>&1
# Split into multiple sync commands if the list is too long
ksm sync -t aws -c "$CRED_UID" \
    --map "db_password" "keeper://<UID>/field/password" \
    --map "db_login" "keeper://<UID>/custom_field/login" \
    >> /var/log/ksm-sync.log 2>&1

Make the script executable:

chmod +x /home/user/scripts/ksm-sync-all.sh

Add to crontab to run every 6 hours:

# Edit crontab
crontab -e
# Add this line to run the sync script every 6 hours
0 */6 * * * /home/user/scripts/ksm-sync-all.sh

Sync Types

Select an external provider below to learn more about the integration.

AWS Secrets Manager Sync Azure Key Vault Sync Google Cloud Secret Manager Sync

PreviousFolder Command NextExec Command

Last updated 28 days ago

Was this helpful?