# Universal Secrets Sync

<figure><img src="/files/uvxWby98iGiCHBJ0tjzQ" alt=""><figcaption></figcaption></figure>

### What is Universal Secrets Sync? <a href="#pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery" id="pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery"></a>

Universal Secrets Sync (USS) automatically pushes secrets from the Keeper Vault to cloud provider secret stores — AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager. With USS, the Keeper Vault becomes the single source of truth for all cloud secrets. When a record changes in Keeper, the updated secret reaches every configured cloud provider without manual intervention.

{% hint style="success" %}
**At a glance**

* **Supported providers** - AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager
* **Automatic sync** - Trigger sync automatically whenever a record's content changes in the Keeper Vault
* **Dry-run mode** - Preview secrets that would be created or updated before committing to the operation
* **Multi-folder sync** - Sync secrets from multiple Keeper folders
* **Multi-region** - AWS syncs across all configured regions in a single operation
* **Zero credentials on the wire** - the Keeper Gateway authenticates to cloud providers; no secrets transit Keeper's cloud infrastructure
* **Managed through** - Keeper Vault UI or Keeper Commander CLI
{% endhint %}

### Why Universal Secrets Sync?

Secrets sprawl is one of the most common causes of security incidents in cloud environments. Teams create secrets in AWS Secrets Manager for one workload, duplicate them in Azure Key Vault for another, and manually copy them into GCP for a third. When a password rotates in Keeper, the cloud copies stay stale. Pipelines fail. Engineers create service accounts with long-lived static credentials as workarounds. Drift accumulates.

USS eliminates this pattern. Keeper becomes the place where a secret is created and rotated exactly once. Every cloud provider receives the update automatically — no scripts, no pipelines, no manual copy-paste.

### How It Works

The Keeper Gateway, deployed inside your network, receives sync jobs from Keeper and authenticates directly to your cloud provider using the configured Sync Identity. Secret values are decrypted inside the Gateway and written to the cloud provider — they never transit Keeper's infrastructure. When the sync completes, the result is logged in the Keeper audit log.

### Supported Cloud Providers

|                                 | AWS Secrets Manager | Azure Key Vault           | GCP Secret Manager |
| ------------------------------- | ------------------- | ------------------------- | ------------------ |
| Auto-creates secret store       | No                  | Yes                       | No                 |
| Multi-region support            | Yes                 | No                        | No                 |
| Sync Identity type              | IAM Role ARN        | Managed Identity UUID     | Service Account    |
| Gateway must run on cloud infra | No                  | Only for Managed Identity | No                 |
| Metadata / tags                 | Yes                 | Yes                       | Yes                |

### Key Features

**Automatic Sync**

When dry-run is disabled, USS fires automatically whenever a Keeper record in a linked shared folder is created or updated. No manual action is required. The Gateway processes the change and pushes it to the cloud provider in the background.

<figure><img src="/files/MLSFXrascfWFgobavV0l" alt=""><figcaption></figcaption></figure>

**Dry-Run Mode**

When dry-run is enabled, the application and folder views display the last sync timestamp and whether the overall sync succeeded or failed. Select **Push Updates** to preview the secrets that would be created or updated in the cloud provider. Review the list and click **Sync Now** to confirm, or close the dialog to cancel without making any changes.

<figure><img src="/files/KQYtQmhbdyYBHIVt1imi" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/X2ZTXd1DltQGM1TshRW8" alt=""><figcaption></figcaption></figure>

**Multi-Folder Sync**

A single PAM Configuration can pull from multiple Keeper shared folders. Every record in every linked folder is eligible for sync. This allows a team to organize secrets by environment (prod, staging, dev) in separate folders while syncing all of them to the same cloud destination.

**Sync Identity**

The Sync Identity field lets administrators specify a dedicated IAM role, managed identity, or service account for the Gateway to assume during sync operations. Using a Sync Identity with least-privilege access to the secrets store — separate from the broader PAM Configuration credentials — is the recommended security posture.

**Error Recovery**

If a sync encounters a missing secret, a permissions error, or a transient cloud API failure, USS logs the error against the affected record. Failed records are retried on the next sync cycle. Administrators can view sync errors in the Keeper Vault and in ARAM event reporting.

### Security Model

USS inherits Keeper's zero-knowledge architecture. Secret values are decrypted inside the customer's Gateway and written directly to the cloud provider. They are never decrypted on Keeper's servers and never stored in Keeper's cloud infrastructure during transit.

| Threat                             | How USS neutralizes it                                                                            |
| ---------------------------------- | ------------------------------------------------------------------------------------------------- |
| Secrets visible to Keeper's cloud  | Gateway decrypts and writes locally — Keeper's cloud never sees plaintext                         |
| Stale cloud secrets after rotation | Automatic sync ensures cloud stores update within seconds of a Vault change                       |
| Overprivileged sync credentials    | Sync Identity supports least-privilege IAM role / managed identity scoped to secrets manager only |
| Audit gap                          | Every sync operation is logged; ARAM captures create / update events per secret                   |
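The Sync Identity guidance above and the "Overprivileged sync credentials" row both come down to scoping the identity to the secrets store alone. As an added example (not Keeper's code or documentation), the following Python check flags an overprivileged AWS IAM policy and passes a scoped one; the action set and the ARN prefix are assumptions, since this page does not enumerate the exact permissions the Gateway needs.

```python
# Assumed minimal action set for a sync that creates, updates and tags secrets;
# the page does not enumerate the permissions the Keeper Gateway actually needs.
ASSUMED_REQUIRED = {
    "secretsmanager:CreateSecret",
    "secretsmanager:PutSecretValue",
    "secretsmanager:DescribeSecret",
    "secretsmanager:TagResource",
}

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_sync_identity_policy(policy: dict) -> list[str]:
    """Return findings for an IAM policy; an empty list means it is scoped."""
    findings, granted, wildcard = [], set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r}")
                wildcard = True
            elif not action.startswith("secretsmanager:"):
                findings.append(f"action outside Secrets Manager: {action!r}")
            granted.add(action)
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append("resource '*' (not scoped to a secret name prefix)")
    missing = ASSUMED_REQUIRED - granted
    if missing and not wildcard:
        findings.append("missing assumed actions: " + ", ".join(sorted(missing)))
    return findings

# Weak setting: the broad PAM Configuration credential reused as the sync identity.
OVERPRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Corrected setting: a dedicated Sync Identity limited to Secrets Manager writes
# under a constructed name prefix (account id, region and prefix are placeholders).
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": sorted(ASSUMED_REQUIRED),
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:keeper/*"}]}

if __name__ == "__main__":
    for name, pol in (("overprivileged", OVERPRIVILEGED), ("scoped", SCOPED)):
        print(name, audit_sync_identity_policy(pol))
```

The same shape of check applies to an Azure role assignment or a GCP service account binding: reject anything that reaches beyond the secret store the Gateway writes to.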

### Getting Started

#### Prerequisites

* An active KeeperPAM license
* A Keeper Gateway installed and registered — [Gateway setup guide](/keeperpam/privileged-access-manager/getting-started/gateways.md)
* A KSM Application associated with the Gateway
* A PAM Configuration for your target cloud environment (AWS, Azure, or GCP)
* The "Can configure universal secrets sync settings" enforcement policy enabled in the Admin Console

#### Setup Checklist

1. Create a folder in the Vault and add the records to sync
2. Open the PAM Configuration for your cloud environment and enable Universal Secrets Sync
3. Select the folder(s) to link and configure the Sync Identity
4. Choose automatic or dry-run mode
5. Verify the sync

#### Detailed Setup Guides

* [Universal Secrets Sync Basics](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-basics.md) - Prerequisites and PAM Configuration setup
* [Universal Secrets Sync Migration Guide](/keeperpam/privileged-access-manager/universal-secrets-sync/universal-secrets-sync-migration-guide.md) - Import existing cloud secrets and configure USS in one workflow
* [Universal Secrets Sync using Commander](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-commander.md) - CLI reference and dry-run workflow
* [Universal Secrets Sync using the Vault](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-the-vault.md) - Step-by-step Vault UI walkthrough

