> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/privileged-access-manager/universal-secrets-sync.md).

# Universal Secrets Sync

<figure><img src="/files/uvxWby98iGiCHBJ0tjzQ" alt=""><figcaption></figcaption></figure>

### What is Universal Secrets Sync? <a href="#pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery" id="pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery"></a>

Universal Secrets Sync ("USS") automatically pushes secrets from the Keeper Vault to cloud provider secret stores — AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager. With USS, the Keeper Vault becomes the single source of truth for all cloud secrets. When a record changes in Keeper, the updated secret reaches every configured cloud provider without manual intervention.

<figure><img src="/files/CnxIPlhHAKBI9kYbKsQn" alt=""><figcaption><p>Universal Secrets Sync</p></figcaption></figure>

{% hint style="success" %}
**At a glance**

* **Supported providers -** AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager
* **Automatic sync** - Trigger sync automatically whenever a record's content changes in the Keeper Vault
* **Dry-run mode** - Preview secrets that would be created or updated before committing to the operation
* **Multi-folder sync** - Sync secrets from multiple Keeper folders
* **Multi-region** - AWS syncs across all configured regions in a single operation
* **Zero credentials on the wire** — the Keeper Gateway authenticates to cloud providers; no secrets transit Keeper's cloud infrastructure
* **Managed through** — Keeper Vault UI or Keeper Commander CLI
  {% endhint %}

### **Why Universal Secrets Sync?**

Secrets sprawl is one of the most common causes of security incidents in cloud environments. Teams create secrets in AWS Secrets Manager for one workload, duplicate them in Azure Key Vault for another, and manually copy them into GCP for a third. When a password rotates in Keeper, the cloud copies stay stale. Pipelines fail. Engineers create service accounts with long-lived static credentials as workarounds. Drift accumulates.

USS eliminates this pattern. Keeper becomes the place where a secret is created and rotated exactly once. Every cloud provider receives the update automatically — no scripts, no pipelines, no manual copy-paste.

### **Developer Access Pattern**

Universal Secrets Sync gives developers the right access path for each use case. Cloud-native applications that demand high throughput and low latency continue reading directly from AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager using familiar native SDKs and IAM controls — ideal for services performing hundreds of thousands or millions of retrievals per day. For CI/CD pipelines, scripts, internal tools, and services running outside the cloud, developers retrieve secrets directly from Keeper Secrets Manager via the KSM SDK or CLI, with full zero-knowledge protection end to end. The result is a single source of truth with two complementary access patterns — fast, native retrieval where scale matters, and direct KSM access where reach and zero-knowledge control matter most.

### **How It Works**

The Keeper Gateway, deployed inside your network, receives sync jobs from Keeper and authenticates directly to your cloud provider using the configured Sync Identity. Secret values are decrypted inside the Gateway and written to the cloud provider — they never transit Keeper's infrastructure. When the sync completes, the result is logged in the Keeper audit log.

<figure><img src="/files/zaCcpw6kwWfenPRK74fb" alt=""><figcaption></figcaption></figure>

### **Supported Cloud Providers**

|                                 | AWS Secrets Manager | Azure Key Vault           | GCP Secret Manager |
| ------------------------------- | ------------------- | ------------------------- | ------------------ |
| Auto-creates secret store       | No                  | Yes                       | No                 |
| Multi-region support            | Yes                 | No                        | No                 |
| Sync Identity type              | IAM Role ARN        | Managed Identity UUID     | Service Account    |
| Gateway must run on cloud infra | No                  | Only for Managed Identity | No                 |
| Metadata / tags                 | Yes                 | Yes                       | Yes                |

### **Key Features**

#### **Automatic Sync**

When dry-run is disabled, USS fires automatically whenever a Keeper record in a linked shared folder is created or updated. No manual action is required. The Gateway processes the change and pushes it to the cloud provider in the background.

<figure><img src="/files/A3VV3hFRBmCBY22zMTOg" alt=""><figcaption></figcaption></figure>

#### **Dry-Run Mode**

When dry-run is enabled, the application and folder views display the last sync timestamp and whether the overall sync succeeded or failed. Select **Push Updates** to preview the secrets that would be created or updated in the cloud provider. Review the list and click **Sync Now** to confirm, or close the dialog to cancel without making any changes.

<figure><img src="/files/3wHthU7k05VfuyVTUOCe" alt=""><figcaption><p>Dry-Run Mode</p></figcaption></figure>

<figure><img src="/files/FRDhXdrZt5gtb93N9WHx" alt=""><figcaption><p>Dry-Run Mode - Sync Confirmation</p></figcaption></figure>

#### **Multi-Folder Sync**

A single PAM Configuration can pull from multiple Keeper shared folders. Every record in every linked folder is eligible for sync. This allows a team to organize secrets by environment (prod, staging, dev) in separate folders while syncing all of them to the same cloud destination.

#### **Sync Identity**

The Sync Identity field lets administrators specify a dedicated IAM role, managed identity, or service account for the Gateway to assume during sync operations. Using a Sync Identity with least-privilege access to the secrets store — separate from the broader PAM Configuration credentials — is the recommended security posture.

#### **Error Recovery**

If a sync encounters a missing secret, a permissions error, or a transient cloud API failure, USS logs the error against the affected record. Failed records are retried on the next sync cycle. Administrators can view sync errors in the Keeper Vault and in ARAM event reporting.

#### Metadata Tags

Keeper will automatically assign metadata tags to all managed secrets in the cloud provider. This information includes the Record Type, Record UID and Record Title for auditing purposes.

<figure><img src="/files/mxebPoeMidc4x58n1it4" alt=""><figcaption><p>Example of AWS Secret with Tags</p></figcaption></figure>

### **Security Model**

USS inherits Keeper's zero-knowledge architecture. Secret values are decrypted inside the customer's Gateway and written directly to the cloud provider. They are never decrypted on Keeper's servers and never stored in Keeper's cloud infrastructure during transit.

| Threat                             | How USS neutralizes it                                                                            |
| ---------------------------------- | ------------------------------------------------------------------------------------------------- |
| Secrets visible to Keeper's cloud  | Gateway decrypts and writes locally — Keeper's cloud never sees plaintext                         |
| Stale cloud secrets after rotation | Automatic sync ensures cloud stores update within seconds of a Vault change                       |
| Overprivileged sync credentials    | Sync Identity supports least-privilege IAM role / managed identity scoped to secrets manager only |
| Audit gap                          | Every sync operation is logged; ARAM captures create / update events per secret                   |

### **Getting Started**

#### **Prerequisites**

* An active KeeperPAM license
* A Keeper Gateway installed and registered — [Gateway setup guide](/keeperpam/privileged-access-manager/getting-started/gateways.md)
* A KSM Application associated with the Gateway
* A PAM Configuration for your target cloud environment (AWS, Azure, or GCP)
* The "Can configure universal secrets sync settings" enforcement policy enabled in the Admin Console

#### **Setup Checklist**

1. Create a folder in the Vault and add the records to sync
2. Open the PAM Configuration for your cloud environment and enable Universal Secrets Sync
3. Select the folder(s) to link and configure the Sync Identity
4. Choose automatic or dry-run mode
5. Verify the sync

#### **Detailed Setup Guides**

* [Universal Secrets Sync Basics](/keeperpam/privileged-access-manager/universal-secrets-sync/setup.md) - Prerequisites and PAM Configuration setup
* [Universal Secrets Sync Migration Guide](/keeperpam/privileged-access-manager/universal-secrets-sync/migration.md) - Import existing cloud secrets and configure USS in one workflow
* [Universal Secrets Sync using Commander](/keeperpam/privileged-access-manager/universal-secrets-sync/commander-guide.md) - CLI reference and dry-run workflow
* [Universal Secrets Sync using the Vault](/keeperpam/privileged-access-manager/universal-secrets-sync/vault-guide.md) - Step by step Vault UI walkthrough


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/universal-secrets-sync.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
