
Universal Secrets Sync

Synchronize Shared Secrets to Cloud Secret Management Services

What is Universal Secrets Sync?

Universal Secrets Sync (USS) automatically pushes secrets from the Keeper Vault to cloud provider secret stores — AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager. With USS, the Keeper Vault becomes the single source of truth for all cloud secrets. When a record changes in Keeper, the updated secret reaches every configured cloud provider without manual intervention.

Why Universal Secrets Sync?

Secrets sprawl is one of the most common causes of security incidents in cloud environments. Teams create secrets in AWS Secrets Manager for one workload, duplicate them in Azure Key Vault for another, and manually copy them into GCP for a third. When a password rotates in Keeper, the cloud copies stay stale. Pipelines fail. Engineers create service accounts with long-lived static credentials as workarounds. Drift accumulates.

USS eliminates this pattern. Keeper becomes the place where a secret is created and rotated exactly once. Every cloud provider receives the update automatically — no scripts, no pipelines, no manual copy-paste.

Developer Access Pattern

Universal Secrets Sync gives developers the right access path for each use case. Cloud-native applications that demand high throughput and low latency continue reading directly from AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager using familiar native SDKs and IAM controls — ideal for services performing hundreds of thousands or millions of retrievals per day. For CI/CD pipelines, scripts, internal tools, and services running outside the cloud, developers retrieve secrets directly from Keeper Secrets Manager via the KSM SDK or CLI, with full zero-knowledge protection end to end. The result is a single source of truth with two complementary access patterns — fast, native retrieval where scale matters, and direct KSM access where reach and zero-knowledge control matter most.

How It Works

The Keeper Gateway, deployed inside your network, receives sync jobs from Keeper and authenticates directly to your cloud provider using the configured Sync Identity. Secret values are decrypted inside the Gateway and written to the cloud provider; plaintext never transits Keeper's infrastructure. When the sync completes, the result is logged in the Keeper audit log.

Supported Cloud Providers

                                 AWS Secrets Manager   Azure Key Vault             GCP Secret Manager
Auto-creates secret store        No                    Yes                         No
Multi-region support             Yes                   No                          No
Sync Identity type               IAM Role ARN          Managed Identity UUID       Service Account
Gateway must run on cloud infra  No                    Only for Managed Identity   No
Metadata / tags                  Yes                   Yes                         Yes

Key Features

Automatic Sync

When dry-run is disabled, USS fires automatically whenever a Keeper record in a linked shared folder is created or updated. No manual action is required. The Gateway processes the change and pushes it to the cloud provider in the background.

Dry-Run Mode

When dry-run is enabled, the application and folder views display the last sync timestamp and whether the overall sync succeeded or failed. Select Push Updates to preview the secrets that would be created or updated in the cloud provider. Review the list and click Sync Now to confirm, or close the dialog to cancel without making any changes.

Multi-Folder Sync

A single PAM Configuration can pull from multiple Keeper shared folders. Every record in every linked folder is eligible for sync. This allows a team to organize secrets by environment (prod, staging, dev) in separate folders while syncing all of them to the same cloud destination.

Sync Identity

The Sync Identity field lets administrators specify a dedicated IAM role, managed identity, or service account for the Gateway to assume during sync operations. Using a Sync Identity with least-privilege access to the secrets store — separate from the broader PAM Configuration credentials — is the recommended security posture.

Error Recovery

If a sync encounters a missing secret, a permissions error, or a transient cloud API failure, USS logs the error against the affected record. Failed records are retried on the next sync cycle. Administrators can view sync errors in the Keeper Vault and in ARAM event reporting.

Security Model

USS inherits Keeper's zero-knowledge architecture. Secret values are decrypted inside the customer's Gateway and written directly to the cloud provider. Plaintext is never decrypted on Keeper's servers and never passes through Keeper's cloud infrastructure on its way to the cloud secret store.

Threat                              How USS neutralizes it
Secrets visible to Keeper's cloud   The Gateway decrypts and writes locally; Keeper's cloud never sees plaintext
Stale cloud secrets after rotation  Automatic sync updates the cloud stores within seconds of a Vault change
Overprivileged sync credentials     Sync Identity supports a least-privilege IAM role, managed identity, or service account scoped to the secrets store only
Audit gap                           Every sync operation is logged; ARAM captures create / update events per secret

Getting Started

Prerequisites

  • An active KeeperPAM license

  • A Keeper Gateway installed and registered — Gateway setup guide

  • A KSM Application associated with the Gateway

  • A PAM Configuration for your target cloud environment (AWS, Azure, or GCP)

  • The "Can configure universal secrets sync settings" enforcement policy enabled in the Admin Console

Setup Checklist

  1. Create a folder in the Vault and add the records to sync

  2. Open the PAM Configuration for your cloud environment and enable Universal Secrets Sync

  3. Select the folder(s) to link and configure the Sync Identity

  4. Choose automatic or dry-run mode

  5. Verify the sync
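The following shell script is an added example, not Keeper's own tooling, showing what a least-privilege AWS Sync Identity (the "Sync Identity" feature above, and steps 3 and 5 of the checklist) looks like in practice: a role that only the Gateway's own principal can assume, an inline policy limited to create/update/describe/tag on secrets under one name prefix, a guard that rejects wildcard or read/delete grants, and a describe-secret call to verify a synced record. The role name, the Gateway principal ARN, the `keeper/` name prefix, the environment variables, and the exact action list are assumptions for illustration; take the authoritative action list from Keeper's AWS setup guide.

```shell
#!/usr/bin/env sh
# Added example: least-privilege AWS Sync Identity for Universal Secrets Sync.
# Not Keeper's own tooling. Assumptions (confirm against Keeper's AWS setup guide):
#   - the Gateway authenticates to AWS as GATEWAY_PRINCIPAL (an IAM role or user ARN)
#     and assumes the Sync Identity role via sts:AssumeRole;
#   - synced secrets are named under SECRET_PREFIX (default "keeper/");
#   - the action list below is what a create-or-update sync plus tagging needs.
set -eu

# Trust policy: only the Gateway's principal may assume the Sync Identity.
uss_trust_policy() {
  gateway_principal="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "${gateway_principal}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permissions policy: write-side actions only, scoped to one prefix in one
# account and region. No GetSecretValue, no DeleteSecret, no Resource "*".
uss_permissions_policy() {
  account_id="$1"; region="$2"; prefix="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "KeeperUssWriteOnlyUnderPrefix",
    "Effect": "Allow",
    "Action": [
      "secretsmanager:CreateSecret",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecret",
      "secretsmanager:DescribeSecret",
      "secretsmanager:TagResource"
    ],
    "Resource": "arn:aws:secretsmanager:${region}:${account_id}:secret:${prefix}*"
  }]
}
EOF
}

# Guard: refuse a policy that grants a wildcard resource, reads secret values,
# deletes secrets, or uses a wildcard action. Returns 0 when the policy passes.
uss_policy_is_least_privilege() {
  policy="$1"
  if printf '%s' "$policy" | grep -Eq '"Resource": *"\*"'; then return 1; fi
  if printf '%s' "$policy" | grep -Eq 'secretsmanager:(GetSecretValue|DeleteSecret|\*)'; then return 1; fi
  return 0
}

# Create the role and attach the inline policy (needs AWS CLI and IAM rights).
# Prints the role ARN, which is what goes into the Sync Identity field.
uss_create_sync_role() {
  role_name="$1"; gateway_principal="$2"; account_id="$3"; region="$4"; prefix="$5"
  perms="$(uss_permissions_policy "$account_id" "$region" "$prefix")"
  uss_policy_is_least_privilege "$perms" || { echo "refusing overbroad policy" >&2; return 1; }
  aws iam create-role --role-name "$role_name" \
    --assume-role-policy-document "$(uss_trust_policy "$gateway_principal")" \
    --query 'Role.Arn' --output text
  aws iam put-role-policy --role-name "$role_name" \
    --policy-name KeeperUssSecretsManagerWrite \
    --policy-document "$perms"
}

# Step 5: after a sync, confirm the secret exists and when it last changed,
# without reading its value (the Sync Identity is not granted GetSecretValue).
uss_verify_secret() {
  region="$1"; name="$2"
  aws secretsmanager describe-secret --region "$region" --secret-id "$name" \
    --query '{Name:Name,LastChanged:LastChangedDate,Tags:Tags}' --output json
}

# AWS calls run only when explicitly requested; the policy builders stay testable offline.
if [ "${USS_APPLY:-0}" = "1" ]; then
  uss_create_sync_role "KeeperUssSyncIdentity" "$GATEWAY_PRINCIPAL" "$ACCOUNT_ID" "$REGION" "${SECRET_PREFIX:-keeper/}"
fi
```

Run it as `USS_APPLY=1 GATEWAY_PRINCIPAL=arn:aws:iam::123456789012:role/KeeperGateway ACCOUNT_ID=123456789012 REGION=us-east-1 sh uss-sync-identity.sh` and paste the printed role ARN into the Sync Identity field; afterwards `uss_verify_secret us-east-1 keeper/prod/db-password` shows whether a linked record landed. Two caveats a reviewer would raise: if the target secrets use a customer-managed KMS key, the role also needs `kms:GenerateDataKey` on that key, and if multi-region sync is enabled it needs `secretsmanager:ReplicateSecretToRegions` as well. The same scoping applies on the other providers: on Azure, assign the managed identity the built-in Key Vault Secrets Officer role on the one vault rather than a subscription-wide role.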

Detailed Setup Guides
