# Universal Secrets Sync

<figure><img src="/files/uvxWby98iGiCHBJ0tjzQ" alt=""><figcaption></figcaption></figure>

## What is Keeper Universal Secrets Sync? <a href="#pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery" id="pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery"></a>

Universal Secrets Sync (USS) enables automatic synchronization of secrets from Keeper Secrets Manager folders to cloud provider secret management services. With USS activated, the Keeper Vault becomes the single source of truth for all cloud service provider secret stores. Secrets are automatically pushed from the Keeper Vault to the designated service provider wheneve. USS is part of the Zero-Trust KeeperPAM Platform and is managed through either the Keeper Vault UI or the Keeper Commander CLI.

#### Supported Cloud Providers:

* AWS Secrets Manager
* Azure Key Vault
* Google Cloud Secret Manager

#### Key Features <a href="#key-features" id="key-features"></a>

* **Multi-folder sync** - Sync secrets from multiple Keeper folders
* **Automatic sync** - Trigger sync automatically whenever a record's content changes in the Keeper Vault
* **Dry-run mode** - Preview secrets that would be created or updated before committing to the operation
* **Multi-region** - AWS syncs across all configured regions in a single operation
* **Auto-creation** - Azure Key Vaults are created vaults automatically if they do not exist
* **Metadata/Tags** - Secrets are tagged with content type and source for traceability
* **Error recovery** - Gracefully handles missing secrets and permission issues during sync

#### How It Works

The Keeper Gateway, deployed inside your network, authenticates to the target cloud provider using the configured credentials. On each sync — automatic or manual — the Gateway reads secrets from the designated Keeper Secrets Manager folders and pushes them to the cloud provider. The Keeper Vault is never modified by the sync operation; data flows in one direction only, from Keeper outward.

#### Next Steps

* [Universal Secrets Sync Basics](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-basics.md) - Core concepts and prerequisites
* [Universal Secrets Sync using Commander](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-commander.md) - CLI reference and examples
* [Universal Secrets Sync using the Vault](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-the-vault.md) - Step by step Vault UI walkthrough


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeperpam/privileged-access-manager/universal-secrets-sync.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.