# Universal Secrets Sync Basics

### Overview

**Universal Secrets Sync** empowers enterprises to unify and automate their secrets management across cloud environments. Keeper Vault records can be synced to AWS Secrets Manager, Azure Key Vault and Google Secret Manager. Administrators can easily enable the feature, configure the sync policy and monitor activity—all within Keeper’s zero-knowledge security framework. This eliminates manual updates, reduces configuration drift, and gives Security/DevOps teams a single, trusted control plane for managing secrets at enterprise scale.

### Prerequisites

Prior to using USS, make sure to have the following:

* An active license of KeeperPAM
* A PAM Configuration for your target cloud infrastructure (AWS, Azure, GCP) where secrets will be synced to
* A Keeper Gateway and a Secrets Manager application associated with the PAM Configuration

### USS Enforcement Policies

On the Admin Console, enable the “Can configure universal secrets sync settings” enforcement policy to allow a user to configure Universal Secrets Sync:

<figure><img src="/files/j1UGhNIPkHYiaGxfxGV4" alt=""><figcaption></figcaption></figure>

### Installing the Keeper Gateway

The [Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md) is a service installed on the customer's network to enable zero-trust access to target infrastructure. It runs in a Docker, Linux or Windows environment in each of the networks under management.

### PAM Cloud Configuration

To get started with Universal Secrets Sync, you need a [PAM Configuration](/keeperpam/privileged-access-manager/getting-started/pam-configuration.md) set up for your target cloud infrastructure. The PAM Configuration tells the USS process where to persist secrets. In general, the USS configuration process is:

* On a PAM Configuration, enable the Universal Secrets Sync feature.
* Select one or more shared folders to link to the PAM Configuration. All the Keeper records in these shared folder(s) will be synced.
* Specify a Sync Identity that the Keeper Gateway can use to sync records to the cloud secrets storage. The Sync Identity should have read/write access to the secrets manager service in your cloud environment. If unspecified, the Gateway will use the access keys specified in the PAM Configuration.
* If you want to allow users to preview the secrets before they are synced to the cloud, check the Dry run option. If unchecked, Universal Secrets Sync will automatically sync Keeper record changes to the corresponding cloud secrets.

### AWS Secrets Sync

AWS secrets sync uses whatever AWS IAM role policies have been granted to the Keeper Gateway in order to persist secrets. The Region Names in the PAM Configuration explicitly restrict which regions are used for secret persistence.

Below is the PAM Configuration data required for a successful sync.

| Field | Description | Notes |
| --- | --- | --- |
| AWS ID | Identifier selected by the user | Used for reference only. |
| Access Key ID | Access key, only when required | Not required if an instance role is applied to the Gateway. |
| Secret Access Key | Secret key, only when required | Not required if an instance role is applied to the Gateway. |
| Region Names | A list of AWS region names separated by newlines. USS will only sync to Secrets Manager in these regions. | Example:<br>`us-west-1`<br>`us-east-2` |
| Location | One or more shared folders to link to the PAM Configuration. All the Keeper records in these shared folder(s) will be synced. | |
| Sync Identity | Optional role that, if provided, the Keeper Gateway will use to sync records. The Sync Identity should have read/write access to AWS Secrets Manager. If unspecified, the Gateway will use the access keys specified in the PAM Configuration. | Example: `arn:aws:iam::396302558068:role/keeper-uss-sync-role` |
| Dry run | Check to allow users to preview the secrets before they are synced to the cloud. If unchecked, Universal Secrets Sync will automatically sync Keeper record changes to the corresponding cloud secrets. | |

<figure><img src="/files/qxNFEjk3eWzoyDTUOstE" alt=""><figcaption><p>PAM Configuration for Universal Secrets Sync</p></figcaption></figure>
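The Sync Identity above is an IAM role the Gateway assumes, so it is the natural place to enforce least privilege and the region restriction from the PAM Configuration. The CloudFormation snippet below is an added example, not Keeper's own documentation or code; it assumes the Gateway runs under an instance role named `KeeperGatewayRole` in a placeholder account `111122223333`, that Region Names are `us-west-1` and `us-east-2`, and that synced secrets share a `keeper/` name prefix (a placeholder, since the page does not state how synced secrets are named). The Secrets Manager actions listed are an assumed minimal read/write set, not a list published by Keeper.

```yaml
# Added example (not from Keeper's documentation): a least-privilege IAM role
# to use as the USS Sync Identity. Placeholders: account 111122223333,
# Gateway instance role KeeperGatewayRole, secret name prefix keeper/.
Resources:
  KeeperUssSyncRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: keeper-uss-sync-role
      # Trust policy: only the Gateway's instance role may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: arn:aws:iam::111122223333:role/KeeperGatewayRole
            Action: sts:AssumeRole
      Policies:
        - PolicyName: keeper-uss-secrets-rw
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read/write limited to the synced secrets and to the regions
              # listed in the PAM Configuration, so a misconfiguration cannot
              # write secrets into an unexpected region.
              - Sid: SecretsReadWrite
                Effect: Allow
                Action:
                  - secretsmanager:CreateSecret
                  - secretsmanager:DescribeSecret
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                  - secretsmanager:UpdateSecret
                  - secretsmanager:TagResource
                Resource: arn:aws:secretsmanager:*:111122223333:secret:keeper/*
                Condition:
                  StringEquals:
                    aws:RequestedRegion:
                      - us-west-1
                      - us-east-2
              # ListSecrets is not resource-scoped in Secrets Manager, so it
              # needs "*" but is still pinned to the configured regions.
              - Sid: ListSecrets
                Effect: Allow
                Action: secretsmanager:ListSecrets
                Resource: "*"
                Condition:
                  StringEquals:
                    aws:RequestedRegion:
                      - us-west-1
                      - us-east-2
```

The Gateway's own instance role still needs `sts:AssumeRole` on this role's ARN, and that ARN is what goes into the Sync Identity field. CloudTrail `AssumeRole` events for `keeper-uss-sync-role` then give a clean audit trail of every sync run.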

***

### Azure Secrets Sync

Azure sync uses whatever permissions have been granted to the identity assigned to the Keeper Gateway in order to persist secrets in Azure Key Vault.

Below is the PAM Configuration data required for a successful sync.

| Field | Description | Notes |
| --- | --- | --- |
| Azure ID | A unique ID for your instance of Azure | Required. This is for the user's reference.<br>Ex: `Azure-1` |
| Client ID | The application/client ID (UUID) of the Azure application | Required |
| Client Secret | The client credentials secret for the Azure application | Required |
| Subscription ID | The UUID of the subscription (e.g. Pay-As-You-Go) | Required |
| Tenant ID | The UUID of the Azure Active Directory tenant | Required |
| Resource Groups | A list of resource groups to be checked, one per line. If left blank, all resource groups will be checked. | |
| Location | One or more shared folders to link to the PAM Configuration. All the Keeper records in these shared folder(s) will be synced. | |
| Sync Identity | Optional identity that, if provided, the Keeper Gateway will use to sync records. The Sync Identity should have read/write access to Azure Key Vault. If unspecified, the Gateway will use the credentials specified in the PAM Configuration. **NOTE**: The Gateway must be running on Azure infrastructure (VM, AKS, Azure Functions, etc.) with the specified user-assigned managed identity assigned to it. This mechanism does not work for on-premises Gateways. | Example: `a1b2c3d4-e5f6-7890-abcd-ef1234567890` |
| Vault Name | Required name of the Key Vault to sync secrets to. This vault is created on the first sync if it does not already exist. | Example: `my-vault` |
| Dry run | Check to allow users to preview the secrets before they are synced to the cloud. If unchecked, Universal Secrets Sync will automatically sync Keeper record changes to the corresponding cloud secrets. | |

***

### Google Cloud Secrets Sync

GCP secrets sync uses whatever Google IAM roles have been granted to the Keeper Gateway in order to persist secrets.

Below is the PAM Configuration data required for a successful sync:

| Field | Description |
| --- | --- |
| Title | Configuration name, example: `GCP Workspace Configuration` |
| Environment | Select: `Google Cloud` |
| Gateway | Select the Gateway that is configured on the Keeper Secrets Manager application. |
| Application Folder | Select the shared folder where the PAM Configuration will be stored. We recommend placing this in a shared folder with the PAM User records. |
| GCP ID | A unique ID for this instance of Google Cloud. This is only for your reference and can be anything, but it's recommended to keep it short.<br>Ex: `GCP-DepartmentName` |
| Service Account Key | Copy the JSON text of the service account key of the Gateway. |
| Location | One or more shared folders to link to the PAM Configuration. All the Keeper records in these shared folder(s) will be synced. |
| Sync Identity | Optional role that, if provided, the Keeper Gateway will use to sync records. The Sync Identity should have read/write access to Google Secret Manager. If unspecified, the Gateway will use the credentials specified in the PAM Configuration. |
| Dry run | Check to allow users to preview the secrets before they are synced to the cloud. If unchecked, Universal Secrets Sync will automatically sync Keeper record changes to the corresponding cloud secrets. |

***

### Universal Secrets Sync Workflow

The basic workflow for running sync operations is the following:

* (optional) Perform a one-time import of existing secrets from [AWS](#aws-secrets-sync), [Azure](#azure-secrets-sync) and/or [GCP](#google-cloud-secrets-sync) via Commander.
* Set up a Keeper Gateway with the permissions needed to manage secret resources.
* Set up a PAM cloud configuration with the Gateway and the required USS settings.
* If "Dry run" is not selected, the sync jobs execute automatically and the workflow is complete.
* Otherwise, manually execute the sync via the [Commander CLI](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-commander.md) or the [Vault UI](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-the-vault.md).

### Next Steps:

* [Universal Secrets Sync using Commander](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/~/edit/~/changes/2273/privileged-access-manager/discovery-1/discovery-using-commander)
* [Universal Secrets Sync using the Vault](https://app.gitbook.com/o/-LO5CAzoigGmCWBUbw9z/s/-MJXOXEifAmpyvNVL1to/~/edit/~/changes/2273/privileged-access-manager/discovery-1/discovery-using-the-vault)
