
# Universal Secrets Sync Migration Guide

### **Overview**

This guide covers how to migrate existing secrets from a cloud provider (AWS, Azure, or Google Cloud) into Keeper, then replicate them back to the cloud via Universal Secrets Sync. After completing this guide, Keeper becomes the source of truth and USS maintains the cloud provider copy automatically going forward.

### **Before you begin**

Complete the setup steps in [Universal Secrets Sync Basics](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-basics.md) before proceeding. You will need an active KeeperPAM license, a running Keeper Gateway, and a PAM Configuration for your target cloud environment.

### **Migration Steps**

#### Step 1 - Create a shared folder

Create a shared folder in the Vault. This folder will hold the secrets imported from the cloud provider and will be the sync source going forward.

#### Step 2 - Import existing secrets into Keeper

Perform a one-time import of existing secrets from your cloud provider into the shared folder via Keeper Commander:

* [Import from AWS Secrets Manager](/keeperpam/commander-cli/command-reference/import-and-export-commands/aws-secrets-manager-import.md)
* [Import from Azure Key Vault](/keeperpam/commander-cli/command-reference/import-and-export-commands/azure-key-vault-secrets-import.md)
* [Import from Google Secret Manager](/keeperpam/commander-cli/command-reference/import-and-export-commands/google-secrets-manager-import.md)

#### Step 3 - Review imported secrets

Review the imported records in the Keeper Vault and verify that all expected fields and values are present before proceeding.

#### Step 4 - Configure the Gateway

Set up a [Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md) with the permissions required to read and write to the target cloud secrets manager. The Gateway itself, or the associated Sync Identity role, must have read/write access to the cloud secrets manager service.

#### Step 5 - Link the folder to the KSM application

In the Vault, open the KSM Application associated with your Gateway and add the shared folder under **Folders & Records**. This grants the application access to the records that will be synced.


#### Step 6 - Configure USS on the PAM Configuration

Open the [PAM Configuration](/keeperpam/privileged-access-manager/getting-started/pam-configuration.md) for your target cloud environment and configure USS:

1. Scroll to the **Universal Secrets Sync** section and enable it
2. Under **Locations**, select the shared folder created in Step 1
3. Leave **Dry-run** unchecked so that sync jobs execute automatically
4. Save the configuration

#### Step 7 - Start the Gateway

If the [Keeper Gateway](/keeperpam/privileged-access-manager/getting-started/gateways.md) is not already running, start it now.

#### Step 8 - Verify the sync

Sync jobs will begin executing automatically. Migrated secrets will be tagged in the cloud provider to indicate they are now managed by Keeper:

| Cloud provider | Tag / label                                    |
| -------------- | ---------------------------------------------- |
| AWS            | `Key: Source` / `Value: KeeperSecretsManager`  |
| Azure          | `tags: {"Source": "KeeperSecretsManager"}`     |
| GCP            | `labels: {"source": "keeper_secrets_manager"}` |
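
One way to check the tags in the table above after the first sync jobs have run. This is an added example, not Keeper's own tooling: it parses a JSON secret listing exported from each provider and splits the secrets into those carrying the Keeper marker and those that do not. The listing shapes are assumed to match the output of `aws secretsmanager list-secrets`, `az keyvault secret list` and `gcloud secrets list --format=json`; the function name and the sample data are constructed for illustration.

```python
import json

# Marker each provider carries once a secret is synced by USS (values from the table above).
KEEPER_MARK = {
    "aws": ("Source", "KeeperSecretsManager"),
    "azure": ("Source", "KeeperSecretsManager"),
    "gcp": ("source", "keeper_secrets_manager"),
}

def _entries(provider, listing):
    """Yield (secret name, {tag: value}) from a provider's JSON secret listing."""
    if provider == "aws":        # assumed shape of `aws secretsmanager list-secrets`
        for s in listing.get("SecretList", []):
            yield s["Name"], {t["Key"]: t.get("Value") for t in s.get("Tags") or []}
    elif provider == "azure":    # assumed shape of `az keyvault secret list`
        for s in listing:
            yield s["name"], s.get("tags") or {}
    else:                        # gcp: assumed shape of `gcloud secrets list --format=json`
        for s in listing:
            yield s["name"].rsplit("/", 1)[-1], s.get("labels") or {}

def split_by_keeper_mark(provider, listing_json):
    """Return (managed, unmanaged) secret names. The match is exact and case-sensitive."""
    if provider not in KEEPER_MARK:
        raise ValueError(f"unknown provider: {provider}")
    key, value = KEEPER_MARK[provider]
    managed, unmanaged = [], []
    for name, tags in _entries(provider, json.loads(listing_json)):
        (managed if tags.get(key) == value else unmanaged).append(name)
    return managed, unmanaged

# Constructed sample listings (not real output); secret names are placeholders.
AWS_SAMPLE = """{"SecretList": [
  {"Name": "prod/db", "Tags": [{"Key": "Source", "Value": "KeeperSecretsManager"}]},
  {"Name": "prod/cache", "Tags": [{"Key": "source", "Value": "KeeperSecretsManager"}]},
  {"Name": "legacy/api-key"}]}"""
AZURE_SAMPLE = """[{"name": "db-pass", "tags": {"Source": "KeeperSecretsManager"}},
  {"name": "old-token", "tags": null}]"""
GCP_SAMPLE = """[
  {"name": "projects/123/secrets/db-pass", "labels": {"source": "keeper_secrets_manager"}},
  {"name": "projects/123/secrets/old-token"}]"""

if __name__ == "__main__":
    for provider, sample in (("aws", AWS_SAMPLE), ("azure", AZURE_SAMPLE), ("gcp", GCP_SAMPLE)):
        managed, unmanaged = split_by_keeper_mark(provider, sample)
        print(f"{provider}: managed={managed} not yet tagged={unmanaged}")
```

Secrets in the second list either were not part of the migration or have not been picked up by a sync job yet; compare them against the records in the shared folder from Step 1.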

Migration is complete. Keeper is now the source of truth. Any subsequent changes to records in the shared folder will be pushed to the cloud provider automatically via USS.

#### **Related Pages**

* [USS Overview](/keeperpam/privileged-access-manager/universal-secrets-sync.md#pdf-page-dqtjnnk6pra4mfdizdco-what-is-keeper-discovery) - Feature summary, architecture, and key capabilities
* [USS Basics](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-basics.md) - Prerequisites and PAM Configuration setup
* [Using Commander](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-commander.md) - CLI reference and dry-run workflow
* [Using the Vault](/keeperpam/privileged-access-manager/universal-secrets-sync/discovery-using-the-vault.md) - Step-by-step Vault UI walkthrough

