Sync Command

Synchronizes selected keys from Keeper Vault to an external secrets manager

Synchronization is one way only, using Keeper as a source of truth (read only) and updates only the remote key-value pairs in the external secrets manager.

`sync` command

Description: Import and synchronize secrets from the Keeper Vault with external secrets management systems

ksm sync --credentials <UID> --type [aws|azure|gcp|json] [--dry-run] [--preserve-missing] --map <KEY NOTATION>...

Requires a Secrets Manager profile that has been initialized with: ksm profile init <TOKEN> See the Profile Documentation for more information

parameters:

-t, --type Type of the target key/value storage. Available types are:
- aws - AWS Secrets Manager
- azure- Azure Key Vault
- gcp - GCP Secret Manager
- json - lists all pending sync operations including both source and destination values
-m, --map <KEY NOTATION> Map destination key names to values using notation URI
-c, --credentials <uid> UID of Keeper record with credentials to access destination key/value storage. The specified record must be shared with the Keeper Secrets Manager Application

optional parameters:

-n, --dry-run Perform a trial run with no changes made.
-p, --preserve-missing Preserve destination value when source value is deleted.

AWS-Specific Options

--record, -r <RECORD> Sync individual records by title or UID. Can be specified multiple times. --folder, -f <FOLDER> Sync all records from specified folder(s) - non-recursive. --folder-recursive, -fr <FODLER> Sync all records from specified folder(s) and all subfolders recursively. --raw-json, -rj Store full raw JSON in KMS secret (same format as secret get <UID> --json).

Automation with Crontab

You can automate secret synchronization using cron jobs.

Example 1: Simple Daily Sync

Sync once per day at 2 AM:

# Edit crontab
crontab -e
# Add this line to sync Production folder daily at 2:00 AM
0 2 * * * /usr/local/bin/ksm sync -t aws -c <CRED_UID> --folder-recursive "Production" >> /var/log/ksm-sync.log 2>&1

Example 2: Complex Multi-Sync Script

For multiple sync operations with different mappings, create a shell script:

Create /home/user/scripts/ksm-sync-all.sh:

#!/usr/bin/env bash

# Configuration
CRED_UID="<YOUR_AWS_CRED_UID>"
# Sync with multiple custom mappings
ksm sync -t aws -c "$CRED_UID" \
    --map "legacy-db-password" "keeper://<UID>/field/password" \
    --map "api_key" "keeper://<UID>/custom_field/api_key" \
    --map "db_host" "keeper://<UID>/custom_field/hostname" \
    >> /var/log/ksm-sync.log 2>&1
# Split into multiple sync commands if the list is too long
ksm sync -t aws -c "$CRED_UID" \
    --map "db_password" "keeper://<UID>/field/password" \
    --map "db_login" "keeper://<UID>/custom_field/login" \
    >> /var/log/ksm-sync.log 2>&1

Make the script executable:

chmod +x /home/user/scripts/ksm-sync-all.sh

Add to crontab to run every 6 hours:

# Edit crontab
crontab -e
# Add this line to run the sync script every 6 hours
0 */6 * * * /home/user/scripts/ksm-sync-all.sh

Sync Types

Select an external provider below to learn more about the integration.

https://github.com/Keeper-Security/gitbook-secrets-manager/blob/master/secrets-manager/integrations/aws-secrets-manager/README.md https://github.com/Keeper-Security/gitbook-secrets-manager/blob/master/secrets-manager/integrations/azure-key-vault/README.md https://github.com/Keeper-Security/gitbook-secrets-manager/blob/master/secrets-manager/integrations/gcp-secret-manager/README.md

PreviousFolder Command NextExec Command

Last updated 1 day ago

Was this helpful?

hashtagsync command

hashtagAWS-Specific Options

hashtagAutomation with Crontab

hashtagExample 1: Simple Daily Sync

hashtagExample 2: Complex Multi-Sync Script

hashtagSync Types

`sync` command

AWS-Specific Options

Automation with Crontab

Example 1: Simple Daily Sync

Example 2: Complex Multi-Sync Script

Sync Types