> For the complete documentation index, see [llms.txt](https://docs.keeper.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.keeper.io/keeperpam/secrets-manager/secrets-manager-command-line-interface/sync-command.md). # Sync Command {% hint style="success" %} Synchronization is one way only, using Keeper as a source of truth *(read only)* and updates only the remote key-value pairs in the external secrets manager. {% endhint %} ## `sync` command **Description:** Import and synchronize secrets from the Keeper Vault with external secrets management systems `ksm sync --credentials --type [aws|azure|gcp|json] [--dry-run] [--preserve-missing] --map ...` {% hint style="info" %} Requires a Secrets Manager profile that has been initialized with:\ `ksm profile init `\ \ `See` the [Profile Documentation](/keeperpam/secrets-manager/secrets-manager-command-line-interface/profile-command.md) for more information {% endhint %} {% hint style="info" %} **Sync dependencies:** Each non-JSON target requires Python packages that are not installed with the CLI by default. Install the packages for the target you sync to: * **AWS** (`--type aws`) — `pip3 install 'keeper-secrets-manager-cli[aws]'` * **Azure** (`--type azure`) — `pip3 install azure-identity azure-keyvault-secrets` * **GCP** (`--type gcp`) — `pip3 install --upgrade google-cloud-secret-manager google-auth` The `--type json` option does not require any extra dependencies. {% endhint %} parameters: * `-t, --type` Type of the target key/value storage. Available types are: * `aws` - AWS Secrets Manager * `azure`- Azure Key Vault * `gcp` - GCP Secret Manager * `json` - lists all pending sync operations including both source and destination values * `-m, --map ` Map destination key names to values using [notation ](/keeperpam/secrets-manager/about/keeper-notation.md)URI * `-c, --credentials ` UID of Keeper record with credentials to access destination key/value storage. The specified record must be shared with the Keeper Secrets Manager Application
optional parameters: * `-n, --dry-run` Perform a trial run with no changes made. * `-p, --preserve-missing` Preserve destination value when source value is deleted. #### AWS-Specific Options * `-r`, `--record ` Sync individual records by title or UID. Can be specified multiple times. * `-f`, `--folder ` Sync all records from specified folder(s) - non-recursive. * `-fr`, `--folder-recursive ` Sync all records from specified folder(s) and all subfolders recursively. * `-rj`, `--raw-json` Store full raw JSON in KMS secret (same format as `secret get --json`). See the [AWS Secrets Manager Sync](/keeperpam/secrets-manager/integrations/aws-secrets-manager.md) documentation for detailed examples. ### Automation with Crontab You can automate secret synchronization using cron jobs. #### Example 1: Simple Daily Sync Sync once per day at 2 AM: ```bash # Edit crontab crontab -e # Add this line to sync Production folder daily at 2:00 AM 0 2 * * * /usr/local/bin/ksm sync -t aws -c --folder-recursive "Production" >> /var/log/ksm-sync.log 2>&1 ``` #### Example 2: Complex Multi-Sync Script For multiple sync operations with different mappings, create a shell script: **Create `/home/user/scripts/ksm-sync-all.sh`:** ```bash #!/usr/bin/env bash # Configuration CRED_UID="" # Sync with multiple custom mappings ksm sync -t aws -c "$CRED_UID" \ --map "legacy-db-password" "keeper:///field/password" \ --map "api_key" "keeper:///custom_field/api_key" \ --map "db_host" "keeper:///custom_field/hostname" \ >> /var/log/ksm-sync.log 2>&1 # Split into multiple sync commands if the list is too long ksm sync -t aws -c "$CRED_UID" \ --map "db_password" "keeper:///field/password" \ --map "db_login" "keeper:///custom_field/login" \ >> /var/log/ksm-sync.log 2>&1 ``` **Make the script executable:** ```bash chmod +x /home/user/scripts/ksm-sync-all.sh ``` **Add to crontab to run every 6 hours:** ```bash # Edit crontab crontab -e # Add this line to run the sync script every 6 hours 0 */6 * * * /home/user/scripts/ksm-sync-all.sh ``` ## Sync Types Select an external provider below to learn more about the integration. {% content-ref url="/pages/34KiaAqCCWYeFK8n8tHW" %} [AWS Secrets Manager Sync](/keeperpam/secrets-manager/integrations/aws-secrets-manager.md) {% endcontent-ref %} {% content-ref url="/pages/8LqKdN1gExiCxJhy1YW3" %} [Azure Key Vault Sync](/keeperpam/secrets-manager/integrations/azure-key-vault.md) {% endcontent-ref %} {% content-ref url="/pages/bGhfkhAMwUdjtvng2lhQ" %} [Google Cloud Secret Manager Sync](/keeperpam/secrets-manager/integrations/gcp-secret-manager.md) {% endcontent-ref %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.keeper.io/keeperpam/secrets-manager/secrets-manager-command-line-interface/sync-command.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.