What's new

New Secrets Hub versions are released and announced on a varying cadence. Occasionally, new versions that include only performance, stability and bug fixes, and do not require customer actions, are released without an announcement.

November 26, 2023

Secrets Hub connector creation change

Starting now, when you create a connector either for connecting Secrets Hub to PAM Self-Hosted or for connecting to an Azure target secret store, you can do it from the Connector Management service. This change helps to better enforce separation of duties and roles as well as simplify the flow for the relevant personas in your organization.

November 23, 2023

Register Secrets Hub in Azure AD - doc enhancements

We've added the following enhancements:

October 22, 2023

Connector upgrade

We recommend that all Secrets Hub customers using a connector (for either PAM Self-Hosted or for Azure Key Vault) to upgrade their connectors.

To learn more, see Connector upgrade.

Tutorial for automating AWS secret store creation

A step-by-step description for creating a AWS secret store using the Secrets Hub REST API.

To learn more, see Create an AWS target secret store - tutorial.

October 8, 2023

Secrets Hub data center in Australia

In addition to Virginia, Frankfurt, Canada, and Singapore, Secrets Hub is now also deployed in Australia.

For the full support matrix, see CyberArk ISPSS region support.

October 1, 2023

Secrets Hub data center in Canada

In addition to Virginia, Frankfurt, and Singapore, Secrets Hub is now also deployed in Canada.

For the full support matrix, see CyberArk ISPSS region support.

September 18, 2023

Tutorial for automating policy creation

The first in a series of tutorials for different automation workflows. A step-by-step description for creating a sync policy using the Secrets Hub REST API. For details, see Create sync policy - tutorial.

Simplified process for registering Secrets Hub in Azure AD

Until now you needed to run two separate scripts to register Secrets Hub in Azure AD. One for creating the Secrets Hub app and the other for granting the necessary permissions to Secrets Hub to sync secrets. Now you can do both steps by running a single script, either in silent or interactive mode. For details, see Register Secrets Hub in Azure AD

August 27, 2023

Increased target secret store and policy support

You can now define and use up to 1000 targets (in total) and up to 1000 policies.

AWS test connection error handling improvements

Test connection is available from the target secret store. When you test a connection Secrets Hub validates your configuration, such as permissions, to the target secret store. In AWS it's the IAM role.

When you run a test connection on a new or existing target, you will now recieve specific errors that will help you troubleshoot the problem.

Edit target secret store via API

In continuation to our API enhancements, you can now edit AWS Secrets Manager and Azure Key Vault targets in Secrets Hub via API.

August 20, 2023

Create secrets filter as part of creating policy API

In our July 30, 2023 release we provided the capability to delete a secrets filter automatically when running the delete policy API. In this release, we've added the same capability when creating a sync policy. Instead of running two separate APIs to create a sync policy and an associated secrets filter (Safe), you can now you can create both using only the create policy API.

To learn more, see Sync policy API.

REST APIs - filtering capabilities

We've added new filtering capabilities to the following REST APIs.



Filter options

Get target secret stores by type

Filter target secret store by AWS or Azure.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=type EQ AWS_ASM

Get target secret stores by AWS account ID

Filter only the AWS targets that are defined under the same AWS account ID.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=data.accountId EQ 123456789100

Get target secret stores by Azure Key Vault URL

Filter only the Microsoft Azure targets that are defined for a specific Azure Key Vault.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=data.azureVaultUrl EQ https://myVault.vault.azure.net/

Get target secret stores by Azure app registration ID

Filter only the Azure target secret stores with the same Azure app registration ID.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-stores?filter=data.appClientId EQ MyAzureAppID

Get policies by Safe name

Filter the sync policies by the Safe name

For example: 

GET https://<sub domain>.secretshub.cyberark.cloud/api/policies?projection=EXTEND&filter=filter.safeName EQ MySafeName

Get policies by target secret store ID

Filter the sync policies that are syncing to a specific target secret store by its Secrets Hub ID.

For example:
GET https://<sub domain>.secretshub.cyberark.cloud/api/policies?filter=target.id EQ store-cfd25162-f8a9-4d94-8d36-f46c4b60d651

To learn more, see Developer.

New in our docs!

  • The best practices when suspending, activating, or deleting the Secrets Hub service from your CyberArk tenant.

    To learn more, see Tenant management best practices.

August 13, 2023

Use non-default encryption keys in AWS secrets

If you are using non-default encryption keys to encrypt your AWS secrets, provide Secrets Hub with the relevant permissions on this key. To learn more, see Grant Secrets Hub permissions when using custom encryption key.

You can use the Secrets Hub AWS Discovery script to generate a report that lists all the keys used by your secrets per region.

New sync status - In progress

Until now there was no indication that a sync policy is in the process of being created or enabled. Starting now, you will see an In progress status in these cases. This status is used in both UI and API.

Edit PAM Self-Hosted connection details

We've added the capability to set the SecretsHub user password in the Secrets Hub Settings page for cases when the user's credentials were manually changed in PAM - Self-Hosted.

To learn more, see Set the SecretsHub service user password .

July 30, 2023

Sync policy API updates

  • Get sync policy status via API - Using the extended view of a policy, you can now get the policy's status and extra details (target, source, and synced Safe) about the policy.

    For example:

    GET https://<sub domain>.secretshub.cyberark.cloud/api/policies/{{policy ID}}?projection=EXTEND

  • Delete secrets filter as part of delete policy API- The Delete policy API now deletes the secrets filter linked to that policy automatically, without any additional action required from the user

For more information, see Sync policy API.

July 23, 2023

General Availability support for PAM Self-Hosted & Azure

  • Secrets Hub now supports CyberArk PAM Self-Hosted as a source secret store (General availability)

  • Secrets Hub now supports Azure Key Vault as a target secret store (General availability)

We do not support a proxy that serves as an intermediary communication control when using the connector.

July 16, 2023

Grant permissions using Terraform

You can now use Terraform to manage Secrets Hub permissions on AWS Secrets Manager target secret stores.

For details, see Configure AWS account roles using Terraform.

Upgrade connectors

If you are using PAM Self-Hosted or syncing secrets to Azure Key Vault targets using a connector, we recommend upgrading the connectors used by Secrets Hub. For details, see the Connector Management What's new.

July 2, 2023

Public REST APIs

You can now automate Secrets Hub flows and scenarios using the REST APIs as described in the Developer section.

These APIs enable you to programmatically manage and automate the life-cycle of Secrets Hub resources.

For example, you can use the Secret Store API to manage operations on secret stores (Privileged Access Manager - Self-Hosted/PAM - Self-Hosted), and the target secret stores being your defined targets.

Secrets Hub default tags changes

  • New tag: 'CyberArk Secret ID'

    From now on, secrets synced by Secrets Hub will be tagged CyberArk Secret ID. This is a new tag and is for internal use only—used by the Secrets Hub service. Do not manage or use it to grant permissions on secrets in your target.

  • Tag changes

    The Platform ID tag will no longer be added to Secrets Hub synced secrets. It is valid for new syncs only.

    We will not remove the tag if it was already synced to secrets in the target.

    This changed is relevant for both Azure and AWS syncs.

    The rest of the tags remain the same.

June 18, 2023

UI enhancements

  • If you are using Secrets Hub with PAM Self-Hosted, you can view the connector used to connect between them via the Secrets Hub Settings page.

  • You can now easily view all the targets that are linked to a specific connector.

Heads up!

Starting June 25th, platform ID tags will no longer be added to secrets managed by Secrets Hub. Other tags like CyberArk Account and CyberArk Safe will remain unchanged to help customers to understand the source of the secret in PAM. More information regarding these tags can be found in Manage sync policies.

The details:
  • This is relevant only for new syncs.

  • If a secret has already been tagged, Secrets Hub will not remove the tag, but it will also not maintain it. Meaning that if the platform changes in PAM it will not be updated in the tag's value in the AWS Secrets Manager or Azure Key Vault secret.

  • The rest of the tags remain unchanged.

June 11, 2023

Support for special characters in Microsoft Azure

Special characters (non-alphanumeric) in CyberArk account or Safe names are now replaced with a hyphen '-' to meet Azure Key Vault standards.

This applies only to the default naming convention (<CyberArk Safe>-<CyberArk Account>).

June 4, 2023

You can now delete sync targets from Secrets Hub.

To learn more, see .

May 28, 2023

Until now, Secrets Hub relied on a specific naming convention for AWS Secrets Manager secrets. In this release, we introduce the ability to sync secrets with a custom secret name.

This give you the flexibility to follow your own conventions and is useful when you already have secrets in AWS Secrets Manager that you want tot manage as-is, with minimal changes or disruptions to your workflow.

To learn more, see Customize the secret naming convention (optional).

May 21, 2023

  • CyberArk Secrets Hub is a SaaS solution that provides organizations that utilize cloud provider secret stores with all the advantages of CyberArk’s centralized secrets management solutions, without impacting developer workflows.

    Secrets Hub can sync from the following sources:

    • Privilege Cloud

    • PAM - Self-hosted (controlled availability)

    To the following targets:

    • AWS Secrets Manager

    • Azure Key Vault (controlled availability)

    To learn more, see Azure Key Vault (controlled availability) docs and PAM - Self-Hosted (controlled availability) docs.

  • In addition to our Virginia data center, Secrets Hub is now also supported in the following regions:

    • Frankfurt

    • Singapore