Manage Safes and secrets in PAM

This topic describes how to configure Safes and secrets in PAM to enable Secrets Hub to sync them to the target secret store.

Overview

In CyberArk PAM - Self-Hosted you can store secrets in Safes and manage their password rotation policies.

To enable Secrets Hub to sync secrets from PAM to a target secret store, you need to give Secrets Hub access to the relevant Safes and make sure that the Safe and CyberArk account names meet the requirements. For details on the possible naming conventions, see Customize the secret naming convention (optional).

The secrets filter in Secrets Hub represents the Safe that is synced to the target secret store.

Required permissions in PAM - Self-Hosted

You need the following permissions to perform these tasks:

Task                                            Required permission
Add a Safe                                      Add Safe
Add a CyberArk account                          Add Accounts
Add the SecretsHub user as a member of a Safe   Manage Safe Members
View a Safe                                     Manage Safe

Create a secret in PAM - Self-Hosted

To create a secret in PAM - Self-Hosted, you create a Safe, then add an account that contains secrets to the Safe.

Step 1: Create a Safe in PAM - Self-Hosted

Create a Safe in PAM - Self-Hosted for AWS Secrets Manager or Azure Key Vault secrets.

If your PVWA is behind a load balancer, it may take a minute for the new Safe to appear in the list of Safes.

To create a Safe, see Add a Safe.

Safe name requirements (when using the default secret naming convention):

  • AWS Secrets Manager: The Safe name can contain ASCII letters, numbers, and these characters: /_+=.@-

  • Azure Key Vault: The Safe name can contain ASCII letters, numbers, and these characters: -

Step 2: Grant the SecretsHub user permission to the Safe

The SecretsHub user facilitates the syncing of PAM - Self-Hosted Safes that contain your secrets to your target secret store.

To sync a Safe to your target, the SecretsHub user must be added as a member of the Safe. Secrets Hub uses this user to retrieve the accounts from the Safe and sync them to the target secret store.

This section describes how to add the SecretsHub user as a member of the Safe, and which permissions to grant the user in the Safe.

To add the SecretsHub user as a Safe member
  1. In PAM - Self-Hosted, select the Safe that Secrets Hub needs to sync to your target.

  2. Add the SecretsHub user to the list of Safe members, as described in Add Safe members.

    If you are using PAM - Self-Hosted on Shared Services, when you search for the SecretsHub user, make sure to select System component user from the Source list and User from the Member type list.

    Grant the SecretsHub user the following permissions in the Safe:

    Role                            Permissions
    Access                          Retrieve accounts, List accounts
    Workflow                        Access Safe without confirmation
    Safe management and monitoring  View Safe members

Step 3: Add an account to the Safe

Secrets are stored in PAM - Self-Hosted accounts in PAM - Self-Hosted Safes.

In Secrets Hub you define a sync policy to sync secrets from PAM - Self-Hosted to your target.

Secrets Hub performs the sync on the Safe level, so when you add an account to a Safe that Secrets Hub is already syncing, the account is synced to your target during the next sync cycle.

To add an account to a Safe, see Add accounts. See the following account requirements:

  AWS Secrets Manager:

  • The name you give to the account must be unique and meaningful so that it can be clearly identified.

  • When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

  • If the account name contains a space, the space is replaced with an underscore (_) in the secret name in AWS Secrets Manager.

  Azure Key Vault:

  • The name you give to the account must be unique and meaningful so that it can be clearly identified.

  • When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: -

  • If the account name contains a space, the space is replaced with an underscore (_) in the secret name in Azure Key Vault.

Safe and account limitations

This section describes limitations for PAM - Self-Hosted Safes and accounts when working with Secrets Hub:

AWS Secrets Manager

Area: Safes

  • When a Safe is renamed in PAM - Self-Hosted, sync policies that are configured to sync this Safe are not automatically updated with the new name. They continue to attempt to sync the original Safe, even though it no longer exists.

    To sync the secrets from the renamed Safe, create a new sync policy with the new Safe name. The secrets are synced to the target with the new name, <new Safe name>/<account name>.

  • When a Safe is renamed, the secret that was synced to AWS Secrets Manager with the original name (<original Safe name>/<account name>) is not deleted from AWS Secrets Manager.

  • When a Safe is deleted from PAM - Self-Hosted, the sync policy stops working, but the secrets remain in AWS Secrets Manager.

  When using the default secret naming convention:

  • The Safe name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

Area: Account

  • When a PAM - Self-Hosted account is renamed, sync policies that are configured to sync the account's Safe regard the renamed account as a new account, and Secrets Hub syncs it to the target as <Safe name>/<new account name>.

    The original secret in the target, <Safe name>/<original account name>, remains in the target.

  • A Safe is synced to Secrets Hub only when an update is detected in a password. If other details are updated, but the password is not updated, the Safe is not synced.

  • When an account is deleted from a Safe, the corresponding secret is not deleted from the target.

  When using the default secret naming convention:

  • The Safe name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

Azure Key Vault

Area: Safes

  • When a Safe is renamed in PAM - Self-Hosted, sync policies that are configured to sync this Safe are not automatically updated with the new name. They continue to attempt to sync the original Safe, even though it no longer exists.

    To sync the secrets from the renamed Safe, create a new sync policy with the new Safe name. The secrets are synced to the target with the new name, <new Safe name>/<account name>.

  • When a Safe is renamed, the secret that was synced to Azure Key Vault with the original name (<original Safe name>/<account name>) is not deleted from Azure Key Vault.

  • When a Safe is deleted from PAM - Self-Hosted, the sync policy stops working, but the secrets remain in Azure Key Vault.

  When using the default secret naming convention:

  • The account name can contain ASCII letters, numbers, and the following characters: -

Area: Account

  • When a PAM - Self-Hosted account is renamed, sync policies that are configured to sync the account's Safe regard the renamed account as a new account, and Secrets Hub syncs it to the target as <Safe name>/<new account name>.

    The original secret in the target, <Safe name>/<original account name>, remains in the target.

  • A Safe is synced to Secrets Hub only when an update is detected in a password. If other details are updated, but the password is not updated, the Safe is not synced.

  • When an account is deleted from a Safe, the corresponding secret is not deleted from the target.

  When using the default secret naming convention:

  • The account name can contain ASCII letters, numbers, and the following characters: -