Create sync policy - tutorial

This topic is a step-by-step tutorial for creating a sync policy using the Secrets Hub REST APIs: you authenticate, look up the source and target secret store IDs, create the policy, and then track the sync status.

Step 1: Sign in to ISPSS

Sign in to ISPSS with a user that is a member of the Secrets Hub role.

For details, see API Authentication for CyberArk Identity Security Platform Shared Services.

Step 2: Get the source secret store ID

Get the source secret store ID for the source secret store (PAM Self-Hosted or Privilege Cloud) that is defined for your CyberArk tenant.

API call

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-stores?behavior=SECRETS_SOURCE

Response example

{
    "secretStores": [
        {
            "id": "store-50e75527-5813-497b-aaab-8cc5a296188e",
            "type": "PAM_SELF_HOSTED",
            "behaviors": [
                "SECRETS_SOURCE"
            ],
            "createdAt": "2023-08-07T09:12:24.645000",
            "createdBy": "user@cyberark.cloud",
            "data": {
                "url": "https://MyPAMHostname.com/passwordvault",
                "userName": "SecretsHub",
                "connectorId": "ManagementAgent_26cbd0fd-e62b-42b1-b826-4379ca848aa6"
            },
            "name": "MySourceName",
            "updatedAt": "2023-08-30T10:55:11.517000",
            "updatedBy": "user@cyberark.cloud"
        }
    ]
}

Save the secret store ID (the "id" value in the example, store-50e75527-5813-497b-aaab-8cc5a296188e), also referred to as the source ID, for the next step.

Step 3: Get secret store

Identify the secret store to which you want to sync the secrets.

Get the list of target secret stores that are defined in Secrets Hub and identify the relevant store from its details rather than from its name alone.

Use the following properties to identify the relevant secret store:

  • AWS Secrets Manager: Account ID and region.

  • Azure Key Vault: vault URL.

API call

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-stores?behavior=SECRETS_TARGET

Response

{
  "secretStores": [
    {
      "id": "store-40dd8670-6d1a-4b44-9da7-4803d5112de3",
      "type": "AWS_ASM",
      "behaviors": [
        "SECRETS_TARGET"
      ],
      "createdAt": "2023-07-20T12:26:52.579Z",
      "createdBy": "user@cyberark.cloud",
      "data": {
        "accountAlias": "secretsmanager",
        "accountId": "accountId",
        "regionId": "us-east-1",
        "roleName": "roleName"
      },
      "description": "target example",
      "name": "prod_gemini_asm",
      "updatedAt": "2023-07-20T12:26:52.579Z",
      "updatedBy": "user@cyberark.cloud"
    },
    {
      "id": "store-bce60568-f380-49e4-9eb5-e7f86b1b54d6",
      "type": "AZURE_AKV",
      "behaviors": [
        "SECRETS_TARGET"
      ],
      "createdAt": "2023-08-14T11:57:42.413000",
      "createdBy": "user@cyberark.cloud",
      "data": {
        "appClientDirectoryId": "f0a94287-3c32-47c4-a282-5ef7a72aef89",
        "azureVaultUrl": "https://MyVault.vault.azure.net",
        "appClientId": "f0a94287-3c32-47c4-a282-5ef7a72aef89",
        "connectionConfig": {
          "connectionType": "PRIVATE",
          "connection": "PRIVATE"
        }
      },
      "description": "none",
      "name": "MyVault",
      "updatedAt": "2023-08-14T11:57:42.413000",
      "updatedBy": "user@cyberark.cloud"
    }
  ]
}

Save the secret store ID (the "id" value of the relevant store in the example, for instance store-40dd8670-6d1a-4b44-9da7-4803d5112de3 for the AWS Secrets Manager target) for the next step.

Step 4: Create the sync policy

Create the policy with the parameters that you saved in the previous steps:

  • Source secret store ID

  • Target secret store ID

together with the name of the Safe in the source whose secrets you want to sync to the target. The secrets filter representing this Safe (type PAM_SAFE) is created as part of the policy.

API call

POST https://<sub domain>.secretshub.cyberark.cloud/api/policies

Body example

{
    "name": "MyPolicy",
    "description": "This policy is syncing secrets to us-east-1",
    "source": {
        "id": "store-50e75527-5813-497b-aaab-8cc5a296188e"
    },
    "target": {
        "id": "store-40dd8670-6d1a-4b44-9da7-4803d5112de3"
    },
    "filter": {
        "data": {
            "safeName": "MySafe"
        },
        "type": "PAM_SAFE"
    }
}

Response example

{
    "id": "policy-61efa3e9-1a67-4b34-97dc-8a2ff7570dfb",
    "name": "MyPolicy",
    "description": "This policy is syncing secrets to us-east-1",
    "createdAt": "2023-09-12T14:26:05.383000",
    "updatedAt": "2023-09-12T14:26:05.383000",
    "createdBy": "user@cyberark.cloud",
    "updatedBy": "user@cyberark.cloud",
    "source": {
        "id": "store-50e75527-5813-497b-aaab-8cc5a296188e"
    },
    "target": {
        "id": "store-2c22a932-67de-42f1-90ca-f98beedf2d22"
    },
    "filter": {
        "id": "filter-8e6513f7-1017-426c-9b0d-d7e27b08d768"
    },
    "state": {
        "current": "ENABLED"
    }
}

The policy is created in the ENABLED state and the sync process begins. Save the policy ID from the response; the sync may take some time, depending on the number of secrets in the Safe.

Step 5: Track the sync status

Track the sync status from the policy details. The projection=EXTEND query parameter expands the source, target and filter objects and adds the "status" block that reports the last run.

API call

GET https://<sub domain>.secretshub.cyberark.cloud/api/policies/<policy ID>?projection=EXTEND

Response example

{
    "id": "policy-61efa3e9-1a67-4b34-97dc-8a2ff7570dfb",
    "name": "MyPolicy",
    "description": "This policy is syncing secrets to us-east-1",
    "source": {
        "id": "store-50e75527-5813-497b-aaab-8cc5a296188e",
        "type": "PAM_SELF_HOSTED",
        "behaviors": [
            "SECRETS_SOURCE"
        ],
        "createdAt": "2023-08-07T09:12:24.645000",
        "createdBy": "user@cyberark.cloud",
        "data": {
            "url": "https://MyPAMHostname.com/passwordvault",
            "userName": "SecretsHub",
            "connectorId": "ManagementAgent_26cbd0fd-e62b-42b1-b826-4379ca848aa6"
        },
        "name": "MySourceName",
        "updatedAt": "2023-08-30T10:55:11.517000",
        "updatedBy": "user@cyberark.cloud"
    },
    "target": {
        "id": "store-40dd8670-6d1a-4b44-9da7-4803d5112de3",
        "type": "AWS_ASM",
        "behaviors": [
            "SECRETS_TARGET"
        ],
        "createdAt": "2023-07-20T12:26:52.579Z",
        "createdBy": "user@cyberark.cloud",
        "data": {
            "accountAlias": "secretsmanager",
            "accountId": "accountId",
            "regionId": "us-east-1",
            "roleName": "roleName"
        },
        "description": "target example",
        "name": "prod_gemini_asm",
        "updatedAt": "2023-07-20T12:26:52.579Z",
        "updatedBy": "user@cyberark.cloud"
    },
    "filter": {
        "id": "filter-8e6513f7-1017-426c-9b0d-d7e27b08d768",
        "type": "PAM_SAFE",
        "data": {
            "safeName": "MySafe"
        },
        "createdAt": "2023-08-28T11:24:05.586000",
        "updatedAt": "2023-08-28T11:24:05.586000",
        "createdBy": "user@cyberark.cloud",
        "updatedBy": "user@cyberark.cloud"
    },
    "status": {
        "policyId": "policy-61efa3e9-1a67-4b34-97dc-8a2ff7570dfb",
        "policyStatus": "SUCCESS",
        "isRunning": false,
        "lastRun": "2023-09-12T14:38:47.536059+00:00",
        "error": ""
    },
    "createdAt": "2023-09-12T14:26:05.383000+00:00",
    "updatedAt": "2023-09-12T14:26:05.383000+00:00",
    "createdBy": "user@cyberark.cloud",
    "updatedBy": "user@cyberark.cloud",
    "state": {
        "current": "ENABLED",
        "stateDetails": {
            "status": "SUCCEEDED",
            "fromState": "NONE",
            "toState": "ENABLED"
        }
    }
}

In the response, the policy's current state is ENABLED and its state transition status is SUCCEEDED; together with "policyStatus": "SUCCESS", "isRunning": false and an empty "error" in the status block, this means the sync has completed successfully. While a run is in progress, isRunning is true; if a run fails, the error field describes the failure.
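The following script is an added example, not CyberArk's own code or SDK. It drives Steps 2 to 5 of this tutorial from Python with only the standard library: it looks up the single source store, selects the target store by AWS account ID and region (or Azure vault URL) rather than by name, builds the policy body with the PAM_SAFE filter, creates the policy, and polls the policy with projection=EXTEND until the sync settles. Everything it assumes beyond what the page shows is labelled: the ISPSS token is sent as an HTTP Bearer token, and the constructed sample_fetch stand-in (with a made-up account ID) replaces the live API so the script runs offline.

```python
"""Added example, not CyberArk's own code: drives Steps 2-5 of the tutorial with the
standard library only. Assumptions not stated on the page: the ISPSS token is sent as a
Bearer token; paths, query strings and JSON field names are exactly as shown above."""
import json
import time
import urllib.request
from typing import Callable, Optional

Fetch = Callable[[str, str, Optional[dict]], dict]  # (method, path, body) -> JSON

def make_fetch(subdomain: str, token: str) -> Fetch:
    base = f"https://{subdomain}.secretshub.cyberark.cloud/api"
    def fetch(method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")  # assumption: Bearer auth
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def get_source_store_id(fetch: Fetch) -> str:
    """Step 2: the tenant has one source store (PAM Self-Hosted or Privilege Cloud)."""
    stores = fetch("GET", "/secret-stores?behavior=SECRETS_SOURCE", None)["secretStores"]
    if len(stores) != 1:
        raise RuntimeError(f"expected one source store, got {len(stores)}")
    return stores[0]["id"]

def find_target_store_id(fetch: Fetch, account_id=None, region_id=None, vault_url=None) -> str:
    """Step 3: match the target by AWS account + region or by Azure vault URL, not by name."""
    stores = fetch("GET", "/secret-stores?behavior=SECRETS_TARGET", None)["secretStores"]
    matches = []
    for store in stores:
        data = store.get("data", {})
        if store["type"] == "AWS_ASM" and account_id and region_id:
            if data.get("accountId") == account_id and data.get("regionId") == region_id:
                matches.append(store)
        elif store["type"] == "AZURE_AKV" and vault_url:
            if data.get("azureVaultUrl", "").rstrip("/").lower() == vault_url.rstrip("/").lower():
                matches.append(store)
    if len(matches) != 1:  # never guess when zero or several stores match
        raise RuntimeError(f"expected exactly one matching target store, found {len(matches)}")
    return matches[0]["id"]

def build_policy_body(name, description, source_id, target_id, safe_name) -> dict:
    """Step 4 request body; the PAM_SAFE filter scopes the sync to a single Safe."""
    return {"name": name, "description": description,
            "source": {"id": source_id}, "target": {"id": target_id},
            "filter": {"data": {"safeName": safe_name}, "type": "PAM_SAFE"}}

def sync_outcome(policy: dict) -> str:
    """Step 5: collapse the projection=EXTEND view into RUNNING, SUCCESS, FAILED or PENDING."""
    status, state = policy.get("status", {}), policy.get("state", {})
    if status.get("isRunning"):
        return "RUNNING"
    if (status.get("policyStatus") == "SUCCESS" and state.get("current") == "ENABLED"
            and state.get("stateDetails", {}).get("status") == "SUCCEEDED"):
        return "SUCCESS"
    if status.get("error"):
        return "FAILED: " + status["error"]
    return "PENDING"  # policy exists but no run has settled yet

def wait_for_sync(fetch: Fetch, policy_id: str, timeout=600, interval=15) -> str:
    deadline = time.monotonic() + timeout
    while True:
        outcome = sync_outcome(fetch("GET", f"/policies/{policy_id}?projection=EXTEND", None))
        if outcome not in ("RUNNING", "PENDING") or time.monotonic() > deadline:
            return outcome
        time.sleep(interval)

def run_tutorial(fetch: Fetch, account_id: str, region_id: str, safe_name: str) -> dict:
    """Steps 2-5 end to end; returns the ids used and the final sync outcome."""
    source_id = get_source_store_id(fetch)
    target_id = find_target_store_id(fetch, account_id=account_id, region_id=region_id)
    body = build_policy_body("MyPolicy", f"sync {safe_name} to {region_id}",
                             source_id, target_id, safe_name)
    policy_id = fetch("POST", "/policies", body)["id"]
    return {"source": source_id, "target": target_id, "policy": policy_id,
            "outcome": wait_for_sync(fetch, policy_id, interval=0)}

# Constructed offline stand-in for the API (account id 123456789012 is made up; store
# and policy ids are the page's own examples), so the script runs without a tenant.
def sample_fetch(method: str, path: str, body: Optional[dict] = None) -> dict:
    if path.endswith("SECRETS_SOURCE"):
        return {"secretStores": [{"id": "store-50e75527-5813-497b-aaab-8cc5a296188e",
                                  "type": "PAM_SELF_HOSTED"}]}
    if path.endswith("SECRETS_TARGET"):
        return {"secretStores": [
            {"id": "store-40dd8670-6d1a-4b44-9da7-4803d5112de3", "type": "AWS_ASM",
             "data": {"accountId": "123456789012", "regionId": "us-east-1"}},
            {"id": "store-bce60568-f380-49e4-9eb5-e7f86b1b54d6", "type": "AZURE_AKV",
             "data": {"azureVaultUrl": "https://MyVault.vault.azure.net"}}]}
    if method == "POST" and path == "/policies":
        return {"id": "policy-61efa3e9-1a67-4b34-97dc-8a2ff7570dfb"}
    return {"status": {"policyStatus": "SUCCESS", "isRunning": False, "error": ""},
            "state": {"current": "ENABLED", "stateDetails": {"status": "SUCCEEDED"}}}

if __name__ == "__main__":
    print(json.dumps(run_tutorial(sample_fetch, "123456789012", "us-east-1", "MySafe"), indent=2))
```

To run it against a real tenant, replace sample_fetch with make_fetch("<sub domain>", token), where token is the ISPSS session token from Step 1, and pass your own AWS account ID, region and Safe name. The target lookup deliberately fails when zero or more than one store matches, so a policy is never created against a store chosen by a name collision; wait_for_sync treats a non-empty error field as a failed run and returns it for the caller to act on.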