Manage sync policies

This section describes how to create, disable, enable and delete sync policies, and what the sync policy statuses mean.

Overview

A sync policy tells Secrets Hub which secrets to sync from the source secret store (PAM) to the target secret store (AWS Secrets Manager or Azure Key Vault).

When you create a sync policy, you define the secrets filter (Safe), which represents the secrets to be synced, and the target secret store to which the secrets are synced.

Sync policies are active by default once created, but can be disabled or deleted as necessary.

Create a sync policy

To create a sync policy
  1. Prerequisite: Make sure a target secret store (AWS Secrets Manager or Azure Key Vault) has already been added for your target. For details, see Add an AWS target secret store.

  2. From the Secrets Hub left navigation, go to Policies.

  3. On the Sync policies page, click Create sync policy.

  4. In the wizard, select the secrets filter (Safe) that should be synced to AWS Secrets Manager or Azure Key Vault and click Next.

  5. Select the target secret store to sync the secrets to.

  6. Enter a name for the policy, and a description.

    By default, all sync policies are tagged with the default Secrets Hub tags:

    • In AWS Secrets Manager: Sourced by CyberArk

    • In Azure Key Vault: Sourced by CyberArk: True

    • CyberArk PAM: Privilege Cloud

    • CyberArk Safe: <Safe name in Privilege Cloud>

    • CyberArk Account: <Account name in Privilege Cloud>

    • CyberArk Secret ID: for internal use only. Do not manage this tag, and do not use it to grant permissions on secrets in your target.

  7. Click Done.

All the accounts in the Safe are synced to the target secret store.
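A check you would run after step 7, added here as an example and not part of CyberArk's documentation or code: it audits the records a list_secrets call returns (the SecretList shape used by boto3) for one Safe, compares the accounts that arrived with the accounts the Safe is known to hold (a non-empty "missing" list is the partial-success case), reports secrets that lack one of the default tags above, and flags an IAM policy that keys permissions on the internal CyberArk Secret ID tag instead of CyberArk Safe or CyberArk Account. Only the tag keys come from this page; the secret names, tag values, sample records and policies are constructed.

```python
"""Audit secrets that Secrets Hub synced into AWS Secrets Manager.

Added example, not CyberArk's code. Input records are shaped like the
'SecretList' entries of boto3 secretsmanager.list_secrets(); the sample
data below is constructed, and only the tag keys come from the product docs.
"""
import json
from typing import Dict, List, Set

# Default tags Secrets Hub puts on every synced secret (keys from the docs).
REQUIRED_TAGS = {
    "Sourced by CyberArk",
    "CyberArk PAM",
    "CyberArk Safe",
    "CyberArk Account",
    "CyberArk Secret ID",
}
# For internal use only: must never appear in a permission condition.
INTERNAL_TAG = "CyberArk Secret ID"


def tags_of(secret: dict) -> Dict[str, str]:
    """Flatten boto3's [{'Key': k, 'Value': v}, ...] tag list into a dict."""
    return {t["Key"]: t["Value"] for t in secret.get("Tags", [])}


def audit_safe_sync(secret_list: List[dict], safe_name: str,
                    expected_accounts: Set[str]) -> dict:
    """Compare the target with the accounts the Safe is known to contain.

    A non-empty 'missing' is the partial-success case: the policy ran but
    some accounts never reached the target. 'incomplete_tags' lists secrets
    that claim this Safe but lack one of the default tags, which a
    tag-scoped IAM policy would then silently exclude.
    """
    found: Set[str] = set()
    incomplete_tags: List[str] = []
    for secret in secret_list:
        tags = tags_of(secret)
        if tags.get("CyberArk Safe") != safe_name:
            continue  # not from this Safe, or not managed by Secrets Hub
        if REQUIRED_TAGS - set(tags):
            incomplete_tags.append(secret["Name"])
        if "CyberArk Account" in tags:
            found.add(tags["CyberArk Account"])
    return {
        "synced": sorted(found & expected_accounts),
        "missing": sorted(expected_accounts - found),
        "unexpected": sorted(found - expected_accounts),
        "incomplete_tags": incomplete_tags,
    }


def secret_id_tag_conditions(policy_json: str) -> List[str]:
    """Return 'operator:key' for every IAM condition that keys on the
    internal CyberArk Secret ID tag. Anything returned should be rewritten
    to use the CyberArk Safe or CyberArk Account tag instead."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare dict
        statements = [statements]
    hits = []
    for stmt in statements:
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                # catches secretsmanager:ResourceTag/... and aws:ResourceTag/...
                if key.lower().endswith("/" + INTERNAL_TAG.lower()):
                    hits.append(f"{operator}:{key}")
    return hits


# Constructed sample: Safe "Payroll-DB" holds three accounts; two reached the
# target, one of them with tags missing. Secret names and values are assumed.
SAMPLE_SECRETS = [
    {"Name": "Payroll-DB/db-admin", "Tags": [
        {"Key": "Sourced by CyberArk", "Value": "True"},
        {"Key": "CyberArk PAM", "Value": "Privilege Cloud"},
        {"Key": "CyberArk Safe", "Value": "Payroll-DB"},
        {"Key": "CyberArk Account", "Value": "db-admin"},
        {"Key": "CyberArk Secret ID", "Value": "a1b2c3"}]},
    {"Name": "Payroll-DB/db-reader", "Tags": [
        {"Key": "Sourced by CyberArk", "Value": "True"},
        {"Key": "CyberArk Safe", "Value": "Payroll-DB"},
        {"Key": "CyberArk Account", "Value": "db-reader"}]},
    {"Name": "platform/app-key", "Tags": [{"Key": "team", "Value": "platform"}]},
]
EXPECTED_ACCOUNTS = {"db-admin", "db-reader", "db-backup"}


def _read_policy(condition_key: str, value: str) -> str:
    """Read-only policy scoped by a resource tag condition (constructed)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
        "Resource": "*", "Condition": {"StringEquals": {condition_key: value}}}]})


GOOD_POLICY = _read_policy("secretsmanager:ResourceTag/CyberArk Safe", "Payroll-DB")
BAD_POLICY = _read_policy("secretsmanager:ResourceTag/CyberArk Secret ID", "a1b2c3")

if __name__ == "__main__":
    print(json.dumps(audit_safe_sync(SAMPLE_SECRETS, "Payroll-DB", EXPECTED_ACCOUNTS), indent=2))
    print("conditions to rewrite:", secret_id_tag_conditions(BAD_POLICY))
```

Scoping consumers on the CyberArk Safe tag (as in GOOD_POLICY) keeps the permission boundary aligned with the Safe boundary in PAM, and the audit shows why a secret with a missing default tag matters: such a secret would fall outside that boundary without any error being raised.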

Disable a sync policy

This section describes how to disable a sync policy. When you disable a sync policy, secrets from the Safe defined in the sync policy stop syncing to the target secret store.

To disable a sync policy:
  1. In Secrets Hub, go to Policies.

  2. In the row of the policy you want to disable, click More options at the end of the row, and select Disable. It might take a few minutes for the policy to become disabled.

  • If a sync is currently in progress, Secrets Hub completes the sync before disabling the policy. Once disabled, the row turns gray.

  • You can see the details of the last sync status under More options > Additional details.

  • Synced secrets remain in the target secret store and the default tags continue to appear for each secret with no change.

Enable a sync policy

By default, sync policies are enabled upon creation. If a policy was disabled, you can re-enable it as follows:

  1. In Secrets Hub, go to Policies.

  2. In the row of the policy you want to enable, click More options at the end of the row, and select Enable.

    If, in the next sync cycle, Secrets Hub detects changes in the secrets since the last sync, the secrets are synced and the status is updated accordingly.

Delete a sync policy

Only disabled sync policies can be deleted.

If you are using the REST API to delete the sync policy, make sure to also delete the secrets filter after you delete the sync policy, so that the filter does not remain behind without a policy.

  1. In Secrets Hub, go to Policies.

  2. In the row of the policy you want to delete, click More options at the end of the row, and select Delete.

Sync policy status

On the Policies page, the Status column shows you the status of the sync policy. For more information, click More options at the end of the policy row, and select Additional details.

The Status column shows one of the following states:

  • Secrets are syncing to the target for the first time.

  • Secrets synced successfully.

  • Sync to target failed. If the reason for the failure is known, the details appear under Additional details. For more information, see Troubleshoot Secrets Hub.

  • Partial success: some of the secrets synced successfully, but some could not be synced.

  • Sync policy is disabled.