Manage Safes and secrets in PAM
This topic describes how to configure Safes and secrets in PAM to enable Secrets Hub to sync them to the target secret store.
Overview
In CyberArk Privilege Cloud you can store secrets in Safes and manage their password rotation policies.
To enable Secrets Hub to sync secrets from PAM to a target secret store, you need to give Secrets Hub access to the relevant Safes and make sure that the Safe and CyberArk account names meet the requirements. For details on the possible naming conventions, see Customize the secret naming convention (optional).
The secrets filter in Secrets Hub represents the Safe that is synced to the target secret store.
Required permissions in Privilege Cloud
You need the following permissions to perform these tasks:
Task | Required permission
---|---
Add a Safe | Add Safe
Add a CyberArk account | Add Accounts
Add the SecretsHub user as a member of a Safe | Manage Safe Members
View a Safe | Manage Safe
Create a secret in Privilege Cloud
To create a secret in Privilege Cloud, you create a Safe, then add an account that contains secrets to the Safe.
Step 1: Create a Safe in Privilege Cloud
Create a Safe in Privilege Cloud for AWS Secrets Manager or Azure Key Vault secrets.
To create a Safe, see Create a new Safe.
Safe name requirements (when using the default secret naming convention):
- AWS Secrets Manager: The Safe name can contain ASCII letters, numbers, and these characters: /_+=.@-
- Azure Key Vault: The Safe name can contain ASCII letters, numbers, and these characters: -
Step 2: Grant the SecretsHub user permission to the Safe
The SecretsHub user facilitates the syncing of Privilege Cloud Safes that contain your secrets to your target secret store.
To sync a Safe to your target, the SecretsHub user must be added as a member of the Safe. Secrets Hub uses this user to retrieve the accounts from the Safe and sync them to the target secret store.
This section describes how to add the SecretsHub user as a member of the Safe, and which permissions to grant the user in the Safe.
- In Privilege Cloud, select the Safe that Secrets Hub needs to sync to your target.
- Add the SecretsHub user to the list of Safe members, as described in Add Safe members.
  If you are using Privilege Cloud on Shared Services, when you search for the SecretsHub user, make sure to select System component user from the Source list and User from the Member type list.
- Grant the SecretsHub user the following permissions in the Safe:
  - Access: Retrieve accounts, List accounts
  - Workflow: Access Safe without confirmation
  - Safe management and monitoring: View Safe members
Step 3: Add an account to the Safe
Secrets are stored in Privilege Cloud accounts in Privilege Cloud Safes.
In Secrets Hub you define a sync policy to sync secrets from Privilege Cloud to your target.
Secrets Hub performs the sync on the Safe level, so when you add an account to a Safe that Secrets Hub is already syncing, the account is synced to your target during the next sync cycle.
To add an account to a Safe, see Add accounts. The account must meet the following requirements:
AWS Secrets Manager:
- The name you give to the account must be unique and meaningful so that it can be clearly identified.
- When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: /_+=.@!"
- If the account name contains a space, the space is replaced with an underscore (_) in the secret name in AWS Secrets Manager.
Azure Key Vault:
- The name you give to the account must be unique and meaningful so that it can be clearly identified.
- When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: -
- If the account name contains a space, the space is replaced with an underscore (_) in the secret name in Azure Key Vault.
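As an added example (not CyberArk's code), a pre-flight check that applies the Safe and account naming rules above before the objects are created in Privilege Cloud. The character sets are copied from this page; the function names, the sample names and the collision check (two account names that differ only by spaces versus underscores map to the same secret name) are this example's own assumptions.

```python
# Added example, not CyberArk's code: validate Safe and account names against the
# naming rules of this page before creating them in Privilege Cloud.

# Characters allowed in addition to ASCII letters and digits, per target secret store,
# under the default secret naming convention (as listed on this page).
SAFE_NAME_EXTRA = {"aws": "/_+=.@-", "azure": "-"}
ACCOUNT_NAME_EXTRA = {"aws": '/_+=.@!"', "azure": "-"}


def _disallowed(name, extra):
    """Distinct characters in name that are neither ASCII alphanumerics nor in extra."""
    bad = []
    for ch in name:
        if (ch.isascii() and ch.isalnum()) or ch in extra or ch in bad:
            continue
        bad.append(ch)
    return bad


def check_safe_name(name, target):
    """Return the characters of a Safe name that the target does not accept ([] = OK)."""
    return _disallowed(name, SAFE_NAME_EXTRA[target])


def check_account_name(name, target):
    """Return (secret_name, problems) for an account name.

    secret_name is the name after the space-to-underscore mapping described above;
    problems lists the account-name characters outside the target's allowed set.
    Spaces are not reported because Secrets Hub replaces them with underscores."""
    secret_name = name.replace(" ", "_")
    return secret_name, _disallowed(name.replace(" ", ""), ACCOUNT_NAME_EXTRA[target])


def colliding_secret_names(account_names, target):
    """Group account names whose mapped secret names collide (assumed consequence of the
    space-to-underscore mapping: 'db admin' and 'db_admin' both become 'db_admin')."""
    by_secret = {}
    for name in account_names:
        by_secret.setdefault(check_account_name(name, target)[0], []).append(name)
    return {k: v for k, v in by_secret.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real environment.
    print(check_safe_name("app/prod.db@v1", "aws"))     # []
    print(check_safe_name("app/prod.db@v1", "azure"))   # ['/', '.', '@']
    print(check_account_name("db admin#1", "azure"))    # ('db_admin#1', ['#'])
    print(colliding_secret_names(["db admin", "db_admin", "web"], "aws"))
```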
Safe and account limitations
This section describes limitations for Privilege Cloud Safes and accounts when working with Secrets Hub:
Area | Limitations
---|---
Safes | When using the default secret naming convention:
Account | When using the default secret naming convention: