Manage Safes and secrets in PAM

This topic describes how to configure Safes and secrets in PAM to enable Secrets Hub to sync them to the target secret store.

Overview

In CyberArk Privilege Cloud you can store secrets in Safes and manage their password rotation policies.

To enable Secrets Hub to sync secrets from PAM to a target secret store, you need to give Secrets Hub access to the relevant Safes and make sure that the Safe and CyberArk account names meet the requirements. For details on the possible naming conventions, see Customize the secret naming convention (optional).

The secrets filter in Secrets Hub represents the Safe that is synced to the target secret store.

Required permissions in Privilege Cloud

You need the following permissions to perform these tasks:

Task                                              Required permission
Add a Safe                                        Add Safe
Add a CyberArk account                            Add Accounts
Add the SecretsHub user as a member of a Safe     Manage Safe Members
View a Safe                                       Manage Safe

Create a secret in Privilege Cloud

To create a secret in Privilege Cloud, you create a Safe, then add an account that contains secrets to the Safe.

Step 1: Create a Safe in Privilege Cloud

Create a Safe in Privilege Cloud for AWS Secrets Manager or Azure Key Vault secrets.

To create a Safe, see Create a new Safe.

Safe name requirements (when using the default secret naming convention):

  • AWS Secrets Manager: The Safe name can contain ASCII letters, numbers, and these characters: /_+=.@-

  • Azure Key Vault: The Safe name can contain ASCII letters, numbers, and these characters: -

Step 2: Grant the SecretsHub user permission to the Safe

The SecretsHub user facilitates the syncing of Privilege Cloud Safes that contain your secrets to your target secret store.

To sync a Safe to your target, the SecretsHub user must be added as a member of the Safe. Secrets Hub uses this user to retrieve the accounts from the Safe and sync them to the target secret store.

This section describes how to add the SecretsHub user as a member of the Safe, and which permissions to grant the user in the Safe.

To add the SecretsHub user as a Safe member
  1. In Privilege Cloud, select the Safe that Secrets Hub needs to sync to your target.

  2. Add the SecretsHub user to the list of Safe members, as described in Add Safe members.

    If you are using Privilege Cloud on Shared Services, when you search for the SecretsHub user, make sure to select System component user from the Source list and User from the Member type list.

    Grant the SecretsHub user the following permissions in the Safe:

    Role                              Permissions
    Access                            Retrieve accounts; List accounts
    Workflow                          Access Safe without confirmation
    Safe management and monitoring    View Safe members

Step 3: Add an account to the Safe

Secrets are stored in Privilege Cloud accounts in Privilege Cloud Safes.

In Secrets Hub you define a sync policy to sync secrets from Privilege Cloud to your target.

Secrets Hub performs the sync on the Safe level, so when you add an account to a Safe that Secrets Hub is already syncing, the account is synced to your target during the next sync cycle.

To add an account to a Safe, see Add accounts. The account requirements depend on the target secret store:

  AWS Secrets Manager:

  • The name you give to the account must be unique and meaningful so that it can be clearly identified.

  • When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

  • If the account name contains a space, the space is replaced with an underscore (_) in the secret name in AWS Secrets Manager.

  Azure Key Vault:

  • The name you give to the account must be unique and meaningful so that it can be clearly identified.

  • When using the default secret naming convention, the account name can contain ASCII letters, numbers, and the following characters: -

  • If the account name contains a space, the space is replaced with an underscore (_) in the secret name in Azure Key Vault.
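The Safe and account name rules above are easy to get wrong before a sync policy is created. The following pre-flight check is an added example, not CyberArk code or any Secrets Hub API: it validates names against the character sets this page lists for each target, derives the resulting target secret name (<Safe name>/<account name>, spaces replaced by underscores), and flags two account names that would collide in the target once spaces are replaced. The target keys `"aws"` and `"azure"` and the function names are assumptions of this example.

```python
import string

# Characters the page lists as allowed, in addition to ASCII letters and digits,
# under the default secret naming convention. Constructed lookup table; the
# character sets are copied from this page's bullets.
ALLOWED_EXTRA = {
    "aws":   {"safe": "/_+=.@-", "account": '/_+=.@!"'},
    "azure": {"safe": "-",       "account": "-"},
}
ALNUM = set(string.ascii_letters + string.digits)


def invalid_chars(name: str, target: str, kind: str) -> list:
    """Characters in `name` that the page does not list as allowed for this
    `kind` ("safe" or "account") on `target` ("aws" or "azure").
    A space is tolerated in account names because the page states it is
    replaced with an underscore in the target secret name."""
    allowed = ALNUM | set(ALLOWED_EXTRA[target][kind])
    if kind == "account":
        allowed.add(" ")
    return sorted({c for c in name if c not in allowed})


def target_secret_name(safe: str, account: str) -> str:
    """Name written to the target under the default convention:
    <Safe name>/<account name>, with spaces in the account name replaced by '_'."""
    return f"{safe}/{account.replace(' ', '_')}"


def plan_safe(safe: str, accounts: list, target: str) -> dict:
    """Pre-flight report for one Safe: naming problems for the Safe and each
    account, the secret name each account would get in the target, and pairs
    of accounts whose names collapse to the same target name."""
    report = {
        "safe": safe,
        "safe_problems": invalid_chars(safe, target, "safe"),
        "accounts": {},
        "collisions": [],
    }
    seen = {}
    for acct in accounts:
        secret = target_secret_name(safe, acct)
        report["accounts"][acct] = {
            "secret_name": secret,
            "problems": invalid_chars(acct, target, "account"),
        }
        # "db admin" and "db_admin" map to the same target name once the space
        # is replaced, so one would overwrite the other in the target store.
        if secret in seen:
            report["collisions"].append((seen[secret], acct))
        seen.setdefault(secret, acct)
    return report


if __name__ == "__main__":
    # Constructed sample names; not from a real environment.
    report = plan_safe("Payments-Prod", ["db admin", "db_admin", "api key#1"], "aws")
    print("Safe problems:", report["safe_problems"])
    for acct, info in report["accounts"].items():
        print(f"{acct!r} -> {info['secret_name']}  problems={info['problems']}")
    print("Collisions:", report["collisions"])
```

Run the check against the planned Safe and account names before adding the SecretsHub user to the Safe; the collision list is the case the "unique and meaningful" requirement above is guarding against.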

Safe and account limitations

This section describes limitations for Privilege Cloud Safes and accounts when working with Secrets Hub:

AWS Secrets Manager

Area: Safes

Limitations:

  • When a Safe is renamed in Privilege Cloud, sync policies that are configured to sync this Safe are not automatically updated with the new name. They continue to attempt to sync the original Safe, even though it no longer exists.

    To sync the secrets from the renamed Safe, create a new sync policy with the new Safe name. The secrets are synced to the target with the new name, <new Safe name>/<account name>.

  • When a Safe is renamed, the secret that was synced to AWS Secrets Manager with the original name (<original Safe name>/<account name>) is not deleted from AWS Secrets Manager.

  • When a Safe is deleted from Privilege Cloud, the sync policy stops working, but the secrets remain in AWS Secrets Manager.

  When using the default secret naming convention:

  • The Safe name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

Area: Account

Limitations:

  • When a Privilege Cloud account is renamed, sync policies that are configured to sync the account's Safe regard the renamed account as a new account, and Secrets Hub syncs it to the target as <Safe name>/<new account name>.

    The original secret in the target, <Safe name>/<original account name>, remains in the target.

  • A Safe is synced to Secrets Hub only when an update is detected in a password. If other details are updated, but the password is not updated, the Safe is not synced.

  • When an account is deleted from a Safe, the corresponding secret is not deleted from the target.

  When using the default secret naming convention:

  • The Safe name can contain ASCII letters, numbers, and the following characters: /_+=.@!"

Azure Key Vault

Area: Safes

Limitations:

  • When a Safe is renamed in Privilege Cloud, sync policies that are configured to sync this Safe are not automatically updated with the new name. They continue to attempt to sync the original Safe, even though it no longer exists.

    To sync the secrets from the renamed Safe, create a new sync policy with the new Safe name. The secrets are synced to the target with the new name, <new Safe name>/<account name>.

  • When a Safe is renamed, the secret that was synced to Azure Key Vault with the original name (<original Safe name>/<account name>) is not deleted from Azure Key Vault.

  • When a Safe is deleted from Privilege Cloud, the sync policy stops working, but the secrets remain in Azure Key Vault.

  When using the default secret naming convention:

  • The account name can contain ASCII letters, numbers, and the following characters: -

Area: Account

Limitations:

  • When a Privilege Cloud account is renamed, sync policies that are configured to sync the account's Safe regard the renamed account as a new account, and Secrets Hub syncs it to the target as <Safe name>/<new account name>.

    The original secret in the target, <Safe name>/<original account name>, remains in the target.

  • A Safe is synced to Secrets Hub only when an update is detected in a password. If other details are updated, but the password is not updated, the Safe is not synced.

  • When an account is deleted from a Safe, the corresponding secret is not deleted from the target.

  When using the default secret naming convention:

  • The account name can contain ASCII letters, numbers, and the following characters: -
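Every limitation above has the same security consequence: after a Safe or account is renamed or deleted, the old secret stays in the target store and, for a renamed Safe, the sync policy keeps pointing at a name that no longer exists, so the leftover copy is never rotated again. The audit below is an added example, not Secrets Hub functionality: given a snapshot of the Safes and accounts in PAM, the Safe names referenced by sync policies, and the secret names present in the target, it lists policies whose Safe no longer exists, target secrets no longer backed by a synced account (candidates for manual cleanup), and Safes that no policy covers. The snapshot inputs are constructed; how you collect them in practice (PAM and target store inventories) is outside what this page describes.

```python
def secret_name(safe: str, account: str) -> str:
    """Target name under the default convention described on this page."""
    return f"{safe}/{account.replace(' ', '_')}"


def expected_secrets(pam: dict, policies: list) -> set:
    """Secret names Secrets Hub would keep current: one per account in every
    Safe that a sync policy references and that still exists in PAM."""
    return {secret_name(s, a) for s in policies if s in pam for a in pam[s]}


def audit(pam: dict, policies: list, target_secrets: set) -> dict:
    """Compare PAM, the sync policies and the target store.

    pam:            {safe_name: [account_name, ...]} as currently in Privilege Cloud
    policies:       Safe names referenced by existing sync policies
    target_secrets: secret names currently present in the target store
    """
    return {
        # Safe renamed or deleted: the policy keeps trying the old name.
        "dead_policies": sorted(s for s in policies if s not in pam),
        # Left behind after a rename or delete; Secrets Hub never removes these,
        # and nothing rotates them any more.
        "stale_secrets": sorted(set(target_secrets) - expected_secrets(pam, policies)),
        # A renamed Safe needs a new sync policy under its new name.
        "unsynced_safes": sorted(s for s in pam if s not in policies),
    }


if __name__ == "__main__":
    # Constructed scenario: Safe "Billing" was renamed to "Billing-Prod" and
    # account "svc" to "svc-ro" after both had been synced once.
    pam = {"Billing-Prod": ["db admin", "svc-ro"]}
    policies = ["Billing"]
    target = {"Billing/db_admin", "Billing/svc"}
    for key, value in audit(pam, policies, target).items():
        print(f"{key}: {value}")
```

After the operator creates the new policy and a sync runs, the new names appear in the target but the two stale entries stay on the report until someone removes them from the target store by hand, which is exactly the behaviour the limitations above describe.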