Troubleshoot Secrets Hub

This topic describes issues that might arise when using Secrets Hub and suggested resolutions.

Sync policy failure

Problem: Sync policy is not syncing successfully, and is displaying one of the following statuses: , . What is the difference, and why is the sync failing?

Resolution:

The Policies > Status column displays:

  • when the sync fails

  • when the sync is only partially successful, that is, some secrets sync successfully to the target, while others don't sync.

For more details about the sync status and reasons for failure, click More options at the end of the policy row and select Additional details. The additional details provide the reason for failure, as well as information about:

  • The last time that the policy ran a sync

  • When the last full sync occurred, that is, when the secrets were successfully updated on the target

  • When the next sync cycle is expected

Possible reasons for failure and suggested resolutions

The sync policy might be incorrectly defined

  • Check that the details provided in the sync policy are correct

  • Make sure that the SecretsHub user is a member of the Safe you are syncing

Secret store might be incorrectly defined

Check that the details provided in the secret store are correct.

Secret store might not be accessible

Check that Secrets Hub can connect to the target.

Secret might not be tagged

Check that the secret in AWS Secrets Manager or Azure Key Vault is tagged with Sourced by CyberArk.

More than one account in Privilege Cloud is syncing to the secret

  1. Verify that only one account in Privilege Cloud is mapped to the existing secret in the target. If more than one account is mapped, remove the account that shouldn't be mapped to that secret in the target. Alternatively, change the other account name so that it won't be mapped to the same secret.

  2. Remove the Cyberark Secret ID tag from the secret in the target.

  3. Do one of the following:

    • Wait for the sync to occur (check the Next sync attempt value in the policy sync status).

    • Trigger a sync by changing the password in Privilege Cloud.

    • Disable and then enable the policy.

Missing permissions in AWS KMS

Grant permissions to the Secrets Hub user, as described in Grant Secrets Hub permissions when using custom encryption key.

The SecretsHub user's password was manually changed in Privilege Cloud.

Sync error message:

"Secrets Hub was unable to connect to Privilege Cloud with the SecretsHub service user credentials. Check the SecretsHub service user credentials."

Set the SecretsHub user password in Secrets Hub to match the password in Privilege Cloud, as described in Set the SecretsHub service user password.

Successive failure

When a sync policy fails 2 times in a row, Secrets Hub increases the sync cycle to the number of failures divided by 2, in minutes. For example, after 10 sync failures, the cycle is 5 minutes between syncs.

If the sync policy continues to fail, Secrets Hub keeps increasing the sync cycle accordingly, up to a maximum of 60 minutes.

You can get more information about the failure reason in the Sync status description for that sync policy. For details, see Sync policy status.

To restore the default sync cycle time, you can disable and then enable the sync policy.

If you are unable to resolve the issue, contact your CyberArk representative.