Synchronize Safes and accounts from Privilege Cloud

Conjur Cloud secrets are most often synced from accounts in Privilege Cloud. In Privilege Cloud you can store secrets in Safes and manage their password rotation policies.

This topic assumes you are familiar with creating Safes and accounts in Privilege Cloud. If you are not, see the Privilege Cloud documentation for details.

Set up your Privilege Cloud accounts to work with Conjur Cloud

In order for accounts in Privilege Cloud to sync to Conjur Cloud, you need to associate the Safe that contains the accounts to Conjur Cloud. Syncs to Conjur Cloud are performed on a Safe level.

Step 1: Associate Privilege Cloud Safe with Conjur Cloud

Add the Conjur Sync user as a member of the Safe that contains or will contain the accounts you want to sync to Conjur Cloud.


For details on adding members to Safes, see your Privilege Cloud documentation.

  • If you do not see the Conjur Sync user in the list of available users, turn on Show system component users.

  • When you add the Conjur Sync user to the Safe, grant it the following permissions on the Safe:




    • Use accounts

    • Retrieve accounts

    • List accounts


    Access Safe without confirmation

Step 2: Add an account to your Safe

Privilege Cloud accounts contain the secrets that are synced to Conjur Cloud. When adding an account to a Safe associated with Conjur Cloud, take note of the following:

  • The account name is part of the secret name that is synced to Conjur Cloud. When naming the account, we recommend enabling Customize account name and giving the account a short and logical name. For more information, see Privilege Cloud Safe and account representation in Conjur Cloud.

  • When defining an address in the account properties, if you are specifying an IPv6 address, use the global format, for example: 1000:1000:1000:1000:1000:1000:1000:0055W.

  • Each time Privilege Cloud syncs with Conjur Cloud (every minute), corresponding secrets are created in Conjur Cloud. Hosts and users must be granted access to these secrets. For more information, see Grant permissions on secrets.

Privilege Cloud Safe and account representation in Conjur Cloud

Each Privilege Cloud account is represented in Conjur Cloud by one or more secrets where one secret is for the account password and the other secrets are for each account property.


For information aboutPrivilege Cloud account properties, see the Privilege Cloud documentation.

A path to a secret in Conjur Cloud is composed of the following elements:

data/vault/<safe-name>/<account-name>/<account property>


The name of the Safe in Privilege Cloud (lowercase).


The account name in the Safe (lowercase).


The account property that the secret represents (lowercase):

  • If the secret represents the password, the value is password
  • If the secret represents another account property (other than password), the value is the name of the property in lowercase, for example username or address

Let's say, for example, your Safe in Privilege Cloud is called myapp. The Safe1 Safe contains an account, dbaccount, which has a username property.

When the Safe syncs to Conjur Cloud, the following two secrets are created for the account in Conjur Cloud, with their values:

  • data/vault/Safe1/dbaccount/password
  • data/vault/Safe1/dbaccount/username

Renamed Safes and accounts

If you rename a Safe or account, when the Safe syncs to Conjur Cloud, new secrets are created using the new Safe/account name. Hosts and users must be granted access to these new secrets. For more information, see Grant permissions on secrets.


Secrets that correspond to the Safe/account before you renamed it are not deleted from Conjur Cloud.