Secrets Hub architecture

This topic includes a high-level description and diagram of the Secrets Hub architecture.


Architecture diagram

The diagram above describes how secrets are scanned from AWS Secrets Manager and, if configured, synchronized between Privilege Cloud and AWS Secrets Manager using Secrets Hub.

  • Secrets are stored in AWS Secrets Manager and consumed natively by developers and workloads from AWS Secrets Manager.

  • Secrets Hub scans AWS Secrets Manager and discovers the secret stores on each AWS Secrets Manager.

    • In Secrets Hub, secret stores are created to represent the AWS Secrets Manager accounts and regions that will be scanned.

    • A trust is created between Secrets Hub and the relevant AWS Secrets Manager targets with a user-created IAM role that provides Secrets Hub with the required permissions to list secrets located in AWS Secrets Manager.

  • If configured, Secrets Hub can serve as an intermediary that synchronizes secrets between Privilege Cloud and AWS:

    • In Secrets Hub, sync policies are created to define which secrets need to be synchronized to which AWS Secrets Manager targets.

    • Secrets Hub synchronizes the secrets continuously, while the Privilege Cloud CPM ensures the rotation of the secrets as defined in their password policy.
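The trust described above (a user-created IAM role that lets Secrets Hub list secrets in an AWS Secrets Manager target) is the part of this architecture a practitioner has to get right. The CloudFormation template below is an added example, not code from the Secrets Hub documentation or from CyberArk; the account ID and external ID parameters, the role and policy names, and the use of an external-ID condition are assumptions chosen to illustrate a least-privilege role, not values the page specifies.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the Secrets Hub documentation): a least-privilege
  IAM role that Secrets Hub can assume to list secrets in this account's
  AWS Secrets Manager for scanning.
Parameters:
  SecretsHubAccountId:
    Type: String
    Description: Placeholder - AWS account ID from which Secrets Hub assumes the role (assumption, not on the page).
  ExternalId:
    Type: String
    NoEcho: true
    Description: Placeholder - external ID binding the trust to one Secrets Hub tenant (assumption, not on the page).
Resources:
  SecretsHubScanRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecretsHubScanRole          # example name, not a Secrets Hub requirement
      AssumeRolePolicyDocument:             # who may assume the role: only the Secrets Hub account
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${SecretsHubAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId   # guards against the confused-deputy case
      Policies:
        - PolicyName: SecretsHubListSecretsOnly
          PolicyDocument:                   # what the role may do: list secret metadata, nothing else
            Version: "2012-10-17"
            Statement:
              - Sid: ListSecretsForScan
                Effect: Allow
                Action: secretsmanager:ListSecrets
                Resource: "*"               # ListSecrets has no resource-level scoping, so "*" is required
```

The permissions policy grants only `secretsmanager:ListSecrets`, which matches the scanning trust the page describes: discovery needs secret names and metadata, not secret values, so no `GetSecretValue` is granted. Synchronization into AWS (writing secrets) needs additional actions that this page does not enumerate, so they are deliberately left out of the example. When reviewing an existing role, check that its trust policy names only the Secrets Hub principal and that its permissions do not exceed what the configured function (scan or sync) actually requires.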

The diagram above describes how secrets are scanned from Azure Key Vault and, if configured, synchronized between Privilege Cloud and Azure Key Vault using Secrets Hub.

  • Secrets are stored and managed in Privilege Cloud and are consumed by developers and workloads from Azure Key Vault.

  • Secrets Hub scans Azure Key Vaults and discovers the secret stores on each Key Vault.

  • Secrets Hub serves as an intermediary and synchronizes the secrets between Privilege Cloud and Azure Key Vault:

    • In Secrets Hub, sync targets and sync policies are created to define which secrets need to be synchronized.

    • If the Azure Key Vault is set to disable public access, a connector is required to provide Secrets Hub with access to the Azure Key Vault.

      • When the Azure Key Vault is blocked from accepting requests from public networks, Secrets Hub cannot manage secrets in the Azure Key Vault without a connector.

      • The connector agent establishes an outbound connection to the cloud over the MQTT protocol. The connection is long-lived and, once established, carries bi-directional communication.

      • The connection from the agent to Azure Key Vault is ad hoc: the agent creates it when a request is triggered from Secrets Hub.

      • If the Azure Key Vaults are in different subscriptions, peering is needed.

    • Once access is provided, Secrets Hub is able to manage the secrets in the Azure Key Vault using a user-created application registration that provides Secrets Hub with the required permissions to write secrets into Azure Key Vault.

    • Secrets Hub synchronizes the secrets continuously, while the Privilege Cloud CPM ensures the rotation of the secrets as defined in their password policy.

    • A connector can support multiple Azure Key Vaults on the same network.