What's new

New Secrets Hub versions are released and announced on a varying cadence. Occasionally, new versions that include only performance, stability and bug fixes, and do not require customer actions, are released without an announcement.

March 3, 2024

Discover and view Azure secrets using Secrets Hub

As part of providing the security team with a simple, centralized way to view secrets that reside in Azure Key Vault, we are happy to announce that secret visibility is now available for Azure secrets!

Scan your Azure secret stores and see their secrets on our Secrets page. Use the Secrets Hub insights and filters to gain insight on the security posture of your cloud platform. For example, external secrets that originate in Azure and are not managed in CyberArk PAM.

Check out the Azure dashboard for additional perspective on your Azure secrets.

To view the Azure dashboard, make sure to add the following information to your Azure target secret store:

  • Resource group

  • Subscription name

  • Subscription ID

Azure dashboard

The Secrets Hub discovery and visibility REST APIs are currently in Beta.

To learn more about Secrets Hub discovery and visibility, see View and filter secrets

February 25, 2024

AWS dashboard enhancements

We've updated and improved the AWS dashboard. We invite you to check it out!

To learn more, see View and filter secrets.

Additional info for Azure secret store

When creating or editing an Azure secret store, you can now provide subscription and resource group information. This information can be useful for finding Azure Key Vaults that belong to the same subscription or resource group.

Available in both API and UI.

To learn more, see Add secret store details.

Secrets Hub default tags in AWS

The sync process includes tagging the secret in AWS Secrets Manager with the CyberArk PAM Safe and account names.

If your CyberArk PAM Safe or account name includes a special character that is not supported by AWS, the invalid character is replaced with a hyphen '-' in the tag value.

For example, 'My Account (21)' will be replaced with 'My Account -21-' for the tag 'CyberArk Account'.

To learn more, see the CyberArk Technical Community article.

February 4, 2024

Sync only password as plain text

Until now, by default, Secrets Hub would sync a set of secret properties, based on the type of CyberArk account. From now on, Secrets Hub supports creating a sync policy that syncs only the password as plain text.

This is useful for keys, certificates, or existing secrets with matching value structure of password-only.

To learn more, see Which secret properties are updated during a sync?

January 21, 2024

Automatic secret store scans

From now, Secrets Hub automatically scans all your AWS secret stores every 24 hours.

To learn more, see Automatic scans.

January 7, 2024

Documentation enhancements - new tutorials

We've added new tutorials for automating common workflows:

December 31, 2023

New insight: external secrets

Our Secrets page now displays the number of external secrets. External secrets are secrets that are not sourced by CyberArk PAM, but rather by external secret stores such as AWS Secrets Manager.

external secrets on the Secrets page

To learn more about the benefits of this insight, see Insights.

December 24, 2023

Secrets Hub and PAM Self-Hosted High Availability support

The Connector Management service introduces a high availability configuration, by default, through the use of a single connector pool.

You can now use the default connector pool when configuring the Secrets Hub connection with PAM Self-Hosted.

Using a default connector pool in PAM Self-Hosted configurations is recommended for production.

To learn more, see Connect Secrets Hub to PAM Self-Hosted.

Customers with existing configurations to PAM Self-Hosted using a single connector, can switch to working with the default connector pool by editing their source secret store using our REST APIs. To learn more, see Switch for a single connector to a connector pool - tutorial.

Secrets Hub visibility dashboard for AWS secret stores

Secrets Hub now has a new dashboard that provides a summary of scanned AWS secrets and their insights, secret stores, and sync policies.

The dashboard maps the scanned secrets according to their AWS account and regions.

It also summarizes sync and scans failures, if they occur.

AWS dashboard

December 17, 2023

Connector Management Agent proxy support

The Connector Management Agent can be run on a Connector machine that is configured to connect to the internet through a proxy.

The proxy address can be either DNS or IP address and port.

Communication between Secrets Hub and the connector is outbound and, therefore, is done through a proxy (if configured). HTTP communication between the connector and components within the same network, such as communication with PAM Self-Hosted or Azure Key Vault, bypasses the proxy.

To learn more, see Connect Secrets Hub to PAM Self-Hosted.

Support syncing 10K secrets from Privilege Cloud

Secrets Hub now supports syncing up to 10K secrets from PAM to AWS or Azure targets.

December 3, 2023

Discover and view secrets using Secrets Hub

We're happy to announce that Secrets Hub now provides the security team with a simple, centralized way to view secrets that reside in different AWS secret stores.

Scan your AWS secret stores and see their secrets on our new Secrets page. Use the Secrets Hub insights and filters to gain insight on the security posture of your cloud platform. For example, analyze idle (unused) secrets to determine whether they're redundant.

To learn more about Secrets Hub discovery and visibility, see Discover, view, and filter secrets.

The Secrets Hub discovery and visibility REST APIs are currently in Beta.

Documentation enhancements

Secrets Hub new discovery and visibility capabilities introduce a new workflow that is reflected throughout the Secrets Hub docs, whether it's support and scope, architecture, REST APIs, and of course, a dedicated section (mentioned above).
In addition, we've added the following enhancements:

  • Our home page diagram now reflects our discovery and visibility capabilities, as well as our sync capabilities.

  • quick start image map providing you with a high-level workflows description. For details, see Quick start.

  • We've simplified our worflow diagrams to describe them each separately; starting with onboarding, then scan and view secrets, and finally, sync secrets to a target secret store. You can find each workflow diagram in it's respective section in the docs.

  • We've restructured our docs to accommodate our new capabilities.

If you have any feedback or comments, click Contact the docs team in the online docs to send us an email.

November 26, 2023

Secrets Hub connector creation change

Starting now, when you create a connector either for connecting Secrets Hub to Privilege Cloud or for connecting to an Azure secret store, you can do it from the Connector Management service. This change helps to better enforce separation of duties and roles as well as simplify the flow for the relevant personas in your organization.

November 23, 2023

Register Secrets Hub in Azure AD - doc enhancements

We've added the following enhancements:

October 22, 2023

Connector upgrade

We recommend that all Secrets Hub customers using a connector (for either PAM Self-Hosted or for Azure Key Vault) to upgrade their connectors.

To learn more, see Connector upgrade.

Tutorial for automating AWS secret store creation

A step-by-step description for creating a AWS secret store using the Secrets Hub REST API.

To learn more, see Create an AWS secret store - tutorial.

October 8, 2023

Secrets Hub data center in Australia

In addition to Virginia, Frankfurt, Canada, and Singapore, Secrets Hub is now also deployed in Australia.

For the full support matrix, see CyberArk ISPSS region support.

October 1, 2023

Secrets Hub data center in Canada

In addition to Virginia, Frankfurt, and Singapore, Secrets Hub is now also deployed in Canada.

For the full support matrix, see CyberArk ISPSS region support.

September 18, 2023

Tutorial for automating policy creation

The first in a series of tutorials for different automation workflows. A step-by-step description for creating a sync policy using the Secrets Hub REST API. For details, see Create a sync policy - tutorial.

Simplified process for registering Secrets Hub in Azure AD

Until now you needed to run two separate scripts to register Secrets Hub in Azure AD. One for creating the Secrets Hub app and the other for granting the necessary permissions to Secrets Hub to sync secrets. Now you can do both steps by running a single script, either in silent or interactive mode. For details, see Register Secrets Hub in Azure AD

August 27, 2023

Increased secret store and policy support

You can now define and use up to 1000 targets (in total) and up to 1000 policies.

AWS test connection error handling improvements

Test connection is available from the secret store. When you test a connection Secrets Hub validates your configuration, such as permissions, to the secret store. In AWS it's the IAM role.

When you run a test connection on a new or existing target, you will now recieve specific errors that will help you troubleshoot the problem.

Edit secret store via API

In continuation to our API enhancements, you can now edit AWS Secrets Manager and Azure Key Vault targets in Secrets Hub via API.

August 20, 2023

Create secrets filter as part of creating policy API

In our July 30, 2023 release we provided the capability to delete a secrets filter automatically when running the delete policy API. In this release, we've added the same capability when creating a sync policy. Instead of running two separate APIs to create a sync policy and an associated secrets filter (Safe), you can now you can create both using only the create policy API.

To learn more, see Sync policy API.

REST APIs - filtering capabilities

We've added new filtering capabilities to the following REST APIs.



Filter options

Get target secret stores by type

Filter secret store by AWS or Azure.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=type EQ AWS_ASM

Get target secret stores by AWS account ID

Filter only the AWS targets that are defined under the same AWS account ID.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=data.accountId EQ 123456789100

Get target secret stores by Azure Key Vault URL

Filter only the Microsoft Azure targets that are defined for a specific Azure Key Vault.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-store?filter=data.azureVaultUrl EQ https://myVault.vault.azure.net/

Get secret stores by Azure app registration ID

Filter only the Azure secret stores with the same Azure app registration ID.

For example:

GET https://<sub domain>.secretshub.cyberark.cloud/api/secret-stores?filter=data.appClientId EQ MyAzureAppID

Get policies by Safe name

Filter the sync policies by the Safe name

For example: 

GET https://<sub domain>.secretshub.cyberark.cloud/api/policies?projection=EXTEND&filter=filter.safeName EQ MySafeName

Get policies by target secret store ID

Filter the sync policies that are syncing to a specific secret store by its Secrets Hub ID.

For example:
GET https://<sub domain>.secretshub.cyberark.cloud/api/policies?filter=target.id EQ store-cfd25162-f8a9-4d94-8d36-f46c4b60d651

To learn more, see Developer.

New in our docs!

  • The best practices when suspending, activating, or deleting the Secrets Hub service from your CyberArk tenant.

    To learn more, see Tenant management best practices.

August 13, 2023

Use non-default encryption keys in AWS secrets

If you are using non-default encryption keys to encrypt your AWS secrets, provide Secrets Hub with the relevant permissions on this key. To learn more, see Grant Secrets Hub permissions when using custom encryption key.

You can use the Secrets Hub AWS Discovery script to generate a report that lists all the keys used by your secrets per region.

New sync status - In progress

Until now there was no indication that a sync policy is in the process of being created or enabled. Starting now, you will see an In progress status in these cases. This status is used in both UI and API.

Edit PAM Self-Hosted connection details

We've added the capability to set the SecretsHub user password in the Secrets Hub Settings page for cases when the user's credentials were manually changed in Privilege Cloud.

To learn more, see Set the SecretsHub service user password .

July 30, 2023

Sync policy API updates

  • Get sync policy status via API - Using the extended view of a policy, you can now get the policy's status and extra details (target, source, and synced Safe) about the policy.

    For example:

    GET https://<sub domain>.secretshub.cyberark.cloud/api/policies/{{policy ID}}?projection=EXTEND

  • Delete secrets filter as part of delete policy API- The Delete policy API now deletes the secrets filter linked to that policy automatically, without any additional action required from the user

For more information, see Sync policy API.

July 23, 2023

General Availability support for PAM Self-Hosted & Azure

  • Secrets Hub now supports CyberArk PAM Self-Hosted as a source secret store (General availability)

  • Secrets Hub now supports Azure Key Vault as a target secret store (General availability)

We do not support a proxy that serves as an intermediary communication control when using the connector.

July 16, 2023

Grant permissions using Terraform

You can now use Terraform to manage Secrets Hub permissions on AWS Secrets Manager secret stores.

For details, see Configure AWS account roles using Terraform.

Upgrade connectors

If you are using PAM Self-Hosted or syncing secrets to Azure Key Vault targets using a connector, we recommend upgrading the connectors used by Secrets Hub. For details, see the Connector Management What's new.

July 2, 2023

Public REST APIs

You can now automate Secrets Hub flows and scenarios using the REST APIs as described in the Developer section.

These APIs enable you to programmatically manage and automate the life-cycle of Secrets Hub resources.

For example, you can use the Secret Store API to manage operations on secret stores (Privilege Cloud/Privilege Cloud), and the secret stores being your defined targets.

Secrets Hub default tags changes

  • New tag: 'CyberArk Secret ID'

    From now on, secrets synced by Secrets Hub will be tagged CyberArk Secret ID. This is a new tag and is for internal use only—used by the Secrets Hub service. Do not manage or use it to grant permissions on secrets in your target.

  • Tag changes

    The Platform ID tag will no longer be added to Secrets Hub synced secrets. It is valid for new syncs only.

    We will not remove the tag if it was already synced to secrets in the target.

    This changed is relevant for both Azure and AWS syncs.

    The rest of the tags remain the same.

June 18, 2023

UI enhancements

  • If you are using Secrets Hub with PAM Self-Hosted, you can view the connector used to connect between them via the Secrets Hub Settings page.

  • You can now easily view all the targets that are linked to a specific connector.

Heads up!

Starting June 25th, platform ID tags will no longer be added to secrets managed by Secrets Hub. Other tags like CyberArk Account and CyberArk Safe will remain unchanged to help customers to understand the source of the secret in PAM. More information regarding these tags can be found in Manage sync policies.

The details:
  • This is relevant only for new syncs.

  • If a secret has already been tagged, Secrets Hub will not remove the tag, but it will also not maintain it. Meaning that if the platform changes in PAM it will not be updated in the tag's value in the AWS Secrets Manager or Azure Key Vault secret.

  • The rest of the tags remain unchanged.

June 11, 2023

Support for special characters in Microsoft Azure

Special characters (non-alphanumeric) in CyberArk account or Safe names are now replaced with a hyphen '-' to meet Azure Key Vault standards.

This applies only to the default naming convention (<CyberArk Safe>-<CyberArk Account>).

June 4, 2023

You can now delete sync targets from Secrets Hub.

To learn more, see .

May 28, 2023

Until now, Secrets Hub relied on a specific naming convention for AWS Secrets Manager secrets. In this release, we introduce the ability to sync secrets with a custom secret name.

This give you the flexibility to follow your own conventions and is useful when you already have secrets in AWS Secrets Manager that you want tot manage as-is, with minimal changes or disruptions to your workflow.

To learn more, see Customize the secret naming convention (optional).

May 21, 2023

  • CyberArk Secrets Hub is a SaaS solution that provides organizations that utilize cloud provider secret stores with all the advantages of CyberArk’s centralized secrets management solutions, without impacting developer workflows.

    Secrets Hub can sync from the following sources:

    • Privilege Cloud

    • PAM - Self-hosted (controlled availability)

    To the following targets:

    • AWS Secrets Manager

    • Azure Key Vault (controlled availability)

    To learn more, see Azure Key Vault (controlled availability) docs and Privilege Cloud (controlled availability) docs.

  • In addition to our Virginia data center, Secrets Hub is now also supported in the following regions:

    • Frankfurt

    • Singapore