Version: 1.0

Cloud Sync

SyVault can synchronize secrets from your vault to external cloud secret stores, keeping your existing infrastructure tooling intact while using SyVault as the single source of truth. The sy sync CLI command pushes secrets one-way from SyVault to a target provider.

How It Works

Cloud sync reads secrets from a specified SyVault folder, decrypts them locally, and writes each one to the target cloud provider's secrets service using that provider's API. Secrets are transmitted over TLS and encrypted at rest by the target provider's native encryption.

The sync is one-way: SyVault to cloud. Changes made directly in the cloud provider are not pulled back into SyVault. This ensures SyVault remains the authoritative source for all secrets.

Supported Providers

Provider   Target Service          CLI Flag
AWS        AWS Secrets Manager     --provider aws
Azure      Azure Key Vault         --provider azure
GCP        Google Secret Manager   --provider gcp

Prerequisites

  • SyVault CLI installed and bootstrapped with a client that has access to the target folder.
  • Cloud provider credentials configured in your environment (AWS CLI profile, Azure CLI login, or GCP application default credentials).

AWS Secrets Manager

# Sync all secrets from the "Production" folder to AWS Secrets Manager
sy sync --provider aws --folder "Production" --region us-east-1

# Use a prefix to namespace secrets
sy sync --provider aws --folder "Production" --region us-east-1 --prefix "syvault/"

# Dry-run to preview changes without writing
sy sync --provider aws --folder "Production" --region us-east-1 --dry-run

SyVault creates or updates secrets in AWS Secrets Manager using the secret's title as the name (or prefix + title if --prefix is set). Each field within a SyVault record is stored as a key-value pair in the secret's JSON value.

Required IAM Permissions

The principal running sy sync needs a policy such as the following. The Resource ARN is scoped to the syvault/ prefix used in the examples above; adjust it if you sync with a different prefix or none.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret",
        "secretsmanager:PutSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:syvault/*"
    }
  ]
}

This statement does not grant a delete permission (secretsmanager:DeleteSecret), so runs that use --delete-orphans need that action added on the same prefixed resource; leave it out for principals that only create and update.

Azure Key Vault

# Sync to Azure Key Vault
sy sync --provider azure --folder "Production" --vault-name my-keyvault

# With prefix and dry-run
sy sync --provider azure --folder "Production" --vault-name my-keyvault --prefix "syvault-" --dry-run

The CLI uses your active Azure CLI session (az login). Ensure the signed-in principal has the Key Vault Secrets Officer role on the target vault.

GCP Secret Manager

# Sync to GCP Secret Manager
sy sync --provider gcp --folder "Production" --project my-gcp-project

# With prefix
sy sync --provider gcp --folder "Production" --project my-gcp-project --prefix "syvault_"

The CLI uses Application Default Credentials. The service account needs the secretmanager.secrets.create and secretmanager.versions.add permissions on the target project.

Common Options

Flag               Description
--folder           SyVault folder to sync from (required)
--provider         Target cloud provider: aws, azure, or gcp (required)
--prefix           String prepended to each secret name in the target provider
--dry-run          Preview which secrets would be created or updated without making changes
--delete-orphans   Remove secrets in the target that no longer exist in the SyVault folder
--tags             Key-value tags to apply to synced secrets (e.g., --tags env=prod,team=backend)

Automation

You can run sy sync on a schedule using cron, a CI/CD pipeline, or a Kubernetes CronJob to keep your cloud secrets up to date automatically.

# Example cron entry: sync every hour
0 * * * * /usr/local/bin/sy sync --provider aws --folder "Production" --region us-east-1 --prefix "syvault/" >> /var/log/sy-sync.log 2>&1

Security Considerations

  • Secrets are decrypted in the CLI process memory and transmitted directly to the cloud provider over TLS. They are never written to disk during sync.
  • Use --prefix to isolate SyVault-managed secrets from manually created ones in the target provider.
  • Enable --delete-orphans cautiously -- it will remove any secret in the target that matches the prefix but no longer exists in SyVault. With no --prefix, every secret in the target that is not in the folder counts as an orphan, so always combine the flag with --prefix and preview the run with --dry-run first.
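The following is an added example, not SyVault's own code: a small model of the sync semantics documented in the AWS section, the Common Options table and the Security Considerations above. It reproduces the documented naming rule (prefix + title), the mapping of record fields to a JSON secret value, --tags parsing, --dry-run, and the --delete-orphans rule that only secrets carrying the prefix are candidates for removal. The Record and Plan types, the sample records and the in-memory "store" standing in for the provider are all constructed for this example.

```python
"""Model of SyVault's documented one-way sync to a cloud secret store.

Hypothetical helper written for this page (not SyVault's code). The target
store is represented by a plain dict of name -> JSON value so the planning
logic can run offline.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Record:
    """One SyVault record: a title plus its fields (constructed type)."""
    title: str
    fields: dict


@dataclass
class Plan:
    """What a sync run would do, keyed by target secret name."""
    create: dict = field(default_factory=dict)
    update: dict = field(default_factory=dict)
    delete: list = field(default_factory=list)


def parse_tags(spec):
    """Parse the --tags syntax 'env=prod,team=backend' into a dict."""
    tags = {}
    for item in filter(None, spec.split(",")):
        if "=" not in item:
            raise ValueError(f"tag must be key=value: {item!r}")
        key, value = item.split("=", 1)
        tags[key.strip()] = value.strip()
    return tags


def secret_name(prefix, title):
    """Target name is the record title, namespaced by --prefix if given."""
    return f"{prefix}{title}"


def plan_sync(records, existing, prefix="", delete_orphans=False):
    """Compute the create/update/delete sets for one run.

    records  -- Record objects read from the SyVault folder
    existing -- dict of names currently present in the target store
    """
    plan = Plan()
    wanted = {}
    for rec in records:
        name = secret_name(prefix, rec.title)
        if name in wanted:
            raise ValueError(f"two records map to the same target name {name!r}")
        # Each field becomes a key-value pair in the secret's JSON value.
        wanted[name] = json.dumps(rec.fields, sort_keys=True)
    for name, value in wanted.items():
        (plan.update if name in existing else plan.create)[name] = value
    if delete_orphans:
        # Only names under the prefix are considered. With an empty prefix
        # every unmanaged secret in the store would be treated as an orphan.
        plan.delete = sorted(
            n for n in existing if n.startswith(prefix) and n not in wanted
        )
    return plan


def apply_plan(plan, store, dry_run=True):
    """Apply a plan to the store; with dry_run=True nothing is changed."""
    if dry_run:
        return store
    for name, value in {**plan.create, **plan.update}.items():
        store[name] = value
    for name in plan.delete:
        store.pop(name, None)
    return store


# Constructed sample data: two records in the "Production" folder and a
# target store that already holds one of them, one stale SyVault-managed
# secret and one secret created by hand outside SyVault.
SAMPLE_RECORDS = [
    Record("db-primary", {"username": "app", "password": "s3cr3t-constructed"}),
    Record("api-key", {"key": "constructed-api-key"}),
]
SAMPLE_EXISTING = {
    "syvault/db-primary": '{"password": "old", "username": "app"}',
    "syvault/old-service": '{"token": "stale"}',
    "manual-secret": '{"value": "not managed by SyVault"}',
}

if __name__ == "__main__":
    plan = plan_sync(SAMPLE_RECORDS, SAMPLE_EXISTING, prefix="syvault/", delete_orphans=True)
    for action, names in (("create", plan.create), ("update", plan.update), ("delete", plan.delete)):
        print(action, sorted(names))
```

Running the module prints the dry-run view: api-key is created, db-primary is updated, old-service is deleted, and manual-secret is left alone because it does not carry the prefix. Re-running plan_sync with prefix="" shows why the Security Considerations recommend a prefix: manual-secret then appears in the delete set.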