
SecretSync

SecretSync (secretssync) is the operational package in the Extended Data ecosystem: a Go-based secret synchronization pipeline built for Vault-to-cloud workflows, multi-account AWS environments, dry-run diffs, and CI/CD-friendly execution.



Two-phase pipeline

Separate merge and sync phases make inheritance, aggregation, and dry-run inspection predictable at scale.

Cloud-aware discovery

AWS Organizations and Identity Center discovery help target large account fleets without hand-maintained account lists.

CI/CD ready

GitHub Action support, structured output modes, exit codes, and diff views make SecretSync suitable for automation-first workflows.

Python integration

The recommended Python entry point is through vendor-connectors[secrets], which exposes SecretSync operations to Python applications and agent tools. Runtime execution still depends on the secretsync CLI or native bindings.


```sh
go install github.com/jbcom/extended-data-library/packages/secretssync/cmd/secretsync@latest
```

  • Synchronizes secrets between HashiCorp Vault and cloud secret stores.
  • Supports two-phase merge and sync workflows for inheritance-heavy setups.
  • Provides dry-run, diff, and exit-code modes for CI/CD pipelines.
  • Exposes metrics and health endpoints for operational monitoring.
  • Supports GitHub Action usage for repository-native automation.

```sh
# Validate a pipeline configuration
secretsync validate --config pipeline.yaml
# Dry run with CI-friendly exit codes
secretsync pipeline --config pipeline.yaml --dry-run --exit-code
# Execute the full pipeline
secretsync pipeline --config pipeline.yaml
```

```yaml
vault:
  address: "https://vault.example.com"
  namespace: "admin"
aws:
  region: "us-east-1"
  execution_role_pattern: "arn:aws:iam::{account_id}:role/SecretsSync"
sources:
  api-keys:
    vault:
      path: "secret/api-keys"
targets:
  Staging:
    imports: [api-keys]
    account_id: "111111111111"
```
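The configuration above pairs Vault `sources` with `targets` that `import` them, and the pipeline resolves those imports in a merge phase before a separate sync (or dry-run diff) phase. The following is an added illustration of that two-phase shape in plain Python; it is not SecretSync's code and not the vendor-connectors API. The merge rule (later imports override earlier ones on a key collision), the diff categories, and the exit-code convention are assumptions made for this example, and the config, the Vault contents and the target-store contents are constructed fixtures embedded inline so it runs offline.

```python
"""Toy model of a merge-then-sync secret pipeline (added example, not project code).

Assumptions made here, not taken from SecretSync:
  - a target's desired secret set is the union of its imported sources,
    with later imports overriding earlier ones on key collision;
  - a dry run classifies keys as create / update / extra and never prints values;
  - exit code 0 means "nothing would change", 2 means "changes pending".
"""

# Constructed config mirroring the pipeline.yaml shape shown above, as a dict
# so the example needs no YAML library. The second source/target are invented
# to exercise the merge rule.
CONFIG = {
    "sources": {
        "api-keys": {"vault": {"path": "secret/api-keys"}},
        "db-creds": {"vault": {"path": "secret/db-creds"}},
    },
    "targets": {
        "Staging": {"imports": ["api-keys"], "account_id": "111111111111"},
        "Prod": {"imports": ["api-keys", "db-creds"], "account_id": "222222222222"},
    },
}

# Constructed stand-in for reading each source path from Vault.
VAULT_FIXTURE = {
    "secret/api-keys": {"STRIPE_KEY": "sk_test_1", "SENDGRID_KEY": "sg_1"},
    "secret/db-creds": {"DB_PASSWORD": "pw_1", "STRIPE_KEY": "sk_live_override"},
}

# Constructed stand-in for what each account's secret store holds right now.
CURRENT_STATE = {
    "111111111111": {"STRIPE_KEY": "sk_test_0", "LEGACY_TOKEN": "old"},
    "222222222222": {"STRIPE_KEY": "sk_live_override", "DB_PASSWORD": "pw_1"},
}


def read_vault_fixture(path):
    """Hypothetical source reader; a real pipeline would call Vault here."""
    return VAULT_FIXTURE[path]


def validate_config(config):
    """Return a list of problems; an empty list means the config is consistent."""
    errors = []
    sources = config.get("sources", {})
    for name, target in config.get("targets", {}).items():
        acct = target.get("account_id", "")
        if not (acct.isdigit() and len(acct) == 12):
            errors.append(f"target {name}: account_id must be a 12-digit AWS account id")
        for imp in target.get("imports", []):
            if imp not in sources:
                errors.append(f"target {name}: imports unknown source {imp!r}")
    return errors


def merge_phase(config, read_source):
    """Phase 1: resolve each target's imports into one desired key/value set."""
    desired = {}
    for name, target in config["targets"].items():
        merged = {}
        for imp in target.get("imports", []):
            path = config["sources"][imp]["vault"]["path"]
            merged.update(read_source(path))  # assumed rule: later imports win
        desired[name] = {"account_id": target["account_id"], "secrets": merged}
    return desired


def diff_phase(desired, current_state):
    """Phase 2 as a dry run: report key names only, never secret values.

    'extra' lists keys present in the target but in none of its imports; whether
    those are removed is a policy decision this example does not make.
    """
    plan = {}
    for name, spec in desired.items():
        current = current_state.get(spec["account_id"], {})
        want = spec["secrets"]
        plan[name] = {
            "create": sorted(k for k in want if k not in current),
            "update": sorted(k for k in want if k in current and current[k] != want[k]),
            "extra": sorted(k for k in current if k not in want),
        }
    return plan


def exit_code_for(plan):
    """Assumed --exit-code style convention: 0 if no create/update is pending, else 2."""
    pending = any(p["create"] or p["update"] for p in plan.values())
    return 2 if pending else 0


if __name__ == "__main__":
    problems = validate_config(CONFIG)
    if problems:
        raise SystemExit("\n".join(problems))
    plan = diff_phase(merge_phase(CONFIG, read_vault_fixture), CURRENT_STATE)
    for target, changes in plan.items():
        print(target, changes)
    raise SystemExit(exit_code_for(plan))
```

Keeping the merge step separate from the diff step is what makes the dry run trustworthy: the plan printed for a target is computed from the same resolved set that a real sync would write, and because the diff reports key names rather than values, the output is safe to surface as a CI annotation.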

```yaml
- name: Sync Secrets
  uses: jbcom/extended-data-library/packages/secretssync@secretssync-v2.0.2
  with:
    config: config.yaml
    dry-run: "false"
    output-format: "github"
  env:
    VAULT_ROLE_ID: ${{ secrets.VAULT_ROLE_ID }}
    VAULT_SECRET_ID: ${{ secrets.VAULT_SECRET_ID }}
```

This is the right path when you want repository-native secret promotion with dry-run annotations and exit codes suited to CI/CD control flow.


```python
from vendor_connectors.secrets import SecretsConnector

connector = SecretsConnector()

# Check the pipeline configuration before doing any work against Vault or the cloud.
is_valid, message = connector.validate_config("pipeline.yaml")
if is_valid:
    # Dry run: report what would change without writing to any target.
    result = connector.dry_run("pipeline.yaml")
    print(result.secrets_processed)
else:
    print(message)
```

SecretSync tools are also exposed to LangChain, CrewAI, and related frameworks through the vendor-connectors package surface.