Question

Synced Accounts from Different Systems

  • April 1, 2026
  • 2 replies
  • 78 views

rhagerm

Greetings all

I have a developer who is using AWS Secrets Manager for his code. However, he is passing the username and password from Active Directory over to the secret in AWS Secrets Manager and calling that JSON from Secrets Manager.

Ideally, yes, he should be calling it from BT and not AWS Secrets Manager but that would involve a lot of code rewrite for him on a production system.

We are looking at adding the secret in Secrets Manager as a synced account with the service account so that when we rotate the password on the service account, it would also rotate the password on the AWS Secrets Manager secret to the same password.

What he needs though, complicates it. He is storing this in his AWS secret

{"binddn":"cn=ldapauth_account,OU=Service,OU=Accounts,OU=company,DC=domain,DC=com","password":"abcabc"}

When BT rotates the password on the service account in AD, it writes the password to the secret in AWS wiping out everything so he ends up with something like newpassword instead of the whole line including the service account DN.

Anybody know of a way to work around this? He really needs the whole line and not just the password.

2 replies

  • BeyondTrust Employee
  • April 21, 2026

Hello @rhagerm

If you configure synced accounts, only the password is synchronized. When you are using an AD username and password and need that password embedded within a larger string, you can use a propagation action to update the AWS secret after each AD password change.

Start by creating a script that accepts input parameters and updates your AWS secret using the required format. This script can use the AWS CLI to perform the secret update.

Next, in Password Safe, create a custom propagation action that runs after an AD password change:
https://docs.beyondtrust.com/bips/docs/ps-add-windows-components#create-custom-propagation-action-to-run-a-script

Propagation actions can pass parameters to your script, for example:

  • Managed account name: %u
  • Managed account password: %p

After every password change, the script will run automatically and update the AWS secret with the new password embedded in your custom string, such as:

{
  "binddn": "cn=ldapauth_account,OU=Service,OU=Accounts,OU=company,DC=domain,DC=com",
  "password": "abcabc"
}

If you have any questions on this please let me know.

Regards,

John
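The reply above describes the propagation-action script but does not show one. Below is an added example of such a script; it is not from the original thread and not BeyondTrust's or AWS's own code. It assumes the propagation action invokes it as `python update_aws_secret.py SECRET_ID %u %p [BINDDN]` (so the managed account name and new password arrive as the second and third arguments), that the host already holds AWS credentials scoped to `secretsmanager:GetSecretValue` and `secretsmanager:PutSecretValue` on that one secret, and it uses boto3 where the reply suggests the AWS CLI (the same get/put calls exist in the CLI as `aws secretsmanager get-secret-value` / `put-secret-value`). The point it demonstrates is a read-modify-write: the current secret JSON is fetched, only the `password` key is replaced, and everything else (the `binddn` in the question, any other keys) survives. The optional `BINDDN` argument covers the failure mode from the question, where the stored value has already been flattened to a bare password and is no longer JSON. The `FakeSecretsManager` class is a constructed in-memory stand-in so the logic can be exercised offline.

```python
"""Propagation-action script: embed a rotated AD password into an existing
AWS Secrets Manager JSON secret without clobbering its other keys.

Added example (not from the forum thread or from BeyondTrust). Assumed invocation:
    python update_aws_secret.py SECRET_ID ACCOUNT_NAME NEW_PASSWORD [BINDDN]
where Password Safe substitutes %u for ACCOUNT_NAME and %p for NEW_PASSWORD.
"""
import json
import sys
from typing import Optional

PASSWORD_KEY = "password"  # key inside the secret JSON that holds the AD password


def merge_password(current_secret: str, new_password: str,
                   fallback_template: Optional[dict] = None) -> str:
    """Return the secret string with only the password field replaced.

    current_secret    -- SecretString currently stored in AWS
    new_password      -- rotated AD password (from %p)
    fallback_template -- JSON object to rebuild from when the stored value is
                         not a JSON object (e.g. after a plain-password overwrite)
    """
    try:
        data = json.loads(current_secret)
    except (json.JSONDecodeError, TypeError):
        data = None
    if not isinstance(data, dict):
        if fallback_template is None:
            raise ValueError("stored secret is not a JSON object and no template was given")
        data = dict(fallback_template)
    data[PASSWORD_KEY] = new_password  # all other keys, and their order, are preserved
    return json.dumps(data)


def update_secret(client, secret_id: str, new_password: str,
                  fallback_template: Optional[dict] = None) -> str:
    """Read-modify-write the secret through a Secrets Manager client; returns the new VersionId."""
    current = client.get_secret_value(SecretId=secret_id).get("SecretString", "")
    payload = merge_password(current, new_password, fallback_template)
    resp = client.put_secret_value(SecretId=secret_id, SecretString=payload)
    return resp["VersionId"]


class FakeSecretsManager:
    """Constructed in-memory stand-in for a boto3 Secrets Manager client (offline testing only)."""

    def __init__(self, secret_string: str):
        self.secret_string = secret_string
        self.versions = 0

    def get_secret_value(self, SecretId):
        return {"SecretString": self.secret_string}

    def put_secret_value(self, SecretId, SecretString):
        self.secret_string = SecretString
        self.versions += 1
        return {"VersionId": f"v{self.versions}"}


def main(argv):
    if len(argv) not in (4, 5):
        # usage only; the password must never be echoed to stdout/stderr or logs
        sys.stderr.write("usage: update_aws_secret.py SECRET_ID ACCOUNT_NAME NEW_PASSWORD [BINDDN]\n")
        return 2
    secret_id, account_name, new_password = argv[1:4]
    template = {"binddn": argv[4]} if len(argv) == 5 else None
    import boto3  # imported here so merge_password stays usable without boto3 installed
    client = boto3.client("secretsmanager")
    version = update_secret(client, secret_id, new_password, template)
    print(f"updated {secret_id} for {account_name}: version {version}")  # no password in output
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth checking when wiring this in: `%p` is delivered as a command-line argument, which is visible to anyone who can list processes on the host that runs the action, so that host should be as locked down as the Password Safe components themselves; and the IAM policy for the credentials the script runs under should name only the one secret's ARN rather than `secretsmanager:*`.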


rhagerm
  • Author
  • Veteran
  • May 4, 2026

Thanks John

I’ll give this a shot

~Ron