Secrets Manager
Definition
AWS Secrets Manager is a service for managing, retrieving, and rotating database credentials, API keys, and other secrets securely and efficiently.
Use Cases
- Amazon: Protecting and rotating credentials used by internal services that access databases and third-party APIs — Uses AWS Secrets Manager to store secrets encrypted with AWS KMS, grants least-privilege access via IAM roles to applications, and automates rotation using built-in rotation templates and AWS Lambda where needed. (Reduced operational risk from long-lived credentials, improved security posture through regular rotation, and simplified secret distribution to services without embedding secrets in code or configuration files.)
- Netflix: Managing sensitive configuration such as API keys and service credentials for cloud-native microservices — Uses a centralized secrets approach on AWS, integrating secrets retrieval into service runtime and deployment workflows, with access controlled by IAM and secrets encrypted using KMS. Rotation is automated for eligible credentials to minimize manual handling. (Lower likelihood of credential leakage, faster and safer deployments, and improved auditability of secret access across many services.)
Provider Equivalents
- AWS: AWS Secrets Manager
- Azure: Azure Key Vault
- GCP: Google Cloud Secret Manager
- OCI: OCI Vault
Frequently Asked Questions
- What's the difference between AWS Secrets Manager and AWS Systems Manager Parameter Store?
- Both can store sensitive values, but Secrets Manager is purpose-built for managing secrets and is commonly used for database credentials and API keys, including automated rotation workflows. Parameter Store is a general configuration and parameter service (including SecureString values) and is often used for application configuration; it does not offer the same built-in rotation, so rotation is typically handled by your own automation.
- When should I use AWS Secrets Manager?
- Use it when you need to store sensitive values (database passwords, API keys, OAuth client secrets), control access with IAM, audit access, and especially when you want automated rotation to reduce the risk of long-lived credentials. It’s a strong fit for production workloads where secrets must be updated regularly without redeploying apps or causing downtime.
- How much does AWS Secrets Manager cost?
- Pricing is based on the number of secrets stored and the number of API calls to retrieve/manage them, plus any additional costs for related services you use (for example, AWS KMS key usage and AWS Lambda invocations for rotation). Costs increase with more secrets, higher retrieval frequency, and more frequent rotation.
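The runtime pattern behind the use cases and FAQ above (retrieve the secret at runtime instead of embedding it, cache it, and pick up a rotated value without redeploying) as an added example that is not part of the original page. It assumes the secret is stored as a JSON string with `username` and `password` keys, and uses a constructed stand-in client so it runs offline; `authenticate` is a hypothetical callback standing in for a real database login.

```python
import json
import time

# Constructed stand-in for boto3's secretsmanager client so this runs offline.
# With boto3 the same call is boto3.client("secretsmanager").get_secret_value(
#     SecretId=..., VersionStage="AWSCURRENT").
class FakeSecretsManagerClient:
    def __init__(self, versions):
        self.versions = versions  # staging label -> secret JSON string
        self.calls = 0

    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT"):
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.versions[VersionStage]}


class SecretCache:
    """Fetch a JSON secret at runtime, cache it for a TTL, and refresh after a
    credential failure so a rotated value is picked up without a redeploy."""

    def __init__(self, client, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.client, self.secret_id, self.ttl, self.clock = client, secret_id, ttl_seconds, clock
        self._value, self._fetched_at = None, 0.0

    def get(self):
        now = self.clock()
        if self._value is None or now - self._fetched_at >= self.ttl:
            resp = self.client.get_secret_value(
                SecretId=self.secret_id, VersionStage="AWSCURRENT")
            raw = resp.get("SecretString") or resp["SecretBinary"].decode()
            self._value, self._fetched_at = json.loads(raw), now
        return self._value

    def invalidate(self):
        """Call after an auth failure: the secret has probably been rotated."""
        self._value = None


def connect_with_retry(cache, authenticate):
    """Use the cached credential; if it is rejected, refresh once and retry.
    `authenticate` is a hypothetical callable returning True on success."""
    creds = cache.get()
    if authenticate(creds):
        return creds
    cache.invalidate()
    creds = cache.get()
    if not authenticate(creds):
        raise RuntimeError("authentication failed even with the current secret")
    return creds
```

The retry-once-after-refresh step is what lets rotation happen while the service keeps running: the old value is used until it is rejected, then the AWSCURRENT version is fetched and used.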
Category: security
Difficulty: intermediate