Vault vs AWS Secrets Manager
Overview
HashiCorp Vault and AWS Secrets Manager solve overlapping problems with different philosophies. Vault is a multi-cloud, feature-rich secrets and identity platform you operate; Secrets Manager is a managed AWS service tightly integrated with the rest of AWS. The choice depends on cloud gravity, feature requirements, and how much operational surface you want to own.
- Vault. Multi-cloud, dynamic credentials for many backends, transit encryption, PKI, transform engine, identity broker. Self-hosted (or HCP) with real operational footprint.
- AWS Secrets Manager. Managed AWS-native, deep IAM integration, automatic RDS rotation, simple per-secret pricing. AWS-only by design.
- Operational fit. Vault wins for multi-cloud, complex secret types, and dynamic-credential workloads; Secrets Manager wins inside AWS where managed simplicity matters.
- Per-org decision and exit cost. Vault config is portable across clouds; Secrets Manager bakes you into AWS APIs.
The approach
Match the platform to your cloud surface, your secret-rotation requirements, and your platform-team capacity. Both work; the wrong one wastes engineering hours every week.
- Cloud-surface check. Single-cloud AWS workloads lean Secrets Manager; multi-cloud or hybrid leans Vault.
- Dynamic-credentials need. If you want short-lived database, AWS, or Kubernetes credentials issued on demand, Vault handles that natively across more backends.
- Operational footprint. Vault as self-hosted is real ops work; HCP Vault removes most of it; Secrets Manager removes all of it.
- Document the choice and the exit ramp. Capture rationale and how secrets would migrate if pricing or product changed.
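To make the dynamic-credentials distinction above concrete, the following Terraform sketch is an added example (not from the original page) that configures both models side by side: a Vault database role that mints a fresh, one-hour PostgreSQL login per lease, and a Secrets Manager secret that keeps one shared credential and rotates it every 30 days through a Lambda you operate. The hostname, role names, variables and the rotation Lambda ARN are placeholders.

```hcl
variable "vault_mgmt_password" { sensitive = true }  # placeholder: Vault's own management login
variable "rotation_lambda_arn" {}                     # placeholder: ARN of your RDS rotation Lambda

# --- Vault: dynamic, per-lease credentials (hashicorp/vault provider) ---
resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "app_pg" {
  backend       = vault_mount.db.path
  name          = "app-postgres"
  allowed_roles = ["app-readonly"]

  postgresql {
    # Vault alone holds this login; applications never see it.
    connection_url = "postgresql://{{username}}:{{password}}@db.example.internal:5432/app?sslmode=require"
    username       = "vault_mgmt"
    password       = var.vault_mgmt_password
  }
}

resource "vault_database_secret_backend_role" "app_readonly" {
  backend     = vault_mount.db.path
  name        = "app-readonly"
  db_name     = vault_database_secret_backend_connection.app_pg.name
  default_ttl = 3600   # each issued login lives one hour
  max_ttl     = 14400  # renewable up to four hours, then Vault drops the role
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  revocation_statements = ["DROP ROLE IF EXISTS \"{{name}}\";"]
}

# --- AWS Secrets Manager: one long-lived secret, rotated on a schedule ---
resource "aws_secretsmanager_secret" "app_pg" {
  name = "prod/app/postgres"  # placeholder name
}

resource "aws_secretsmanager_secret_rotation" "app_pg" {
  secret_id           = aws_secretsmanager_secret.app_pg.id
  rotation_lambda_arn = var.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = 30  # every consumer shares this value until the next rotation
  }
}
```

A leaked Vault-issued login is useless within the hour and tied to one lease in the audit log; a leaked Secrets Manager value is valid for every consumer until the next scheduled or manual rotation, which is the blast-radius difference the comparison turns on.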
Why this compounds
The right secrets platform keeps paying back: rotation becomes routine, applications get short-lived credentials, audit becomes a query, and the surface for credential leaks shrinks.
- Operational fit. Matching platform to cloud surface and rotation needs prevents weekly friction.
- Security posture. Short-lived dynamic credentials shrink leak blast radius; the right platform makes them practical.
- Engineering culture. Standardised secrets surface across services removes the per-team password spreadsheet.
- Decision trail for the next renewal. The data gathered during the evaluation becomes the renewal scorecard rather than a cold start.