HashiCorp Vault vs AWS Secrets Manager: Secrets Compared
Both manage secrets. Vault is the swiss-army knife; Secrets Manager is the kitchen knife. Pick by what you actually need to slice.
Vault strengths
- Vault: dynamic, short-lived credentials (database, cloud IAM), transit encryption as a service, a PKI engine that issues certificates, and it runs on any cloud or on-prem. Operationally substantial: you own the cluster, its storage backend, unsealing, upgrades and backups.
- Best when you genuinely need that breadth or you operate beyond AWS.
Secrets Manager strengths
- Secrets Manager: fully managed; IAM- and KMS-integrated; simple to use; rotation built in for RDS, Redshift and DocumentDB through AWS-provided Lambda functions, with a custom Lambda for anything else.
- Best when you live in AWS and want one less thing to operate.
Cost and operational overhead
Vault: a highly available cluster, a storage backend, unseal and backup procedures, upgrades, and an engineer who owns all of it. Realistic baseline: $1k-$5k/mo TCO including engineering time.
Secrets Manager: $0.40 per secret per month + $0.05 per 10k API calls. At modest scale (a few hundred to a couple of thousand secrets): $200-1,000/mo.
Self-hosted Vault breaks even around 5,000+ secrets: at that count the per-secret fee alone is about $2,000/mo, the low end of the Vault TCO band. API charges barely move the number (10 million calls a month is $50), so model on secret count, not request volume.
Lock-in tradeoff
Vault is portable; you can run it on any cloud or on-prem. Secrets Manager ties you to AWS, and the tie lives in every application that calls its API, so keep that call behind one small internal interface if you ever expect to move.
For most single-cloud teams, the lock-in is acceptable. For multi-cloud or hybrid, Vault wins.
Antipatterns
- Vault for 50 secrets when all you need is storage. Operational overhead exceeds value; the exception is needing dynamic credentials or PKI, which Secrets Manager does not offer.
- Secrets Manager without rotation. Defeats half the value: you pay per secret for what is then just an encrypted key-value store, and a leaked credential stays valid until someone notices.
- Both, with overlapping scope. Two sources of truth means nobody knows which copy is current, and rotating in one silently breaks whatever reads the other.
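As an added example (not from this article, and not AWS's or HashiCorp's code), here is a Python audit for the "Secrets Manager without rotation" antipattern. It works on the metadata that ListSecrets returns through boto3 (never secret values), runs offline against a constructed sample, and adds the check a console glance misses: rotation that is switched on but has not actually completed on its own schedule, which is what a quietly failing rotation Lambda looks like. The grace period, the sample secret names and the `--live` flag are assumptions for this example.

```python
"""Audit AWS Secrets Manager for missing or stale rotation.

Added example, not from the article. Operates on the dict shape boto3
returns from ListSecrets (SecretListEntry); the sample data below is
constructed so the audit runs without AWS credentials.
"""
from datetime import datetime, timedelta, timezone

# Slack added to the schedule before a rotation counts as stale.
# An assumption for this example, not an AWS setting.
STALE_GRACE = timedelta(days=2)


def classify_secret(secret, now):
    """Return 'ok', 'no-rotation' or 'stale-rotation' for one ListSecrets entry."""
    if not secret.get("RotationEnabled", False):
        return "no-rotation"
    rules = secret.get("RotationRules", {})
    next_due = secret.get("NextRotationDate")
    if next_due is not None:
        # Works for both rate()/cron() ScheduleExpression and day-based rules.
        return "stale-rotation" if now > next_due + STALE_GRACE else "ok"
    days = rules.get("AutomaticallyAfterDays")
    last = secret.get("LastRotatedDate")
    if days is None or last is None:
        # Rotation is "enabled" but nothing proves it has ever run on a schedule.
        return "stale-rotation"
    return "stale-rotation" if now - last > timedelta(days=days) + STALE_GRACE else "ok"


def audit(secrets, now=None):
    """Group secret names by finding; healthy secrets are omitted."""
    now = now or datetime.now(timezone.utc)
    findings = {"no-rotation": [], "stale-rotation": []}
    for s in secrets:
        verdict = classify_secret(s, now)
        if verdict != "ok":
            findings[verdict].append(s["Name"])
    return findings


def fetch_secrets(region_name=None):
    """Pull every secret's metadata with boto3 (needs secretsmanager:ListSecrets).
    Imported lazily so the classification logic runs without AWS access."""
    import boto3
    client = boto3.client("secretsmanager", region_name=region_name)
    out = []
    for page in client.get_paginator("list_secrets").paginate():
        out.extend(page["SecretList"])
    return out


# Constructed sample in the ListSecrets shape (names are invented).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"Name": "prod/db/app", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},           # healthy
    {"Name": "prod/api/stripe", "RotationEnabled": False},   # never rotated
    {"Name": "prod/db/reporting", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=95)},           # Lambda failing
    {"Name": "prod/cache/redis", "RotationEnabled": True,
     "RotationRules": {"ScheduleExpression": "rate(10 days)"},
     "LastRotatedDate": NOW - timedelta(days=15),
     "NextRotationDate": NOW - timedelta(days=5)},           # overdue
    {"Name": "legacy/ftp"},                                  # key absent entirely
]

if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    secrets = fetch_secrets() if live else SAMPLE
    for kind, names in audit(secrets, None if live else NOW).items():
        for name in names:
            print(f"{kind}: {name}")
```

Run it as-is to see the sample verdicts, or with `--live` against an account. Treat every "stale-rotation" hit as a rotation Lambda to debug, not as a reporting quirk: the secret is still marked as rotating, but the credential in use is older than your policy says it may be.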
What to do this week
Three moves. (1) Trial the candidate tool against one real workload for two weeks. (2) Compare it against your current setup on the criteria above: feature breadth, operational overhead, cost, and lock-in. (3) Plan the migration only if the trial shows real wins, not theoretical ones.