2024-09-02

Vault vs Secrets Manager: Production Secrets at Scale

Compare HashiCorp Vault and AWS Secrets Manager for enterprise secrets management. We break down operational complexity, cost, and real-world deployment patterns.

Managing secrets at scale is a silent killer of DevOps velocity. Choose wrong, and you're either wrestling with operational overhead or locking yourself into a vendor ecosystem. HashiCorp Vault and AWS Secrets Manager are the two dominant players—but they solve different problems in different ways.

The Core Difference

AWS Secrets Manager is a managed service. You define a secret, AWS handles encryption, rotation, and audit trails. It integrates natively with AWS services and costs pennies per secret per month.

HashiCorp Vault is software you run yourself. It's a secrets engine, authentication hub, and encryption-as-a-service platform rolled into one. You manage the infrastructure, but you own the entire system.

That distinction determines everything downstream.

Operational Complexity and Control

AWS Secrets Manager: Less to Maintain

With Secrets Manager, deployment is straightforward:

```bash
aws secretsmanager create-secret \
  --name prod/database/password \
  --secret-string file://secret.json \
  --region us-east-1
```

Rotation happens automatically. Audit trails flow into CloudTrail. You patch nothing. It scales without you thinking about it.

The trade-off: you inherit AWS's design decisions. If you need custom rotation logic or cross-account federation outside AWS's model, you're limited.

HashiCorp Vault: Flexibility Over Convenience

Vault requires you to run it somewhere—Kubernetes, VM, whatever. You provision the infrastructure, manage HA (usually with Consul), and handle upgrades. But you get radical flexibility.

Vault can store secrets, generate dynamic credentials on-the-fly, act as an OIDC provider, and manage encryption keys. Here's a practical example—generating ephemeral database credentials:

First, a Vault policy that lets the application read (i.e. request) credentials from the `app-read` database role:

```hcl
path "database/creds/app-read" {
  capabilities = ["read"]
}
```

Then the application asks Vault for a credential pair; each request creates a fresh database user tied to a Vault lease:

```python
import hvac

# Authenticate first: pass token=... or log in with one of hvac's auth methods
# (AppRole, Kubernetes, ...) before reading secrets.
client = hvac.Client(url='https://vault.example.com')
# Reads database/creds/app-read: Vault creates a new DB user for this lease
response = client.secrets.database.generate_credentials(name='app-read')
username = response['data']['username']
password = response['data']['password']
ttl = response['lease_duration']  # seconds until Vault revokes the user
print(f"Connect as {username} (expires in {ttl} seconds)")
```

These credentials expire automatically. Your app never stores a permanent password. That's powerful—and Secrets Manager can't do it natively.
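Because leased credentials expire, the application has to manage the lease: renew before expiry, fall back to a fresh credential when Vault refuses renewal (max_ttl reached) or the lease has already lapsed, and revoke on shutdown. The following is an added example, not code from the original post or from HashiCorp: it calls the hvac method names `secrets.database.generate_credentials`, `sys.renew_lease` and `sys.revoke_lease` but takes the client as a parameter, and `FakeVault` is a constructed in-memory stand-in so the example runs offline; the `app-read` role name comes from the policy above.

```python
import time
from types import SimpleNamespace

class DynamicCredential:
    """Keep one Vault dynamic DB credential usable: renew it near expiry, re-issue when
    the lease lapsed or renewal is refused. `client` is duck-typed to the hvac calls used."""
    def __init__(self, client, role, renew_fraction=0.25, clock=time.time):
        self.client, self.role, self.clock = client, role, clock
        self.renew_fraction = renew_fraction  # renew when this share of the TTL is left
        self.lease = None  # dict: username, password, lease_id, ttl, expires_at
    def _issue(self):
        r = self.client.secrets.database.generate_credentials(name=self.role)
        self.lease = dict(r["data"], lease_id=r["lease_id"], ttl=r["lease_duration"],
                          expires_at=self.clock() + r["lease_duration"])
        return self.lease
    def get(self):
        if self.lease is None:
            return self._issue()
        remaining = self.lease["expires_at"] - self.clock()
        if remaining <= 0:  # lapsed: Vault has already dropped the DB user
            return self._issue()
        if remaining < self.lease["ttl"] * self.renew_fraction:
            try:
                r = self.client.sys.renew_lease(lease_id=self.lease["lease_id"],
                                                increment=self.lease["ttl"])
                self.lease["expires_at"] = self.clock() + r["lease_duration"]
            except Exception:  # max_ttl reached or Vault unreachable: get fresh creds
                return self._issue()
        return self.lease
    def close(self):
        if self.lease is not None:  # revoke early so the DB user does not linger to TTL
            self.client.sys.revoke_lease(lease_id=self.lease["lease_id"])
            self.lease = None

class FakeVault:
    """Constructed in-memory stand-in for hvac.Client; refuses renewals past max_renewals."""
    def __init__(self, ttl=3600, max_renewals=1):
        self.ttl, self.max_renewals, self.issued, self.renewed, self.revoked = ttl, max_renewals, 0, 0, []
        self.secrets = SimpleNamespace(database=SimpleNamespace(generate_credentials=self._gen))
        self.sys = SimpleNamespace(renew_lease=self._renew,
                                   revoke_lease=lambda lease_id: self.revoked.append(lease_id))
    def _gen(self, name, mount_point="database"):
        self.issued += 1
        return {"lease_id": f"database/creds/{name}/{self.issued}", "lease_duration": self.ttl,
                "data": {"username": f"v-{name}-{self.issued}", "password": "constructed-pw"}}
    def _renew(self, lease_id, increment=None):
        if self.renewed >= self.max_renewals:
            raise RuntimeError("lease has reached max_ttl and cannot be renewed")
        self.renewed += 1
        return {"lease_duration": self.ttl}
```

With a real `hvac.Client` in place of `FakeVault`, call `get()` before opening each database connection and `close()` from your shutdown hook.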

Cost and Scale Implications

AWS Secrets Manager charges per secret and per API call (with a free tier). At 10,000 secrets with moderate rotation, expect $50–200/month. Predictable and small.

Vault's cost is infrastructure: a 3-node HA cluster on modest compute runs $200–500/month in AWS or on-prem. But you pay once regardless of secret count. At 50,000 secrets, Vault becomes cheaper. More importantly, one Vault cluster can serve your entire organization across clouds—AWS, GCP, on-premise, wherever.

Multi-Cloud and Ecosystem Lock-in

Secrets Manager is AWS-only in all but the narrowest sense. Yes, you can call it from anywhere that holds AWS credentials, but it's architecturally bound to the AWS ecosystem.

Vault runs anywhere and works with any platform. We've seen clients at LavaPi run a single Vault cluster for teams using AWS, Kubernetes, Terraform, and legacy on-prem systems simultaneously. That integration is hard to overstate.

When to Choose Each

Pick Secrets Manager if:

  • You're all-in on AWS
  • Your team is small and operational burden matters more than flexibility
  • You need fast time-to-value with minimal setup

Pick Vault if:

  • You operate across multiple clouds or on-premise infrastructure
  • You need dynamic credential generation
  • You have security teams with specific audit and compliance requirements
  • You're managing 20,000+ secrets

The Bottom Line

There's no universally correct answer. Secrets Manager is a hammer; Vault is a toolbox. For teams running entirely on AWS with straightforward secrets, Secrets Manager wins on simplicity. For organizations with hybrid infrastructure or complex credential needs, Vault's flexibility justifies the operational cost. The mistake is treating them as equivalent—they're not. Evaluate your architecture, your team's capacity, and your secret complexity. Pick accordingly.


LavaPi Team

Digital Engineering Company