Overview

AWS Secrets Manager is a service offered by Amazon Web Services that facilitates the management and protection of sensitive information used by applications, services, and IT resources. Launched in 2017, it provides a centralized mechanism for storing credentials such as database passwords, API keys, and OAuth tokens, rather than embedding them directly in code or configuration files. This approach helps to mitigate security risks associated with hardcoded secrets and improves an organization's security posture by reducing the attack surface for credential theft.

The service is designed for organizations that need to maintain strict control over access to sensitive data and comply with regulatory requirements. It features automatic secret rotation, which allows administrators to configure Secrets Manager to automatically rotate credentials for supported databases and services. This automation helps ensure that secrets are regularly updated without manual intervention, reducing the operational overhead and enhancing security by limiting the lifespan of any single secret. Integration with other AWS services, such as AWS Identity and Access Management (IAM), AWS CloudTrail, and AWS Lambda, enables fine-grained access control, auditing of secret usage, and custom rotation strategies.
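The rotation workflow described above, as an added example that is not part of the original page or of AWS's own rotation templates: Secrets Manager invokes the rotation function four times (createSecret, setSecret, testSecret, finishSecret), and the new version is staged under AWSPENDING until it has been verified, then promoted to AWSCURRENT. The API method names and version-stage labels are the real ones; FakeSecretsClient, the backend dict and all secret values are constructed stand-ins for the boto3 client and the database being rotated.

```python
import json
# Version-stage labels that drive the Secrets Manager rotation protocol
CURRENT, PENDING = "AWSCURRENT", "AWSPENDING"


class FakeSecretsClient:
    """Constructed in-memory stand-in for the boto3 secretsmanager client (not AWS code)."""
    def __init__(self, current_value):
        self.versions = {"v0": {"SecretString": current_value, "VersionStages": [CURRENT]}}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: d["VersionStages"] for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionStage=None, VersionId=None):
        for vid, d in self.versions.items():
            if vid == VersionId or VersionStage in d["VersionStages"]:
                return {"SecretString": d["SecretString"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"SecretString": SecretString, "VersionStages": list(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["VersionStages"].remove(VersionStage)
        self.versions[MoveToVersionId]["VersionStages"].append(VersionStage)


def rotate_step(event, client, backend, new_password):
    # One invocation of the rotation function; 'backend' is the credential store being rotated
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        secret = json.loads(client.get_secret_value(SecretId=secret_id, VersionStage=CURRENT)["SecretString"])
        secret["password"] = new_password  # stage the candidate under AWSPENDING; nothing uses it yet
        client.put_secret_value(SecretId=secret_id, ClientRequestToken=token, SecretString=json.dumps(secret), VersionStages=[PENDING])
        return
    pending = json.loads(client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage=PENDING)["SecretString"])
    if step == "setSecret":
        backend[pending["username"]] = pending["password"]  # push the pending credential to the backend
    elif step == "testSecret":
        if backend.get(pending["username"]) != pending["password"]:
            raise RuntimeError("pending credential rejected; AWSCURRENT stays unchanged")
    elif step == "finishSecret":  # promote AWSPENDING to AWSCURRENT only after the test step passed
        stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
        current_id = next(v for v, s in stages.items() if CURRENT in s)
        client.update_secret_version_stage(SecretId=secret_id, VersionStage=CURRENT, MoveToVersionId=token, RemoveFromVersionId=current_id)


def run_rotation(client, backend, token, new_password):
    # Drive the four steps in order, as Secrets Manager does, and return the new AWSCURRENT value
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate_step({"SecretId": "demo", "ClientRequestToken": token, "Step": step}, client, backend, new_password)
    return json.loads(client.get_secret_value(SecretId="demo", VersionStage=CURRENT)["SecretString"])
```

A real function would call get_random_password for the new value and use a database connection as the backend; because AWSCURRENT is only moved in the last step, a failure in setSecret or testSecret leaves running applications on the old, still-valid credential.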

AWS Secrets Manager is particularly beneficial for applications running within the AWS ecosystem, offering native integration and consistent operational patterns. Developers can retrieve secrets programmatically using the AWS SDKs, ensuring that applications always access the latest version of a secret. The service supports various secret types, including generic text secrets and specific credential types for Amazon RDS databases, Amazon Redshift, and other services. Its event-driven architecture allows for custom workflows, such as notifying security teams when a secret is accessed or rotated. This centralized approach to secrets management aligns with cloud-security best practice for reducing credential-management vulnerabilities, as advocated by industry experts and discussed on platforms such as Martin Fowler's blog.

Key features

  • Secure Secret Storage: Encrypts secrets at rest using AWS Key Management Service (KMS) and decrypts them only when needed by authorized applications or users.
  • Automatic Secret Rotation: Configures scheduled rotation for database credentials (e.g., Amazon RDS, Amazon Redshift) and other service credentials, reducing the risk of long-lived secrets.
  • Centralized Management: Provides a single dashboard to manage all application secrets, simplifying auditing and compliance efforts.
  • Fine-Grained Access Control: Integrates with AWS IAM to define granular permissions on who can access, modify, or rotate specific secrets, based on roles and policies.
  • Audit Trails: Logs all secret access attempts and rotation events to AWS CloudTrail, providing an auditable history for security analysis and compliance reporting.
  • Programmatic Access: Allows applications to retrieve secrets dynamically at runtime via AWS SDKs, eliminating the need to hardcode credentials.
  • Integration with AWS Services: Natively integrates with Amazon RDS, Amazon Redshift, AWS Lambda (for custom rotation logic), and AWS Certificate Manager (ACM) Private CA.
  • Cost Optimization: Enables secrets to be retrieved only when needed, potentially reducing exposure and simplifying credential management compared to self-managed solutions.
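An added example (not from the page) of putting the audit trail feature above to work: parse Secrets Manager events out of a CloudTrail export and flag successful reads by principals that are not expected for that secret, denied attempts, and rotation activity. The records, account ID, ARNs, IP addresses and the EXPECTED_READERS map are constructed sample data.

```python
import json


def _rec(name, arn, ip, secret, error=None):
    # Constructed CloudTrail record carrying only the fields the audit reads (sample data, not real)
    rec = {"eventSource": "secretsmanager.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn}, "requestParameters": {"secretId": secret}}
    if error:
        rec["errorCode"] = error
    return rec


APP = "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc"
ALICE = "arn:aws:iam::123456789012:user/alice"
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("GetSecretValue", APP, "10.0.1.5", "prod/db/credentials"),
    _rec("GetSecretValue", ALICE, "203.0.113.7", "prod/db/credentials"),
    _rec("GetSecretValue", ALICE, "203.0.113.7", "prod/api/key", error="AccessDeniedException"),
    _rec("RotateSecret", APP, "10.0.1.5", "prod/db/credentials"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": APP}},
]})

# Secret name -> principals expected to read it; any other successful reader is flagged
EXPECTED_READERS = {"prod/db/credentials": {"AppRole"}}


def principal_name(arn):
    # assumed-role/ROLE/session -> ROLE ; user/NAME -> user:NAME
    parts = arn.rsplit(":", 1)[-1].split("/")
    if parts[0] == "assumed-role":
        return parts[1]
    return ":".join(parts[:2])


def audit_secret_access(raw_trail, expected_readers):
    """Return (kind, secret, principal, detail) findings from a CloudTrail export."""
    findings = []
    for rec in json.loads(raw_trail)["Records"]:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue  # only Secrets Manager API activity is relevant here
        secret = rec.get("requestParameters", {}).get("secretId", "?")
        who = principal_name(rec["userIdentity"]["arn"])
        if rec.get("errorCode"):
            findings.append(("denied", secret, who, rec["errorCode"]))
        elif rec["eventName"] == "GetSecretValue" and who not in expected_readers.get(secret, set()):
            findings.append(("unexpected_reader", secret, who, rec["sourceIPAddress"]))
        elif rec["eventName"] in ("RotateSecret", "PutSecretValue", "UpdateSecretVersionStage"):
            findings.append(("rotated", secret, who, rec["eventName"]))
    return findings
```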

Pricing

AWS Secrets Manager pricing is based on the number of secrets stored and the number of API calls made to retrieve or manage those secrets. There is a free tier available for new users.

AWS Secrets Manager Pricing (as of 2026-05-06)

  Service Component   Pricing Model            Cost
  Secrets Stored      Per secret per month     $0.50 per secret
  API Calls           Per 10,000 API calls     $0.05 per 10,000 API calls
  Free Tier           Initial 30 days          Up to 5 secrets free

Source: AWS Secrets Manager Official Pricing Page

Common integrations

Alternatives

  • Azure Key Vault: Microsoft Azure's service for managing cryptographic keys, secrets, and certificates, offering similar features in the Azure ecosystem.
  • Google Secret Manager: Google Cloud's service for storing, managing, and accessing secrets like API keys, passwords, and certificates, providing native integration with GCP services.
  • HashiCorp Vault: An open-source and commercial tool offering advanced secrets management, encryption as a service, and identity-based access across multiple cloud and on-premises environments.

Getting started

To get started with AWS Secrets Manager using the AWS SDK for Python (Boto3), you can store and retrieve a simple secret. First, ensure you have the Boto3 library installed and your AWS credentials configured.

import json
import boto3
from botocore.exceptions import ClientError

# Human-readable explanations for the error codes Secrets Manager commonly returns
ERROR_MESSAGES = {
    'DecryptionFailureException': "Secrets Manager can't decrypt the protected secret text using the provided KMS key.",
    'InternalServiceError': "An error occurred on the server side.",
    'InvalidParameterException': "You provided an invalid value for a parameter.",
    'InvalidRequestException': "You provided a parameter value that is not valid for the current state of the resource.",
    'ResourceNotFoundException': "We can't find the resource that you asked for.",
}


def retrieve_secret(client, secret_name):
    """Fetch the current version of a secret and return its value (str or bytes)."""
    response = client.get_secret_value(SecretId=secret_name)
    if 'SecretString' in response:
        return response['SecretString']
    # Binary secrets come back as raw bytes under 'SecretBinary'
    return response['SecretBinary']


def create_and_retrieve_secret(secret_name, secret_value, region_name="us-east-1"):
    client = boto3.client('secretsmanager', region_name=region_name)

    try:
        # Store a new secret
        response = client.create_secret(Name=secret_name, SecretString=secret_value)
        print(f"Secret '{secret_name}' created successfully. ARN: {response['ARN']}")
    except ClientError as e:
        code = e.response['Error']['Code']
        if code == 'ResourceExistsException':
            print(f"Secret '{secret_name}' already exists. Attempting to retrieve.")
        else:
            print(ERROR_MESSAGES.get(code, f"An unexpected error occurred: {e}"))
            return None

    try:
        # Retrieve the secret (the one just created, or the pre-existing one)
        retrieved_secret = retrieve_secret(client, secret_name)
    except ClientError as e:
        code = e.response['Error']['Code']
        print(ERROR_MESSAGES.get(code, f"An unexpected error occurred: {e}"))
        return None

    # Confirm the retrieval without echoing the secret value to stdout or log files
    print(f"Retrieved secret '{secret_name}' ({len(retrieved_secret)} bytes); value not printed.")
    return retrieved_secret


# Example usage:
if __name__ == "__main__":
    my_secret_name = "myTestSecret/dev/credentials"
    my_secret_string = json.dumps({"username": "dbuser", "password": "dbpass123!"})
    create_and_retrieve_secret(my_secret_name, my_secret_string)

This Python script first attempts to create a secret with a specified name and value. If the secret already exists, it proceeds to retrieve it. Error handling is included to catch common issues like resource existence or decryption failures. For production environments, it is recommended to use specific IAM roles and policies to grant only the necessary permissions to create or retrieve secrets, as outlined in the AWS Secrets Manager access control documentation. After testing, remember to delete any test secrets created to avoid incurring charges.