
AWS Secrets Manager vs HashiCorp Vault: A Detailed Comparison for System Design

Compare AWS Secrets Manager and HashiCorp Vault for secrets management — covering features, pricing, dynamic secrets, and use cases.

16 min read · Updated Apr 25, 2026
Tags: aws-secrets-manager, hashicorp-vault, cloud, security, system-design

AWS Secrets Manager vs HashiCorp Vault

AWS Secrets Manager and HashiCorp Vault both manage secrets, but they occupy different levels of capability. Secrets Manager is a managed AWS service for storing and rotating secrets. Vault is a comprehensive secrets management platform with dynamic secrets, encryption as a service, and multi-cloud support.

Core Differences

AWS Secrets Manager — Simple and Managed

Secrets Manager stores key-value secrets in AWS, encrypted with KMS. It can automatically rotate secrets for RDS, Redshift, and DocumentDB using Lambda functions. Access is controlled via IAM policies. There is nothing to deploy, patch, or scale — AWS handles everything.

For AWS-native applications, this simplicity is powerful. Your Lambda function, ECS task, or EC2 instance retrieves secrets via the AWS SDK with IAM authentication.

HashiCorp Vault — Comprehensive Platform

Vault is a secrets management platform. Beyond static key-value storage, it generates dynamic secrets on demand — database credentials that exist for a single session, AWS IAM credentials with automatic expiration, SSH certificates, PKI certificates, and more. The Transit secrets engine provides encryption as a service without exposing keys.

Vault's security model includes multiple auth methods, fine-grained policies, namespaces for multi-tenancy, and comprehensive audit logging.

Dynamic Secrets

Vault's dynamic secrets are its most differentiating feature. Instead of storing a database password that many services share, Vault generates unique credentials per request with automatic revocation. If a credential leaks, it expires quickly and can be traced to a specific service.

Secrets Manager's rotation is periodic (minimum 4 hours). Vault's dynamic secrets are generated per request and live for minutes or hours.
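What "generated per request, with a lease" means on the client side, as an added Python example (not code from the article or from HashiCorp): it reads a dynamic database credential over Vault's HTTP API, turns the lease duration into an absolute expiry so the application can refresh before the credential dies, and revokes the lease early when the session is done. The Vault address, the role name `app-readonly`, the token permissions and the sample response values are assumptions.

```python
"""Client side of a Vault dynamic database credential (stdlib only).
Assumptions (not from the article): Vault at VAULT_ADDR, a database role named
"app-readonly", and a token allowed to read database/creds/app-readonly and
update sys/leases/revoke."""
import json, os, time, urllib.request
from dataclasses import dataclass

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")

# Constructed sample of a GET /v1/database/creds/<role> response (Vault's shape, made-up values).
SAMPLE_CREDS_RESPONSE = {
    "lease_id": "database/creds/app-readonly/EXAMPLE-LEASE-ID",
    "lease_duration": 3600, "renewable": True,
    "data": {"username": "v-token-app-readonly-x7gq3", "password": "constructed-pw"},
}

@dataclass
class DynamicCredential:
    username: str
    password: str
    lease_id: str
    expires_at: float  # epoch seconds; Vault drops the DB user when this passes
    renewable: bool

    def seconds_left(self, now: float) -> float:
        return max(0.0, self.expires_at - now)

def parse_creds_response(body: dict, issued_at: float) -> DynamicCredential:
    """Turn a creds response into a credential with an absolute expiry time."""
    return DynamicCredential(body["data"]["username"], body["data"]["password"], body["lease_id"],
                             issued_at + body["lease_duration"], bool(body.get("renewable")))

def should_refresh(cred: DynamicCredential, now: float, margin: float = 60.0) -> bool:
    """Re-fetch before the lease runs out rather than after a DB auth failure."""
    return cred.seconds_left(now) < margin

def vault_request(method: str, path: str, token: str, payload=None) -> dict:
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", method=method,
        data=json.dumps(payload).encode() if payload else None,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # revoke returns 204 with no body

def fetch_dynamic_creds(role: str, token: str) -> DynamicCredential:
    return parse_creds_response(vault_request("GET", f"database/creds/{role}", token), time.time())

def revoke(cred: DynamicCredential, token: str) -> None:
    # Revoking the lease deletes the DB user now instead of waiting for the TTL.
    vault_request("PUT", "sys/leases/revoke", token, {"lease_id": cred.lease_id})
```

A Secrets Manager client has no equivalent of the lease: `GetSecretValue` returns the current shared value, and the only time-based signal is the rotation schedule on the secret itself.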

Operational Reality

The trade-off is operational burden. Self-hosted Vault requires unsealing (decryption of the master key), HA configuration, storage backend management, and version upgrades. This is a significant investment. HCP Vault (managed) reduces this but adds cost.

Secrets Manager has zero operational overhead. For teams without a dedicated platform engineering function, this matters.

In system design interviews, secrets management architecture shows security awareness. See also: security patterns, infrastructure costs, and system architecture.
