AWS Secrets Manager
Securely store and retrieve sensitive configuration
💵 Cost Warning: Secrets Manager has NO Free Tier. Each secret costs $0.40/month + $0.05/10,000 API calls. Charges start immediately upon creation. Consider AWS Parameter Store (free tier) for non-rotating configuration values. See our Costs & Cleanup Guide for deletion steps.
What is Secrets Manager?
AWS Secrets Manager is a secure vault for storing sensitive data like database passwords, API keys, and tokens. Instead of hardcoding secrets in your code or environment variables, you retrieve them at runtime from Secrets Manager.
Never Hardcode Secrets
Secrets in code or .env files can be accidentally committed to Git, leaked in logs, or exposed in error messages. Secrets Manager provides encryption, access control, and audit logging.
Why Use Secrets Manager?
- Encryption: Secrets encrypted at rest with AWS KMS
- Access Control: IAM policies control who can read secrets
- Automatic Rotation: Rotate database passwords without app changes
- Audit Trail: CloudTrail logs every access
- Cross-Region Replication: For disaster recovery
Terminal
```bash
$ aws secretsmanager create-secret \
  --name my-app/production/database \
  --secret-string '{"username":"admin","password":"super-secret-123"}'
```
```json
{
  "ARN": "arn:aws:secretsmanager:ap-southeast-1:123456789:secret:my-app/production/database-AbCdEf",
  "Name": "my-app/production/database",
  "VersionId": "a1b2c3d4-..."
}
```
TypeScript
```typescript
import {
  SecretsManagerClient,
  GetSecretValueCommand
} from "@aws-sdk/client-secrets-manager"

const client = new SecretsManagerClient({
  region: process.env.AWS_REGION
})

// Cache secrets to avoid repeated API calls. The cache is keyed by secret
// name, so fetching a second secret does not return the first one.
const cache = new Map<string, Record<string, string>>()

export async function getSecret(secretName: string): Promise<Record<string, string>> {
  const cached = cache.get(secretName)
  if (cached) return cached
  const command = new GetSecretValueCommand({
    SecretId: secretName
  })
  const response = await client.send(command)
  if (response.SecretString) {
    const secret: Record<string, string> = JSON.parse(response.SecretString)
    cache.set(secretName, secret)
    return secret
  }
  // Secrets stored as SecretBinary are not handled here
  throw new Error("Secret not found")
}

// Usage
const dbConfig = await getSecret("my-app/production/database")
const connectionString = `postgres://${dbConfig.username}:${dbConfig.password}@...`
```
Caching
Always cache secrets to avoid hitting API rate limits and reduce latency. In serverless environments, cache in memory for the function lifetime.
Secrets Manager vs Parameter Store
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Automatic Rotation | Yes, built-in | No |
| Cross-Region Replication | Yes | No |
| Pricing | $0.40/secret/month + API calls | Free for standard, $0.05 per advanced parameter per month |
| Best For | Database credentials, API keys | Configuration, feature flags |
Pricing
| Component | Cost |
|---|---|
| Per secret per month | $0.40 |
| Per 10,000 API calls | $0.05 |
Cost Tip
Store multiple related values in a single secret as JSON. One secret with username + password costs less than two separate secrets.