AWS Secrets Manager
Learn how AWS Secrets Manager stores, rotates, and retrieves credentials and API keys securely for applications and automation.
AWS Secrets Manager is the managed secret storage service in AWS for credentials, API keys, tokens, and connection strings that should not live in code. For DevOps teams, it matters because it centralises secret rotation and retrieval so applications can read fresh values securely through IAM-authorised calls. Instead of relying on one fragile manual configuration, you can design a repeatable service boundary that stays stable while the workload behind it changes.
Core ideas
The main ideas to understand are secrets can store database passwords, API tokens, or other structured values in JSON or text form; automatic rotation commonly uses Lambda to generate and store a new credential on a schedule; applications on EC2, Lambda, or containers should retrieve secrets through IAM roles instead of embedding static values; and Secrets Manager and Parameter Store overlap, but Secrets Manager is stronger when full rotation workflows matter. These details shape architecture decisions, but they also shape day-to-day operations. When a team chooses defaults without understanding how the service behaves under failure, scale, or security review, the platform often becomes harder to debug than the application itself.
| Capability | Secrets Manager | Parameter Store |
|---|---|---|
| Secret rotation | Built-in workflow support | More limited and manual |
| Typical use | Credentials and tokens | Config values and some secrets |
| Cost profile | Higher | Often lower for simple parameters |
From an operations perspective, the goal is to move secret lifecycle into AWS controls and away from manual copy and paste practices that create drift and exposure. The comparison below highlights the choices that usually matter first. It is often better to start with a simpler design and add sophistication only after metrics, incidents, or delivery requirements prove the change is necessary.
Practical commands
aws secretsmanager create-secret --name app/db --secret-string '{"username":"app","password":"ChangeMe123!"}'
aws secretsmanager get-secret-value --secret-id app/db --query SecretString --output text
Practical CLI checks make the service easier to support in real environments. Use the commands below to inspect the current state and confirm that automation matches intent. Before you promote a change, verify IAM read access, rotation success, and application cache behaviour so new secret values are actually consumed. A safe default is short-lived secrets and automatic rotation wherever the downstream system supports it. That discipline makes later troubleshooting, scaling, and security reviews far less painful.
Secret storage
Which AWS service is designed to store and rotate API keys or database passwords?
Rotation
What service is commonly used to automate secret rotation in Secrets Manager?