AWS Secrets Manager vs. Parameter Store: Features, Cost & More

Learn how AWS Secrets Manager and Parameter Store differ in terms of access control, secret rotation, integration, and cost.

Oct 25, 2023

Secrets Manager and SSM Parameter Store are two AWS services that help you manage secrets and store application configuration data securely in the cloud. AWS introduced SSM Parameter Store and Secrets Manager in 2017 and 2018, respectively.

Even though these services help with managing secrets, they work differently. Parameter Store is primarily for storing configuration data, environment variables, database connection strings, and other general parameters related to your applications. Secrets Manager is used for managing sensitive information like database credentials, SSH key pairs, SSL/TLS certificates, passwords, API keys, tokens, and similar secrets.

In this article, we compare these two services in terms of different factors like access control, secret rotation, integration, and service cost. We also look at their limitations and how integration with Doppler can help us improve the use of these secret management services.

Summary of differences between AWS Secrets Manager and Parameter Store

Let’s take a quick look at a comparison between AWS Secrets Manager and Parameter Store.

Differences between Secrets Manager and Parameter Store, explained

While both Secrets Manager and Parameter Store can be used to store secrets, there are some key differences between them.

Use cases

AWS Secrets Manager works well in the following use cases:

  • Databases: AWS Secrets Manager can be used to store and manage credentials for databases like Amazon RDS, Amazon Redshift and DocumentDB. This helps prevent unauthorized access since Secrets Manager can automatically rotate long-lived credentials.
  • API keys and tokens: Secrets Manager can be used to store API keys, tokens, and other sensitive authentication information required by applications to interact with third-party services. Automatic rotation of secrets allows you to maintain security without manual intervention.
  • SSH key pair management: If your applications or servers require SSH access, Secrets Manager can automatically rotate the keys at specific intervals and enhance security.
  • SSL/TLS certificates: Secrets Manager can be used to store the certificates and keys required for securing applications. It can also help facilitate certificate rotation.

These are the best use cases for AWS Parameter Store:

  • Application configuration data: Parameter Store can store application configuration data, database connection strings, and feature flags, giving you centralized configuration management for your application.
  • Environment variables: Parameter Store can be used to store environment-specific variables such as API endpoints, Lambda function Amazon Resource Names (ARNs), IAM role ARNs, etc. This lets you avoid hard-coding these values in application logic and instead manage them centrally from the Parameter Store console.
  • Secrets: Parameter Store can store sensitive data using the SecureString parameter, but it is not specifically designed to store secrets.

Access control

AWS Secrets Manager and Parameter Store both support resource-level IAM policy creation to restrict access to secrets. This can be done by referencing their ARNs.

Here’s how this looks for an IAM policy for Secrets Manager:

And here’s how it appears for an IAM policy for Parameter Store:
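As an added example (not a policy from the article), here are resource-level policies for both services written as Python dicts, together with a deliberately simplified offline evaluator (explicit Deny beats Allow, `*` wildcards, no conditions) that shows which requests each permits. The account ID, region, secret and parameter names and the KMS key ID are constructed. Two points the evaluator makes visible: Secrets Manager ARNs end in a random six-character suffix, so the resource is scoped with a trailing wildcard on the name, and reading a SecureString parameter also needs `kms:Decrypt` on the key that protects it.

```python
"""Resource-level IAM policies for Secrets Manager and Parameter Store, plus a
simplified evaluator to show what each one permits. All IDs are constructed."""
import fnmatch
import json

# Secrets Manager ARNs end in a random 6-character suffix (...:secret:prod/db-AbCdEf),
# so scope to the secret name with a trailing wildcard instead of a fixed ARN.
SECRETS_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-*",
    }],
}

# Parameter Store ARNs embed the hierarchical name after "parameter". A SecureString
# is KMS-encrypted, so the reader also needs kms:Decrypt on the key (constructed ID).
# The Deny shows how to carve a sub-tree out of an otherwise broad Allow.
PARAMETER_STORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/*"},
        {"Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"},
        {"Effect": "Deny",
         "Action": "ssm:GetParameter*",
         "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/payments/*"},
    ],
}


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive, resources are not."""
    patterns = [patterns] if isinstance(patterns, str) else list(patterns)
    if ignore_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, then any Allow, else implicit deny.
    Conditions, principals and NotAction/NotResource are intentionally not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action, ignore_case=True) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(SECRETS_MANAGER_POLICY, indent=2))
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"
    print("read prod/db:", is_allowed(SECRETS_MANAGER_POLICY, "secretsmanager:GetSecretValue", secret))
```

The policies are the documents you would attach to the reading role; the evaluator only exists to make the scoping visible offline and must not be mistaken for IAM's real decision logic, which also applies conditions, SCPs and permission boundaries.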

Maximum size

AWS Secrets Manager supports secrets up to 10 KB in size, whereas in Parameter Store, standard parameters are limited to 4 KB and advanced parameters to 8 KB.

Encryption

Both AWS Secrets Manager and Parameter Store use the AWS Key Management Service (KMS) for encryption. Secrets Manager encrypts every secret by default, whereas in Parameter Store encryption is opt-in: choose the SecureString parameter type.

Cross-account access

AWS Secrets Manager supports built-in cross-account access using resource permissions, while Parameter Store does not.

Cross-region replication

AWS Secrets Manager supports built-in cross-region replication of secrets, while Parameter Store does not. You can, however, manually create the secrets in another region.

Secret rotation

Secrets Manager supports automatic secret rotation. Managed rotation is limited to AWS services like RDS, DocumentDB, and Redshift clusters. Rotation can run on a fixed schedule or on demand, triggered from the console, the AWS CLI, or an AWS SDK.

Parameter Store does not support automatic secret rotation. However, you can manually update and maintain the values whenever required.

Random secret generation

Secrets Manager can generate a unique random string as the secret value during initial creation. This comes in handy when creating strong passwords.

Parameter Store does not have this feature: you supply both the parameter name and its value when creating it.
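Because Parameter Store has no generator of its own, values for it are usually produced client-side before the parameter is created. As an added example (not from the article or from Doppler), here is a local generator built on Python's secrets module, a CSPRNG, with options named after the knobs of the Secrets Manager GetRandomPassword API (PasswordLength, ExcludeCharacters, RequireEachIncludedType) so the same rules can be enforced for both services. It also handles the two edge cases that trip people up: an exclusion list that empties a whole character class, and a length too short to include every class.

```python
"""Local random secret generation for Parameter Store values, mirroring the
PasswordLength / ExcludeCharacters / RequireEachIncludedType options of
Secrets Manager's GetRandomPassword. Added example; uses only the stdlib."""
import secrets
import string


def _classes(exclude_characters):
    """Character classes after applying the exclusion list; emptied classes are dropped."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    classes = ["".join(ch for ch in cls if ch not in exclude_characters) for cls in classes]
    classes = [cls for cls in classes if cls]
    if not classes:
        raise ValueError("exclusion list removes every character")
    return classes


def check_policy(value, exclude_characters="", require_each_type=True):
    """True if value uses only allowed characters and (optionally) every kept class."""
    classes = _classes(exclude_characters)
    alphabet = "".join(classes)
    if any(ch not in alphabet for ch in value):
        return False
    return not require_each_type or all(any(ch in cls for ch in value) for cls in classes)


def generate_secret(length=32, exclude_characters="", require_each_type=True):
    """Return a random value of the given length drawn with a CSPRNG."""
    classes = _classes(exclude_characters)
    if require_each_type and length < len(classes):
        raise ValueError(f"length {length} cannot include all {len(classes)} character classes")
    alphabet = "".join(classes)
    while True:
        # Rejection sampling: redraw instead of patching characters in, so the
        # distribution over accepted values stays uniform.
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_policy(value, exclude_characters, require_each_type):
            return value


if __name__ == "__main__":
    # Shell-unfriendly characters excluded so the value survives being passed on a command line.
    print(generate_secret(40, exclude_characters="'\"\\`$"))
```

The generated value is then stored with the standard tooling (for example the put-parameter CLI command with the SecureString type and a customer managed KMS key); the generator deliberately knows nothing about AWS so it can be unit-tested and reused.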

Audit

Secrets Manager and Parameter Store do not have built-in audit and monitoring capabilities. However, at an additional cost, you can integrate both with other AWS services like CloudTrail and CloudWatch to track access to these secrets.
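CloudTrail is where the access record lives once it is enabled, so the triage below is the kind of check a team would run over those records to get value from that extra cost. It is an added example, not from the article or from Doppler: the four records are constructed (the field names eventSource, eventName, userIdentity.arn, requestParameters and errorCode are the real CloudTrail ones), and EXPECTED_READERS is an assumed allow-list of principals that you would replace with your own.

```python
"""Triage CloudTrail records for reads of Secrets Manager secrets and SSM parameters.
Added example with constructed records; field names follow the CloudTrail schema."""
import json

# Read-type API calls worth reviewing, keyed by CloudTrail eventSource.
READ_EVENTS = {
    "secretsmanager.amazonaws.com": {"GetSecretValue", "BatchGetSecretValue"},
    "ssm.amazonaws.com": {"GetParameter", "GetParameters", "GetParametersByPath"},
}

# Assumption: principals expected to read production secrets (constructed role ARN).
EXPECTED_READERS = {
    "arn:aws:sts::123456789012:assumed-role/prod-app-role/i-0abc123def456",
}

# Constructed newline-delimited CloudTrail records: a normal read, a denied read by an
# IAM user from outside, a recursive dump of the whole parameter tree, and a write.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2023-10-25T10:01:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/prod-app-role/i-0abc123def456"},"sourceIPAddress":"10.0.1.20","requestParameters":{"secretId":"prod/db"}}
{"eventTime":"2023-10-25T10:02:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"GetSecretValue","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.5","requestParameters":{"secretId":"prod/db"},"errorCode":"AccessDeniedException"}
{"eventTime":"2023-10-25T10:03:00Z","eventSource":"ssm.amazonaws.com","eventName":"GetParametersByPath","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-role/build-42"},"sourceIPAddress":"10.0.2.7","requestParameters":{"path":"/","recursive":true,"withDecryption":true}}
{"eventTime":"2023-10-25T10:04:00Z","eventSource":"secretsmanager.amazonaws.com","eventName":"PutSecretValue","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/rotation-lambda/rotate"},"sourceIPAddress":"secretsmanager.amazonaws.com","requestParameters":{"secretId":"prod/db"}}
"""


def target_of(rec):
    """Best-effort name of the secret or parameter(s) the call touched."""
    p = rec.get("requestParameters") or {}
    return p.get("secretId") or p.get("name") or p.get("path") or ",".join(p.get("names", [])) or "?"


def triage(records, expected=EXPECTED_READERS):
    """Return one finding per suspicious read. `records` is an iterable of JSON lines."""
    findings = []
    for line in records:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("eventName") not in READ_EVENTS.get(rec.get("eventSource"), ()):
            continue                                   # writes and other services: out of scope here
        principal = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        params = rec.get("requestParameters") or {}
        reasons = []
        if principal not in expected:
            reasons.append("read by unexpected principal")
        if rec.get("errorCode"):
            reasons.append(f"failed with {rec['errorCode']}")   # denied attempts are still signal
        if rec.get("eventName") == "GetParametersByPath" and params.get("recursive") and params.get("path") in ("/", ""):
            reasons.append("recursive read of the whole parameter tree")
        if reasons:
            findings.append({"time": rec.get("eventTime"), "principal": principal,
                             "source_ip": rec.get("sourceIPAddress"),
                             "target": target_of(rec), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CLOUDTRAIL.splitlines()):
        print(finding)
```

In practice the same logic runs as a CloudWatch Logs metric filter or an Athena query over the CloudTrail bucket; the Python form is here so the rules can be read and tested in one place. Note that the successful read by the expected role produces no finding, which is the point of maintaining the allow-list rather than alerting on every read.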

Cost

For the first 10,000 API calls:

  • Secrets Manager costs $0.40 per secret per month.
  • Parameter Store does not charge for standard parameters but charges $0.05 per advanced parameter per month.

For the next 10,000 API calls, $0.05 is charged for both.

Key Limitations

Here are some important limitations to keep in mind for these two products:

  • The AWS Secrets Manager managed secret rotation capability is limited to AWS services like RDS, DocumentDB, and Redshift clusters only. For other secrets, users will have to write a custom Lambda function and assign it the appropriate permissions to carry out secret rotation, which can be cumbersome and error-prone.
  • AWS Secrets Manager can be costly for small-scale applications.
  • AWS Parameter Store does not have built-in secret rotation capability.
  • Parameter Store does not provide cross-account access or cross-region replication.
  • Parameter Store does not provide random password generation capability.
  • Both secret management systems lack built-in auditing. They rely on other AWS services for auditing, which can increase costs.
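The custom rotation Lambda mentioned in the first limitation above, and the rotation capability described under Secret rotation, both follow a fixed four-step protocol: Secrets Manager invokes the function once per step (createSecret, setSecret, testSecret, finishSecret) with an event carrying SecretId, ClientRequestToken and Step. The handler below is an added example, not code from the article or from Doppler; it follows that protocol using only real Secrets Manager API calls (describe_secret, get_secret_value, put_secret_value, update_secret_version_stage). The client and the two downstream callables are injected so the example runs offline against the constructed in-memory FakeSecretsManager at the bottom; in a real deployment you would pass boto3.client("secretsmanager") and functions that push and verify the credential in the target system. The secret ARN and version IDs are constructed.

```python
"""Custom rotation handler following the four-step protocol Secrets Manager drives.
Added example: the client is injected, and FakeSecretsManager is a constructed stand-in."""
import secrets
from types import SimpleNamespace


def rotate(event, client, set_downstream, test_downstream):
    """Handle one rotation step; returns the step name, or "noop" on a retry of a finished rotation."""
    secret_id, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    # Guard rails: the version must be known and labelled AWSPENDING; a version that is
    # already AWSCURRENT means this rotation already finished, so do nothing.
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    if token not in stages:
        raise ValueError(f"version {token} has no stage for rotation of {secret_id}")
    if "AWSCURRENT" in stages[token]:
        return "noop"
    if "AWSPENDING" not in stages[token]:
        raise ValueError(f"version {token} is not labelled AWSPENDING for {secret_id}")

    if step == "createSecret":
        # Idempotent: only generate a value if the pending version has none yet.
        try:
            client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        except client.exceptions.ResourceNotFoundException:
            client.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                    SecretString=secrets.token_urlsafe(32),
                                    VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        set_downstream(pending["SecretString"])        # push the new credential to the target system
    elif step == "testSecret":
        pending = client.get_secret_value(SecretId=secret_id, VersionId=token, VersionStage="AWSPENDING")
        if not test_downstream(pending["SecretString"]):
            raise RuntimeError("pending credential does not work; not promoting it")
    elif step == "finishSecret":
        # Move the AWSCURRENT label from the old version to the new one in one call.
        current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=secret_id, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current)
    else:
        raise ValueError(f"unknown rotation step {step}")
    return step


class FakeSecretsManager:
    """Constructed in-memory stand-in for the boto3 secretsmanager client (only the calls used above)."""

    class ResourceNotFoundException(Exception):
        pass

    def __init__(self, current_value="old-token"):
        self.exceptions = SimpleNamespace(ResourceNotFoundException=self.ResourceNotFoundException)
        self.values = {"v1": current_value}
        # Secrets Manager labels the new version AWSPENDING before invoking createSecret.
        self.stages = {"v1": ["AWSCURRENT"], "v2": ["AWSPENDING"]}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {k: list(v) for k, v in self.stages.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        if VersionId not in self.values:
            raise self.ResourceNotFoundException(VersionId)
        return {"SecretString": self.values[VersionId]}

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken] = SecretString

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[RemoveFromVersionId].append("AWSPREVIOUS")   # as the service does on promotion
        self.stages[MoveToVersionId].append(VersionStage)


def run_rotation(client, downstream,
                 secret_id="arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/api-token-AbCdEf"):
    """Drive the four steps the way Secrets Manager would; returns the newly current value.
    `downstream` is a dict standing in for the system that consumes the credential."""
    base = {"SecretId": secret_id, "ClientRequestToken": "v2"}   # constructed; a UUID in practice
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate({**base, "Step": step}, client,
               set_downstream=lambda v: downstream.__setitem__("token", v),
               test_downstream=lambda v: downstream.get("token") == v)
    stages = client.describe_secret(SecretId=secret_id)["VersionIdsToStages"]
    current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    return client.get_secret_value(SecretId=secret_id, VersionId=current)["SecretString"]


if __name__ == "__main__":
    fake, target = FakeSecretsManager(), {"token": "old-token"}
    print("rotated to", run_rotation(fake, target), "stages:", fake.stages)
```

The error-prone parts the article warns about are exactly the guard rails and the testSecret step: if the new credential is promoted to AWSCURRENT before the downstream system accepts it, every consumer breaks at once, and if the function is not idempotent a retried createSecret overwrites a value that setSecret may already have pushed.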

Should you use AWS Secrets Manager or Parameter Store?

Choosing the right solution for storing your secret comes down to the type of secret you are working with. If you want to store sensitive, password-like secrets, you can go for Secrets Manager since it has features like automatic string generation, rotation, and replication. If you want to store simple environment variables like credentials, you can go with Parameter Store.

Both of these services can be used more efficiently when you integrate them with Doppler. Doppler is a secret management platform that acts as the single source of truth for secrets across various platforms like AWS, Azure, GCP, GitHub, GitLab, and Kubernetes among others.

Combining AWS Secrets Manager or Parameter Store with Doppler provides an additional layer of resiliency and flexibility for workflows. Developers can directly push secrets to AWS services or consume them without any disruption to their workflows using Doppler, eliminating the need to toggle between AWS accounts and services. Doppler also provides efficient access logging for teams to make tracking the secrets straightforward.

Check out Doppler integration with Secrets Manager and Parameter Store if you want to learn more about their seamless integration with AWS services.

Getting started with Secrets Manager and Parameter Store

AWS lets you create Secrets Manager secrets and Parameter Store parameters via the console, the CLI, infrastructure as code (IaC), or the AWS SDK. In this section, we look at how to do this using the console and CLI. We also go through how to integrate both services with Doppler and improve the ease of access.

Secrets Manager

Using the console

1. To create Secrets Manager secrets using the console, go to the Secrets Manager service and click on Store a new secret.

2. Next, choose the type of secret you want to store and enter the values.

3. Choose the encryption key and click on Next.

4. Name your secret and add a description. It is recommended to name the secrets in a way that makes it easier for you to understand what the secret is used for. You can also add tags to it.

5. Add resource permissions if you want the secret to be accessible from another AWS account. Also choose cross-region replication configuration if you want to replicate the secret in another region.

6. Set up automatic secret rotation, if you want, by choosing a schedule or providing a cron expression.

7. Finally, click on Store to finish creating your secret.

Using the command line interface (CLI)

To create secrets using the CLI, follow this syntax:

Secrets Manager integration with Doppler

Now that we’ve created our secrets, let’s take a quick look at how we can integrate with Doppler.

First, navigate to the Doppler dashboard, then choose your project, and click on Integrations.

This will list all the possible integrations. Let’s choose Secrets Manager.

Doppler uses IAM role assumption on the backend to connect with AWS. Follow the tutorial here to learn how to establish a connection with AWS from Doppler.

Create an IAM role with the permissions listed in the tutorial, paste the role ARN in the integration console, and click Connect.

Next, choose the config that you want to sync and the AWS region and path where you want Doppler to store the secrets on your behalf.

Finally, click on Set Up Integration to finish the integration process. This will take you to the integrations page, where you can see the status of your connection.

That’s it! You’ve successfully integrated Secrets Manager with Doppler. The secrets you create in Doppler will now reflect in your AWS account.

Let’s verify this by creating a secret from Doppler. Click on Add First Secret.

Enter the secret key and value, then click Save.

This will automatically sync the secrets with AWS. Let’s verify this by going to Secrets Manager in the AWS console.

Parameter Store

Using the console

1. To create a parameter using the console, go to Systems Manager, choose Parameter Store, and click Create parameter.

2. Next, name your parameter, give it a description, and choose the tier and the parameter type.

3. Enter the value for your parameter and add tags, if any. Click on Create parameter to finish creating your parameter.

Using the command line interface (CLI)

To create parameters using the CLI, follow this syntax:

Parameter Store integration with Doppler

Since we already have Secrets Manager integrated with Doppler, we can click on Add Sync to integrate Parameter Store with Doppler. If you want to integrate Parameter Store with Doppler for the first time instead, navigate to the Doppler dashboard, choose your project, click on Integrations, and choose Parameter Store.

As we saw while integrating Secrets Manager with Doppler, IAM role assumption is used on the backend to connect with AWS. Create an IAM role following the tutorial here, paste the role ARN in the integration console, and click Connect.

Next, choose the config to sync, select the region, and enter the path under which you want Doppler to create secrets on your behalf. Click Set Up Integration to complete the process.

Doppler will now automatically sync the secrets you create in the Doppler dashboard with AWS.

Conclusion

This article gives a detailed comparison between Secrets Manager and Parameter Store for credential management. While both these services can be used for handling secrets, Secrets Manager offers automatic rotation and default encryption capabilities, though at an extra cost. Parameter Store does not offer these features but is still a good choice for small applications.

The article also highlights how integration with Doppler can improve these services. Doppler provides a centralized platform for secret management, reduces vulnerabilities, helps fine-tune access control, automates workflows with the Doppler CLI, and enables detailed audit logs.

If you’re interested in learning more about Doppler, check out their Team free trial for 14 days without a credit card or request a demo to try Doppler Enterprise.