Secrets Manager and SSM Parameter Store are two AWS services that help you manage secrets and store application configuration data securely in the cloud. AWS introduced SSM Parameter Store and Secrets Manager in 2017 and 2018, respectively.
Even though these services help with managing secrets, they work differently. Parameter Store is primarily for storing configuration data, environment variables, database connection strings, and other general parameters related to your applications. Secrets Manager is used for managing sensitive information like database credentials, SSH key pairs, SSL/TLS certificates, passwords, API keys, tokens, and similar secrets.
In this article, we compare these two services in terms of different factors like access control, secret rotation, integration, and service cost. We also look at their limitations and how integration with Doppler can help us improve the use of these secret management services.
Let’s take a quick look at a comparison between AWS Secrets Manager and Parameter Store.
While both Secrets Manager and Parameter Store can be used to store secrets, there are some key differences between them.
These are the best use cases for AWS Parameter Store:
AWS Secrets Manager and Parameter Store both support resource-level IAM policy creation to restrict access to secrets. This can be done by referencing their ARNs.
Here’s how this looks for an IAM policy for Secrets Manager:
And here’s how it appears for an IAM policy for Parameter Store:
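The two policy documents the article refers to are not reproduced here. As an added example (not the article's code), the block below builds one constructed resource-level policy for each service and runs a small evaluator over them, so the effect of an ARN pattern on a given secret or parameter can be checked before the policy is deployed. It models the part of IAM evaluation that matters for this purpose (explicit Deny wins, otherwise some Allow must match, `*` and `?` wildcards in Action and Resource); NotAction, NotResource and Condition are not modelled. Account ids, regions and secret names are constructed sample values.

```python
"""Constructed resource-level IAM policies for Secrets Manager and Parameter
Store, plus a minimal evaluator to check what they permit (added example)."""
import re


def _glob_to_regex(pattern: str, ignore_case: bool) -> re.Pattern:
    """Translate an IAM wildcard pattern into an anchored regular expression."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    # IAM matches action names case-insensitively and resource ARNs case-sensitively.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return any(_glob_to_regex(a, True).match(action) for a in actions) and any(
        _glob_to_regex(r, False).match(resource) for r in resources
    )


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if the policy permits `action` on `resource` (Deny overrides Allow)."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit deny wins regardless of any allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Secrets Manager appends a random six-character suffix to every secret ARN
# (e.g. ":secret:prod/payments/db-AbCdEf"), so a policy naming the secret must
# end in a wildcard or it silently matches nothing. Sample account/region values.
SECRETS_MANAGER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/payments/db-*",
        }
    ],
}

# Parameter Store ARNs carry the parameter path, so a hierarchy can be granted
# with a trailing wildcard and a sensitive sub-tree carved out with a Deny.
PARAMETER_STORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"],
            "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/payments/*",
        },
        {
            "Effect": "Deny",
            "Action": "ssm:*",
            "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/payments/admin/*",
        },
    ],
}


if __name__ == "__main__":
    sm_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/payments/db-Ab12Cd"
    print("read payments db secret:", is_allowed(SECRETS_MANAGER_POLICY, "secretsmanager:GetSecretValue", sm_arn))
    print("write payments db secret:", is_allowed(SECRETS_MANAGER_POLICY, "secretsmanager:PutSecretValue", sm_arn))
    admin_arn = "arn:aws:ssm:us-east-1:123456789012:parameter/prod/payments/admin/root-token"
    print("read admin parameter:", is_allowed(PARAMETER_STORE_POLICY, "ssm:GetParameter", admin_arn))
```

The evaluator is deliberately small; it is a pre-deployment sanity check for the ARN patterns, not a replacement for the IAM policy simulator.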
AWS Secrets Manager supports secrets up to 10 KB in size, whereas Parameter Store limits standard parameters to 4 KB and advanced parameters to 8 KB.
Both AWS Secrets Manager and Parameter Store use the AWS Key Management Service (KMS) for encryption. Secrets Manager encrypts every secret by default; in Parameter Store, encryption is opt-in by creating the parameter as a SecureString.
AWS Secrets Manager supports built-in cross-account access using resource permissions, while Parameter Store does not.
AWS Secrets Manager supports built-in cross-region replication of secrets, while Parameter Store does not. You can, however, manually create the secrets in another region.
Secrets Manager supports an automatic secrets rotation capability. The managed secrets rotation is limited to AWS services like RDS, DocumentDB, and Redshift clusters. The rotation can be done on a fixed schedule or on demand by using the console, AWS CLI, or AWS SDK.
Parameter Store does not support automatic secret rotation. However, you can manually update and maintain the values whenever required.
Secrets Manager can generate a unique random string as the secret value during initial creation, which is handy for producing strong passwords.
Parameter Store does not have this feature. You have to supply both the parameter name and the secret value when creating it.
Secrets Manager and Parameter Store do not have built-in audit and monitoring capabilities. However, at an additional cost, you can integrate both with other AWS services like CloudTrail and CloudWatch to keep track of access to these secrets.
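Secrets Manager drives rotation by invoking a Lambda function four times with `Step` set to `createSecret`, `setSecret`, `testSecret` and `finishSecret`, tracking versions with the `AWSCURRENT`, `AWSPENDING` and `AWSPREVIOUS` staging labels. The block below is an added example, not the article's or AWS's code: a custom rotation handler for a username/password secret that also generates the new password from a CSPRNG, the way the random-string feature does at creation time. `FakeSecretsManager` and `FakeDatabase` are constructed stand-ins for the boto3 client and the target database so the whole flow runs offline.

```python
"""Custom Secrets Manager rotation handler with an offline stand-in client
(added example). Names, secret ids and version ids are constructed."""
import json
import secrets
import string


def generate_password(length: int = 32, exclude: str = "\"'\\/@ ") -> str:
    """Random password guaranteeing upper, lower, digit and punctuation;
    `exclude` drops characters that commonly break connection strings."""
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation if c not in exclude]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


class FakeSecretsManager:
    """In-memory stand-in for the three client calls the handler needs (constructed)."""

    def __init__(self, current: dict):
        self.versions = {"v0": {"value": json.dumps(current), "stages": {"AWSCURRENT"}}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, v in self.versions.items():
            if vid == VersionId or (VersionStage and VersionStage in v["stages"]):
                return {"VersionId": vid, "SecretString": v["value"]}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"value": SecretString, "stages": set(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":  # the real service relabels the old version AWSPREVIOUS
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


class FakeDatabase:
    """Stand-in for the database whose password is being rotated (constructed)."""

    def __init__(self, user: str, password: str):
        self.creds = {user: password}

    def set_password(self, user: str, password: str) -> None:
        self.creds[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.creds.get(user) == password


def _version(client, secret_id: str, token: str) -> dict:
    return json.loads(client.get_secret_value(SecretId=secret_id, VersionId=token)["SecretString"])


def rotate(client, db, event: dict) -> None:
    """Lambda-style handler: one invocation per step, safe to retry."""
    sid, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":
        try:
            _version(client, sid, token)  # pending version already exists: a retry, nothing to do
            return
        except LookupError:
            pass
        current = json.loads(client.get_secret_value(SecretId=sid, VersionStage="AWSCURRENT")["SecretString"])
        client.put_secret_value(SecretId=sid, ClientRequestToken=token,
                                SecretString=json.dumps(dict(current, password=generate_password())),
                                VersionStages=["AWSPENDING"])
    elif step == "setSecret":
        pending = _version(client, sid, token)
        db.set_password(pending["username"], pending["password"])  # push the new credential to the system
    elif step == "testSecret":
        pending = _version(client, sid, token)
        if not db.login(pending["username"], pending["password"]):
            raise RuntimeError("pending credentials rejected; AWSCURRENT is left untouched")
    elif step == "finishSecret":
        current_id = client.get_secret_value(SecretId=sid, VersionStage="AWSCURRENT")["VersionId"]
        if current_id != token:  # only promote once; clients reading AWSCURRENT switch atomically
            client.update_secret_version_stage(SecretId=sid, VersionStage="AWSCURRENT",
                                               MoveToVersionId=token, RemoveFromVersionId=current_id)
    else:
        raise ValueError(f"unknown rotation step {step!r}")


def run_rotation(client, db, secret_id: str = "prod/payments/db", token: str = "v1") -> dict:
    """Drive the four steps the way Secrets Manager would; returns the new AWSCURRENT value."""
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        rotate(client, db, {"SecretId": secret_id, "ClientRequestToken": token, "Step": step})
    return json.loads(client.get_secret_value(SecretId=secret_id, VersionStage="AWSCURRENT")["SecretString"])
```

The ordering is the point: the new credential is written to the target system and verified before `AWSCURRENT` moves, so a failed `testSecret` leaves every consumer on the old, still-valid version, and the old version stays readable as `AWSPREVIOUS` for clients that cached it.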
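With CloudTrail enabled, every GetSecretValue and GetParameter call is recorded together with the calling identity, which is what makes the audit trail useful. The block below is an added example (not the article's code) of detection logic over such records: it flags AccessDenied attempts against secrets and successful reads of a sensitive secret by a principal that is not on its expected-reader list. The records, ARNs and the `EXPECTED_READERS` inventory are constructed sample data in the CloudTrail record shape.

```python
"""Detection over constructed CloudTrail records for Secrets Manager and
Parameter Store reads (added example)."""

# Read-style API calls whose requestParameters name the secret being fetched.
SECRET_READ_EVENTS = {
    "secretsmanager.amazonaws.com": {"GetSecretValue"},
    "ssm.amazonaws.com": {"GetParameter", "GetParameters", "GetParametersByPath"},
}

# Which principals are expected to read which secret (hypothetical inventory).
EXPECTED_READERS = {
    "prod/payments/db": {"arn:aws:sts::123456789012:assumed-role/payments-api/i-0abc123"},
    "/prod/payments/api-key": {"arn:aws:sts::123456789012:assumed-role/payments-api/i-0abc123"},
}


def _targets(record: dict) -> list:
    """Secret/parameter names a record refers to, across the APIs' parameter names
    (GetParametersByPath is reported by its path prefix)."""
    p = record.get("requestParameters") or {}
    if "secretId" in p:
        return [p["secretId"]]
    if "name" in p:
        return [p["name"]]
    return list(p.get("names") or ([p["path"]] if "path" in p else []))


def analyze(records: list) -> list:
    """Return (kind, principal, target, eventTime) tuples for suspicious records."""
    findings = []
    for r in records:
        if r.get("eventName") not in SECRET_READ_EVENTS.get(r.get("eventSource"), ()):
            continue
        actor = (r.get("userIdentity") or {}).get("arn", "unknown")
        for target in _targets(r):
            if r.get("errorCode") == "AccessDenied":
                findings.append(("ACCESS_DENIED", actor, target, r.get("eventTime")))
            elif target in EXPECTED_READERS and actor not in EXPECTED_READERS[target]:
                findings.append(("UNEXPECTED_READER", actor, target, r.get("eventTime")))
    return findings


def denied_by_principal(findings: list) -> dict:
    """Count AccessDenied findings per principal; a burst from one identity
    deserves more attention than a single mistyped role."""
    counts = {}
    for kind, actor, _, _ in findings:
        if kind == "ACCESS_DENIED":
            counts[actor] = counts.get(actor, 0) + 1
    return counts


SAMPLE_RECORDS = [  # constructed records in the CloudTrail event shape
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/payments-api/i-0abc123"},
     "requestParameters": {"secretId": "prod/payments/db"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"secretId": "prod/payments/db"},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: secretsmanager:GetSecretValue"},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build-42"},
     "requestParameters": {"name": "/prod/payments/api-key", "withDecryption": True}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "DescribeSecret",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"secretId": "prod/payments/db"}},
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(*finding)
```

In practice the records would come from the CloudTrail S3 bucket or a CloudWatch Logs subscription rather than an inline list; the matching logic is the same.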
For the first 10,000 API calls:
For the next 10,000 API calls, both services charge $0.05.
Here are some important limitations to keep in mind for these two products:
Choosing the right solution for storing your secret comes down to the type of secret you are working with. If you want to store sensitive, password-like secrets, Secrets Manager is the better fit, since it offers automatic string generation, rotation, and replication. If you want to store simple environment variables like credentials, you can go with Parameter Store.
Both of these services can be used more efficiently when you integrate them with Doppler. Doppler is a secret management platform that acts as the single source of truth for secrets across various platforms like AWS, Azure, GCP, GitHub, GitLab, and Kubernetes among others.
Combining AWS Secrets Manager or Parameter Store with Doppler provides an additional layer of resiliency and flexibility for workflows. Developers can directly push secrets to AWS services or consume them without any disruption to their workflows using Doppler, eliminating the need to toggle between AWS accounts and services. Doppler also provides efficient access logging for teams to make tracking the secrets straightforward.
AWS supports creating Secrets Manager secrets and Parameter Store parameters via the console, the CLI, infrastructure as code (IaC), or the AWS SDK. In this section, we look at how to do this using the console and CLI. We also go through how to integrate both of these services with Doppler to improve ease of access.
To create secrets using the CLI, follow this syntax:
Now that we’ve created our secrets, let’s take a quick look at how we can integrate with Doppler.
First, navigate to the Doppler dashboard, then choose your project, and click on Integrations.
This will list all the possible integrations. Let’s choose Secrets Manager.
Doppler uses IAM role assumption on the backend to connect with AWS. Follow the tutorial here to learn how to establish a connection with AWS from Doppler.
Create an IAM role with the permissions listed in the tutorial, paste the role ARN in the integration console, and click Connect.
Next, choose the config that you want to sync and the AWS region and path where you want Doppler to store the secrets on your behalf.
Finally, click on Set Up Integration to finish the integration process. This will take you to the integrations page, where you can see the status of your connection.
That’s it! You’ve successfully integrated Secrets Manager with Doppler. The secrets you create in Doppler will now reflect in your AWS account.
Let’s verify this by creating a secret from Doppler. Click on Add First Secret.
Enter the secret key and value, then click Save.
This will automatically sync the secrets with AWS. Let’s verify this by going to Secrets Manager in the AWS console.
To create parameters using the CLI, follow this syntax:
Since we already have Secrets Manager integrated with Doppler, we can click on Add Sync to integrate Parameter Store with Doppler. If you want to integrate Parameter Store with Doppler for the first time instead, navigate to the Doppler dashboard, choose your project, click on Integrations, and choose Parameter Store.
As we saw while integrating Secrets Manager with Doppler, IAM role assumption is used on the backend to connect with AWS. Create an IAM role following the tutorial here, paste the role ARN in the integration console, and click Connect.
Next, choose the config to sync, select the region, and enter the path under which you want Doppler to create secrets on your behalf. Click Set Up Integration to complete the process.
Doppler will now automatically sync the secrets you create in the Doppler dashboard with AWS.
This article gives a detailed comparison between Secrets Manager and Parameter Store for credential management. While both of these services can be used for handling secrets, Secrets Manager offers automatic rotation and default encryption, though at an extra cost. Parameter Store does not offer these features but is still a good choice for small applications.
The article also highlights how integration with Doppler can improve these services. Doppler provides a centralized platform for secret management, reduces vulnerabilities, helps fine-tune access control, automates workflows with the Doppler CLI, and enables detailed audit logs.