{"id":48789,"date":"2025-03-18T09:06:51","date_gmt":"2025-03-18T09:06:51","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48789"},"modified":"2026-02-21T07:26:54","modified_gmt":"2026-02-21T07:26:54","slug":"aws-tutorials-aws-secrets-manager-securely-storing-and-managing-secrets","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-tutorials-aws-secrets-manager-securely-storing-and-managing-secrets\/","title":{"rendered":"AWS Tutorials: AWS Secrets Manager: Securely Storing and Managing Secrets"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-1024x583.png\" alt=\"\" class=\"wp-image-48791\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-1024x583.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-300x171.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-768x437.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-1536x875.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-14-2048x1166.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>AWS Secrets Manager <strong>simplifies and enhances security<\/strong> by <strong>storing, managing, and rotating<\/strong> sensitive secrets. 
It <strong>integrates seamlessly<\/strong> with AWS services and provides <strong>automated secret rotation<\/strong>, <strong>secure retrieval<\/strong>, and <strong>fine-grained access control<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What is AWS Secrets Manager?<\/strong><\/h3>\n\n\n\n<p>AWS <strong>Secrets Manager<\/strong> is a fully managed service that <strong>securely stores, retrieves, rotates, and manages sensitive information<\/strong> like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Database credentials<\/strong><\/li>\n\n\n\n<li><strong>API keys<\/strong><\/li>\n\n\n\n<li><strong>OAuth tokens<\/strong><\/li>\n\n\n\n<li><strong>Encryption keys<\/strong><\/li>\n\n\n\n<li><strong>Other application secrets<\/strong><\/li>\n<\/ul>\n\n\n\n<p>It provides <strong>automated secret rotation<\/strong>, <strong>fine-grained access control<\/strong>, and <strong>seamless integration<\/strong> with AWS services.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Key Features of AWS Secrets Manager<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Secure Secret Storage<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secrets are stored <strong>encrypted<\/strong> using AWS <strong>KMS (Key Management Service)<\/strong>.<\/li>\n\n\n\n<li>Automatically <strong>rotates encryption keys<\/strong> periodically.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Automatic Secret Rotation<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Supports <strong>automatic rotation<\/strong> of secrets <strong>without service downtime<\/strong>.<\/li>\n\n\n\n<li>Works with <strong>RDS, PostgreSQL, MySQL, Aurora<\/strong>, and custom scripts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3\ufe0f\u20e3 Fine-Grained Access Control<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses 
<strong>AWS IAM policies<\/strong> and <strong>resource-based policies<\/strong> for controlled access.<\/li>\n\n\n\n<li>Supports integration with <strong>AWS Identity and Access Management (IAM)<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4\ufe0f\u20e3 Seamless AWS Service Integration<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Works with <strong>AWS Lambda, AWS RDS, DynamoDB, EC2, and ECS<\/strong>.<\/li>\n\n\n\n<li><strong>SDK &amp; API support<\/strong> for fetching secrets securely.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5\ufe0f\u20e3 Versioning and History<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Maintains multiple versions<\/strong> of a secret.<\/li>\n\n\n\n<li>Supports rollback to <strong>previous versions<\/strong> if needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6\ufe0f\u20e3 Secure Access &amp; Retrieval<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Secrets can be retrieved using:\n<ul class=\"wp-block-list\">\n<li><strong>AWS SDK<\/strong><\/li>\n\n\n\n<li><strong>AWS CLI<\/strong><\/li>\n\n\n\n<li><strong>Terraform, CloudFormation<\/strong><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 How AWS Secrets Manager Works<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Create a Secret<\/strong>\n<ul class=\"wp-block-list\">\n<li>Store credentials, API keys, or other sensitive information.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Retrieve the Secret<\/strong>\n<ul class=\"wp-block-list\">\n<li>Applications fetch secrets securely using <strong>AWS SDK or CLI<\/strong>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Rotate Secrets Automatically<\/strong>\n<ul class=\"wp-block-list\">\n<li>Secrets are <strong>automatically rotated<\/strong> without affecting applications.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Control Access 
with IAM Policies<\/strong>\n<ul class=\"wp-block-list\">\n<li>Use IAM roles and policies to grant access only to authorized resources.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 AWS Secrets Manager vs Parameter Store vs KMS<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>AWS Secrets Manager<\/th><th>AWS SSM Parameter Store<\/th><th>AWS KMS (Key Management)<\/th><\/tr><\/thead><tbody><tr><td><strong>Secret Storage<\/strong><\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><td>\u274c No<\/td><\/tr><tr><td><strong>Automatic Rotation<\/strong><\/td><td>\u2705 Yes<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><tr><td><strong>Encryption<\/strong><\/td><td>\u2705 Yes (KMS)<\/td><td>\u2705 Yes (KMS)<\/td><td>\u2705 Yes<\/td><\/tr><tr><td><strong>Access via IAM<\/strong><\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><\/tr><tr><td><strong>Integration<\/strong><\/td><td>\u2705 Yes (Lambda, RDS, etc.)<\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><\/tr><tr><td><strong>Versioning<\/strong><\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><td>\u274c No<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 How to Use AWS Secrets Manager<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1\ufe0f\u20e3 Creating a Secret Using AWS CLI<\/strong><\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">aws secretsmanager create-secret \\\n  --name MySecret \\\n  --secret-string '{\"username\":\"admin\", \"password\":\"mypassword\"}' \\\n  --region us-east-1\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\"><strong>2\ufe0f\u20e3 Retrieving a Secret<\/strong><\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">aws secretsmanager get-secret-value --secret-id MySecret --region us-east-1\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\"><strong>3\ufe0f\u20e3 Updating a Secret<\/strong><\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">aws secretsmanager put-secret-value \\\n  --secret-id MySecret \\\n  --secret-string '{\"username\":\"admin\", \"password\":\"newpassword\"}' \\\n  --region us-east-1\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\"><strong>4\ufe0f\u20e3 Deleting a Secret<\/strong><\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"Bash\" data-shcb-language-slug=\"bash\"><span><code class=\"hljs language-bash\">aws secretsmanager delete-secret --secret-id MySecret --force-delete-without-recovery\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">Bash<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">bash<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Using AWS Secrets Manager in Terraform<\/strong><\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"HCL\" data-shcb-language-slug=\"hcl\"><span><code class=\"hljs language-hcl\">resource \"aws_secretsmanager_secret\" \"example\" {\n  name = \"my-secret\"\n}\n\nresource \"aws_secretsmanager_secret_version\" \"example\" {\n  secret_id     = aws_secretsmanager_secret.example.id\n  secret_string = jsonencode({ username = \"admin\", password = \"mypassword\" })\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HCL<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">hcl<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Common Use Cases<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Storing and rotating database credentials<\/strong><br>\u2705 <strong>Managing API keys securely<\/strong><br>\u2705 <strong>Encrypting sensitive app configuration details<\/strong><br>\u2705 <strong>Managing OAuth tokens and service accounts<\/strong><br>\u2705 <strong>Rotating AWS access keys<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Secrets Manager using Kubernetes<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"938\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-15-1024x938.png\" alt=\"\" class=\"wp-image-48792\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-15-1024x938.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-15-300x275.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-15-768x704.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-15.png 1110w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"517\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-1024x517.png\" alt=\"\" class=\"wp-image-48793\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-1024x517.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-300x151.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-768x387.png 768w, 
https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-1536x775.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-16-2048x1033.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Secret Types in AWS Secrets Manager<\/strong><\/h2>\n\n\n\n<p>AWS Secrets Manager supports storing <strong>various types of secrets<\/strong> based on use cases such as <strong>database credentials, API keys, OAuth tokens, encryption keys, and custom application secrets<\/strong>. Below are the most common secret types:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Summary Table: AWS Secrets Manager Secret Types<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"405\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-1024x405.png\" alt=\"\" class=\"wp-image-48790\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-1024x405.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-300x119.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-768x304.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-1536x607.png 1536w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-13-2048x810.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Secret Type<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td><strong>AWS RDS Credentials<\/strong><\/td><td>Store database usernames and passwords securely.<\/td><\/tr><tr><td><strong>API Keys &amp; Tokens<\/strong><\/td><td>Store API authentication tokens 
securely.<\/td><\/tr><tr><td><strong>SSH Keys<\/strong><\/td><td>Store private SSH keys for authentication.<\/td><\/tr><tr><td><strong>Encryption Keys &amp; Certs<\/strong><\/td><td>Store SSL certificates and encryption keys securely.<\/td><\/tr><tr><td><strong>JSON Configuration<\/strong><\/td><td>Store app configurations like database connection details.<\/td><\/tr><tr><td><strong>AWS IAM Access Keys<\/strong><\/td><td>Store AWS access keys securely (though IAM roles are preferred).<\/td><\/tr><tr><td><strong>Kubernetes Secrets<\/strong><\/td><td>Store Kubernetes API authentication tokens securely.<\/td><\/tr><tr><td><strong>Custom Application Secrets<\/strong><\/td><td>Store other sensitive app secrets.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 1. AWS RDS Database Credentials<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>RDS credentials<\/strong> securely and allow <strong>automatic rotation<\/strong>.<\/li>\n\n\n\n<li><strong>Supported Databases:<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Amazon RDS:<\/strong> MySQL, PostgreSQL, MariaDB, Oracle, SQL Server<\/li>\n\n\n\n<li><strong>Amazon Aurora<\/strong> (MySQL &amp; PostgreSQL)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"username\": \"admin\", \"password\": \"mypassword\" }<\/code><\/li>\n\n\n\n<li><strong>Terraform Example:<\/strong>\n<pre class=\"wp-block-code\"><code>resource \"aws_secretsmanager_secret\" \"db_secret\" {\n  name = \"my-db-secret\"\n}\n\nresource \"aws_secretsmanager_secret_version\" \"db_secret_version\" {\n  secret_id     = aws_secretsmanager_secret.db_secret.id\n  secret_string = jsonencode({ username = \"admin\", password = \"mypassword\" })\n}\n<\/code><\/pre><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 2. 
API Keys &amp; Tokens<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>third-party API keys, OAuth tokens, and application credentials<\/strong> securely.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"api_key\": \"1234567890abcdef\", \"api_secret\": \"abcdef1234567890\" }<\/code><\/li>\n\n\n\n<li><strong>AWS CLI Example:<\/strong> <code>aws secretsmanager create-secret --name MyAPIKey --secret-string '{\"api_key\":\"1234567890abcdef\",\"api_secret\":\"abcdef1234567890\"}'<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 3. SSH Keys &amp; Private Keys<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>SSH private keys<\/strong> used for server authentication.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"private_key\": \"-----BEGIN RSA PRIVATE KEY-----\\nMIIEpQIBAAKCAQE...\\n-----END RSA PRIVATE KEY-----\" }<\/code> (line breaks in the PEM body are written as <code>\\n<\/code> inside the JSON string value)<\/li>\n\n\n\n<li><strong>Retrieving the Secret in CLI:<\/strong> <code>aws secretsmanager get-secret-value --secret-id MySSHKey<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 4. 
Encryption Keys &amp; Certificates<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>SSL\/TLS certificates<\/strong> or <strong>encryption keys<\/strong> securely.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"certificate\": \"-----BEGIN CERTIFICATE-----\\nMIIBIjANBgkqh...\\n-----END CERTIFICATE-----\", \"private_key\": \"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...\\n-----END PRIVATE KEY-----\" }<\/code><\/li>\n\n\n\n<li><strong>Terraform Example:<\/strong>\n<pre class=\"wp-block-code\"><code>resource \"aws_secretsmanager_secret\" \"ssl_secret\" {\n  name = \"my-ssl-cert\"\n}\n\nresource \"aws_secretsmanager_secret_version\" \"ssl_secret_version\" {\n  secret_id     = aws_secretsmanager_secret.ssl_secret.id\n  secret_string = jsonencode({ certificate = \"CERT_HERE\", private_key = \"KEY_HERE\" })\n}\n<\/code><\/pre><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 5. JSON Configuration Data<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store application config settings like <strong>database connection details<\/strong>, <strong>email server settings<\/strong>, etc.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"db_host\": \"mydb.example.com\", \"db_port\": 3306, \"email_server\": \"smtp.example.com\" }<\/code><\/li>\n\n\n\n<li><strong>AWS CLI Example:<\/strong> <code>aws secretsmanager create-secret --name MyAppConfig --secret-string '{\"db_host\":\"mydb.example.com\",\"db_port\":3306,\"email_server\":\"smtp.example.com\"}'<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 6. 
AWS IAM Access Keys<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>AWS IAM user access keys<\/strong> securely.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"aws_access_key_id\": \"AKIAXXXEXAMPLE\", \"aws_secret_access_key\": \"wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY\" }<\/code><\/li>\n\n\n\n<li><strong>Best Practice:<\/strong> Rotate IAM keys <strong>automatically<\/strong> and grant access via IAM roles instead.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 7. Kubernetes Secrets<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store Kubernetes cluster <strong>API tokens<\/strong> securely for authentication.<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"kube_api_server\": \"https:\/\/k8s.example.com\", \"kube_token\": \"eyJhbGciOiJSUzI1Ni...\" }<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 8. 
Custom Application Secrets<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use Case:<\/strong> Store <strong>any sensitive data<\/strong> used by applications (e.g., session tokens, encryption keys, auth tokens).<\/li>\n\n\n\n<li><strong>Example JSON Format:<\/strong> <code>{ \"app_secret\": \"super_secure_value\", \"app_id\": \"my-app\" }<\/code><\/li>\n\n\n\n<li><strong>Retrieving the Secret in Python (Boto3 SDK):<\/strong>\n<pre class=\"wp-block-code\"><code>import boto3\n\nclient = boto3.client('secretsmanager')\n\n# Fetch the current version of the secret; SecretString holds the JSON document stored above\nresponse = client.get_secret_value(SecretId='my-app-secret')\nprint(response['SecretString'])\n<\/code><\/pre><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\ude80 Best Practices for Managing Secrets in AWS Secrets Manager<\/strong><\/h2>\n\n\n\n<p>\u2705 <strong>Use IAM policies<\/strong> to control access to secrets securely.<br>\u2705 <strong>Enable automatic rotation<\/strong> for secrets like database credentials.<br>\u2705 <strong>Encrypt all secrets using AWS KMS<\/strong> (enabled by default).<br>\u2705 <strong>Audit secret usage<\/strong> via AWS CloudTrail logs.<br>\u2705 <strong>Avoid hardcoding secrets<\/strong> in application code; retrieve them dynamically using the AWS SDK.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Comparison: AWS Secrets Manager vs. AWS SSM Parameter Store vs. AWS KMS<\/strong><\/h3>\n\n\n\n<p>AWS provides <strong>three services<\/strong> for managing secrets and sensitive data: <strong>AWS Secrets Manager, AWS Systems Manager (SSM) Parameter Store, and AWS Key Management Service (KMS)<\/strong>. 
Each service has <strong>different features, use cases, and pricing models<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong> AWS Secrets Manager vs. AWS SSM Parameter Store vs. AWS KMS<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"782\" src=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-17-1024x782.png\" alt=\"\" class=\"wp-image-48794\" srcset=\"https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-17-1024x782.png 1024w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-17-300x229.png 300w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-17-768x587.png 768w, https:\/\/www.devopsschool.com\/blog\/wp-content\/uploads\/2025\/03\/image-17.png 1394w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Feature<\/strong><\/th><th><strong>AWS Secrets Manager<\/strong><\/th><th><strong>AWS SSM Parameter Store<\/strong><\/th><th><strong>AWS KMS (Key Management Service)<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Purpose<\/strong><\/td><td>Securely store, manage, and rotate secrets like passwords, API keys, and DB credentials.<\/td><td>Store plaintext or encrypted configuration values &amp; secrets.<\/td><td>Manage and encrypt\/decrypt encryption keys.<\/td><\/tr><tr><td><strong>Secret Types<\/strong><\/td><td>API keys, database credentials, passwords, OAuth tokens, and certificates.<\/td><td>Any text-based parameter (config settings, secrets, database URLs).<\/td><td>Encryption keys for <strong>data, S3, EBS, databases<\/strong>.<\/td><\/tr><tr><td><strong>Secret Encryption<\/strong><\/td><td>Encrypted using <strong>AWS KMS (AES-256)<\/strong> by default.<\/td><td>Can be encrypted using 
<strong>AWS KMS<\/strong> (optional).<\/td><td>Uses <strong>AWS KMS<\/strong> for encryption key storage.<\/td><\/tr><tr><td><strong>Automated Secret Rotation<\/strong><\/td><td>\u2705 <strong>Yes<\/strong> (for RDS, Aurora, MySQL, PostgreSQL, etc.)<\/td><td>\u274c <strong>No<\/strong> (manual rotation required).<\/td><td>\u274c <strong>No<\/strong> (manages encryption keys, not secrets).<\/td><\/tr><tr><td><strong>API Access<\/strong><\/td><td>AWS SDK, CLI, IAM policies, and Lambda integration.<\/td><td>AWS SDK, CLI, IAM policies.<\/td><td>AWS SDK, CLI, IAM, integrated into <strong>S3, RDS, EBS, DynamoDB<\/strong>.<\/td><\/tr><tr><td><strong>IAM Access Control<\/strong><\/td><td><strong>Fine-grained access<\/strong> via IAM roles.<\/td><td><strong>Fine-grained access<\/strong> via IAM roles.<\/td><td><strong>Highly restrictive access<\/strong> via IAM policies.<\/td><\/tr><tr><td><strong>Versioning<\/strong><\/td><td>\u2705 <strong>Yes<\/strong> (Secret versioning is supported).<\/td><td>\u2705 <strong>Yes<\/strong> (Parameter versioning is supported).<\/td><td>\u274c <strong>No<\/strong> (Only key rotation, no versioning).<\/td><\/tr><tr><td><strong>Multi-Region Support<\/strong><\/td><td>\u2705 <strong>Yes<\/strong> (Automatic replication across AWS regions).<\/td><td>\u2705 <strong>Yes<\/strong> (Can store multi-region values).<\/td><td>\u2705 <strong>Yes<\/strong> (Can replicate keys across AWS regions).<\/td><\/tr><tr><td><strong>Logging &amp; Auditing<\/strong><\/td><td><strong>AWS CloudTrail<\/strong> logs secret access.<\/td><td><strong>AWS CloudTrail<\/strong> logs parameter access.<\/td><td><strong>AWS CloudTrail &amp; CloudWatch<\/strong> logs key usage.<\/td><\/tr><tr><td><strong>Pricing<\/strong><\/td><td><strong>$0.40 per secret per month<\/strong> + <strong>$0.05 per 10,000 API calls<\/strong>.<\/td><td><strong>Standard Parameters: Free<\/strong>; <strong>Advanced Parameters: $0.05 per parameter per month<\/strong>.<\/td><td><strong>$1 per key per 
month<\/strong> + <strong>$0.03 per 10,000 API calls<\/strong>.<\/td><\/tr><tr><td><strong>Best Use Case<\/strong><\/td><td><strong>Secrets rotation &amp; high security<\/strong> (RDS, API keys, passwords).<\/td><td><strong>Storing config settings &amp; parameters<\/strong> (without rotation).<\/td><td><strong>Encrypting sensitive data &amp; managing encryption keys<\/strong>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 1. AWS Secrets Manager<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u2705 When to Use AWS Secrets Manager?<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>automatic secret rotation<\/strong> (for databases, API keys, etc.).<\/li>\n\n\n\n<li>You need <strong>fine-grained access control<\/strong> to manage who can access secrets.<\/li>\n\n\n\n<li>You require <strong>audit logs &amp; versioning<\/strong> to track secret changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\ud83d\ude80 Pros<\/strong><\/h3>\n\n\n\n<p>\u2714\ufe0f <strong>Automatic rotation of secrets<\/strong>.<br>\u2714\ufe0f <strong>Supports IAM-based access control<\/strong>.<br>\u2714\ufe0f <strong>Versioning &amp; rollback<\/strong>.<br>\u2714\ufe0f <strong>Integrated with AWS Lambda for rotation<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u26a0\ufe0f Cons<\/strong><\/h3>\n\n\n\n<p>\u274c <strong>More expensive<\/strong> ($0.40 per secret per month).<br>\u274c Requires additional <strong>API calls<\/strong> for fetching secrets ($0.05 per 10,000 calls).<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 2. 
AWS Systems Manager (SSM) Parameter Store<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u2705 When to Use AWS SSM Parameter Store?<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>free storage for configuration parameters<\/strong>.<\/li>\n\n\n\n<li>You want to <strong>store encrypted secrets<\/strong> with basic IAM control.<\/li>\n\n\n\n<li>You <strong>don\u2019t need automatic secret rotation<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\ud83d\ude80 Pros<\/strong><\/h3>\n\n\n\n<p>\u2714\ufe0f <strong>Free for Standard Parameters<\/strong>.<br>\u2714\ufe0f <strong>Can store non-sensitive &amp; encrypted data<\/strong>.<br>\u2714\ufe0f <strong>Integrated with AWS services (Lambda, EC2, ECS, etc.)<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u26a0\ufe0f Cons<\/strong><\/h3>\n\n\n\n<p>\u274c <strong>No automatic secret rotation<\/strong>.<br>\u274c <strong>Advanced Parameters ($0.05 per parameter per month)<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 3. 
AWS Key Management Service (KMS)<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u2705 When to Use AWS KMS?<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need to <strong>encrypt data at rest and in transit<\/strong>.<\/li>\n\n\n\n<li>You need <strong>secure key management<\/strong> for S3, RDS, EBS, DynamoDB, etc.<\/li>\n\n\n\n<li>You require <strong>fine-grained key access control<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\ud83d\ude80 Pros<\/strong><\/h3>\n\n\n\n<p>\u2714\ufe0f <strong>Fully managed encryption service<\/strong>.<br>\u2714\ufe0f <strong>Highly secure key storage<\/strong> with <strong>automatic key rotation<\/strong>.<br>\u2714\ufe0f <strong>Integrated with S3, RDS, Lambda, and DynamoDB<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>\u26a0\ufe0f Cons<\/strong><\/h3>\n\n\n\n<p>\u274c <strong>Cannot store application secrets<\/strong> (only encryption keys).<br>\u274c <strong>Pricing based on key usage ($1 per key per month + API requests)<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Choosing the Right AWS Secret Management Service<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Use Case<\/strong><\/th><th><strong>Best AWS Service<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>Securely storing and rotating database credentials &amp; API keys<\/strong><\/td><td><strong>AWS Secrets Manager<\/strong><\/td><\/tr><tr><td><strong>Storing application configuration settings &amp; non-rotated secrets<\/strong><\/td><td><strong>AWS SSM Parameter Store<\/strong><\/td><\/tr><tr><td><strong>Encrypting sensitive data in S3, EBS, RDS, Lambda<\/strong><\/td><td><strong>AWS KMS<\/strong><\/td><\/tr><tr><td><strong>Low-cost, simple secret storage<\/strong><\/td><td><strong>AWS SSM Parameter Store 
(Standard)<\/strong><\/td><\/tr><tr><td><strong>Fine-grained access control &amp; audit logging<\/strong><\/td><td><strong>Any of the three<\/strong> (IAM policies plus CloudTrail); <strong>resource-based policies for cross-account access: AWS Secrets Manager or KMS<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\udd39 Pricing Comparison<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Service<\/strong><\/th><th><strong>Cost<\/strong><\/th><\/tr><\/thead><tbody><tr><td><strong>AWS Secrets Manager<\/strong><\/td><td><strong>$0.40 per secret per month<\/strong> + <strong>$0.05 per 10,000 API calls<\/strong><\/td><\/tr><tr><td><strong>AWS SSM Parameter Store (Standard)<\/strong><\/td><td><strong>Free<\/strong> (API calls at standard throughput are also free)<\/td><\/tr><tr><td><strong>AWS SSM Parameter Store (Advanced)<\/strong><\/td><td><strong>$0.05 per parameter per month<\/strong> + <strong>$0.05 per 10,000 API calls<\/strong> at higher throughput<\/td><\/tr><tr><td><strong>AWS KMS<\/strong><\/td><td><strong>$1 per customer managed key per month<\/strong> + <strong>$0.03 per 10,000 API calls<\/strong>; AWS managed keys are free<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>These are list prices and vary by region; check the current pricing pages before estimating. A Secrets Manager secret or a SecureString parameter encrypted with a customer managed key also incurs that key\u2019s KMS charges.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>\ud83d\ude80 Conclusion: Which One Should You Use?<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use AWS Secrets Manager<\/strong> \u2705 if you need <strong>automated secret rotation<\/strong>, <strong>fine-grained IAM access control<\/strong> (including resource policies for cross-account access), and <strong>audit logs<\/strong>.<\/li>\n\n\n\n<li><strong>Use AWS SSM Parameter Store<\/strong> \u2705 if you need a <strong>cost-effective way<\/strong> to store <strong>configuration parameters<\/strong> and <strong>secrets you rotate yourself<\/strong>.<\/li>\n\n\n\n<li><strong>Use AWS KMS<\/strong> \u2705 if you need to <strong>manage encryption keys for AWS services<\/strong> like <strong>S3, RDS, EBS, and DynamoDB<\/strong>, or to encrypt data your own application stores.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 
class=\"wp-block-heading\"><strong>\ud83d\udd39 Final Thoughts<\/strong><\/h2>\n\n\n\n<p>\ud83d\udd39 <strong>AWS Secrets Manager is the most feature-rich option<\/strong> for <strong>highly sensitive secrets<\/strong> (but also the most expensive).<br>\ud83d\udd39 <strong>AWS SSM Parameter Store is ideal for simple secret storage<\/strong> (especially <strong>Standard Parameters<\/strong>, which are <strong>free<\/strong>).<br>\ud83d\udd39 <strong>AWS KMS is strictly for encryption keys<\/strong> and <strong>data protection<\/strong>, not for application secrets.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AWS Secrets Manager simplifies and enhances security by storing, managing, and rotating sensitive secrets. It integrates seamlessly with AWS services and provides automated secret rotation, secure retrieval, and fine-grained access control. What is AWS Secrets Manager? AWS Secrets Manager is a fully managed service that securely stores, retrieves, rotates, and manages sensitive information like: 
It&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48789","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48789","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48789"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48789\/revisions"}],"predecessor-version":[{"id":58925,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48789\/revisions\/58925"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48789"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48789"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48789"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}