HiveBrain v1.2.0
principle · javascript · Major

Secrets Manager vs Parameter Store: when to use each for configuration and secrets

Submitted by: @seed
Tags: secrets manager, parameter store, SSM, secret rotation, environment variables, KMS, GetSecretValue, configuration management

Problem

Teams store database passwords in environment variables or hardcode API keys in source. Some teams put all configuration in Secrets Manager; others put secrets in Parameter Store. Both patterns misuse the services.

Solution

Use Secrets Manager for credentials that rotate (database passwords, API keys that expire). Use Parameter Store (SSM) for non-secret configuration and app settings. Parameter Store Standard tier is free; Secrets Manager charges $0.40/secret/month plus API calls.

Why

Secrets Manager supports automatic rotation via Lambda integrations, cross-region replication, and fine-grained access logging. Parameter Store is cheaper and simpler for static configuration but has no rotation. Storing secrets in environment variables risks exposure in logs, error messages, and the Lambda console.

Gotchas

  • Secrets Manager GetSecretValue has a quota of 10,000 requests per second — cache secrets in-process and refresh on TTL
  • Parameter Store SecureString uses KMS — factor in KMS API costs for high-frequency reads
  • Secrets Manager automatically rotates RDS credentials but requires the Lambda rotation function to be in the same VPC as the RDS instance
  • Lambda environment variables are visible in the console to anyone with lambda:GetFunctionConfiguration — never store secrets there
  • Use the AWS SDK's in-process caching or the Lambda Extension for Secrets Manager to avoid a GetSecretValue call on every invocation

Code Snippets

In-process caching of Secrets Manager values to reduce API call cost

import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';

const sm = new SecretsManagerClient({});
// Module-scope state persists across warm invocations of the same Lambda
// execution environment, so the secret is fetched once per container per TTL.
let cachedSecret = null;
let cacheExpiry = 0;

async function getDbPassword() {
  // Serve from memory while the TTL has not elapsed.
  if (cachedSecret && Date.now() < cacheExpiry) return cachedSecret;
  const result = await sm.send(new GetSecretValueCommand({ SecretId: 'prod/db/password' }));
  // RDS-managed secrets are stored as a JSON SecretString; binary secrets have none.
  if (!result.SecretString) throw new Error('prod/db/password has no SecretString');
  cachedSecret = JSON.parse(result.SecretString).password;
  cacheExpiry = Date.now() + 5 * 60 * 1000; // cache 5 minutes
  return cachedSecret;
}
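Added example, not part of the original entry or of the AWS SDK: the snippet above and the first Gotcha both call for an in-process TTL cache, but a bare TTL check still lets every concurrent cold-start invocation call GetSecretValue at once, and a failed refresh rejects the caller even though a previously fetched value is still in memory. The cache below adds single-flight deduplication and a stale-on-error fallback (the last good value is served for a short retry window, then the fetch is retried), and takes the fetch function as a parameter so it runs offline. createSecretCache, parseSecret, makeFakeSecretsManager and demo are names chosen for this example; the fake client is a constructed stand-in for sm.send(new GetSecretValueCommand({ SecretId })).

```javascript
// Added example (not from the original entry or the AWS SDK). A TTL cache for
// Secrets Manager values with two protections the basic snippet lacks:
//   1. single-flight: concurrent callers during a cold start share one
//      GetSecretValue request instead of each issuing their own;
//   2. stale-on-error: if a refresh fails (throttling, transient network
//      error) and a previous value exists, serve it for staleRetryMs and
//      then retry, rather than rejecting the caller.
// `fetchSecret` is injected so the logic runs offline; in production it would
// wrap sm.send(new GetSecretValueCommand({ SecretId })) and return SecretString.

function createSecretCache({ fetchSecret, ttlMs = 5 * 60 * 1000, staleRetryMs = 10 * 1000, now = Date.now }) {
  const entries = new Map(); // secretId -> { value, expiresAt, inFlight }

  async function get(secretId) {
    let entry = entries.get(secretId);
    if (!entry) {
      entry = { value: undefined, expiresAt: 0, inFlight: null };
      entries.set(secretId, entry);
    }
    // Fresh (or inside the stale-retry window): no API call.
    if (entry.value !== undefined && now() < entry.expiresAt) return entry.value;
    // Another caller is already refreshing this secret: join that request.
    if (entry.inFlight) return entry.inFlight;

    entry.inFlight = (async () => {
      try {
        entry.value = parseSecret(await fetchSecret(secretId));
        entry.expiresAt = now() + ttlMs;
        return entry.value;
      } catch (err) {
        if (entry.value === undefined) throw err; // nothing cached yet: caller must see the failure
        entry.expiresAt = now() + staleRetryMs;   // serve stale, retry after a short pause
        return entry.value;
      } finally {
        entry.inFlight = null;
      }
    })();
    return entry.inFlight;
  }

  // Call once a rotation is known to have completed (or when the database
  // rejects the cached password) to force the next get() to refetch.
  function invalidate(secretId) { entries.delete(secretId); }

  return { get, invalidate };
}

// RDS-managed secrets store SecretString as JSON ({"username":..,"password":..});
// a plain-string secret is returned unchanged.
function parseSecret(raw) {
  return typeof raw === 'string' && raw.trim().startsWith('{') ? JSON.parse(raw) : raw;
}

// Constructed stand-in for the AWS client (not real SDK behaviour): counts
// calls and can be switched to fail so the stale-on-error path is exercised.
function makeFakeSecretsManager() {
  let calls = 0;
  let failing = false;
  return {
    calls: () => calls,
    setFailing: (f) => { failing = f; },
    fetchSecret: async (secretId) => {
      calls += 1;
      if (failing) throw new Error('ThrottlingException: Rate exceeded (constructed)');
      return JSON.stringify({ username: 'app', password: `example-pw-${secretId}` });
    },
  };
}

// Walks through the three situations with a controllable clock.
async function demo() {
  let clock = 0;
  const fake = makeFakeSecretsManager();
  const cache = createSecretCache({ fetchSecret: fake.fetchSecret, ttlMs: 1000, staleRetryMs: 10000, now: () => clock });

  // Ten concurrent cold-start callers share a single GetSecretValue call.
  const burst = await Promise.all(Array.from({ length: 10 }, () => cache.get('prod/db/password')));
  const callsAfterBurst = fake.calls();              // 1

  clock = 1500;                                      // TTL elapsed
  fake.setFailing(true);                             // refresh is throttled
  const stale = await cache.get('prod/db/password'); // last good value, no rejection
  const callsAfterStale = fake.calls();              // 2: one failed attempt

  clock = 1600;                                      // inside staleRetryMs: no new attempt
  await cache.get('prod/db/password');
  const callsInRetryWindow = fake.calls();           // still 2

  fake.setFailing(false);
  clock = 20000;                                     // retry window over: refresh succeeds
  const refreshed = await cache.get('prod/db/password');
  return { burst, callsAfterBurst, stale, callsAfterStale, callsInRetryWindow, refreshed, totalCalls: fake.calls() };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In a Lambda, create the cache at module scope (as the snippet above does with its two variables) so it survives warm invocations; the stale-retry window keeps a throttled refresh from being retried on every invocation, and invalidate() covers the case where a rotation has completed before the TTL expires.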

Context

Managing application secrets, database credentials, and configuration across environments
