profile

codevev

Triggered by $0.40 per Secret

Published 3 months ago • 2 min read

Last week, I ran into this tweet:

It kinda triggered me. Why would someone pay $0.40 per secret per month when you could just use AWS Parameter Store and store them as SecureStrings FOR FREE?

That’s what I use for oneiras.com, so I was determined to find out if I’d missed something.

Am I unknowingly paying per secret? Or is there actually a reason to use AWS Secrets Manager instead?

Turns out, there are a couple, but only if you really need them.

The Big One: Automated Secrets Rotation

This is where AWS Secrets Manager shines.

Some AWS services, like RDS (Relational Database Service) or Redshift, require credentials. When you create one of those, AWS can automatically store the credentials in Secrets Manager and rotate them automatically, updating both the database and the secret behind the scenes.

That’s the feature AWS calls managed rotation.

For other cases (like third-party APIs), you can use a Lambda rotation function to automate the refresh yourself — but you have to write and maintain that code.

If you don’t need that level of automation, though?

You’re paying a premium for convenience.

Bonus Features: Versioning & Auditing

Secrets Manager also gives you automatic versioning - if you override a secret accidentally, you can roll it back to a previous version.

It integrates tightly with CloudTrail too, which helps with compliance audits.

But here’s the kicker:

You’re paying $0.40 per secret per month, plus $0.05 per 10,000 API calls.

Unless you absolutely need automatic rotation or audit compliance, it’s probably overkill.

Enter AWS Parameter Store

While digging into this, I learned that Parameter Store actually has two tiers: Standard and Advanced.

It’s not just for secrets - you can use it for any app configuration or parameter.

It lacks built-in rotation, but in the Advanced Tier, you can set parameter policies for expiration and get notified before a key expires.

You’d still rotate it manually, but it gives you a gentle nudge before things break.

Otherwise, it uses the same IAM access controls and integrates with CloudTrail for monitoring.

Standard vs. Advanced Tier (in a nutshell)

So if your app is small - 40 requests per second and under 10k parameters - Standard Tier is perfect.

When you outgrow it, you can switch to Advanced for better throughput and still pay a fraction of Secrets Manager pricing.

My Take

For oneiras.com, I’m sticking with Parameter Store (Standard Tier).

It’s free, fast enough, and simple to manage.

When things scale, I’ll bump a few parameters to Advanced Tier and still pay far less than Secrets Manager.

If you don’t need automated rotation or compliance guarantees, you probably don’t need Secrets Manager either.

How do you manage your secrets?

Hopefully not by committing them to Git. 😅

Cheers!

Evgeny Urubkov (@codevev)

600 1st Ave, Ste 330 PMB 92768, Seattle, WA 98104-2246
Unsubscribe · Preferences

codevev

codevev is a weekly newsletter designed to help you become a better software developer. Every Wednesday, get a concise email packed with value:• Skill Boosts: Elevate your coding with both hard and soft skill insights.• Tool Tips: Learn about new tools and how to use them effectively.• Real-World Wisdom: Gain from my experiences in the tech field.

Read more from codevev

It was my first on-call shift since I’ve been back after surgery. I was also onboarding a new person to be on-call, which is always a fun combo: you’re trying to look calm while quietly hoping nothing explodes. On Wednesday night I went to bed early, around 9pm, trying to catch up on sleep. Of course, my “favorite” sound came from the phone, the pager app. I really didn’t want to get up, so I did the lazy thing: checked which alarm fired through this terrible app we have to use, saw it wasn’t...

12 days ago • 4 min read

A couple weeks ago I wrote about making our reports take a couple seconds instead of 3 minutes. What I discovered later is that we didn’t actually have access to historical reports, because all the DynamoDB entries that pointed to the S3 data behind those reports had a TTL of one day. After asking around, the reason was simple: some partition keys were exceeding 10GB, and that’s the DynamoDB item collection limit per partition key (aka “all items with the same partition key”). So the...

19 days ago • 3 min read

My friend asked me yesterday if I know what AWS is. And it’s not someone I only talk to once in a while. We literally talk every day. I guess I always refer to my employer as just Amazon, so “AWS” never comes up. He recently acquired an app and needed to create a new AWS account, add a new user for his developer, and give him permissions for Lightsail (whatever that is). He managed to do the first two. The permissions part? Yep, he had no idea. I’ve written about IAM before here. My goal...

26 days ago • 2 min read