AWS Secrets Manager
What is it?
AWS Secrets Manager securely stores and manages secrets like database passwords and API keys, and can rotate them automatically.
Explain like I'm 5
Why was it created?
Hardcoding secrets in code or config is dangerous. Secrets Manager was created to store them securely and rotate them without code changes.
Where is it used?
- Storing database credentials
- API keys and tokens
- Automatic credential rotation
- Keeping secrets out of code
Why should developers care?
Leaked credentials are a top cause of breaches, so safe secret handling is essential, and Secrets Manager is the standard AWS tool.
How does it work?
You store a secret in Secrets Manager, controlled by IAM permissions and encrypted at rest. Apps retrieve it at runtime via the API instead of embedding it. It can also rotate secrets (like database passwords) automatically on a schedule.
Real-world example
An app fetches its database password from Secrets Manager at startup; the password rotates automatically every 30 days with no code change.
Common use cases
- Centralized secret storage
- Automatic secret rotation
- Keeping credentials out of source control
- Controlled access via IAM
Advantages
- Encrypted, centralized secrets
- Automatic rotation
- Access controlled by IAM
- Audited access
Disadvantages
- Per-secret cost
- AWS-specific
- Adds a runtime dependency
- Requires correct IAM setup
When should you use it?
Whenever apps need credentials or keys that must be stored and rotated securely.
When should you avoid it?
For non-secret config (use parameter stores) or when a simpler/cheaper option suffices.
Alternatives
Related terms
Interview questions
Beginner
- What does Secrets Manager store?
- Why not hardcode secrets?
Intermediate
- How does access control work for secrets?
- What is secret rotation?
Senior
- How do you rotate a database credential with zero downtime?
- Secrets Manager versus Parameter Store — when to use each?
Common misconceptions
- "Storing secrets in environment variables is just as safe" — Secrets Manager adds encryption, rotation, access control, and auditing.
- "It's only for passwords" — it stores any sensitive value, like API keys and tokens.
Fun facts
- It can automatically rotate supported database credentials on a schedule.
- Access is governed by IAM, so secrets follow least-privilege rules.
Timeline
- 2018 — AWS Secrets Manager launches
Learning resources
Quick summary
AWS Secrets Manager securely stores, controls access to, and automatically rotates secrets like passwords and API keys, keeping them out of code.
Cheat sheet
- Secure secret storage
- Automatic rotation
- IAM-controlled access
- Keep secrets out of code