Triggered by $0.40 per Secret


Last week, I ran into this tweet:

It kinda triggered me. Why would someone pay $0.40 per secret per month when you could just use AWS Parameter Store and store them as SecureStrings FOR FREE?

That’s what I use for oneiras.com, so I was determined to find out if I’d missed something.

Am I unknowingly paying per secret? Or is there actually a reason to use AWS Secrets Manager instead?

Turns out, there are a couple, but only if you really need them.


The Big One: Automated Secrets Rotation

This is where AWS Secrets Manager shines.

Some AWS services, like RDS (Relational Database Service) or Redshift, require credentials. When you create one of those, AWS can automatically store the credentials in Secrets Manager and rotate them automatically, updating both the database and the secret behind the scenes.

That’s the feature AWS calls managed rotation.

For other cases (like third-party APIs), you can use a Lambda rotation function to automate the refresh yourself — but you have to write and maintain that code.

If you don’t need that level of automation, though?

You’re paying a premium for convenience.


Bonus Features: Versioning & Auditing

Secrets Manager also gives you automatic versioning - if you overwrite a secret accidentally, you can roll it back to a previous version.

It integrates tightly with CloudTrail too, which helps with compliance audits.

But here’s the kicker:

You’re paying $0.40 per secret per month, plus $0.05 per 10,000 API calls.

Unless you absolutely need automatic rotation or audit compliance, it’s probably overkill.

Enter AWS Parameter Store

While digging into this, I learned that Parameter Store actually has two tiers: Standard and Advanced.

It’s not just for secrets - you can use it for any app configuration or parameter.

It lacks built-in rotation, but in the Advanced Tier, you can set parameter policies for expiration and get notified before a parameter expires.

You’d still rotate it manually, but it gives you a gentle nudge before things break.

Otherwise, it uses the same IAM access controls and integrates with CloudTrail for monitoring.
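As an added example (not code from this newsletter), here is what that expiration nudge looks like with boto3's SSM client: the `ssm` argument is assumed to be a `boto3.client("ssm")` passed in by the caller, and the parameter name is a placeholder.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed example: `ssm` is assumed to be a boto3 SSM client
# (boto3.client("ssm")); parameter names are placeholders.

def build_expiration_policies(expires_at: datetime, notify_before: int, unit: str = "Days") -> str:
    """Policies JSON for an Advanced-tier parameter: hard expiry plus advance notice."""
    stamp = expires_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return json.dumps([
        {"Type": "Expiration", "Version": "1.0",
         "Attributes": {"Timestamp": stamp}},
        {"Type": "ExpirationNotification", "Version": "1.0",
         "Attributes": {"Before": str(notify_before), "Unit": unit}},
    ])

def put_secret_with_expiry(ssm, name, value, ttl_days=90, notify_days_before=15):
    """Store a SecureString in the Advanced tier with an expiry and a reminder."""
    expires_at = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return ssm.put_parameter(
        Name=name, Value=value, Type="SecureString", Tier="Advanced",
        Overwrite=True,
        Policies=build_expiration_policies(expires_at, notify_days_before),
    )

def get_secret(ssm, name):
    """Read and decrypt a SecureString (needs ssm:GetParameter and kms:Decrypt)."""
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]

def rotation_due(policies_json: str, now: datetime) -> bool:
    """True once `now` is inside the ExpirationNotification window, i.e. time to rotate by hand."""
    expires_at, lead = None, timedelta(0)
    for policy in json.loads(policies_json):
        attrs = policy["Attributes"]
        if policy["Type"] == "Expiration":
            expires_at = datetime.strptime(
                attrs["Timestamp"], "%Y-%m-%dT%H:%M:%S.000Z").replace(tzinfo=timezone.utc)
        elif policy["Type"] == "ExpirationNotification":
            # Unit is "Days" or "Hours"; both map onto timedelta keyword arguments.
            lead = timedelta(**{attrs["Unit"].lower(): int(attrs["Before"])})
    return expires_at is not None and now >= expires_at - lead
```

The notification itself lands as an EventBridge event, so `rotation_due` is only the local check you would run when deciding whether a manual rotation is overdue.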


Standard vs. Advanced Tier (in a nutshell)

So if your app is small - 40 requests per second and under 10k parameters - Standard Tier is perfect.

When you outgrow it, you can switch to Advanced for better throughput and still pay a fraction of Secrets Manager pricing.


My Take

For oneiras.com, I’m sticking with Parameter Store (Standard Tier).

It’s free, fast enough, and simple to manage.

When things scale, I’ll bump a few parameters to Advanced Tier and still pay far less than Secrets Manager.

If you don’t need automated rotation or compliance guarantees, you probably don’t need Secrets Manager either.


How do you manage your secrets?

Hopefully not by committing them to Git. 😅

Cheers!

Evgeny Urubkov (@codevev)
