It looks like both AWS Secrets Manager and AWS System Manager Parameter Store are doing similar things, which is to store secrets. When do you choose one over the other?
2 Answers
Hi Krishamohan,
I think they both started out life to do different things but seem to have converged in use cases. Parameter Store is integrated with Secret Manager now so they do overlap. A potential scenario I can see is just the ability to segment access to certain things. Let’s say we give our DevOps engineers access to Parameter Store to keep all sorts of environment variables that need to be referenced.
But maybe we keep our Secret Manager restricted to just our Security Team. They store and rotate passwords for RDS instances there. So, you could create a pretty nice segregation of duties there without having to share the DBA credentials with the DevOps engineers. Similarly, the Security Team could be walled off from access to the RDS instances.
–Scott
Just curious, I’m seeing a distinction between the two services as being cost related. Secrets Manager costs per secret per month, while parameter store provides up to 10,000 standard parameters at no additional cost. This would seem to be a reason to choose one over the other correct?
With SSM Parameter Store You can automate tasks. i.e if Parameter value is changed, You can run SSM automation document that propagate this new value on specified resources.
Secrets lifecycle – Secrets Manager (not application config)
Parameter Store can do both.