AWS Secrets Manager and Parameter Store both store configuration data, but Secrets Manager is designed for sensitive credentials and offers automated rotation, while Parameter Store is more general-purpose and can store plain text or encrypted values without rotation.
Let’s see this in action. Imagine you have a web application that needs to connect to a PostgreSQL database. Your application code lives in an EC2 instance.
First, you’d store your database username and password.
AWS Secrets Manager:
You create a secret. Secrets Manager prompts you for the database type (e.g., PostgreSQL), the master username, and password. It then generates a unique ARN for this secret, like arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-credentials-ABCDEF.
Your application code, running on the EC2 instance, would use the AWS SDK to retrieve this secret:
```python
import boto3
import json

client = boto3.client('secretsmanager')

# SecretId accepts either the secret's name or its full ARN
# (arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-credentials-ABCDEF);
# the -ABCDEF suffix belongs to the ARN, not to the name.
response = client.get_secret_value(
    SecretId='my-db-credentials'
)
# SecretString is the JSON document Secrets Manager built from the
# username and password entered when the secret was created
secret_string = response['SecretString']
secret_data = json.loads(secret_string)
db_username = secret_data['username']
db_password = secret_data['password']
print(f"Username: {db_username}")
# In a real app, you'd use this password to connect to the DB
```
The key here is SecretId. When you retrieve it, Secrets Manager returns a JSON string containing the username and password. It also handles the encryption of this secret at rest.
AWS Systems Manager Parameter Store:
You create a parameter. You can choose a String or SecureString type. For database credentials, you’d choose SecureString. You’d give it a name, like /myapp/database/credentials.
Then, you’d store the credentials, often as a JSON string:
```json
{
  "username": "my_db_user",
  "password": "my_super_secret_password"
}
```
Your application code would retrieve this parameter:
```python
import boto3
import json

client = boto3.client('ssm')
response = client.get_parameter(
    Name='/myapp/database/credentials',
    WithDecryption=True  # Important for SecureString: without it you get the ciphertext
)
parameter_value = response['Parameter']['Value']
# This value is a JSON string; parse it just like the Secrets Manager response
credentials = json.loads(parameter_value)
db_username = credentials['username']
db_password = credentials['password']
```
The primary difference in retrieval is the Name parameter for Parameter Store versus SecretId for Secrets Manager. Both return the value, but Secrets Manager is specifically built for secrets.
The problem Secrets Manager solves is managing the lifecycle of sensitive credentials. For instance, if your database password needs to change every 90 days, Secrets Manager can be configured to automatically rotate these credentials. It can even update the credentials in services like RDS or Redshift. Parameter Store, on the other hand, requires you to manually update the parameter value when it changes.
Internally, both services leverage AWS Key Management Service (KMS) for encryption. When you store a SecureString in Parameter Store or any secret in Secrets Manager, it’s encrypted using a KMS key. Secrets Manager provides a default AWS-managed KMS key for secrets if you don’t specify one, or you can use your own customer-managed key. Parameter Store also uses KMS for SecureString types.
The exact levers you control are the ARN/name of the secret/parameter, the KMS key used for encryption, and for Secrets Manager, the rotation period and the AWS services it can integrate with for automatic rotation. For Parameter Store, you can also set tiering (Standard or Advanced) which impacts cost and retrieval latency, with Advanced offering features like policy controls for parameter access.
A crucial distinction that often trips people up is how they handle versioning. Parameter Store has explicit versioning. When you update a parameter, a new version is created, and you can retrieve specific versions. Secrets Manager, by default, manages versions implicitly. When you update a secret, the new value becomes the current one, and older values are retained and accessible via their version IDs, but the primary retrieval mechanism points to the latest version unless you specify a VersionStage or VersionId. This implicit versioning in Secrets Manager is tied to its rotation capabilities, where each rotation creates a new version that can be promoted to become the current, usable secret.
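To make the rotation and versioning points above concrete, here is an added example that is not code from the original page. The retrieval helpers accept any client object exposing get_secret_value, so production code passes boto3.client('secretsmanager'); FakeSecretsManager is a constructed stand-in that simulates the AWSCURRENT/AWSPREVIOUS staging labels a rotation leaves behind, the secret name and the username/password fields follow the page, and the cache-then-refetch class is this example's own pattern for surviving a rotation that happens after the value was cached.

```python
import json

AWS_CURRENT, AWS_PREVIOUS = "AWSCURRENT", "AWSPREVIOUS"


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'): one secret,
    several versions, each carrying the staging label rotation assigns."""

    def __init__(self, secret_id, versions):  # versions: {vid: (label, dict)}
        self.secret_id, self.versions = secret_id, versions

    def get_secret_value(self, SecretId, VersionStage=AWS_CURRENT, VersionId=None):
        for vid, (label, data) in self.versions.items():
            if SecretId == self.secret_id and (VersionId == vid or
                    (VersionId is None and label == VersionStage)):
                return {"VersionId": vid, "VersionStages": [label],
                        "SecretString": json.dumps(data)}
        raise LookupError("ResourceNotFoundException")

    def rotate(self, new_vid, data):
        """Simulate a rotation: the old AWSCURRENT version becomes AWSPREVIOUS."""
        for vid, (label, old) in list(self.versions.items()):
            if label == AWS_CURRENT:
                self.versions[vid] = (AWS_PREVIOUS, old)
        self.versions[new_vid] = (AWS_CURRENT, data)


def get_db_credentials(client, secret_id, version_stage=AWS_CURRENT):
    """Fetch one version of the secret and check it has the fields we need."""
    resp = client.get_secret_value(SecretId=secret_id, VersionStage=version_stage)
    data = json.loads(resp["SecretString"])
    missing = {"username", "password"} - set(data)
    if missing:
        raise ValueError(f"{secret_id} is missing {sorted(missing)}")
    return data["username"], data["password"], resp["VersionId"]


class CachedCredentials:
    """Cache the secret to avoid an API call per connection, but refetch once
    when the database rejects it: rotation may have promoted a new version."""

    def __init__(self, client, secret_id):
        self.client, self.secret_id = client, secret_id
        self.cached = get_db_credentials(client, secret_id)

    def connect(self, connect_fn):
        try:
            return connect_fn(self.cached[0], self.cached[1])
        except PermissionError:  # stale cached password after a rotation
            self.cached = get_db_credentials(self.client, self.secret_id)
            return connect_fn(self.cached[0], self.cached[1])
```

Retrieving AWSPREVIOUS explicitly is what you do when inspecting an in-progress rotation; application code should keep asking for AWSCURRENT and refetch on an authentication failure, as connect does.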
While both can store sensitive data, the primary driver for choosing Secrets Manager is the need for automated credential rotation. If you just need to store a configuration value that isn’t a credential, or a credential that you will manually rotate, Parameter Store is generally simpler and more cost-effective.
The next thing you’ll likely explore is how to integrate these services with IAM policies to control precisely who or what can access your secrets and parameters.