Parameter Store vs Secrets Manager
The handling of secrets in AWS is up there with tabs vs spaces and vim vs emacs in terms of technical debates. In one corner we have Amazon’s original secrets store, Systems Manager Parameter Store. In the other is the new(er) challenger, Secrets Manager. Let’s see how they compare.
We won’t be looking at HashiCorp’s Vault in this comparison, because the focus of this post is to compare AWS’ managed services. This is one of those occasions where it is cheaper to accept some vendor lock-in and avoid the hassle of managing a cluster of Consul nodes.
This comparison won’t cover every little detail. We will stick to the key differences between the two tools with the aim of helping you choose the best one for your use case.
Round 1: Key Value Store
At the heart of both services is a managed key value store. You send your sensitive data to Amazon and they store it until you need it. Each value is referenced via a unique key that you define.
Both services allow you to name your secrets using simple strings. Parameter Store allows keys to be any mix of a-zA-Z0-9_.- up to 966 characters, while Secrets Manager’s limit is 512 unicode characters.
Parameter Store allows you to store your secrets in a hierarchy, which you build up using a path structure. So instead of simple names such as DB_URI you can use something more complex like /myapp/DB_URI. The Parameter Store API allows you to fetch all the values in the hierarchy with a single call. This is really handy when you have multiple values stored for an
Winner: Parameter Store for supporting hierarchical structures.
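As an added example (not code from the original post), here is how an application would pull a whole /myapp/ hierarchy with one logical call. GetParametersByPath returns at most 10 parameters per request, so the NextToken loop is what turns "one call" into the full tree; the boto3 SSM client is replaced by a constructed stub so the example runs offline.

```python
"""Fetch a Parameter Store hierarchy and flatten it into a config dict."""
from typing import Any, Dict, Protocol


class SsmClient(Protocol):
    """Duck-typed subset of boto3's SSM client used here."""
    def get_parameters_by_path(self, **kwargs: Any) -> Dict[str, Any]: ...


def load_hierarchy(ssm: SsmClient, path: str) -> Dict[str, str]:
    """Return {name_relative_to_path: value} for every parameter under path.

    WithDecryption=True makes SSM decrypt SecureString values for you; each
    SecureString costs one KMS Decrypt call, even when fetched in one request.
    """
    prefix = path.rstrip("/") + "/"
    kwargs: Dict[str, Any] = {"Path": prefix, "Recursive": True,
                              "WithDecryption": True, "MaxResults": 10}
    config: Dict[str, str] = {}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for param in resp.get("Parameters", []):
            # Strip the hierarchy prefix: /myapp/cache/TTL -> cache/TTL
            config[param["Name"][len(prefix):]] = param["Value"]
        token = resp.get("NextToken")
        if not token:
            return config
        kwargs["NextToken"] = token  # ask for the next page


class FakeSsm:
    """Constructed stand-in for boto3.client('ssm'): a two-page response."""
    PAGES = [
        {"Parameters": [
            {"Name": "/myapp/DB_URI", "Type": "SecureString", "Value": "postgres://db/app"},
            {"Name": "/myapp/DB_USER", "Type": "String", "Value": "app"}],
         "NextToken": "page-2"},
        {"Parameters": [
            {"Name": "/myapp/cache/TTL", "Type": "String", "Value": "300"}]},
    ]

    def __init__(self) -> None:
        self.calls = 0  # lets the caller see how many API requests were made

    def get_parameters_by_path(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls += 1
        return self.PAGES[1 if kwargs.get("NextToken") == "page-2" else 0]


if __name__ == "__main__":
    print(load_hierarchy(FakeSsm(), "/myapp"))
```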
Round 2: Storage Limitations
Both services allow users to store any unicode string. Standard SSM parameters are limited to 4 KB, while their advanced siblings can be up to 8 KB. Secrets Manager allows values up to 64 KB. Depending on your data storage needs, these limits may influence your choice of service.
Both services retain 100 revisions of your secret. That can be handy if someone accidentally overwrites the wrong value.
Winner: Secrets Manager for higher value limits
Round 3: Encryption
Both Parameter Store and Secrets Manager store your secrets in an encrypted state using KMS encryption keys. This ensures your sensitive credentials are kept secure.
Unlike Secrets Manager, Parameter Store allows you to decide whether you want your values to be stored unencrypted. While this isn’t advisable for secrets, it can be useful for non-sensitive information such as a modified timestamp, a checksum or another non-sensitive value. It reduces the number of KMS API calls and leads to faster response times. This makes it easier to use Parameter Store as your single solution for application configuration management.
Winner: Parameter Store for the extra flexibility
Round 4: Rotation
Rotating credentials can be a tedious task that can result in downtime. Amazon promotes the credentials rotation feature in Secrets Manager. This is mostly marketing hype. The feature is limited to databases and it is really just an easy way to deploy a Lambda function that does the rotation. There are similar Lambdas available to do this with Parameter Store.
Winner: Draw, we won’t reward over hyping features
Round 5: Cost
Parameter Store has two flavours of parameters, standard and advanced. Standard parameters don’t incur any monthly storage fees. Adding to the complexity there are two price tiers for interacting with the Parameter Store API, standard and high throughput. As you have already guessed you pay for the higher quotas. While standard is free, the high rate will cost you 0.05USD per 10000 interactions. The higher throughput is an account wide setting.
For advanced parameters you pay 0.05USD per parameter per month. You decide when creating a parameter whether it will be an advanced parameter. You pay 0.05USD per 10000 API interactions with advanced parameters. The one consolation is that you won’t pay extra for enabling high throughput when fetching advanced parameters.
With Secrets Manager you pay for everything. You will pay 0.40USD per secret per month, then 0.05USD per 10000 API interactions. The Secrets Manager API quotas are the highest of the 3 options.
On top of these costs, you will pay 0.03USD for 10000 KMS API requests. Even if you fetch multiple parameters in a single API call, you will pay to decrypt each one individually.
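To make the pricing above concrete, here is an added cost model (not from the original post) using the USD figures quoted in this round. It assumes that a Parameter Store GetParameters call can return up to 10 values, that Secrets Manager reads one secret per GetSecretValue call, and that every encrypted value read costs one KMS request regardless of batching.

```python
"""Monthly cost model for Parameter Store (standard/advanced) vs Secrets Manager."""
from dataclasses import dataclass

# Prices quoted in the post, all USD
KMS_PER_10K = 0.03            # KMS API requests, per 10,000
PS_ADVANCED_PER_PARAM = 0.05  # advanced parameter storage, per parameter-month
PS_API_PER_10K = 0.05         # advanced or high-throughput API calls, per 10,000
SM_PER_SECRET = 0.40          # Secrets Manager storage, per secret-month
SM_API_PER_10K = 0.05         # Secrets Manager API calls, per 10,000

PS_MAX_BATCH = 10  # assumption: GetParameters returns at most 10 values per call


@dataclass(frozen=True)
class Usage:
    secrets: int    # distinct values stored
    reads: int      # individual secret values read per month
    batch: int = 1  # values fetched per Parameter Store call (capped at PS_MAX_BATCH)

    def ps_calls(self) -> int:
        # Ceiling division: how many API calls the reads translate into
        return -(-self.reads // min(self.batch, PS_MAX_BATCH))

    def kms_cost(self) -> float:
        # Each encrypted value is decrypted individually, even when batched
        return KMS_PER_10K * self.reads / 10_000


def ps_standard(u: Usage, high_throughput: bool = False) -> float:
    """Standard parameters: no storage fee, API free unless high throughput is enabled."""
    api = PS_API_PER_10K * u.ps_calls() / 10_000 if high_throughput else 0.0
    return round(api + u.kms_cost(), 2)


def ps_advanced(u: Usage) -> float:
    """Advanced parameters: per-parameter storage plus per-call API fee."""
    storage = PS_ADVANCED_PER_PARAM * u.secrets
    return round(storage + PS_API_PER_10K * u.ps_calls() / 10_000 + u.kms_cost(), 2)


def secrets_manager(u: Usage) -> float:
    """Secrets Manager: storage plus one API call per value read (assumption)."""
    storage = SM_PER_SECRET * u.secrets
    return round(storage + SM_API_PER_10K * u.reads / 10_000 + u.kms_cost(), 2)


if __name__ == "__main__":
    # Constructed scenario: 10 secrets, 1M values read per month, fetched 10 at a time
    u = Usage(secrets=10, reads=1_000_000, batch=10)
    for name, fn in [("PS standard", ps_standard), ("PS advanced", ps_advanced),
                     ("Secrets Manager", secrets_manager)]:
        print(f"{name:16s} {fn(u):6.2f} USD/month")
```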
Winner: Parameter Store standard, because you can’t beat free.
There is no knock out winner in this contest. It is going to come down to a points decision. Our judges have awarded the win to Parameter Store.
While Secrets Manager can be a better fit for some use cases, often it is overkill. Unless you require the larger storage limits or very high throughput, you’re wasting money on Secrets Manager.
If you can work within the constraints of the standard tier of Parameter Store it is a very cost effective tool for managing your secrets and other application configuration.
Our earlier blog post on AWS Systems Manager Parameter Store is a great introduction for new users.