Lowering AWS Secrets Manager Costs

I’ve seen people who already use AWS Secrets Manager consider switching to HashiCorp’s Vault because of the perceived costs.

It’s expensive to migrate your secret store entirely, so reducing Secrets Manager costs is often easier and faster.

First, you need to understand where the bulk of the Secrets Manager costs come from – storage.

In us-east-1, a single secret costs $0.40 to store. It costs an additional $0.40 for every region where you replicate the secret.

Most people don’t realize that while a single secret costs $0.40, it can contain key-value pairs.

For instance, you might have database credentials that look like this:

{
    "username": "",
    "password": "",
    "host": "",
    "database": "",
    "port": 5432
}

This is one distinct secret and costs $0.40, even though it contains 5 key-value pairs.

You can also use your consolidated secret when you need an ARN but only want a specific key from the secret, for example if I were using App Runner and wanted to pull just the host from the credentials. I recently wrote instructions on how to do that here.

Consolidate your secrets to one per application or service to quickly reduce AWS Secrets Manager costs without a costly migration.
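
As an added example (not code from the original post), this sketch plans the consolidation for an inventory of one-value-per-secret entries and compares storage cost before and after, using the $0.40 figure above. The `<env>/<service>/<key>` naming convention and the sample values are assumptions made for illustration; 65,536 bytes is the Secrets Manager limit for a single secret value.

```python
import json
from collections import defaultdict

PRICE_CENTS = 40            # storage price per secret quoted in the post (us-east-1)
MAX_SECRET_BYTES = 65536    # Secrets Manager size limit for one secret value

# Constructed sample, named <env>/<service>/<key> (naming is an assumption of this example).
SAMPLE = {
    "prod/billing/username": "billing_app",
    "prod/billing/password": "constructed-placeholder-1",
    "prod/billing/host": "billing-db.example.internal",
    "prod/billing/database": "billing",
    "prod/billing/port": "5432",
    "prod/search/api_key": "constructed-placeholder-2",
    "prod/search/endpoint": "https://search.example.internal",
}


def consolidate(inventory):
    """Group per-value secrets into one JSON secret per <env>/<service>."""
    grouped = defaultdict(dict)
    for name, value in inventory.items():
        service, _, key = name.rpartition("/")
        if not service or not key:
            raise ValueError(f"{name!r} does not match <env>/<service>/<key>")
        grouped[service][key] = value
    payloads = {}
    for service, pairs in grouped.items():
        body = json.dumps(pairs, sort_keys=True)
        if len(body.encode("utf-8")) > MAX_SECRET_BYTES:
            raise ValueError(f"{service!r} exceeds the per-secret size limit")
        payloads[service] = body
    return payloads


def storage_cost_cents(secret_count, regions=1):
    """Each secret is billed once per region it is stored or replicated in."""
    return secret_count * regions * PRICE_CENTS


def report(inventory, regions=1):
    after = len(consolidate(inventory))
    return {"secrets_before": len(inventory), "secrets_after": after,
            "cents_before": storage_cost_cents(len(inventory), regions),
            "cents_after": storage_cost_cents(after, regions)}


if __name__ == "__main__":
    print(report(SAMPLE, regions=2))
```

Any principal allowed to read a consolidated secret can read every key in it, so keep the grouping boundary at the application or service that actually needs all of those values.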

