Cost of secrets manager

0

I'd like to keep some secrets like API keys for external services in the secrets manager. I want them to be used by lambdas that are connected to API gateway routes. All seems reasonable, but the price for secrets manager really adds up. $0.40 per secret is maybe okay, I'd argue it should be more like $0.10. But the $0.05 per 10,000 really has the potential to add up. Think about how much more that costs than the lambda invocations themselves.

I'm wondering what are some alternatives for short-running, frequently-executed lambdas that need access to some securely-stored secret to access something outside of AWS. I'm also curious if anybody has any insight as to the price history of this service, and maybe some thoughts about why it's priced the way it is.

No specific problem here, I'm mostly just pondering. I really need to get some secrets OUT of secure env. variables because it makes it too much work to change them.

wz2b
asked 7 months ago, 1274 views
1 Answer
2

You could use SSM Parameter Store. Parameter Store gives you the ability to store secret strings: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html

My organization uses this for some of the API keys we need to store. I don't have any data on the pricing history of Secrets Manager but as far as I know, from the past 4 years working with AWS, Secrets Manager has not changed their pricing model.

answered 7 months ago
  • What are the arguments against using a SecureString in the parameter store instead of secrets manager? Is it just extra features (for example rotation)? Are there other implications?

  • They do the same thing with "air quotes." Secrets Manager has some extra features like rotation, as you stated. You could build your own logic to handle the features that Secrets Manager offers (like rotation, my organization does this) and use Parameter Store to save on costs.

  • I will check out SSM Parameter Store. I also wondered about just storing snippets in S3 and using KMS to encrypt them. I contemplated storing secrets as encrypted blobs in dynamo then using KMS but the KMS pricing isn't that different than secrets store.

    For lightly used secrets (less than 40 retrievals/second) SSM Parameter retrievals are free. I don't know if that limit is per-parameter but I don't think so - I think it's for the whole account. If you need more, the price goes up to the same $0.05 per 10,000 as the secret store. So price wise that's probably a wash. (Do I have this right?)
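
An added example, not code from anyone in this thread: the per-request charge discussed above applies to each retrieval, so a frequently invoked Lambda can keep the decrypted SecureString in memory across warm invocations and only call Parameter Store when a TTL expires or the external service rejects the key. This goes one step beyond what the thread covers (caching is an addition here); the parameter name, the 300-second TTL and the `call_service` callback are assumptions.

```python
import time

PARAM_NAME = "/example/external-api-key"  # hypothetical parameter name


def ssm_fetch(name):
    """One GetParameter request per call (needs boto3 and ssm:GetParameter)."""
    import boto3  # lazy import so the cache logic can be tested without AWS access
    resp = boto3.client("ssm").get_parameter(Name=name, WithDecryption=True)
    return resp["Parameter"]["Value"]


class SecretCache:
    """Keeps decrypted values in memory for `ttl` seconds per warm container."""

    def __init__(self, fetch=ssm_fetch, ttl=300.0, clock=time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._items = {}  # name -> (value, expiry on the injected clock)
        self.api_calls = 0  # number of requests actually sent to the store

    def get(self, name, force_refresh=False):
        cached = self._items.get(name)
        if cached and not force_refresh and self._clock() < cached[1]:
            return cached[0]
        value = self._fetch(name)  # the only place a store request is made
        self.api_calls += 1
        self._items[name] = (value, self._clock() + self._ttl)
        return value


CACHE = SecretCache()  # module scope: reused by every invocation of a warm container


def handler(event, context, cache=CACHE, call_service=None):
    """Lambda entry point. call_service(key) is a hypothetical client for the
    external service that returns an HTTP-style status code."""
    call_service = call_service or (lambda key: 200)  # constructed stand-in
    status = call_service(cache.get(PARAM_NAME))
    if status in (401, 403):
        # The key may have been changed in the store: refetch once and retry.
        status = call_service(cache.get(PARAM_NAME, force_refresh=True))
    return {"statusCode": status}
```

The decrypted value never leaves process memory, and changing the key in the store takes effect within one TTL or on the first rejected call, whichever comes first.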
