Secrets Management With AWS Secrets Manager and HashiCorp Vault: What a DevOps Engineer Implements in 2026

Component 1: Central Secrets Store (AWS Secrets Manager or Vault)

A DevOps engineer creates the central secrets store and migrates all existing credentials into it. For AWS Secrets Manager: each secret is created with a descriptive name (prod/database/postgres, prod/stripe/api-key), tagged with the owning service and environment, and assigned an IAM resource policy defining which service roles can read it.

For Vault: the secret engine (KV v2 for static secrets, database engine for dynamic credentials) is configured, secrets are organised by path (secret/prod/database, secret/prod/stripe), and access policies are defined per application.

Component 2: Application Integration (SDK or Sidecar)

Applications read secrets from the central store at startup rather than from environment variables. For AWS Secrets Manager: the AWS SDK call (GetSecretValue) is integrated into the application's configuration loading code. The application IAM role has GetSecretValue permission on the specific secret ARN.

For Vault with Kubernetes: the Vault Agent Sidecar Injector runs as a sidecar container in each pod and writes secrets to a shared volume. The application reads secrets from the filesystem path rather than calling the Vault API directly. This approach requires no Vault SDK changes to the application code.

Component 3: External Secrets Operator (for Kubernetes)

The External Secrets Operator (ESO) is a Kubernetes controller that reads secrets from AWS Secrets Manager or Vault and creates Kubernetes Secrets automatically. A DevOps engineer installs ESO via Helm, configures a SecretStore resource pointing to the secrets backend, and creates ExternalSecret resources that define which external secrets map to which Kubernetes Secrets.

Benefit: the application continues to read secrets from Kubernetes Secrets (standard pattern, no code changes), but the values are sourced from the managed secrets store and kept in sync. ESO replaces manually managed Kubernetes Secrets entirely.

Component 4: Automatic Rotation Configuration

Secrets that do not rotate are permanently compromised once leaked. A DevOps engineer configures automatic rotation for all credentials that support it.

For AWS Secrets Manager: RDS database passwords are rotated on a configurable schedule (every 30, 60, or 90 days). AWS Secrets Manager calls the rotation Lambda function, which creates a new password in the database, updates the secret, and verifies the new credential works. Applications reading the secret via the SDK automatically get the new value on the next read.

For Vault dynamic secrets: the database secret engine generates a new database user with a short TTL (e.g. 1 hour) on each request. When the TTL expires, Vault revokes the credential. No rotation is needed because each credential is short-lived by design.

Component 5: Secrets Scanning in CI/CD Pipeline

Even with a central secrets store, developers sometimes accidentally commit credentials to source code. A DevOps engineer integrates secrets scanning into the CI/CD pipeline: GitGuardian or TruffleHog scans every commit and pull request for credential patterns (AWS access key format, private key headers, database connection strings). Detected credentials fail the pipeline and alert the security team.

Pre-commit hooks (using detect-secrets or gitleaks) add a client-side check that catches credentials before they reach the remote repository. This is the last line of defence against accidental credential exposure.

Decision factor

AWS Secrets Manager

HashiCorp Vault

Cloud strategy

AWS-only deployments

Multi-cloud or hybrid

Kubernetes secrets (Pods)

IRSA + AWS SDK or ESO

Vault Agent Sidecar or ESO

Database credential rotation

Built-in Lambda rotation for RDS

Dynamic secrets (short-lived, auto-revoked)

PKI / TLS certificate management

ACM (separate service)

Vault PKI secret engine (built-in)

SSH access management

Not supported

Vault SSH secret engine

Audit logging

CloudTrail for API calls

Vault audit log (every secret access)

Setup complexity

Low (AWS console + Terraform)

Medium to high (Vault cluster + policies)

Monthly cost

$0.40/secret/month

HCP Vault or self-hosted (DevOps time)

SOC 2 / ISO 27001 evidence

CloudTrail + Secrets Manager console

Vault audit log + policy export

Right for most SaaS

Yes (1-20 services, AWS-native)

Yes (multi-cloud, Kubernetes, complex auth)

Region / model

In-house DevOps

Eastern Europe agency

Acquaint Softtech ($22/hr)

UK

GBP 80,000-110,000/yr

GBP 60-80/hr

$22/hour | $3,200/month

Germany / DACH

EUR 90,000-120,000/yr

EUR 70-90/hr

$22/hour | $3,200/month

Netherlands / Benelux

EUR 85,000-115,000/yr

EUR 65-85/hr

$22/hour | $3,200/month

France / Southern EU

EUR 70,000-100,000/yr

EUR 55-75/hr

$22/hour | $3,200/month

US

$130,000-180,000/yr

$80-110/hr

$22/hour | $3,200/month

Secrets management scope

Cost at $22/hour

What is delivered

AWS Secrets Manager setup (5-15 secrets)

2 to 3 days: $352 to $528

SecretStore creation, IAM policies, application SDK integration, ESO for Kubernetes

AWS Secrets Manager + RDS rotation

3 to 4 days: $528 to $704

Full setup + automatic RDS password rotation Lambda, rotation schedule, verification

HashiCorp Vault on EKS (HCP or self-hosted)

4 to 7 days: $704 to $1,232

Vault setup, secret engines, AppRole/Kubernetes auth, policies, Vault Agent Sidecar

External Secrets Operator for Kubernetes

1 to 2 days: $176 to $352

ESO installed, SecretStore configured, ExternalSecret resources per service

Secrets scanning in CI/CD (GitGuardian + pre-commit)

1 to 2 days: $176 to $352

GitGuardian integration, pre-commit hooks, historical repo scan, findings remediation

Full secrets management stack (all 5 components)

8 to 14 days: $1,408 to $2,464

Complete: central store, app integration, ESO, rotation, scanning

Monthly retainer (secrets + DevSecOps)

$3,200/month

Ongoing: secret rotation monitoring, new service onboarding, rotation failures, audits