
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Secrets Manager enables you to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code. Also, you can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise.

Using AWS Secrets Manager you can inject your secrets into the code without hardcoding them, retrieving them in your code through some APIs, and they can be accessed without a password by anyone who has access to the machine (simply open a node / python console and invoke the APIs to read the secrets).

Also with environment variables you can inject your secrets into the code without hardcoding them, retrieving them in your code through some APIs (dotenv, process.env), and they can be accessed without a password by anyone who has access to the machine (with the env command).

Why should I use AWS Secrets Manager instead of simpler environment variables?

Andrean

Not sure why this question was closed, because it's an important thing to ask. The most important reason is that environment variables are available to any code running in your app, including untrusted third-party libraries. They also require you to manage the secrets _somewhere_, so that they can be deployed as environment variables. In most of the places that I've worked, this means a file that's stored somewhere, often without a well-defined security policy. – kdgregory Jan 16 '23 at 11:09
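To make the difference concrete, here is an added example (not code from the asker or from AWS) that reads a database credential through the Secrets Manager GetSecretValue API and keeps it out of the process environment, where the comment above notes any library could read it. The secret id `prod/app/db`, the JSON field names and the offline `FakeSecretsClient` are assumptions so the code runs without AWS access.

```python
# Added example: the secret id, JSON fields and FakeSecretsClient are assumptions.
import json
import os
from dataclasses import dataclass

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: keep the offline fake runnable
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Message"])
            self.response = error_response

@dataclass(frozen=True)
class DbCredential:
    username: str
    password: str

    def __repr__(self) -> str:  # never echo the password into logs or tracebacks
        return f"DbCredential(username={self.username!r}, password='***')"

def fetch_db_credential(secret_id: str, client=None) -> DbCredential:
    """Call GetSecretValue (authorised by the caller's IAM identity, logged in
    CloudTrail) and keep the value in this object, never in os.environ."""
    if client is None:
        import boto3  # real client; only needed outside the offline demo
        client = boto3.client("secretsmanager")
    try:
        resp = client.get_secret_value(SecretId=secret_id)
    except ClientError as err:
        raise RuntimeError(f"cannot read {secret_id}: "
                           f"{err.response['Error']['Code']}") from err
    data = json.loads(resp["SecretString"])
    return DbCredential(username=data["username"], password=data["password"])

class FakeSecretsClient:
    """Constructed stand-in for boto3's client so the example runs offline."""
    def __init__(self, store: dict):
        self._store = store

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._store:
            raise ClientError({"Error": {"Code": "ResourceNotFoundException",
                                         "Message": "not found"}}, "GetSecretValue")
        return {"SecretString": json.dumps(self._store[SecretId])}

def env_var_is_exposed(name: str) -> bool:
    """True when a value sits in the environment, readable by every library in the process and by `env`."""
    return name in os.environ
```

With a real client the same `fetch_db_credential` call only succeeds for an IAM identity that holds `secretsmanager:GetSecretValue` on that secret, which is the access control environment variables lack.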

1 Answer

I prefer SSM Parameter Store to Secrets, since it's easier to use, allows nesting values, and you can manually recall what was what with ease.
And of course you can have encrypted or non-encrypted values stored there, and especially given that Secrets Manager is just not fun to work with in general, I prefer SSMPS 10 times out of 10.

Randych