Key Takeaways
- You usually pick the one that matches your cloud — AWS Secrets Manager is the default managed secrets store on AWS; Azure Key Vault is the default on Azure. Both bind tightly to their platform's identity model, so on a single-cloud footprint the choice is normally settled by where your workloads already run.
- Different pricing models, not just different prices — AWS charges roughly $0.40 per secret per month plus a per-API-call fee (indicative; verify). Azure charges per operation (transaction) rather than per stored secret. Which is cheaper depends entirely on your secret count versus your call volume, so model both against your actual usage.
- Azure stores more than secrets — AWS Secrets Manager is secrets-focused and pairs with AWS Systems Manager Parameter Store for plain configuration. Azure Key Vault is broader: it stores secrets, cryptographic keys, and certificates in one service, with HSM-backed options on the Premium tier and Azure Managed HSM.
- For AI agents, neither alone is the answer — Both are stores that hand the secret to whatever authenticates, which is exactly the exposure to avoid with an LLM agent. The pattern is the cloud store behind a credential proxy that injects secrets outside the agent's reach. See our radar shortlist for the proxy layer.
Two clouds, two defaults
AWS Secrets Manager and Azure Key Vault are each the default managed secrets store on their own platform. On AWS, secrets go in Secrets Manager; on Azure, they go in Key Vault. Both are fully managed, both bind to their cloud's native identity model, and both remove the work of operating your own secrets infrastructure. For most teams on a single cloud, the choice is already made by where the workloads run.
That makes the interesting comparison less "which is better" and more "where do they actually differ." The real differences are four: the pricing model (AWS prices per secret per month, Azure prices per operation), the scope (AWS stores secrets only, Azure stores secrets, keys, and certificates), the built-in rotation approach, and the identity model (AWS IAM versus Microsoft Entra ID). Those four points decide everything that matters once your cloud is settled.
Pricing: per secret versus per operation
The two services price on different axes, which is why a flat "which is cheaper" answer does not exist. AWS Secrets Manager charges roughly $0.40 per secret per month plus a per-API-call fee, so your bill scales with how many secrets you store. Azure Key Vault charges per operation, a transaction model with no per-secret monthly fee, so your bill scales with how often you call it. Both figures here are indicative; confirm current rates on each provider's pricing page before you budget.
The practical takeaway is to model both against your real usage. A small number of secrets that your services read constantly tends to favour AWS's flat per-secret charge. A large catalogue of secrets that are read infrequently tends to favour Azure's per-operation model. On AWS, you can also push plain, non-sensitive configuration into Systems Manager Parameter Store, which keeps those values out of the per-secret line on the Secrets Manager bill.
Feature comparison
AWS Secrets Manager vs Azure Key Vault
| Feature | AWS Secrets Manager | Azure Key Vault |
|---|---|---|
| Platform & Identity | | |
| Native cloud | AWS, fully managed | Azure, fully managed |
| Identity model | Native AWS IAM policies and roles | Microsoft Entra ID (formerly Azure AD) |
| Best fit | AWS-native workloads | Azure-native workloads |
| Multi-cloud fit | Tied to AWS; no native cross-cloud story | Tied to Azure; no native cross-cloud story |
| Scope & Pricing | | |
| What it stores | Secrets only; pair with Parameter Store for plain config | Secrets, cryptographic keys, and certificates |
| Pricing model | Per secret per month (about $0.40, indicative) plus per-API-call charge | Per operation (transaction), no per-secret monthly fee |
| HSM-backed storage | Via AWS KMS / CloudHSM, not the Secrets Manager service itself | Premium tier and Azure Managed HSM |
| Certificate management | Use AWS Certificate Manager separately | Built in |
| Rotation & Operations | | |
| Built-in rotation | Automatic rotation via AWS Lambda functions | Supported, configured per object type; differs from the Lambda model |
| Self-managed infrastructure | None; AWS operates it | None; Azure operates it |
| Ecosystem integration | Deep across AWS services and SDKs | Deep across Azure services and SDKs |
Scope: secrets only versus secrets, keys, and certificates
AWS Secrets Manager is deliberately secrets-focused. It holds API keys, database credentials, and similar sensitive strings, and it expects you to use sibling AWS services for adjacent jobs: Parameter Store for plain configuration, AWS Certificate Manager for TLS certificates, and AWS KMS or CloudHSM for cryptographic key material. That separation keeps each service tight, at the cost of touching several services to cover the full surface.
Azure Key Vault takes the opposite approach and folds three object types into one service: secrets, cryptographic keys, and certificates. It also offers HSM-backed storage through the Premium tier and Azure Managed HSM for workloads with hardware-backed key requirements. If you want a single service spanning secrets, keys, and certs rather than wiring several together, that breadth is a genuine advantage of Key Vault.
Identity and rotation
Each service binds to its cloud's identity system, and that binding is most of why you would not casually run one from the other cloud. AWS Secrets Manager uses native AWS IAM policies and roles to decide who can read which secret. Azure Key Vault uses Microsoft Entra ID, formerly Azure Active Directory, for the same job. Both are mature, but they are not interchangeable, and crossing them means crossing an identity boundary.
Rotation also differs in mechanism. AWS Secrets Manager drives automatic rotation through AWS Lambda functions, with managed templates for common databases, so you can schedule hands-off credential rotation. Azure Key Vault supports rotation as well, but it is configured per object type rather than through the Lambda model, and the experience differs across secrets, keys, and certificates. If scheduled, automatic database-credential rotation is a priority, AWS's Lambda-based approach is one of its stronger points.
When neither alone fits
Both tools are excellent inside their own cloud and awkward outside it. The moment your footprint spans AWS and Azure, or AWS and on-premises, picking either cloud's default store forces the rest of your estate to authenticate across an identity boundary it was never designed to cross. You end up managing two stores with two identity models and no single source of truth.
For genuinely multi-cloud or hybrid setups, a platform-neutral secrets manager is the better answer. OpenBao and Infisical both run anywhere and present one consistent interface across clouds, which is the property neither AWS Secrets Manager nor Azure Key Vault can offer by design. That is a trade of cloud-native integration depth for cross-cloud consistency.
Which to choose
Choose AWS Secrets Manager if your workloads run on AWS. You get native IAM authorization, Lambda-driven automatic rotation, and tight integration with the rest of the AWS estate, and you can offload plain configuration to Parameter Store to keep the per-secret bill down.
Choose Azure Key Vault if your workloads run on Azure. You get Microsoft Entra ID authorization, one service covering secrets, keys, and certificates, HSM-backed options on the Premium tier, and per-operation pricing that can be cheaper when you store many secrets that are read infrequently.
Choose a platform-neutral manager such as OpenBao or Infisical if you are multi-cloud or hybrid, because neither cloud default crosses identity boundaries cleanly. And if you are choosing a store for AI agents specifically, the more important point is architectural: put whichever store you pick behind a credential proxy so your agents never hold the secret. We cover that pattern, and the open-source proxies that implement it, in the credential vaults for AI agents radar shortlist. For the broader field, including the self-hosted options, see HashiCorp Vault alternatives.
Which is cheaper, AWS Secrets Manager or Azure Key Vault?
It depends on your usage shape, because the two price on different axes. AWS Secrets Manager charges roughly $0.40 per secret per month plus a per-API-call fee, so cost scales with how many secrets you store. Azure Key Vault charges per operation (transaction) with no per-secret monthly fee, so cost scales with how often you call it. A few secrets read constantly tends to favour AWS's flat per-secret model; many secrets read rarely tends to favour Azure's per-operation model. These figures are indicative, so model both against your real secret count and call volume and verify current rates on each provider's pricing page.
Does Azure Key Vault store certificates as well as secrets?
Yes. Azure Key Vault is broader than AWS Secrets Manager: it stores secrets, cryptographic keys, and certificates in one service, with HSM-backed options on the Premium tier and through Azure Managed HSM. AWS Secrets Manager is secrets-focused; on AWS you would use AWS Certificate Manager for certificates and AWS KMS or CloudHSM for keys, and pair Secrets Manager with Systems Manager Parameter Store for plain configuration values. If you want one service covering all three object types, that is a point in Azure Key Vault's favour.
Can you use one of them across both AWS and Azure?
Technically you can call either service's API from anywhere, but neither is built for it. AWS Secrets Manager binds to AWS IAM and Azure Key Vault binds to Microsoft Entra ID, so using one cloud's store from the other means crossing identity boundaries, accepting cross-cloud latency, and giving up the native integrations that make each tool worthwhile. For a genuinely multi-cloud or hybrid footprint, a platform-neutral secrets manager such as OpenBao or Infisical is a better fit than stretching either cloud's default across both.
How does rotation differ between the two?
AWS Secrets Manager offers automatic rotation driven by AWS Lambda functions: you attach a rotation function, set a schedule, and AWS handles the rotation lifecycle, with managed templates for common databases. Azure Key Vault supports rotation too, but the mechanism is configured per object type rather than through the Lambda model, and the experience differs across secrets, keys, and certificates. If hands-off, scheduled credential rotation for databases is a priority and you are on AWS, Secrets Manager's Lambda-based rotation is one of its stronger selling points.
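To make the Lambda model concrete, here is an added example of the four-step rotation function shape Secrets Manager invokes (createSecret, setSecret, testSecret, finishSecret); it is not AWS's own template and not code from the original article. It assumes `client` is a boto3 `secretsmanager` client (or the constructed in-memory stand-in included below) and that `set_password` and `test_login` are hooks you write for your database.

```python
# Added example (not AWS's template): the four-step rotation function Secrets Manager invokes once
# per Step with one ClientRequestToken. `client` is a boto3 secretsmanager client or the stand-in below.
import json, secrets, string
from types import SimpleNamespace

CURRENT, PENDING = "AWSCURRENT", "AWSPENDING"

def rotate(event, client, set_password, test_login):  # the two hooks are assumed, app-specific
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    if token not in stages: raise ValueError("token is not a staged version of this secret")
    if CURRENT in stages[token]:
        return "already-current"          # a retried rotation finds nothing left to do
    if step == "createSecret":            # 1. mint the new password, store it as AWSPENDING
        try:                              # idempotent: a retry must not mint a second one
            client.get_secret_value(SecretId=arn, VersionId=token, VersionStage=PENDING)
        except client.exceptions.ResourceNotFoundException:
            cur = json.loads(client.get_secret_value(SecretId=arn, VersionStage=CURRENT)["SecretString"])
            cur["password"] = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
            client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                    SecretString=json.dumps(cur), VersionStages=[PENDING])
    elif step in ("setSecret", "testSecret"):
        pending = json.loads(client.get_secret_value(SecretId=arn, VersionId=token, VersionStage=PENDING)["SecretString"])
        if step == "setSecret":           # 2. apply the new password at the database
            set_password(pending)
        elif not test_login(pending):     # 3. never promote a credential that does not work
            raise RuntimeError("pending credential failed login; AWSCURRENT is unchanged")
    elif step == "finishSecret":          # 4. move the AWSCURRENT label to the new version
        old = next(v for v, s in stages.items() if CURRENT in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage=CURRENT,
                                           MoveToVersionId=token, RemoveFromVersionId=old)
    else:
        raise ValueError(f"unknown step {step!r}")
    return step

class FakeSecretsManager:  # constructed in-memory stand-in for the boto3 subset used above
    exceptions = SimpleNamespace(ResourceNotFoundException=KeyError)
    def __init__(self, current_json, token):  # the service stages `token` before step 1 runs
        self.values, self.stages = {"v0": current_json}, {"v0": [CURRENT], token: [PENDING]}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}
    def get_secret_value(self, SecretId, VersionStage, VersionId=None):
        vid = VersionId or next(v for v, s in self.stages.items() if VersionStage in s)
        return {"SecretString": self.values[vid]}  # KeyError when the version has no value yet
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)
```

The point to notice is that AWSCURRENT only moves in the final step, after the new credential has been tested, so a failure at any earlier step leaves the working credential in place.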
Which is better for AI agents?
Neither, on its own. Both are vaults that return the secret to whatever authenticates, which is precisely the exposure you want to avoid when an LLM agent is in the loop. The pattern that works is the cloud store behind a credential proxy that injects secrets outside the agent's reach, so the agent never holds the raw credential. Pick the store that matches your cloud, then put it behind a proxy. Our radar shortlist covers the proxy layer in detail.
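The credential proxy pattern described here and in the takeaways, as an added example that is not code from the original article or from any product in the radar shortlist: the agent names an upstream and a credential alias, the proxy resolves the alias in the store and attaches the header, and the raw credential never enters the agent's context. `STORE`, `ALLOWED` and the token value are constructed stand-ins for the cloud store and its access policy.

```python
# Added example of the credential proxy pattern (constructed; not any named product's code).
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STORE = {"github-token": "ghp_constructedExampleTokenValue0000"}   # stand-in for the cloud store
ALLOWED = {"github-token": {"api.github.com"}}  # alias -> the only hosts it may be sent to


class ProxyError(Exception):
    pass


@dataclass
class AgentRequest:          # everything the agent is allowed to say: no secret material
    method: str
    url: str
    credential_alias: str
    headers: dict = field(default_factory=dict)


@dataclass
class OutboundRequest:       # what the proxy sends upstream, credential attached
    method: str
    url: str
    headers: dict


def forward(req, store=STORE, allowed=ALLOWED):
    parts = urlsplit(req.url)
    if parts.scheme != "https":
        raise ProxyError("credentials travel over https only")
    # Binding each alias to an allow-list of hosts is what keeps a manipulated agent from
    # routing the credential to an arbitrary destination: it can only ask, never redirect.
    if parts.hostname not in allowed.get(req.credential_alias, ()):
        raise ProxyError(f"alias {req.credential_alias!r} is not permitted for {parts.hostname!r}")
    if any(k.lower() == "authorization" for k in req.headers):
        raise ProxyError("agent-supplied Authorization headers are rejected")
    secret = store[req.credential_alias]      # resolved on the proxy, never returned to the agent
    headers = {**req.headers, "Authorization": f"Bearer {secret}"}
    return OutboundRequest(req.method, req.url, headers)


def scrub(body, store=STORE):
    """Redact any store value an upstream happens to echo back before the agent sees it."""
    for value in store.values():
        body = body.replace(value, "[REDACTED]")
    return body
```

In a real deployment `STORE` is replaced by a call into Secrets Manager or Key Vault using the proxy's own cloud identity, which is the only principal that needs read access to the secret.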