Key Takeaways
- Convenience vs power — AWS Secrets Manager is the path of least resistance inside one AWS account: native IAM integration, automatic rotation, and nothing to run. HashiCorp Vault is far more capable across clouds and backends, but you operate it yourself or pay for HashiCorp's managed HCP.
- Lock-in vs neutrality — Secrets Manager is proprietary and AWS-only, so it ties your secrets layer to one cloud. Vault is platform-neutral and runs on multi-cloud, hybrid, and on-prem. If your estate spans more than AWS, that neutrality is the deciding factor.
- Different kinds of dynamic secrets — AWS Secrets Manager rotates secrets on a schedule via Lambda functions. Vault generates short-lived credentials on demand across many backends, including databases, cloud IAM, and PKI. Rotation and on-demand generation are not the same thing.
- For AI agents, neither alone is enough — Both are stores that hand the secret to whatever authenticates. The agent pattern is a store behind a credential proxy that keeps the secret out of the agent's reach. See our radar shortlist for the proxy layer.
Convenience inside AWS, power across everything else
AWS Secrets Manager and HashiCorp Vault both store secrets, but they answer different questions. Secrets Manager is a proprietary, fully AWS-managed service. It integrates natively with AWS IAM, rotates secrets automatically through Lambda functions, and gives you nothing to run. Inside a single AWS account it is the path of least resistance.
HashiCorp Vault is platform-neutral. It runs across multi-cloud, hybrid, and on-prem environments, generates dynamic secrets across a wide set of backends, and offers leasing and revocation that Secrets Manager does not match. It is far more capable, and it is far more to operate, since you run it yourself or pay for HashiCorp's managed HCP. Vault is BUSL-1.1 source-available, and HashiCorp is now an IBM company. The decision is the classic trade between cloud-native convenience with lock-in and platform-neutral power with operational cost.
The platform question, in plain terms
AWS Secrets Manager only works inside AWS. That is its strength and its constraint. If your workloads live in AWS and authenticate with AWS IAM, the integration is seamless and the operational overhead is effectively zero. You never patch a server, manage high availability, or own an upgrade path. For non-secret configuration, you pair it with AWS Parameter Store, which is cheaper for plain values.
The moment your estate reaches beyond AWS, that convenience inverts into lock-in. Secrets Manager cannot be the single secrets layer for another cloud or an on-prem system. Vault was built for that reach: one platform-neutral secrets layer across providers, with auth methods and secrets engines for many of them. If an OSI-approved licence is also a requirement, OpenBao is the MPL-2.0 open fork of Vault and keeps the same platform neutrality.
Feature comparison
AWS Secrets Manager vs HashiCorp Vault
| Feature | AWS Secrets Manager | HashiCorp Vault |
|---|---|---|
| Platform & Lock-in | ||
| Platform reach | AWS-only, fully managed inside AWS | Multi-cloud, hybrid, and on-prem |
| Licence & ownership | Proprietary AWS service | BUSL-1.1 source-available; HashiCorp is now an IBM company |
| Native cloud IAM integration | Deep AWS IAM integration out of the box | Broad auth methods, including AWS, across clouds |
| Open-source option | None; proprietary | OpenBao is the MPL-2.0 open fork |
| Secrets Capabilities | ||
| Automatic rotation | Scheduled rotation via Lambda functions | Yes, plus on-demand generation |
| Dynamic secrets across backends | Rotation-focused; limited to AWS-integrated targets | On-demand generation across databases, cloud IAM, PKI, and more |
| Leasing & revocation | Versioning and rotation, not lease-based revocation | Leasing and revocation built in |
| Plain config storage | Pairs with AWS Parameter Store for non-secret config | KV engines handle config and secrets |
| Operations & Cost | ||
| Operational overhead | Zero infrastructure to run inside AWS | You operate it, or pay for managed HCP |
| Pricing model | About $0.40 per secret per month plus API-call charges (indicative; verify) | No per-secret fee; cost is infrastructure plus optional Enterprise/HCP |
| First-party managed SaaS | Fully managed by AWS | HCP managed options (roadmap in flux; verify) |
| Ecosystem breadth | Deep within AWS, thin outside it | Largest in the category, cloud-agnostic |
Where the capabilities diverge
Both store secrets and both rotate them, but they rotate differently. AWS Secrets Manager rotates on a schedule by invoking a Lambda function that changes the credential at the source and updates the stored value. That covers a large share of real use, such as rotating database passwords on AWS, with very little wiring.
Vault goes further. It generates short-lived credentials on demand across databases, cloud IAM, and PKI, then revokes them on lease expiry. Rotation and on-demand generation solve different problems: rotation replaces a long-lived secret periodically, while dynamic generation hands out a fresh, short-lived credential per request and reclaims it automatically. If your security model depends on per-request credentials across many systems, that is Vault's territory, and Secrets Manager does not reach it.
Operations, cost, and managed options
AWS Secrets Manager is fully managed, so there is no infrastructure to run. Pricing is about $0.40 per secret per month plus a per-10,000-API-calls charge. Those numbers are indicative; verify current AWS rates before you budget, since they change. At modest secret counts inside one AWS account, the zero-ops total cost is hard to beat.
Vault has no per-secret fee, but you pay for the infrastructure, the engineering time to operate it, and optionally for the commercial Enterprise tier or HashiCorp's managed HCP, whose roadmap has been in flux post-acquisition, so confirm current availability. Vault carries the largest ecosystem in the category and is cloud-agnostic; Secrets Manager's ecosystem is deep within AWS and thin outside it. The cost comparison therefore tracks the platform question: zero-ops and cheap inside AWS, more capable but more to run everywhere else.
Which to choose
Choose AWS Secrets Manager if your workloads live inside AWS and you want zero operational overhead. The native IAM integration, scheduled rotation, and fully managed model make it the path of least resistance, and at modest scale it is the cheaper total. Pair it with Parameter Store for plain configuration.
Choose HashiCorp Vault if you run across multiple clouds or hybrid and on-prem systems, or if you need dynamic secrets generated on demand across many backends with leasing and revocation. Vault is far more capable and platform-neutral, at the cost of running it yourself or paying for HCP. If you want the same neutrality under an OSI-approved licence, OpenBao is the open fork.
If you are choosing a secrets backend for AI agents specifically, the platform answer comes first (Secrets Manager inside AWS, Vault or OpenBao across clouds), but the more important point is architectural: put whichever store you choose behind a credential proxy so your agents never hold the secret. We cover that pattern, and the proxies that implement it, in the credential vaults for AI agents radar shortlist. For the broader field, including the open-source forks, see HashiCorp Vault alternatives and OpenBao vs HashiCorp Vault.
Is AWS Secrets Manager cheaper than HashiCorp Vault?
It depends on scale and where you run. AWS Secrets Manager charges roughly $0.40 per secret per month plus a per-10,000-API-calls fee, with no servers to maintain, so at low secret counts it is cheap and effectively zero-ops. Vault has no per-secret fee, but you pay for the infrastructure to run it, the engineering time to operate it, and optionally for Enterprise or managed HCP. At thousands of secrets or across many clouds, Vault's flat model can win; inside one AWS account at modest scale, Secrets Manager is usually the cheaper total. Treat all pricing as indicative and verify current AWS rates before you budget.
Can AWS Secrets Manager do dynamic secrets like Vault?
Not in the same way. AWS Secrets Manager rotates secrets on a schedule by invoking a Lambda function that changes the credential at the source and updates the stored value. That is rotation, and it works well for things like database passwords on AWS. HashiCorp Vault goes further: it generates short-lived credentials on demand across many backends, including databases, cloud IAM, and PKI, and revokes them on lease expiry. If you need credentials created per request and torn down automatically across a range of systems, that is Vault's domain, not Secrets Manager's.
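The scheduled-rotation mechanism described in "Where the capabilities diverge" and in this answer is a four-step Lambda contract (createSecret, setSecret, testSecret, finishSecret) driven by the AWSPENDING and AWSCURRENT staging labels. The example below is added here and is not code from this page or from AWS; it implements that state machine and runs it against a constructed in-memory stand-in for the boto3 client and for the database whose password rotates, so it executes offline. The secret ARN, version ids, and the `app_user` account are constructed values.

```python
"""AWS Secrets Manager rotation-Lambda state machine, run against constructed in-memory stand-ins."""
import json
import secrets

class FakeSecretsManager:  # constructed stand-in for boto3.client('secretsmanager'): same call shapes, no AWS
    def __init__(self, current_value):
        self.versions = {"v0": {"stages": ["AWSCURRENT"], "value": current_value}}
    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {vid: v["stages"] for vid, v in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionStage="AWSCURRENT", VersionId=None):
        for vid, v in self.versions.items():
            if vid == VersionId or (VersionId is None and VersionStage in v["stages"]):
                return {"SecretString": v["value"]}
        raise LookupError("ResourceNotFoundException")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {"stages": list(VersionStages), "value": SecretString}
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId]["stages"].remove(VersionStage)
        self.versions[MoveToVersionId]["stages"].append(VersionStage)
        if VersionStage == "AWSCURRENT":  # AWS relabels the demoted version AWSPREVIOUS
            self.versions[RemoveFromVersionId]["stages"].append("AWSPREVIOUS")

def _load(client, arn, **kw):
    return json.loads(client.get_secret_value(SecretId=arn, **kw)["SecretString"])

def lambda_handler(event, context, client, db):
    """Secrets Manager invokes the rotation function once per Step, in this order."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step == "createSecret":  # stage a candidate as AWSPENDING; the source is untouched
        cand = dict(_load(client, arn), password=secrets.token_urlsafe(24))
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(cand), VersionStages=["AWSPENDING"])
    elif step == "setSecret":  # change the credential at the source to the pending value
        pend = _load(client, arn, VersionId=token, VersionStage="AWSPENDING")
        db[pend["username"]] = pend["password"]
    elif step == "testSecret":  # prove the pending credential works before promoting it
        pend = _load(client, arn, VersionId=token, VersionStage="AWSPENDING")
        if db.get(pend["username"]) != pend["password"]:
            raise RuntimeError("pending credential rejected at source; rotation halted")
    elif step == "finishSecret":  # promote AWSPENDING to AWSCURRENT; old version becomes AWSPREVIOUS
        stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
        current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token, RemoveFromVersionId=current)

def run_rotation(client, db, arn="arn:aws:secretsmanager:::secret:example", token="v1"):
    # Drive the four steps as Secrets Manager would; returns the credential now marked AWSCURRENT
    for step in ("createSecret", "setSecret", "testSecret", "finishSecret"):
        lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, None, client, db)
    return _load(client, arn)
```

Note that the stored value is only promoted after the testSecret step has confirmed the new password works at the source, which is what keeps a failed rotation from leaving AWSCURRENT pointing at a dead credential.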
What about multi-cloud or hybrid environments?
This is the clearest dividing line. AWS Secrets Manager is AWS-only, so it cannot be your single secrets layer across other clouds or on-prem systems. HashiCorp Vault is platform-neutral and runs on multi-cloud, hybrid, and on-prem, with auth methods and secrets engines for many providers. If your estate spans more than AWS, Vault (or its open fork OpenBao) is the platform-neutral choice; using Secrets Manager would leave you with a separate secrets tool per cloud.
AWS Secrets Manager vs Parameter Store: which do I use?
They solve different problems and are often used together. Parameter Store holds plain configuration and non-sensitive values and is cheaper for that role. Secrets Manager is purpose-built for secrets, with automatic rotation tooling that Parameter Store lacks. A common AWS pattern is Parameter Store for config and Secrets Manager for credentials that need rotation. Choosing Secrets Manager over Vault is a separate decision about platform reach and capability, not about Parameter Store.
Which is better for AI agents?
Neither, on its own, solves the agent credential problem. Both AWS Secrets Manager and Vault are stores that return the secret to whatever authenticates, which is exactly the exposure you want to avoid with an LLM agent. The pattern that works is the store behind a credential proxy that injects secrets outside the agent's reach. Pick the store on platform grounds (Secrets Manager inside AWS, Vault or OpenBao across clouds), then put a proxy in front of it. Our radar shortlist covers the proxy layer in detail.