Self-Hosted Alternatives to AWS Secrets Manager
Why Replace AWS Secrets Manager?
AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls. At 100 secrets with moderate API usage, you’re paying $40-60/month. At 500 secrets, it’s $200+/month. The cost scales linearly with the number of secrets you manage.
Updated February 2026: Verified with latest Docker images and configurations.
Key concerns:
| Issue | Impact |
|---|---|
| Per-secret pricing | $0.40/secret/month adds up fast as infrastructure grows |
| API call costs | $0.05 per 10,000 calls — high-frequency apps pay more |
| AWS lock-in | Tight coupling with AWS IAM, Lambda, RDS — hard to migrate |
| Multi-cloud friction | Workloads outside AWS can call the API only with AWS IAM credentials, so teams on GCP or Azure end up running a second secrets store |
| Compliance | Some regulations require secrets to remain on-premises |
| Outage risk | AWS regional outages can block secret access across your entire application |
Best Alternatives
HashiCorp Vault — Best Overall Replacement
Vault is the industry standard for secrets management. It provides dynamic secrets (auto-generated credentials), secret rotation, encryption as a service, PKI certificate management, and fine-grained access policies. It’s cloud-agnostic and runs on any infrastructure.
Why it wins: Vault covers every AWS Secrets Manager feature and adds dynamic secrets, transit encryption, and multi-cloud support. The Community Edition is free to self-host and is sufficient for most teams; note that since August 2023 Vault is licensed under the Business Source License rather than MPL 2.0, and the OpenBao fork exists for teams that require an OSI-approved open-source license.
| Feature | AWS Secrets Manager | HashiCorp Vault |
|---|---|---|
| Cost (100 secrets) | ~$40/month + API calls | No license fee (self-hosted Community Edition); you pay for the servers |
| Cost (500 secrets) | ~$200/month + API calls | No license fee (self-hosted Community Edition); you pay for the servers |
| Secret rotation | Automatic (Lambda-based) | Built-in for database static roles, plus custom rotation |
| Dynamic secrets | No | Yes (database, cloud IAM, PKI) |
| Multi-cloud | AWS only | Any cloud + on-prem |
| Encryption as a service | No (use KMS separately) | Yes (Transit engine) |
| Audit logging | CloudTrail | Built-in audit devices (file, syslog, socket) |
| Access control | IAM policies | Path-based policies + auth methods (OIDC, Kubernetes, AppRole, AWS IAM); namespaces are Enterprise-only |
[Read our full guide: How to Self-Host HashiCorp Vault]
Infisical — Best for Application Teams
Infisical is a modern secrets management platform focused on developer experience. It provides environment-specific secrets, native Docker/Kubernetes integrations, CI/CD pipeline injection, and a clean dashboard. It’s simpler to set up than Vault and purpose-built for application secrets.
Why it fits: If you use AWS Secrets Manager primarily for application environment variables and API keys (not infrastructure secrets like database credentials), Infisical provides a better developer workflow with native .env file support, secret versioning, and team collaboration features.
[Read our full guide: How to Self-Host Infisical]
Migration Guide
Exporting from AWS Secrets Manager
Use the AWS CLI to export the current version (AWSCURRENT) of every secret to a file. Secret names commonly contain `/`, which the shell would treat as directories, so the loop rewrites them; the files hold plaintext secrets, so create them readable only by you and delete them once the import is verified:

```bash
umask 077          # export files are plaintext secrets: owner-only permissions
mkdir -p secrets

# List all secret names (the CLI pages through the full list itself; names cannot
# contain whitespace, so word-splitting the text output is safe)
aws secretsmanager list-secrets --query 'SecretList[].Name' --output text

# Export each secret; keep SecretBinary too, or binary secrets are silently lost
for secret in $(aws secretsmanager list-secrets --query 'SecretList[].Name' --output text); do
  aws secretsmanager get-secret-value --secret-id "$secret" \
    --query '{Name: Name, SecretString: SecretString, SecretBinary: SecretBinary}' \
    --output json > "secrets/${secret//\//__}.json"   # prod/db -> secrets/prod__db.json
done
```
Importing into Vault
Many AWS secrets are JSON objects (the `{"username": ..., "password": ...}` shape that RDS rotation uses). Store those as individual KV fields rather than one JSON string, and hand the data to Vault through a file instead of command-line arguments so values do not appear in `ps` output or shell history:

```bash
umask 077
# Enable the KV secrets engine (version 2 keeps a version history per secret)
vault secrets enable -version=2 kv

# Import each secret
for file in secrets/*.json; do
  name=$(jq -r '.Name' "$file")
  # JSON-object SecretString -> one field per key; other strings -> "value";
  # binary secrets -> "value_base64" (the AWS API already returns them base64-encoded)
  jq '.SecretString as $s | ($s | try fromjson catch null) as $obj
      | if ($obj | type) == "object" then $obj
        elif $s != null then {value: $s}
        else {value_base64: .SecretBinary} end' "$file" > "$file.kv"
  vault kv put "kv/$name" @"$file.kv"   # @file reads the key/value pairs from disk
done
```
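For migrations where the shell loop is not enough (binary secrets, a dry run before writing, protection against overwriting a secret that already exists in Vault), the same import can be scripted. The following is an added example, not code from this article or from HashiCorp: it reads the exported files (the `Name`/`SecretString`/`SecretBinary` fields that `get-secret-value` returns, and also accepts a `Value` field), turns JSON-object secrets into separate KV fields, carries binary secrets as base64, and writes each one through the KV v2 HTTP API with `cas=0`, which makes Vault reject the write if the path already holds a version. The mount name `kv`, the field names `value` and `value_base64`, the `VAULT_WRITE` opt-in variable and the sample records are this example's own assumptions.

```python
"""Load secrets exported from AWS Secrets Manager and write them into Vault
KV v2 through its HTTP API, expanding JSON-object secrets into fields."""
import base64
import glob
import json
import os
import re
import sys
import urllib.request

KV_MOUNT = "kv"   # assumes `vault secrets enable -version=2 kv`

# Constructed records in the shape `aws secretsmanager get-secret-value`
# returns; none of these values are real credentials.
SAMPLE_EXPORT = [
    {"Name": "prod/db/postgres",
     "SecretString": '{"username": "app", "password": "constructed", "port": 5432}'},
    {"Name": "prod/api/stripe-key", "SecretString": "sk_test_constructed"},
    {"Name": "prod/tls/keystore", "SecretString": None,
     "SecretBinary": base64.b64encode(b"\x00\x01 constructed bytes").decode()},
]


def vault_api_path(aws_name: str) -> str:
    """AWS names use '/' for hierarchy and so does KV v2, so the layout is kept.
    The CLI path kv/<name> is kv/data/<name> on the API."""
    cleaned = re.sub(r"/+", "/", aws_name.strip("/"))
    if not re.fullmatch(r"[A-Za-z0-9/_+=.@-]+", cleaned):
        raise ValueError(f"unexpected characters in secret name: {aws_name!r}")
    return f"{KV_MOUNT}/data/{cleaned}"


def to_kv_fields(record: dict) -> dict:
    """Build the KV v2 'data' object for one exported record:
    a JSON-object SecretString becomes one field per key (apps then read
    'password' directly instead of parsing JSON out of 'value'), any other
    SecretString goes under 'value', and SecretBinary, which the AWS API
    already returns base64-encoded, is kept base64 under 'value_base64'."""
    fields = {}
    # 'Value' is what an export using --query '{Name: Name, Value: SecretString}'
    # produces; raw get-secret-value output uses 'SecretString'.
    raw = record.get("SecretString")
    if raw is None:
        raw = record.get("Value")
    if raw is not None:
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            parsed = None
        fields = dict(parsed) if isinstance(parsed, dict) else {"value": raw}
    if record.get("SecretBinary"):
        base64.b64decode(record["SecretBinary"], validate=True)  # reject junk early
        fields["value_base64"] = record["SecretBinary"]
    if not fields:
        raise ValueError(f"{record['Name']}: neither SecretString nor SecretBinary")
    return fields


def plan(records) -> list:
    """Dry run: (api_path, fields) for every record; nothing is written."""
    return [(vault_api_path(r["Name"]), to_kv_fields(r)) for r in records]


def load_export(directory: str) -> list:
    """Read the per-secret JSON files written by the aws CLI export loop."""
    records = []
    for path in sorted(glob.glob(os.path.join(directory, "*.json"))):
        with open(path) as f:
            records.append(json.load(f))
    return records


def write_kv(vault_addr: str, token: str, api_path: str, fields: dict) -> int:
    """POST one secret. cas=0 makes KV v2 refuse the write if the path already
    holds a version, so a re-run cannot silently overwrite a hand-edited
    secret. Returns the version number Vault assigned."""
    body = json.dumps({"options": {"cas": 0}, "data": fields}).encode()
    req = urllib.request.Request(
        f"{vault_addr}/v1/{api_path}", data=body, method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]["version"]


if __name__ == "__main__":
    records = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for api_path, fields in plan(records):
        print(api_path, sorted(fields))            # field names only, never values
        if os.environ.get("VAULT_WRITE") == "1":   # opt in to the real write
            write_kv(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                     api_path, fields)
```

Run it as `python3 migrate.py secrets/` to see the plan, then `VAULT_WRITE=1 VAULT_ADDR=https://vault.example:8200 VAULT_TOKEN=... python3 migrate.py secrets/` to write. A second run fails on every path that was already written, which is the intended signal that the cutover has happened and the export directory can be destroyed.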
Importing into Infisical
Use the Infisical CLI. Values given as command-line arguments end up in shell history and process listings, so prefix the command with a space under `HISTCONTROL=ignorespace` and treat anything entered this way as exposed until it is rotated:

```bash
# Log into your Infisical instance
infisical login
# Link the current directory to a project (writes .infisical.json)
infisical init
# Set secrets in the production environment
infisical secrets set --env=production KEY1=value1 KEY2=value2
```
What transfers: secret names and current values (`get-secret-value` returns the AWSCURRENT version only, so older versions stay behind in AWS). What doesn't transfer: IAM policies (recreate them as Vault policies; an IAM statement allowing `secretsmanager:GetSecretValue` on `prod/db/*` becomes a Vault stanza such as `path "kv/data/prod/db/*" { capabilities = ["read"] }`), Lambda rotation functions (reimplement them with Vault's database engine), and CloudTrail history (Vault's audit log starts at cutover). Once the import is verified, delete the plaintext export files (`shred -u secrets/*`) and rotate any value that passed through a command line.
Cost Comparison
| Secrets | AWS Secrets Manager | Vault (Self-Hosted) | Infisical (Self-Hosted) |
|---|---|---|---|
| 50 secrets | ~$20/month | $0 | $0 |
| 100 secrets | ~$40/month | $0 | $0 |
| 500 secrets | ~$200/month | $0 | $0 |
| 1,000 secrets | ~$400/month | $0 | $0 |
| API calls | $0.05/10K calls | No per-call charge | No per-call charge |
| Server cost | Included | ~$10-20/month VPS (single node) | ~$10-20/month VPS (single node) |
| Annual (500 secrets) | ~$2,400/year | ~$120-240/year | ~$120-240/year |
The self-hosted figures assume one node. The 3-5 node HA cluster recommended below multiplies the server cost accordingly, and operator time for patching, backups and upgrades is not counted.
What You Give Up
- AWS-native integration: Secrets Manager works with RDS, Lambda, ECS, and other AWS services through IAM. Vault's AWS auth method lets EC2, ECS and Lambda workloads log in with their IAM identity, but you still configure that method plus sidecar injectors or init containers to deliver the secret
- Managed rotation: AWS runs the rotation Lambda and the RDS credential rotation for you. Vault's database engine rotates static roles and issues dynamic credentials, but you run and upgrade the servers behind it
- Zero infrastructure management: AWS Secrets Manager is fully managed. Self-hosted solutions require you to maintain high availability, backup, and disaster recovery
- Cross-region replication: AWS replicates secrets across regions automatically (each replica is billed as an additional secret). Vault's performance and DR replication are Enterprise features; the Community Edition gets off-site redundancy by shipping Raft snapshots (`vault operator raft snapshot save`) to another region and restoring them there
- Compliance certifications: AWS carries SOC 2, ISO 27001, and HIPAA attestations for the service. A self-hosted deployment sits inside your own audit scope, so you produce the evidence (hardening, backups, access reviews, audit log retention) yourself
FAQ
Can Vault automatically rotate database credentials like AWS Secrets Manager does?
Yes, in two ways. Vault's database secrets engine can issue dynamic credentials: a short-lived database user created on request, attached to a lease that Vault revokes when the TTL expires or when the lease is revoked early. Because every consumer gets its own user, a leaked credential has a bounded lifetime and an unambiguous owner in the audit log, which scheduled rotation of one shared credential cannot offer. The application has to be written for it, though: it must request credentials through Vault and renew or re-fetch them before the lease ends. For applications that read a fixed username and password once at startup, the same engine's static roles rotate the password of an existing database user on a schedule, which is the closer match to the AWS Lambda rotator.
How do I inject Vault secrets into Docker containers without hardcoding them?
Use the Vault Agent sidecar or init container pattern. Vault Agent authenticates with Vault, retrieves secrets, and renders them into a file on a shared volume that your application container reads, re-rendering when the secret changes. For Kubernetes, the Vault Agent Injector (a mutating webhook that adds the sidecar), the Vault CSI provider, or the Vault Secrets Operator handles injection natively.
Is Infisical easier to set up than Vault for a small team?
Significantly easier. Infisical deploys as a single Docker Compose stack and provides a web dashboard for managing secrets by environment (dev, staging, production). Vault requires understanding seal/unseal, storage backends, and policy language. For teams managing application secrets (not infrastructure secrets), Infisical is the practical choice.
Can Vault handle multi-cloud environments where we use both AWS and GCP?
Yes — this is Vault’s primary advantage over cloud-native solutions. Vault’s secrets engines generate dynamic credentials for AWS IAM, GCP service accounts, Azure, and databases from a single interface. One Vault instance manages secrets across all cloud providers, eliminating per-cloud secrets management tools.
What happens if my Vault server goes down — do applications lose access to secrets?
It depends on what the application holds. Static KV values have no TTL: once read, they work until you change them, so an application that fetches them at startup and keeps them in memory is unaffected by an outage. Dynamic credentials stay valid in the database until their lease expires but cannot be renewed while Vault is down, and the application's own Vault token expires on its TTL as well, so size TTLs to the outage you are willing to ride out. For high availability, run Vault in HA mode with the integrated Raft storage on 3 or 5 nodes (an odd count keeps quorum through one or two failures). Infisical also supports running multiple instances for redundancy.
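The two answers above, the lease-bound lifetime of dynamic database credentials and carrying on with cached credentials while Vault is unreachable, come together in the client. The following is an added example, not code from this article or from HashiCorp: a small Python holder for a `database/creds/<role>` credential that renews the lease through `sys/leases/renew` once half the TTL has elapsed, keeps using the credential when Vault is down, and fails only once the lease itself has expired. `vault_callables` talks to a real Vault over its HTTP API; `simulate()` drives the same logic with a fake clock and constructed responses so it runs offline. The role name `app`, the half-TTL renewal point and the two exception classes are assumptions of this example.

```python
"""Consume a Vault dynamic database credential as the FAQ describes: fetch it
on demand, renew its lease before it expires, and keep using the cached
credential during a Vault outage until the lease's TTL runs out."""
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

class VaultUnavailable(Exception): """Vault unreachable (connection error or 5xx)."""
class LeaseGone(Exception): """Vault rejected the lease (expired, revoked, past max_ttl)."""

@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    expires_at: float   # unix time derived from lease_duration

class DynamicCredential:
    """read_creds() returns the JSON body of GET database/creds/<role>;
    renew(lease_id) the body of PUT sys/leases/renew. Both raise
    VaultUnavailable on an outage; renew raises LeaseGone on a 4xx."""
    def __init__(self, read_creds, renew, clock=time.time, renew_fraction=0.5):
        self.read_creds, self.renew, self.clock = read_creds, renew, clock
        self.renew_fraction = renew_fraction  # renew once this share of the TTL is used
        self.lease, self.ttl = None, 0.0

    def _install(self, resp: dict) -> Lease:
        self.ttl = float(resp["lease_duration"])
        d = resp["data"]
        self.lease = Lease(resp["lease_id"], d["username"], d["password"],
                           self.clock() + self.ttl)
        return self.lease

    def get(self) -> Lease:
        now = self.clock()
        if self.lease is None or now >= self.lease.expires_at:
            # Nothing usable is cached, so Vault must answer; errors propagate.
            return self._install(self.read_creds())
        if now >= self.lease.expires_at - self.ttl * (1 - self.renew_fraction):
            try:
                resp = self.renew(self.lease.lease_id)
                self.ttl = float(resp["lease_duration"])  # may be shortened near max_ttl
                self.lease.expires_at = self.clock() + self.ttl
            except VaultUnavailable:
                pass  # outage: the DB still accepts this user until expires_at
            except LeaseGone:
                return self._install(self.read_creds())
        return self.lease

def vault_callables(addr: str, token: str, role: str):
    """Build read_creds/renew against a real Vault over its HTTP API."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:
            raise (VaultUnavailable if e.code >= 500 else LeaseGone)(str(e)) from e
        except urllib.error.URLError as e:
            raise VaultUnavailable(str(e)) from e
    return (lambda: call("GET", f"database/creds/{role}"),
            lambda lease_id: call("PUT", "sys/leases/renew", {"lease_id": lease_id}))

def simulate() -> list:
    """Offline walk-through with a fake clock and constructed Vault responses."""
    now, issued, outage = [0.0], [0], [False]

    def read_creds():
        if outage[0]:
            raise VaultUnavailable("connection refused")
        issued[0] += 1
        return {"lease_id": f"database/creds/app/{issued[0]}", "lease_duration": 100,
                "data": {"username": f"v-app-{issued[0]}", "password": "constructed"}}

    def renew(lease_id):
        if outage[0]:
            raise VaultUnavailable("connection refused")
        return {"lease_id": lease_id, "renewable": True, "lease_duration": 100}

    cred = DynamicCredential(read_creds, renew, clock=lambda: now[0])
    trace = []  # (time, username served, lease expiry), or (time, None, None) on failure
    for t, down in [(0, False), (30, False), (60, False), (130, True),
                    (150, True), (170, True), (170, False)]:
        now[0], outage[0] = float(t), down
        try:
            lease = cred.get()
            trace.append((t, lease.username, lease.expires_at))
        except VaultUnavailable:
            trace.append((t, None, None))
    return trace

if __name__ == "__main__":
    for row in simulate():
        print(row)
```

In the simulation the lease issued at t=0 (TTL 100) is renewed at t=60, so it remains valid to t=160; the outage starting at t=130 is ridden out on the cached credential, the request at t=170 fails because the lease has expired and Vault is still down, and once Vault returns a fresh user is issued. Against a real server, construct `DynamicCredential(*vault_callables(addr, token, "app"))` and call `get()` before opening each database connection.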
How do I migrate from AWS Secrets Manager without application downtime?
Run both systems in parallel during migration. Update applications one at a time to read from Vault/Infisical instead of AWS Secrets Manager. Use the same secret names in Vault to minimize application code changes. Once all applications are migrated, decommission AWS Secrets Manager.
Does Vault have an audit trail equivalent to AWS CloudTrail?
Yes. Vault's audit devices record every request and response as JSON, with secret values HMAC'd: who authenticated, which path was accessed, when, and from which address. Enable the file, syslog, or socket device (for example `vault audit enable file file_path=/var/log/vault_audit.log`). Unlike CloudTrail, which delivers events with a delay, Vault will not complete a request that no enabled audit device could record, so the log cannot fall behind the state of the system. The flip side is that a full disk on your only audit device makes Vault stop serving requests, so enable at least two devices.