[{"data":1,"prerenderedAt":378},["ShallowReactive",2],{"blog-how-to/aws-secrets-manager":3},{"id":4,"title":5,"body":6,"category":359,"date":360,"dateModified":360,"description":361,"draft":362,"extension":363,"faq":364,"featured":362,"headerVariant":365,"image":364,"keywords":364,"meta":366,"navigation":367,"ogDescription":368,"ogTitle":364,"path":369,"readTime":364,"schemaOrg":370,"schemaType":371,"seo":372,"sitemap":373,"stem":374,"tags":375,"twitterCard":376,"__hash__":377},"blog/blog/how-to/aws-secrets-manager.md","How to Use AWS Secrets Manager",{"type":7,"value":8,"toc":344},"minimark",[9,13,17,21,27,30,43,48,51,54,58,85,113,132,148,175,199,208,212,242,248,252,257,260,264,267,271,278,282,285,307,325],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-use-aws-secrets-manager",[18,19,20],"p",{},"Managed secrets storage with automatic rotation",[22,23,24],"tldr",{},[18,25,26],{},"TL;DR (15 minutes):\nCreate a secret in AWS Secrets Manager console, grant IAM access to your app, then use the AWS SDK to retrieve secrets at runtime. Secrets Manager handles encryption, versioning, and optional automatic rotation.",[18,28,29],{},"Prerequisites:",[31,32,33,37,40],"ul",{},[34,35,36],"li",{},"AWS account with admin access",[34,38,39],{},"AWS CLI configured locally",[34,41,42],{},"Basic understanding of IAM roles",[44,45,47],"h2",{"id":46},"why-this-matters","Why This Matters",[18,49,50],{},"AWS Secrets Manager is a fully managed service that eliminates the need to hardcode credentials in your application. 
It encrypts secrets at rest using KMS, provides automatic rotation for supported databases, and integrates seamlessly with other AWS services.",[18,52,53],{},"Compared to storing secrets in environment variables or config files, Secrets Manager provides audit logging, fine-grained access control, and versioning - essential for compliance and incident response.",[44,55,57],{"id":56},"step-by-step-guide","Step-by-Step Guide",[59,60,62,67,70],"step",{"number":61},"1",[63,64,66],"h3",{"id":65},"create-a-secret-in-aws-console","Create a secret in AWS Console",[18,68,69],{},"Navigate to AWS Secrets Manager and click \"Store a new secret\":",[71,72,73,76,79,82],"ol",{},[34,74,75],{},"Go to AWS Console → Secrets Manager",[34,77,78],{},"Click \"Store a new secret\"",[34,80,81],{},"Choose \"Other type of secret\" for API keys/custom secrets",[34,83,84],{},"Or choose \"Credentials for Amazon RDS database\" for database passwords",[59,86,88,92,95,106],{"number":87},"2",[63,89,91],{"id":90},"configure-your-secret-values","Configure your secret values",[18,93,94],{},"Add your key-value pairs:",[96,97,102],"pre",{"className":98,"code":100,"language":101},[99],"language-text","# Example secret structure\n{\n  \"STRIPE_SECRET_KEY\": \"sk_live_xxxxx\",\n  \"OPENAI_API_KEY\": \"sk-xxxxx\",\n  \"DATABASE_URL\": \"postgresql://user:pass@host:5432/db\"\n}\n","text",[103,104,100],"code",{"__ignoreMap":105},"",[18,107,108,109,112],{},"Give your secret a meaningful name like ",[103,110,111],{},"myapp/production/api-keys",". 
The path-like naming helps organize secrets across environments.",[59,114,116,120,123,129],{"number":115},"3",[63,117,119],{"id":118},"set-up-iam-permissions","Set up IAM permissions",[18,121,122],{},"Create an IAM policy that allows your application to read the secret (replace the region and the 12-digit account ID with your own):",[96,124,127],{"className":125,"code":126,"language":101},[99],"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"secretsmanager:GetSecretValue\"\n      ],\n      \"Resource\": [\n        \"arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/production/*\"\n      ]\n    }\n  ]\n}\n",[103,128,126],{"__ignoreMap":105},[18,130,131],{},"Attach this policy to your Lambda function's role, EC2 instance profile, or ECS task role. Keep the Resource scoped to the path your app actually needs rather than \"*\", so a compromised workload cannot read every secret in the account.",[59,133,135,139,142],{"number":134},"4",[63,136,138],{"id":137},"retrieve-secrets-in-your-application","Retrieve secrets in your application",[18,140,141],{},"Use the AWS SDK to fetch secrets at runtime:",[96,143,146],{"className":144,"code":145,"language":101},[99],"// Node.js (ES module)\nimport { SecretsManagerClient, GetSecretValueCommand } from \"@aws-sdk/client-secrets-manager\";\nimport Stripe from \"stripe\";\n\nconst client = new SecretsManagerClient({ region: \"us-east-1\" });\n\nasync function getSecrets() {\n  const command = new GetSecretValueCommand({\n    SecretId: \"myapp/production/api-keys\"\n  });\n\n  const response = await client.send(command);\n  // SecretString is set for text secrets; binary secrets arrive in SecretBinary instead\n  if (!response.SecretString) {\n    throw new Error(\"Secret has no SecretString value\");\n  }\n  return JSON.parse(response.SecretString);\n}\n\n// Use in your app\nconst secrets = await getSecrets();\nconst stripe = new Stripe(secrets.STRIPE_SECRET_KEY);\n",[103,147,145],{"__ignoreMap":105},[59,149,151,155,158,164],{"number":150},"5",[63,152,154],{"id":153},"cache-secrets-for-performance","Cache secrets for performance",[18,156,157],{},"Avoid calling Secrets Manager on every request - cache secrets:",[96,159,162],{"className":160,"code":161,"language":101},[99],"// Cache secrets with TTL\n// A cached value stays stale until the TTL expires, so after a rotation\n// keep the TTL short or invalidate the cache when authentication fails.\nlet cachedSecrets = null;\nlet cacheExpiry = 0;\nconst CACHE_TTL = 5 * 60 * 1000; // 5 minutes\n\nasync function getCachedSecrets() {\n  if (cachedSecrets && Date.now() \u003C cacheExpiry) {\n    return cachedSecrets;\n  }\n\n  cachedSecrets = await getSecrets();\n  cacheExpiry = Date.now() + CACHE_TTL;\n  return cachedSecrets;\n}\n",[103,163,161],{"__ignoreMap":105},[18,165,166,167,174],{},"AWS also provides the ",[168,169,173],"a",{"href":170,"rel":171},"https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_cache-ref-impl.html",[172],"nofollow","Secrets Manager caching library"," for production use.",[59,176,178,182,185],{"number":177},"6",[63,179,181],{"id":180},"enable-automatic-rotation-optional","Enable automatic rotation (optional)",[18,183,184],{},"For RDS databases, Secrets Manager can automatically rotate credentials:",[71,186,187,190,193,196],{},[34,188,189],{},"In the secret configuration, click \"Edit rotation\"",[34,191,192],{},"Enable automatic rotation",[34,194,195],{},"Choose a rotation schedule (e.g., every 30 days)",[34,197,198],{},"Select the Lambda rotation function (AWS provides built-in ones for RDS)",[200,201,202,205],"warning-box",{},[18,203,204],{},"Cost Considerations:",[18,206,207],{},"AWS Secrets Manager costs $0.40/secret/month plus $0.05 per 10,000 API calls. 
For apps with many secrets, consider grouping related secrets into single entries to reduce costs, but only group keys that share the same consumers: every principal allowed to call GetSecretValue on an entry can read all of its keys, so mixing unrelated credentials in one secret widens the blast radius of a compromised role.",[44,209,211],{"id":210},"how-to-verify-it-worked","How to Verify It Worked",[71,213,214,224,230,236],{},[34,215,216,220,221],{},[217,218,219],"strong",{},"CLI test:"," Run ",[103,222,223],{},"aws secretsmanager get-secret-value --secret-id myapp/production/api-keys",[34,225,226,229],{},[217,227,228],{},"Check CloudTrail:"," Verify access attempts are being logged",[34,231,232,235],{},[217,233,234],{},"Test IAM permissions:"," Ensure only authorized roles can retrieve secrets",[34,237,238,241],{},[217,239,240],{},"Application test:"," Deploy and verify your app successfully retrieves secrets",[96,243,246],{"className":244,"code":245,"language":101},[99],"# Test from CLI\naws secretsmanager get-secret-value \\\n  --secret-id myapp/production/api-keys \\\n  --query SecretString --output text | jq\n\n# List all secrets\naws secretsmanager list-secrets\n",[103,247,245],{"__ignoreMap":105},[44,249,251],{"id":250},"common-errors-troubleshooting","Common Errors & Troubleshooting",[253,254,256],"h4",{"id":255},"error-accessdeniedexception","Error: \"AccessDeniedException\"",[18,258,259],{},"Your IAM role doesn't have permission. Check that the policy is attached and that the Resource ARN matches your secret; secret ARNs end in a random six-character suffix, so use the wildcard form shown above or copy the full ARN from the console. If the secret has a resource policy, check that it does not deny the caller.",[253,261,263],{"id":262},"error-resourcenotfoundexception","Error: \"ResourceNotFoundException\"",[18,265,266],{},"Secret doesn't exist or you're in the wrong region. Verify the secret name and region match.",[253,268,270],{"id":269},"error-decryptionfailure","Error: \"DecryptionFailure\"",[18,272,273,274,277],{},"KMS key access issue. Ensure your role has ",[103,275,276],{},"kms:Decrypt"," permission for the secret's encryption key. This applies to secrets encrypted with a customer-managed key; the default aws/secretsmanager key needs no extra KMS permissions.",[253,279,281],{"id":280},"high-api-costs","High API costs",[18,283,284],{},"You're calling GetSecretValue too often. 
Implement caching to reduce API calls.",[286,287,288,295,301],"faq-section",{},[289,290,292],"faq-item",{"question":291},"Secrets Manager vs. Parameter Store - which should I use?",[18,293,294],{},"Use Secrets Manager for sensitive credentials that need rotation, auditing, or cross-account access. Use Parameter Store (standard parameters are free) for non-sensitive configuration. Secrets Manager is more expensive but purpose-built for secrets.",[289,296,298],{"question":297},"How do I use Secrets Manager with Lambda?",[18,299,300],{},"Add the IAM policy to your Lambda execution role. For better cold-start performance, use the AWS Parameters and Secrets Lambda Extension, which caches secrets locally.",[289,302,304],{"question":303},"Can I access secrets across AWS accounts?",[18,305,306],{},"Yes, using resource-based policies. Attach a resource policy to the secret that allows the other account's role to call GetSecretValue, and grant the same action in that role's own IAM policy; the caller then reads the secret by its full ARN. The secret must be encrypted with a customer-managed KMS key whose key policy also grants the other account kms:Decrypt, because the default aws/secretsmanager key cannot be used across accounts.",[18,308,309,312,316,317,316,321],{},[217,310,311],{},"Related guides:",[168,313,315],{"href":314},"/blog/how-to/vault-basics","HashiCorp Vault Basics"," ·\n",[168,318,320],{"href":319},"/blog/how-to/rotate-api-keys","How to Rotate API Keys",[168,322,324],{"href":323},"/blog/how-to/environment-variables","Environment Variables Guide",[326,327,328,334,339],"related-articles",{},[329,330],"related-card",{"description":331,"href":332,"title":333},"Step-by-step guide to configuring SSL certificates for custom domains on Vercel, Netlify, and Cloudflare. Includes DNS c","/blog/how-to/custom-domain-ssl","How to Set Up SSL for Custom Domains",[329,335],{"description":336,"href":337,"title":338},"Step-by-step guide to implementing database audit logging. Track who accessed what data, when, and detect unauthorized a","/blog/how-to/database-audit-logs","How to Set Up Database Audit Logs",[329,340],{"description":341,"href":342,"title":343},"Step-by-step guide to implementing secure database backups. 
Automated backups, encryption, retention policies, and disas","/blog/how-to/database-backups","How to Set Up Secure Database Backups",{"title":105,"searchDepth":345,"depth":345,"links":346},2,[347,348,357,358],{"id":46,"depth":345,"text":47},{"id":56,"depth":345,"text":57,"children":349},[350,352,353,354,355,356],{"id":65,"depth":351,"text":66},3,{"id":90,"depth":351,"text":91},{"id":118,"depth":351,"text":119},{"id":137,"depth":351,"text":138},{"id":153,"depth":351,"text":154},{"id":180,"depth":351,"text":181},{"id":210,"depth":345,"text":211},{"id":250,"depth":345,"text":251},"how-to","2026-01-09","Step-by-step guide to storing and retrieving secrets with AWS Secrets Manager. Secure your API keys, database credentials, and sensitive config.",false,"md",null,"yellow",{},true,"Step-by-step guide to AWS Secrets Manager for secure secrets storage.","/blog/how-to/aws-secrets-manager","[object Object]","HowTo",{"title":5,"description":361},{"loc":369},"blog/how-to/aws-secrets-manager",[],"summary_large_image","AXTgZFb_R51QtQHlbs680n8PoFt-WmQTP5xmWmGHNVQ",1775843928737]
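The caching in step 5 and the rotation in step 6 interact: a value cached for five minutes stays stale after a rotation, and the page's "High API costs" entry only says to cache more. The block below is an added example, not code from the original page or from AWS, showing a per-secret TTL cache that invalidates and refetches once when a consumer reports an authentication failure, and that accepts both SecretString and SecretBinary responses. The secret name `myapp/production/db`, the `demo()` walkthrough and the `FakeSecretsManager` are constructed for the example so it runs offline; with the real SDK you would pass `new SecretsManagerClient({ region })` as the client and `(id) => new GetSecretValueCommand({ SecretId: id })` as `makeCommand`.

```javascript
// Added example (not from the page): a per-secret TTL cache for Secrets Manager that
// also survives rotation: a consumer hitting an auth failure with a cached credential
// invalidates it and retries once. The SDK client is injected, so this runs offline
// against the constructed FakeSecretsManager below; in production pass
// new SecretsManagerClient({ region }) and (id) => new GetSecretValueCommand({ SecretId: id }).
class SecretCache {
  // client.send(command) resolves to { SecretString?, SecretBinary? }; now() is injectable.
  constructor({ client, makeCommand, ttlMs = 5 * 60 * 1000, now = Date.now }) {
    Object.assign(this, { client, makeCommand, ttlMs, now });
    this.entries = new Map(); // secretId -> { value, expiresAt }
  }

  async get(secretId) {
    const hit = this.entries.get(secretId);
    if (hit && this.now() < hit.expiresAt) return hit.value;
    const value = parseSecretValue(await this.client.send(this.makeCommand(secretId)));
    this.entries.set(secretId, { value, expiresAt: this.now() + this.ttlMs });
    return value;
  }

  invalidate(secretId) { this.entries.delete(secretId); }

  // Run useSecret(value). If it fails with what isAuthError() recognises as a
  // credential rejection (the password was rotated under us), drop the cached
  // copy and retry exactly once with a freshly fetched value.
  async withRetryOnRotation(secretId, useSecret, isAuthError) {
    try {
      return await useSecret(await this.get(secretId));
    } catch (err) {
      if (!isAuthError(err)) throw err;
      this.invalidate(secretId);
      return useSecret(await this.get(secretId));
    }
  }
}

// GetSecretValue returns SecretString for text secrets or SecretBinary for binary
// ones; JSON payloads are parsed, anything else is returned as plain text.
function parseSecretValue(response) {
  let text;
  if (typeof response.SecretString === "string") {
    text = response.SecretString;
  } else if (response.SecretBinary) {
    text = new TextDecoder().decode(response.SecretBinary);
  } else {
    throw new Error("response carried neither SecretString nor SecretBinary");
  }
  try {
    return JSON.parse(text);
  } catch {
    return text;
  }
}

// Constructed stand-in for SecretsManagerClient: counts API calls and serves a new
// password once rotate() is called, mimicking an RDS rotation.
class FakeSecretsManager {
  calls = 0;
  version = 1;
  rotate() { this.version += 1; }
  async send(_command) {
    this.calls += 1;
    return { SecretString: JSON.stringify({ DATABASE_PASSWORD: `pw-v${this.version}` }) };
  }
}

// Walks the cache through a hit, a rotation, a retry and a TTL expiry and returns
// the observations so they can be checked.
async function demo() {
  let clock = 0;
  const fake = new FakeSecretsManager();
  const cache = new SecretCache({
    client: fake,
    makeCommand: (id) => ({ SecretId: id }),
    ttlMs: 1000,
    now: () => clock,
  });
  const id = "myapp/production/db"; // hypothetical secret name

  const first = (await cache.get(id)).DATABASE_PASSWORD; // miss: 1 API call
  const second = (await cache.get(id)).DATABASE_PASSWORD; // hit: still 1 call
  const callsAfterHit = fake.calls;

  fake.rotate(); // rotation happens behind the cache's back
  const stale = (await cache.get(id)).DATABASE_PASSWORD; // cache still serves v1
  const result = await cache.withRetryOnRotation(
    id,
    async (s) => {
      if (s.DATABASE_PASSWORD !== `pw-v${fake.version}`) throw new Error("AUTH_FAILED");
      return "connected";
    },
    (err) => err.message === "AUTH_FAILED",
  );
  const callsAfterRetry = fake.calls; // one extra fetch for the retry

  clock += 2000; // TTL elapsed
  await cache.get(id);
  return { first, second, callsAfterHit, stale, result, callsAfterRetry, callsAfterExpiry: fake.calls };
}
```

The retry is bounded to one refetch so a genuinely wrong credential cannot turn into a GetSecretValue loop, which is exactly the cost problem the troubleshooting section warns about. The TTL is still the safety net for consumers that cannot recognise an auth failure, so keep it at minutes rather than hours, and make `isAuthError` match only your driver's credential-rejection error, not every connection failure.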