Self-Hosted Alternatives to AWS Secrets Manager
Why Replace AWS Secrets Manager?
AWS Secrets Manager charges $0.40 per secret per month plus $0.05 per 10,000 API calls. At 100 secrets with moderate API usage, you’re paying $40-60/month. At 500 secrets, it’s $200+/month. The cost scales linearly with the number of secrets you manage.
Updated February 2026: Verified with latest Docker images and configurations.
Key concerns:
| Issue | Impact |
|---|---|
| Per-secret pricing | $0.40/secret/month adds up fast as infrastructure grows |
| API call costs | $0.05 per 10,000 calls — high-frequency apps pay more |
| AWS lock-in | Tight coupling with AWS IAM, Lambda, RDS — hard to migrate |
| Multi-cloud impossible | Secrets are bound to AWS; managing GCP/Azure secrets requires separate tools |
| Compliance | Some regulations require secrets to remain on-premises |
| Outage risk | AWS regional outages can block secret access across your entire application |
Best Alternatives
HashiCorp Vault — Best Overall Replacement
Vault is the industry standard for secrets management. It provides dynamic secrets (auto-generated credentials), secret rotation, encryption as a service, PKI certificate management, and fine-grained access policies. It’s cloud-agnostic and runs on any infrastructure.
Why it wins: Vault covers every AWS Secrets Manager feature and adds dynamic secrets, transit encryption, and multi-cloud support. The open-source version is fully functional for most teams.
| Feature | AWS Secrets Manager | HashiCorp Vault |
|---|---|---|
| Cost (100 secrets) | ~$40/month + API calls | $0 (self-hosted OSS) |
| Cost (500 secrets) | ~$200/month + API calls | $0 (self-hosted OSS) |
| Secret rotation | Automatic (Lambda-based) | Automatic (built-in + custom) |
| Dynamic secrets | No | Yes (database, cloud, PKI) |
| Multi-cloud | AWS only | Any cloud + on-prem |
| Encryption as a service | No (use KMS separately) | Yes (Transit engine) |
| Audit logging | CloudTrail | Built-in audit backend |
| Access control | IAM policies | Policies + namespaces + OIDC |
[Read our full guide: How to Self-Host HashiCorp Vault]
Infisical — Best for Application Teams
Infisical is a modern secrets management platform focused on developer experience. It provides environment-specific secrets, native Docker/Kubernetes integrations, CI/CD pipeline injection, and a clean dashboard. It’s simpler to set up than Vault and purpose-built for application secrets.
Why it fits: If you use AWS Secrets Manager primarily for application environment variables and API keys (not infrastructure secrets like database credentials), Infisical provides a better developer workflow with native .env file support, secret versioning, and team collaboration features.
[Read our full guide: How to Self-Host Infisical]
Migration Guide
Exporting from AWS Secrets Manager
Use the AWS CLI to export all secrets. Secret names often contain `/` (for example `prod/db/password`), so the slash is replaced in the file name while the original name is kept inside the JSON; the export files hold plaintext, so they are created owner-readable only:

```bash
# List all secret names (the CLI paginates automatically)
aws secretsmanager list-secrets --query 'SecretList[].Name' --output text

# Export each secret to a JSON file. Text output is tab-separated, so split
# on tabs rather than on whitespace. Secrets stored as SecretBinary have a
# null SecretString and are not covered by this query.
mkdir -p secrets
umask 077
aws secretsmanager list-secrets --query 'SecretList[].Name' --output text \
  | tr '\t' '\n' | while IFS= read -r secret; do
    aws secretsmanager get-secret-value --secret-id "$secret" \
      --query '{Name: Name, Value: SecretString}' \
      --output json > "secrets/${secret//\//_}.json"
done
```
Importing into Vault

```bash
# Enable the KV secrets engine (version 2, mounted at kv/)
vault secrets enable -version=2 kv

# Import each secret. The AWS name (e.g. prod/db/credentials) becomes the
# KV path under kv/; the whole SecretString is stored in one field named
# "value", so a JSON-structured secret (such as RDS credentials) stays a
# JSON string unless you split it into separate fields.
for file in secrets/*.json; do
  name=$(jq -r '.Name' "$file")
  value=$(jq -r '.Value' "$file")
  vault kv put "kv/$name" value="$value"
done
```
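As an added example that is not part of the article, the mapping the two shell loops above perform (AWS secret name to KV v2 path, SecretString to KV fields) written out in Python so it can be reviewed before any `vault kv put` runs. It goes one step further than the loop: a SecretString that is a JSON object (the layout AWS uses for RDS credentials) is split into one KV field per key instead of being stored as a single `value` blob. The sample records and the `kv` mount name are constructed assumptions.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: what the export loop on this page writes to
# secrets/<name>.json for two secrets (names and values are made up).
EXPORTED: List[Dict[str, str]] = [
    {"Name": "prod/db/credentials",
     "Value": '{"username": "app", "password": "s3cr3t", '
              '"host": "db.internal", "port": 5432}'},
    {"Name": "prod/api/key", "Value": "sk-example-not-real"},
]

KV_MOUNT = "kv"  # mount used by `vault secrets enable -version=2 kv` (assumption)


def to_kv_v2_write(record: Dict[str, str], mount: str = KV_MOUNT) -> Tuple[str, Dict[str, object]]:
    """Translate one exported AWS secret into a Vault KV v2 write.

    Returns (api_path, body): the path is kv/data/<name>, which is what the
    CLI command `vault kv put kv/<name>` addresses, and the body is the
    {"data": {...}} payload that command sends.
    """
    name = record["Name"].strip("/")  # AWS "prod/db/credentials" maps onto the KV path hierarchy
    raw = record["Value"]
    try:
        parsed = json.loads(raw)
    except (ValueError, TypeError):
        parsed = None
    if isinstance(parsed, dict) and parsed:
        # One field per key. Non-string values (e.g. a numeric port) are
        # stringified so they round-trip the way `vault kv put key=value` would.
        data = {k: v if isinstance(v, str) else json.dumps(v) for k, v in parsed.items()}
    else:
        # Plain strings (or non-object JSON) keep the single "value" field used by the shell loop
        data = {"value": raw}
    return f"{mount}/data/{name}", {"data": data}


def plan_migration(records: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, object]]]:
    """Dry-run the whole import: one (path, body) pair per exported secret."""
    return [to_kv_v2_write(r) for r in records]
```

Run `plan_migration(EXPORTED)` and review the paths and field names before pointing the loop at a real Vault; consumers can then read `password` directly instead of re-parsing a JSON blob.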
Importing into Infisical
Use the Infisical CLI:

```bash
# Log into your Infisical instance
infisical login

# Import secrets from .env format
infisical secrets set --env=production KEY1=value1 KEY2=value2
```
What transfers: Secret values, secret names. What doesn’t transfer: IAM policies (must recreate as Vault policies), Lambda rotation functions (must implement in Vault), CloudTrail audit logs (historical — Vault starts fresh).
Cost Comparison
| Secrets | AWS Secrets Manager | Vault (Self-Hosted) | Infisical (Self-Hosted) |
|---|---|---|---|
| 50 secrets | ~$20/month | $0 | $0 |
| 100 secrets | ~$40/month | $0 | $0 |
| 500 secrets | ~$200/month | $0 | $0 |
| 1,000 secrets | ~$400/month | $0 | $0 |
| API calls | $0.05/10K calls | Unlimited | Unlimited |
| Server cost | Included | ~$10-20/month VPS | ~$10-20/month VPS |
| Annual (500 secrets) | ~$2,400/year | ~$120-240/year | ~$120-240/year |
What You Give Up
- AWS-native integration — Secrets Manager works seamlessly with RDS, Lambda, ECS, and other AWS services through IAM. Self-hosted solutions require configuring OIDC, sidecar injectors, or init containers
- Managed rotation — AWS handles rotation Lambda functions and RDS credential rotation out of the box. Vault has built-in rotation but you manage the infrastructure
- Zero infrastructure management — AWS Secrets Manager is fully managed. Self-hosted solutions require you to maintain high availability, backup, and disaster recovery
- Cross-region replication — AWS replicates secrets across regions automatically. Vault requires explicit replication setup
- Compliance certifications — AWS carries SOC 2, ISO 27001, HIPAA certifications. Self-hosted infrastructure requires your own compliance validation