HashiCorp Vault vs AWS Secrets Manager in Python

Both store secrets and rotate them; they differ in how credentials are issued and how tightly they bind to a cloud. For a Python team the decision usually comes down to “are we all-in on AWS?” and “do we need dynamic, short-lived credentials?” This page compares them concretely, building on the enterprise secrets management overview.

Problem 1: assuming they are interchangeable

# ANTI-PATTERN: picking one without considering the auth and credential model
secret = get_secret("db")   # static? dynamic? IAM-scoped? AppRole? it matters

The retrieval call looks similar, but the credential model behind it is the real difference.

Problem 2: static credentials where dynamic ones fit

A long-lived password in either store is weaker than a Vault dynamic credential that expires in an hour: a leaked static secret stays valid until someone rotates it, while a leaked lease expires on its own and can be revoked individually without touching anyone else's credential. ASM rotation narrows the window but the value between rotations is still shared and long-lived. If your backends support dynamic secrets (databases, cloud IAM, SSH and PKI are the usual Vault engines), a static-only approach leaves that value on the table.

Comparison

| Dimension        | HashiCorp Vault                                          | AWS Secrets Manager                                |
|------------------|----------------------------------------------------------|----------------------------------------------------|
| Credential model | Dynamic, short-lived leases (plus static KV)             | Static values, rotated on a schedule               |
| Auth in Python   | AppRole (or the AWS IAM / Kubernetes auth methods) via hvac | IAM role via boto3                              |
| Cloud binding    | Cloud-agnostic                                           | AWS-native (IAM, KMS, CloudTrail)                  |
| Rotation         | Lease TTL; database engine creates and revokes DB users  | Built-in via a rotation Lambda (turnkey for RDS)   |
| Ops burden       | You run, unseal, back up and patch Vault                 | Fully managed                                      |
| Best when        | Multi-cloud, or you want dynamic creds                   | All-in on AWS                                      |

Secure implementation

# secrets/provider.py — one interface, swap the backend
import json
import os
from typing import NamedTuple
from pydantic import SecretStr

class Credential(NamedTuple):
    username: str
    password: SecretStr
    ttl_seconds: int                               # Vault: lease_duration; ASM: the cache TTL you pick

def from_vault(role: str) -> Credential:
    import hvac
    c = hvac.Client(url="https://vault.internal:8200")
    # AppRole identity is injected at deploy time (env vars here), never hard-coded.
    c.auth.approle.login(role_id=os.environ["VAULT_ROLE_ID"], secret_id=os.environ["VAULT_SECRET_ID"])
    resp = c.secrets.database.generate_credentials(name=role)   # dynamic: a fresh DB user per call
    data = resp["data"]                                         # the username is generated too
    return Credential(data["username"], SecretStr(data["password"]), resp["lease_duration"])

def from_asm(secret_id: str) -> Credential:
    import boto3
    raw = boto3.client("secretsmanager").get_secret_value(SecretId=secret_id)
    data = json.loads(raw["SecretString"])                      # RDS-style JSON: {"username": ..., "password": ...}
    return Credential(data["username"], SecretStr(data["password"]), 300)   # static + rotated; re-read on expiry

Wrap whichever backend you choose behind one interface that hands the password out as a SecretStr, so the application does not care which store it is; keep the username and the TTL alongside it, because a Vault dynamic credential changes both on every fetch. See Vault and AWS Secrets Manager for each in depth.

Gotchas & version-specific behaviour

  • Vault dynamic credentials die with their lease: cache them no longer than the lease minus a safety margin, then renew the lease or re-fetch. The generated username changes on every fetch, so connections must be rebuilt, not merely re-authenticated with a new password. ASM values persist until rotated, but a cached copy goes stale when rotation runs mid-TTL; treat an authentication failure as a signal to re-read.
  • ASM’s RDS rotation is turnkey (a managed Lambda rotates the password and moves the AWSCURRENT staging label); Vault’s database engine is more flexible (per-role TTLs, individual revocation, custom creation statements) but you operate it.
  • Vault is cloud-agnostic; ASM ties you to AWS IAM and KMS.
  • Both should be wrapped in SecretStr and cached with a short TTL. SecretStr only masks str() and repr(), so the value stays out of logs and tracebacks; it does nothing once you call get_secret_value(), so log the username, never the unwrapped value.
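The lease-and-cache behaviour described in the first and last bullets, as an added example that is not part of the original page or of either product's client library. It assumes the provider functions return a Credential(username, password, ttl_seconds) tuple like the one above; the two fetchers at the bottom are constructed fakes that mimic each backend so the block runs offline, and the fallback SecretStr class exists only for environments without pydantic installed:

```python
import itertools
import time
from typing import Callable, NamedTuple, Optional

try:
    from pydantic import SecretStr
except ImportError:                      # assumption: pydantic may be absent; minimal stand-in
    class SecretStr:                     # type: ignore[no-redef]
        def __init__(self, v: str): self._v = v
        def get_secret_value(self) -> str: return self._v
        def __repr__(self) -> str: return "SecretStr('**********')"
        __str__ = __repr__

class Credential(NamedTuple):
    username: str
    password: SecretStr
    ttl_seconds: int          # Vault: lease_duration; ASM: how long you are willing to cache

class CredentialCache:
    """Serve a cached credential until shortly before it expires, then re-fetch.

    `fetch` is any provider returning a Credential (the Vault or ASM functions
    on this page, or the fakes below). `safety_margin` stops a Vault credential
    being handed out in the final seconds of its lease, when a slow query would
    outlive it. `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, fetch: Callable[[], Credential], safety_margin: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._margin, self._clock = fetch, safety_margin, clock
        self._cred: Optional[Credential] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self) -> Credential:
        now = self._clock()
        if self._cred is None or now >= self._expires_at:
            self._cred = self._fetch()
            self.fetch_count += 1
            # Cache for TTL minus the margin, but at least 1s so a pathological
            # TTL does not turn every call into a fetch against the backend.
            self._expires_at = now + max(self._cred.ttl_seconds - self._margin, 1.0)
        return self._cred

    def invalidate(self) -> None:
        """Drop the cached value: call this when the backend rejects it
        (e.g. ASM rotated the password before the cache TTL ran out)."""
        self._cred = None

# --- Constructed fakes standing in for the two backends (no network) ---------
_counter = itertools.count(1)

def fake_vault_fetch() -> Credential:
    """Mimics database/creds: a new username+password and a 1h lease on every call."""
    n = next(_counter)
    return Credential(f"v-approle-app-{n:04d}", SecretStr(f"pw-{n}"), 3600)

def fake_asm_fetch() -> Credential:
    """Mimics ASM: the same static secret on each read, rotated out-of-band."""
    return Credential("app_user", SecretStr("static-pw"), 300)

def demo() -> dict:
    """Exercise the cache against a fake clock; returns values a test can assert on."""
    t = [0.0]
    clock = lambda: t[0]
    vault = CredentialCache(fake_vault_fetch, safety_margin=30, clock=clock)
    first = vault.get()
    t[0] = 3569.0                          # 3600 - 30 - 1: still inside the usable window
    same = vault.get()
    t[0] = 3570.0                          # usable window over: a fresh lease is minted
    fresh = vault.get()
    asm = CredentialCache(fake_asm_fetch, safety_margin=0, clock=clock)
    asm.get(); asm.invalidate(); asm.get() # a rejected credential forces an immediate re-read
    return {
        "vault_reused": first is same,
        "vault_rotated": fresh.username != first.username,
        "vault_fetches": vault.fetch_count,
        "asm_fetches": asm.fetch_count,
    }

if __name__ == "__main__":
    print(demo())
```

With a real Vault backend you can extend the lease instead of minting a new user: hvac exposes client.sys.renew_lease(lease_id) for that, and the cache would then keep the lease_id from the generate_credentials response next to the credential. The re-fetch path shown here is the one that also works unchanged for ASM.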

Production parity checklist

  • The choice matches your cloud posture (AWS-only vs multi-cloud).
  • Dynamic credentials are used where the backend supports them.
  • Secrets are wrapped in SecretStr behind one provider interface.
  • Rotation is automated in whichever store you pick.
  • Access is least-privilege (IAM resource scoping or Vault policies).

Conclusion

Choose AWS Secrets Manager when you are all-in on AWS and want managed rotation; choose Vault when you need cloud-agnostic, dynamic, short-lived credentials. For a Kubernetes-specific comparison, see Doppler vs Vault for Kubernetes.