
AWS Secrets Manager is Amazon's native secrets manager and an equivalent to GCP Secret Manager and Azure Key Vault: a cloud-native secrets management tool that looks like a convenient option for anyone using that cloud provider.
Choosing a secrets manager matters because migrating secrets is painful and can cause operational disruptions.
Like any tool, it has pros and cons. Its main upside is a set of deep, native integrations with AWS services that enable getting started quickly. It's also relatively cheap to get started with.
But many organizations are exploring alternatives to AWS Secrets Manager. The tool itself does basic secrets management well, but users quickly run into three limitations:
- It's AWS-native, which makes it infeasible for any organization building on multiple clouds, self-hosting, or hybrid infrastructure that includes third-party SaaS.
- Most automations require manual workarounds and custom logic. Even a basic secret rotation requires custom Lambda functions, which increases the complexity. Advanced features like dynamic secrets don't exist at all.
- AWS Secrets Manager charges per secret, and cost multiplies for secrets across environments, regions, and more.
1. Infisical
Infisical is an open source secret management platform. It provides an end-to-end set of tools that cover all aspects of secret management:
- Secure version-controlled secret storage
- Automated, scheduled or ad-hoc secret rotation across all environments.
- Integrations across all types of infrastructure, including self-hosted environments or cross-cloud products.
- Advanced features like short-lived dynamic secrets
- Secret scanning and leak prevention
Infisical has amassed 27,000 GitHub stars and secures 10 billion secrets every day. It is widely adopted by large enterprises, fast-growing startups, and international governments.

Key features
Compared to AWS Secrets Manager, Infisical has a more advanced feature set. Infisical's main product directions include:
-
Secrets Management: Manage secrets securely and efficiently across your infrastructure. Integrate with development, CI/CD, and production environments.
-
Dynamic Secrets and Rotation: Automatically generate and rotate secrets based on specified settings. Works with all major databases.
-
Secrets Scanning: Automatically detect and prevent any secret leaks to git and other environments. Over 150+ different secret types are supported.
-
Secret Sharing: Generate end-to-end encrypted links based on defined security settings, then share these links safely within or outside your organization.
Infisical also offers certificate management and privileged access management products which enables customers to minimize vendor sprawl.
How does Infisical compare to AWS Secrets Manager?
Security tooling is Infisical's focus, while Secrets Manager is just another service in AWS's portfolio, which makes Infisical a more mature, developer-friendly solution. AWS Secrets Manager lacks functionality many developers and organizations need.
Infisical is not only an alternative to AWS Secrets Manager, but can also act as a layer on top of it via secret syncs. Organizations can continue using AWS Secrets Manager for its native integrations while Infisical acts as the control plane. This enables multi-cloud and hybrid deployment secrets management with Infisical as a single source of truth and center of operations.
| Infisical | AWS Secrets Manager | |
|---|---|---|
| Open Source Audit code, contribute to roadmap, and build integrations | ✅ | ❌ |
| Self-hostable Host on your own infrastructure (if required) | ✅ | ❌ |
| Dynamic Secrets and Rotation Automatically rotate database access tokens and more | ✅ | ❌ (only via custom Lambda functions) |
| Integrations and Ecosystem Seamlessly integrate with existing tools in your ecosystem | ✅ | ⚠️ (native with AWS services, limited beyond it) |
| Developer Workflows Self-serve secrets with Approval Workflows, Access Requests, etc. | ✅ | ❌ |
| Secret Scanning Automatically identify secret leaks to Git and other systems | ✅ | ❌ |
| Governance Audit logs, roles-based access, permissions | ✅ | ✅ |
| Developer Community Wide developer adoption across the world for better reliability and support | ✅ | ✅ |
Why do companies choose Infisical?
Companies often choose Infisical over AWS Secrets Manager when they run into one of a few problems:
- They need infrastructure flexibility. Infisical provides a wide range of integrations with leading developer and infrastructure tools, including cloud-native secrets managers. This gives organizations freedom to adopt the infrastructure they want without running into vendor dependencies.
- They want to eliminate manual workflows. Infisical automates many things for which AWS Secrets Manager requires manual work or custom functions that increase complexity.
- They need better developer experience. Infisical is built by engineers for engineers. A developer-friendly UI, API, and CLI make Infisical beloved by engineers.
2. HashiCorp Vault
HashiCorp Vault is a secrets manager designed to fight secret sprawl and integrate with DevOps methodologies. It is focused on managing application identities and providing secure access to cloud resources.

How does HashiCorp Vault compare to AWS Secrets Manager?
There are various Vault products that have different limitations, but some characteristics persist independent of hosting model or Vault version.
HashiCorp Vault boasts a larger developer community around its product compared to AWS Secrets Manager.
Vault differs from AWS Secrets Manager. Whereas Amazon's solution is a simple service, Vault is a custom, encrypted database that acts as a key store with an API. It's a powerful (if complex to operate) tool that's better described as building blocks for a secret manager than a turnkey product.
While AWS Secrets Manager is usually handled by a DevOps/platform/infrastructure engineer, Vault often requires dedicated engineers and a long on-ramp to build interfaces, integrations, workflows, and more. That operational cost shows up in Vault's pricing too, especially once a team moves from the open-source edition to Vault Enterprise or HCP Vault Dedicated.
| HashiCorp Vault | AWS Secrets Manager | |
|---|---|---|
| Open Source Audit code, contribute to roadmap, and build integrations | ❌ | ❌ |
| Self-hostable Host on your own infrastructure (if required) | ✅ | ❌ |
| Self-serve Upgrade Free to try, no mandatory sales calls | ❌ | ✅ |
| Dynamic Secrets and Rotation Automatically rotate database access tokens and more | ✅ | ❌ (only custom) |
| Integrations and Ecosystem Seamlessly integrate with existing tools in your ecosystem | ✅ | ⚠️ (Deeply with AWS, limited with third-party) |
| Developer Workflows Self-serve secrets with Approval Workflows, Access Requests, etc. | ❌ (custom-built) | ❌ |
| Secret Scanning Automatically identify secret leaks to Git and more | ✅ | ❌ |
| Secret Sharing Share secrets securely among people in and outside of your organization | ❌ | ❌ |
| Governance Audit logs, roles-based access, permissions | ✅ | ✅ |
| Developer Community Wide developer adoption across the world for better reliability and support | ✅ | ✅ |
Why do companies choose HashiCorp Vault?
There are a few main aspects of HashiCorp Vault that users appreciate:
- Security: HashiCorp Vault provides a large number of security configurations for the most advanced security-focused organizations.
- Automations: HashiCorp Vault provides a very wide range of automations for integrating secret management workflows across infrastructure, managing certificates, rotating secret values, and more.
- Availability: High uptime and reliability are critical for secrets management. HashiCorp Vault is able to provide high availability (HA) setups for both self-hosted and cloud-managed environments.
3. Doppler
Doppler is a secrets management platform built around environment-based secret storage, integrations, and a strong developer experience.

How does Doppler compare to AWS Secrets Manager?
Doppler is a purpose-built secrets manager with a more modern interface and setup flow than AWS Secrets Manager, and it works across clouds rather than tying teams to AWS. The tradeoff is that Doppler is closed source, and self-hosting is limited to an Enterprise-tier On-prem offering rather than being available by default.
| Doppler | AWS Secrets Manager | |
|---|---|---|
| Open Source | ❌ | ❌ |
| Self-hostable | ✅ Enterprise On-prem only | ❌ |
| Self-serve Upgrade | ✅ | ✅ |
| Dynamic Secrets and Rotation | ❌ (integration-based rotation only) | ❌ (only custom) |
| Integrations and Ecosystem | ✅ | ✅ (often external) |
| Developer Workflows | ✅ (Enterprise approvals) | ❌ |
| Secret Scanning | ❌ | ❌ |
| Secret Sharing | ✅ Doppler Share | ❌ |
| Governance | ✅ | ✅ |
| Developer Community | ✅ | ✅ |
Why do companies choose Doppler?
Two reasons stand out:
- Fast setup: Doppler's config-based model and polished UI make it quick to get a small team up and running across multiple environments.
- Multi-cloud by default: unlike AWS Secrets Manager, Doppler isn't tied to a single cloud provider, which matters for teams already spanning AWS, GCP, and Azure.
4. FOSS secrets managers like OpenBao
HashiCorp Vault used to be open-source, but eventually switched to the Business Source License (BSL), which makes source code available to customers, but which the Open Source Initiative does not list as an approved license. This controversial split spawned a Vault fork called OpenBao, which is available as a free open-source secrets management solution.
A variety of other open-source secrets managers exist on GitHub, and some organizations adopt them as an alternative to closed-source tools like AWS Secrets Manager.
While a detailed comparison depends on the specific solution, most of these typically have specific pros and cons compared to something like AWS Secrets Manager:
How do open-source secrets managers compare to AWS Secrets Manager?
The obvious benefit of using a free open-source solution is that you can host it anywhere, including on AWS. You can also expand to other clouds later or move to self-hosted infrastructure. That same property can also become a downside, because you also have to sort out your own hosting.
This means the adjective "free" requires an asterisk. While OpenBao or other FOSS secrets managers send you no invoice at the end of your billing period, using free open-source solutions does create maintenance, operational, and infrastructure burdens. They also mean support is nonexistent and updates rely on open source maintainers.
Anyone choosing OpenBao or similar free open-source tooling as their secrets manager accepts the responsibility of maintaining, operating, and potentially building their own integrations and workflows.
Is Infisical right for you?
Here's our (short) sales pitch.
We're biased (obviously), but we think Infisical is a strong AWS Secrets Manager replacement if:
- You are looking for a developer-focused solution that will last you many years ahead. With Infisical, you get much more than just secure key-value storage (e.g., secret scanning, certificate management, secret sharing, and more).
- You want the flexibility to operate on any cloud or infrastructure whenever you want.
- You value transparency. We're open source and open core under the MIT license.
- You want to try before you buy. Infisical is self-serve with a generous free tier.
Check out our product page and read our documentation to learn more.
If you have any questions or want to schedule a product demo, you can talk to one of our experts.
