DEV Community

丁久

Posted on • Originally published at dingjiu1989-hue.github.io

Secret Management Tools: Vault vs AWS Secrets Manager vs Doppler

This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.


Introduction

Managing database credentials, API keys, and TLS certificates is one of the most critical security challenges in modern infrastructure. Secrets hard-coded in source, configuration files, or container images are a recurring root cause of breaches, and plain environment variables are only marginally better: they are inherited by every child process, readable from /proc by any process running as the same user, and tend to surface in crash dumps and logs. Dedicated secret management tools provide encryption at rest, access control, rotation, and audit trails. This article compares HashiCorp Vault, AWS Secrets Manager, and Doppler across the dimensions that matter in production.

HashiCorp Vault

Vault offers the most comprehensive feature set: dynamic secrets, encryption-as-a-service (the transit engine), and support for any cloud or on-premises platform. The server configuration below uses integrated Raft storage, a TLS listener, and AWS KMS auto-unseal. With auto-unseal, a principal that can call Decrypt on that KMS key and reach the storage backend can unseal Vault, so the KMS key policy is part of Vault's trust boundary:

```hcl
# Vault server configuration

# Integrated storage: Raft replicates data between Vault nodes, no external database needed
storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}

# API listener. Keep TLS on: Vault tokens travel in request headers.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = false
  tls_cert_file = "/vault/certs/cert.pem"
  tls_key_file  = "/vault/certs/key.pem"
}

# Auto-unseal: the root key is wrapped by this KMS key instead of Shamir shares
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/abc123"
}

api_addr     = "https://vault.example.com:8200"
cluster_addr = "https://vault.example.com:8201"
```

Dynamic Database Secrets

Vault can generate temporary database credentials on demand, eliminating long-lived shared credentials: each consumer gets its own database user, the user disappears when its lease expires or is revoked, and the audit log ties every credential to the client that requested it. This assumes the database secrets engine is enabled, a connection is configured under database/config, and a role named payment-app exists under database/roles whose creation statements and default_ttl/max_ttl define what the generated user may do and for how long. The application itself only needs a policy that allows reading that role's credentials path:

```hcl
# Policy for the payment application: read-only on its own credentials path
path "database/creds/payment-app" {
  capabilities = ["read"]
}
```

Each read mints a fresh PostgreSQL user bound to a lease:

```shell
vault read database/creds/payment-app
# Key                Value
# ---                -----
# lease_id           database/creds/payment-app/abc123
# lease_duration     1h
# lease_renewable    true
# password           aB3x...kL9p
# username           v-token-payment-app-x7Yz...
```

Application integration (the original snippet passed the credentials path to Renew and asserted the map values without checking them; both are fixed here, and renewal is keyed by lease ID):

```go
// Vault sidecar pattern: fetch dynamic credentials and keep the lease alive
package main

import (
	"fmt"
	"time"

	"github.com/hashicorp/vault/api"
)

type DynamicCredentials struct {
	client *api.Client
}

func (d *DynamicCredentials) GetCredentials() (string, string, error) {
	secret, err := d.client.Logical().Read("database/creds/payment-app")
	if err != nil {
		return "", "", err
	}
	if secret == nil || secret.Data == nil {
		return "", "", fmt.Errorf("no credentials returned for database/creds/payment-app")
	}
	username, _ := secret.Data["username"].(string)
	password, _ := secret.Data["password"].(string)

	// Renewals are addressed by lease ID, not by the path the secret was read from
	go d.renewLease(secret.LeaseID, secret.LeaseDuration)

	return username, password, nil
}

// renewLease renews at 50% of the remaining lease duration until Vault refuses
// (max_ttl reached or lease revoked); at that point new credentials must be fetched.
// In production prefer client.NewLifetimeWatcher, which implements this loop for you.
func (d *DynamicCredentials) renewLease(leaseID string, duration int) {
	for {
		time.Sleep(time.Duration(duration/2) * time.Second)
		renewed, err := d.client.Sys().Renew(leaseID, duration)
		if err != nil || renewed == nil || !renewed.Renewable {
			return
		}
		duration = renewed.LeaseDuration
	}
}
```
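The renewal loop above leaves the interesting part implicit: what the client does when Vault finally refuses to renew. The following added example, written for this article and not taken from the original post or from HashiCorp's code, shows the full lease lifecycle against Vault's real HTTP endpoints (GET database/creds/<role>, PUT sys/leases/renew, and the lease_id, lease_duration and renewable response fields). It talks HTTP directly so that it can run offline against a constructed fake Vault included in the block; the fake server, the token value, and the one-renewal limit are assumptions, while the role name payment-app is the one used throughout the article:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// lease holds the fields of a Vault secret response that matter for lease handling.
type lease struct {
	LeaseID       string            `json:"lease_id"`
	LeaseDuration int               `json:"lease_duration"`
	Renewable     bool              `json:"renewable"`
	Data          map[string]string `json:"data"`
}

// vaultCall sends one token-authenticated request to the Vault HTTP API (addr and token are assumed).
func vaultCall(addr, token, method, path string, body interface{}) (*lease, error) {
	var buf bytes.Buffer
	if body != nil {
		json.NewEncoder(&buf).Encode(body)
	}
	req, err := http.NewRequest(method, addr+"/v1/"+path, &buf)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault %s %s: HTTP %d", method, path, resp.StatusCode)
	}
	out := &lease{}
	return out, json.NewDecoder(resp.Body).Decode(out)
}

// CredentialManager keeps one usable dynamic credential pair for a database role.
type CredentialManager struct {
	Addr, Token, Role string
	mu                sync.Mutex
	cur               *lease
}

// Refresh is one maintenance step: renew the current lease through sys/leases/renew, or read fresh
// credentials from database/creds/<role> when there is no lease yet, it is not renewable, or Vault
// refuses the renewal (max_ttl exhausted, lease revoked). It returns the credentials now in force
// and whether they changed, so the caller knows when to reconnect.
func (m *CredentialManager) Refresh() (creds map[string]string, rotated bool, err error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.cur != nil && m.cur.Renewable {
		body := map[string]interface{}{"lease_id": m.cur.LeaseID, "increment": m.cur.LeaseDuration}
		if r, err := vaultCall(m.Addr, m.Token, http.MethodPut, "sys/leases/renew", body); err == nil {
			m.cur.LeaseDuration, m.cur.Renewable = r.LeaseDuration, r.Renewable
			return m.cur.Data, false, nil
		}
	}
	fresh, err := vaultCall(m.Addr, m.Token, http.MethodGet, "database/creds/"+m.Role, nil)
	if err != nil {
		return nil, false, err
	}
	m.cur = fresh
	return fresh.Data, true, nil
}

// newFakeVault is a constructed stand-in for Vault so the block runs offline (one client, so no locking):
// every read mints a lease of ttl seconds, and a lease may be renewed maxRenewals times before the
// server answers 400 the way Vault does once max_ttl is exhausted.
func newFakeVault(ttl, maxRenewals int) *httptest.Server {
	issued, renewals := 0, map[string]int{}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/database/creds/", func(w http.ResponseWriter, r *http.Request) {
		issued++
		json.NewEncoder(w).Encode(lease{LeaseID: fmt.Sprintf("database/creds/payment-app/lease-%d", issued),
			LeaseDuration: ttl, Renewable: true, Data: map[string]string{"username": fmt.Sprintf("v-token-payment-app-%d", issued)}})
	})
	mux.HandleFunc("/v1/sys/leases/renew", func(w http.ResponseWriter, r *http.Request) {
		var body map[string]interface{}
		json.NewDecoder(r.Body).Decode(&body)
		id, _ := body["lease_id"].(string)
		if renewals[id]++; renewals[id] > maxRenewals {
			http.Error(w, `{"errors":["lease is not renewable"]}`, http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(lease{LeaseID: id, LeaseDuration: ttl, Renewable: true})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeVault(3600, 1) // like default_ttl=1h with max_ttl=2h: one renewal, then a new lease
	defer srv.Close()
	m := &CredentialManager{Addr: srv.URL, Token: "s.example", Role: "payment-app"}
	for step := 1; step <= 3; step++ {
		creds, rotated, err := m.Refresh()
		fmt.Printf("step %d: rotated=%v user=%s err=%v\n", step, rotated, creds["username"], err)
	}
}
```

Run it and the three steps show read, renew, and forced re-read: the third Refresh returns rotated=true with a new username because the fake, like Vault past max_ttl, rejects the renewal. Against a real cluster the caller would run Refresh in a loop sleeping for half the current lease_duration and reopen its database pool whenever rotated is true; holding on to the old pair after that point is exactly the stale-credential failure dynamic secrets are meant to make visible.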

AWS Secrets Manager

Secrets Manager is a managed service that integrates natively with the rest of AWS: secret values are encrypted with a KMS key, access is governed by IAM and the secret's resource policy, every GetSecretValue call lands in CloudTrail, and rotation is performed by a Lambda function you supply (AWS publishes rotation templates for RDS engines). In CloudFormation the rotation schedule is a separate resource that references the secret; the original snippet nested it under the secret's properties, which the AWS::SecretsManager::Secret type does not accept:

```yaml
# CloudFormation: create a secret and attach a rotation schedule
# (RotationLambda is defined elsewhere in the template)
Resources:
  DatabaseSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: payment/db-credentials
      Description: "Payment database credentials"
      GenerateSecretString:
        SecretStringTemplate: '{"username": "payment_app"}'
        GenerateStringKey: "password"
        PasswordLength: 32
        ExcludeCharacters: "@%*"
      Tags:
        - Key: Environment
          Value: Production

  DatabaseSecretRotation:
    Type: AWS::SecretsManager::RotationSchedule
    Properties:
      SecretId: !Ref DatabaseSecret
      RotationLambdaARN: !GetAtt RotationLambda.Arn
      RotationRules:
        AutomaticallyAfterDays: 7
```

Application retrieval using the SDK. GetSecretValue returns the AWSCURRENT version by default, so after a rotation the next read sees the new password. Each call is a billed, rate-limited API request, so applications should cache the value and re-read only when the cache expires or the database rejects the cached credentials:

```typescript
import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";

interface DbConfig {
    host: string;
    username: string;
    password: string;
    database: string;
}

const client = new SecretsManagerClient({ region: "us-east-1" });

async function getDbConfig(): Promise<DbConfig> {
    const response = await client.send(new GetSecretValueCommand({
        SecretId: "payment/db-credentials",
    }));
    // SecretString is undefined for binary secrets; fail loudly instead of parsing undefined
    if (!response.SecretString) {
        throw new Error("payment/db-credentials has no SecretString");
    }
    const secret = JSON.parse(response.SecretString) as { username: string; password: string };
    return {
        host: requireEnv("DB_HOST"),
        username: secret.username,
        password: secret.password,
        database: requireEnv("DB_NAME"),
    };
}

// Non-secret connection parameters still come from the environment, but missing ones are an error
function requireEnv(name: string): string {
    const value = process.env[name];
    if (!value) throw new Error(`${name} is not set`);
    return value;
}
```
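The caching advice above has one trap: a cache that only expires on a timer keeps serving the old password for up to a full TTL after the rotation Lambda has changed it, so the application fails to authenticate until the cache happens to expire. The added example below, written for this article rather than taken from the original post or the AWS SDK, shows a cache that refetches on TTL expiry and also once, immediately, when the caller reports that the database rejected the credentials. It is kept in Go to match the other added example on this page; the Fetcher function stands in for GetSecretValue so the block runs without AWS, the ErrAuth sentinel and the in-block fake "Secrets Manager" and "database" are constructed for the demonstration, and the {"username","password"} document shape is the one the CloudFormation above produces:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"time"
)

// DBCredentials is the document shape produced by the CloudFormation above:
// SecretStringTemplate supplies "username", GenerateStringKey adds "password".
type DBCredentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// Fetcher stands in for GetSecretValue so the cache can run without AWS. In production it would
// call GetSecretValue and return SecretString (assumption: the secret is a JSON string).
type Fetcher func(secretID string) (string, error)

// ErrAuth is what the caller's operation returns when the database rejects the credentials it was given.
var ErrAuth = errors.New("database rejected credentials")

// SecretCache keeps one parsed secret for ttl and goes back to Secrets Manager only when the TTL
// lapses or a caller reports that the cached credentials no longer work.
type SecretCache struct {
	fetch   Fetcher
	id      string
	ttl     time.Duration
	mu      sync.Mutex
	creds   DBCredentials
	fetched time.Time
	Fetches int // number of calls made to the fetcher, for tests and metrics
}

func NewSecretCache(fetch Fetcher, secretID string, ttl time.Duration) *SecretCache {
	return &SecretCache{fetch: fetch, id: secretID, ttl: ttl}
}

// parseCredentials validates the secret document instead of trusting the parse blindly.
func parseCredentials(raw string) (DBCredentials, error) {
	var c DBCredentials
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return c, fmt.Errorf("secret is not a JSON document: %w", err)
	}
	if c.Username == "" || c.Password == "" {
		return c, errors.New("secret document lacks username or password")
	}
	return c, nil
}

// Get returns the cached credentials, fetching from Secrets Manager when the cache is empty or stale.
func (s *SecretCache) Get() (DBCredentials, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.fetched.IsZero() && time.Since(s.fetched) < s.ttl {
		return s.creds, nil
	}
	raw, err := s.fetch(s.id)
	if err != nil {
		return DBCredentials{}, err
	}
	creds, err := parseCredentials(raw)
	if err != nil {
		return DBCredentials{}, err
	}
	s.creds, s.fetched, s.Fetches = creds, time.Now(), s.Fetches+1
	return creds, nil
}

// Invalidate forgets the cached value so the next Get re-reads the secret.
func (s *SecretCache) Invalidate() {
	s.mu.Lock()
	s.fetched = time.Time{}
	s.mu.Unlock()
}

// Do runs op with the current credentials. If op reports ErrAuth, the secret was most likely rotated
// after the cache was filled, so Do re-reads it once and retries; other errors are returned unchanged.
func (s *SecretCache) Do(op func(DBCredentials) error) error {
	creds, err := s.Get()
	if err != nil {
		return err
	}
	if err = op(creds); !errors.Is(err, ErrAuth) {
		return err
	}
	s.Invalidate()
	if creds, err = s.Get(); err != nil {
		return err
	}
	return op(creds)
}

func main() {
	// Constructed stand-ins: a "Secrets Manager" holding the current version and a "database"
	// that only accepts the password currently in force.
	stored := `{"username":"payment_app","password":"p1"}`
	dbPassword := "p1"
	cache := NewSecretCache(func(string) (string, error) { return stored, nil }, "payment/db-credentials", time.Hour)
	connect := func(c DBCredentials) error {
		if c.Password != dbPassword {
			return ErrAuth
		}
		return nil
	}
	fmt.Println("before rotation:", cache.Do(connect), "fetches:", cache.Fetches)
	stored, dbPassword = `{"username":"payment_app","password":"p2"}`, "p2" // rotation happened
	fmt.Println("after rotation: ", cache.Do(connect), "fetches:", cache.Fetches)
}
```

Only an authentication failure triggers the refetch; a network error or a SQL error is returned as-is, so a flapping database cannot turn into a flood of Secrets Manager calls. The single retry is deliberate: if the freshly read secret is also rejected, something other than rotation is wrong and the error should propagate.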

Doppler

Doppler is a hosted service organised as projects with one config per environment (dev, stg, prd). Secret values are stored in Doppler and injected into a process at run time; nothing is written to disk unless you explicitly render a file. Bear in mind that `doppler run` delivers secrets as environment variables of the child process, which carries the exposure the introduction describes (inherited by subprocesses, readable from /proc by the same user), so treat the host running it as inside the trust boundary:

```shell
# Log in once, then bind this directory to a project and config
doppler login
doppler setup --project payment-service --config prd

# Render a config template locally: {{.SECRET_NAME}} placeholders are filled from Doppler
doppler secrets substitute config.tmpl.yaml > config.resolved.yaml

# Run an application with secrets injected as environment variables
doppler run -- npm start
```

The repository carries only a pointer to the project, never secret values (the original snippet listed development passwords and a JWT signing key inline, which defeats the purpose of the tool):

```yaml
# doppler.yaml, committed with the code: tells `doppler setup` which project and config
# this directory belongs to. It holds no secret values.
setup:
  project: payment-service
  config: dev
```

Values are set per config through the CLI or dashboard, so production secrets exist only in the prd config and are visible only to members with access to it:

```shell
# Development values can be throwaway; production values are set only in prd
doppler secrets set --project payment-service --config dev \
  DB_CONNECTION_STRING="postgres://dev_user:dev_pass@localhost:5432/payment"
doppler secrets set --project payment-service --config dev STRIPE_API_KEY="sk_test_***"
doppler secrets set --project payment-service --config dev JWT_SECRET="dev-secret-key"
doppler secrets set --project payment-service --config prd DB_CONNECTION_STRING="postgres://..."
```

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.
