
Using the New AWS Secrets Manager for Serverless - bwooster
https://spiegelmock.com/2019/01/08/making-use-of-aws-secrets-manager/
======
arkadiyt
The author touched on it a bit but I personally don't see the benefit of using
Secrets Manager over Parameter Store:

- Parameter Store works just as well and is free (outside of the KMS key
cost)

- Tools like Chamber only support Parameter Store

- The one benefit that SM had for me was out of the box support for rotating
RDS passwords, but RDS authentication with an IAM role is an even better
solution for that

~~~
Cpoll
I've been bitten by Parameter Store's rate limiting (non-increasable) from
just launching a new environment of a regular application (we were storing a
lot of values, and there's no real bulk GET as far as I recall). There are
countless threads about this problem online.

I imagine that with a serverless workflow, this might be an even bigger
problem.

I haven't explored Secrets Manager yet though.

~~~
scarface74
I’ve been bitten by it doing something as simple as creating parameters using
CloudFormation. The only way around it is judicious use of DependsOn to make
them single threaded.

~~~
Cpoll
Thanks for this, I was considering bringing params into CF, the main blocker
being that it doesn't support secure params (which is obvious in retrospect,
they wouldn't be secure in the template).

~~~
scarface74
For secure strings in CloudFormation, I use a CloudFormation parameter -
meaning I have to enter the parameter manually and set NoEcho to true. And
then set the CF parameter value to the SSM Parameter value.

This is with the help of a Lambda-backed custom resource.

[https://svdgraaf.nl/2018/04/13/CloudFormation-ssm-secure-str...](https://svdgraaf.nl/2018/04/13/CloudFormation-ssm-secure-string-support-boto3-custom-resource.html)

Obviously, this can’t be a part of your CI/CD Pipeline. I run the
CloudFormation template manually in the console to enter the parameters and my
CI Pipeline can then update the stack when needed.
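
The pattern described in the comment above (a NoEcho CloudFormation parameter handed to a Lambda-backed custom resource that writes an SSM SecureString), sketched as an added example; it is not code from the thread or from the linked post. The resource property names `Name` and `Value` are assumptions, and the handler never logs the event or returns the secret.

```python
import json
import urllib.request


def handle_event(event, ssm):
    """Apply one custom-resource request and return the CloudFormation response body."""
    props = event.get("ResourceProperties", {})  # "Name"/"Value" are assumed property names
    is_delete = event["RequestType"] == "Delete"
    # On Delete, trust the physical id we returned earlier, not the properties.
    name = event.get("PhysicalResourceId") if is_delete else props.get("Name")
    body = {
        "Status": "SUCCESS",
        "PhysicalResourceId": name or "not-created",
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": True,            # mask returned attributes in stack output
        "Data": {"Name": name},    # the secret value is never echoed back
    }
    try:
        if is_delete:
            try:
                ssm.delete_parameter(Name=name)
            except ssm.exceptions.ParameterNotFound:
                pass  # already gone, so the delete still succeeds
        else:
            # Create and Update both overwrite; the default KMS key is used.
            ssm.put_parameter(
                Name=name, Value=props["Value"], Type="SecureString", Overwrite=True
            )
    except Exception as exc:
        # Report only the exception class so no secret can leak via the reason text.
        body["Status"] = "FAILED"
        body["Reason"] = type(exc).__name__
    return body


def lambda_handler(event, context):
    import boto3  # imported here so handle_event can be exercised without AWS

    body = json.dumps(handle_event(event, boto3.client("ssm"))).encode()
    req = urllib.request.Request(
        event["ResponseURL"], data=body, method="PUT", headers={"Content-Type": ""}
    )
    urllib.request.urlopen(req)  # CloudFormation waits for this signed-URL PUT
```
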

