
Latacora perspective, AWS specifically: go install aws-vault. https://github.com/99designs/aws-vault

There are a ton of benefits to aws-vault. Strategically: getting everyone on an aws-vault workflow is step one to eventually making your IAM story great. We'll be publishing some general stuff about how we think you should start cleaning up your IAM story. We have Strong Opinions(TM) on how to get you from "bunch of people have * : * perms with keys they have on disk" to best-in-class, BeyondCorp-compliant temporary perms acquired on trustworthy endpoints.

(FWIW: also undersigned re: start by listening. Latacora starts with an audit too, but that feels like a cop-out answer :))



Oops. I was thinking of the wrong tool. Personally, my biggest peeve with temporary IAM credentials is the duration. Having them invalidate in the middle of a Packer build is a real mood killer. Our own company got them extended to 12 hours recently, which was a huge win in this department.

Original content - about Secrets Manager:

AWS Secrets Manager is stupidly expensive for a password manager that rotates passwords. It can't even rotate all passwords, just those for a specific subset of AWS services.

Should instead start with parameter store (which is free but still offers encrypted password storage) and then figure out what parts really need a rotating password and that are operating with services which Vault can rotate passwords for - at which point you migrate only those.


Replying to new content: it's true that Hashicorp tools in particular are hilariously bad at dealing with expired credentials. Terraform doesn't realize the error and just sits there banging away (retrying) forever.

If this is really a problem (that is, you reliably need more than 1h of role time and you can't get AWS to extend your duration for you), aws-vault knows how to mimic the metadata API. This resolves the issue, since it will transparently get new credentials for you.
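The refresh-before-expiry behaviour this comment attributes to the metadata-API approach, as an added Python example that is not aws-vault's own code: a hypothetical `RefreshingCredentials` class re-fetches a session (in the metadata API's `AccessKeyId`/`SecretAccessKey`/`Token`/`Expiration` shape) a few minutes before it expires, driven by a constructed clock and a fake issuer so it runs offline and shows how a three-hour build survives a one-hour role duration.

```python
"""Proactive refresh of temporary AWS credentials (hypothetical helper, not aws-vault)."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

REFRESH_MARGIN = timedelta(minutes=5)  # fetch new creds before, not after, Expiration


def _parse_expiration(iso: str) -> datetime:
    # The metadata API reports Expiration as ISO 8601 UTC with a trailing 'Z'
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RefreshingCredentials:
    """Hands out credentials, fetching a fresh set whenever the current one
    is within REFRESH_MARGIN of its Expiration."""

    def __init__(self, fetch: Callable[[], Dict[str, str]], now: Callable[[], datetime]):
        self._fetch = fetch      # e.g. an HTTP GET against the local metadata endpoint
        self._now = now          # injected clock so the refresh logic is testable
        self._creds: Dict[str, str] = {}
        self.refresh_count = 0

    def _stale(self) -> bool:
        if not self._creds:
            return True
        return self._now() >= _parse_expiration(self._creds["Expiration"]) - REFRESH_MARGIN

    def get(self) -> Dict[str, str]:
        if self._stale():
            self._creds = self._fetch()
            self.refresh_count += 1
        return self._creds


def simulate_long_build(steps: int, step_minutes: int, role_hours: int = 1) -> Tuple[List[str], int]:
    """Constructed scenario: a build of `steps` stages, each `step_minutes` long,
    running under a role whose session lasts `role_hours`."""
    clock = {"t": datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)}
    issued = {"n": 0}

    def fake_issuer() -> Dict[str, str]:  # stand-in for STS/metadata issuing a session
        issued["n"] += 1
        exp = clock["t"] + timedelta(hours=role_hours)
        return {"AccessKeyId": f"ASIACONSTRUCTED{issued['n']:03d}",  # constructed values
                "SecretAccessKey": "constructed-secret", "Token": f"tok{issued['n']}",
                "Expiration": exp.strftime("%Y-%m-%dT%H:%M:%SZ")}

    creds = RefreshingCredentials(fake_issuer, lambda: clock["t"])
    keys_used = []
    for _ in range(steps):
        keys_used.append(creds.get()["AccessKeyId"])  # every stage asks for creds
        clock["t"] += timedelta(minutes=step_minutes)
    return keys_used, creds.refresh_count
```

A caller that reads the creds once at start (as Terraform does with a static profile) would hold the first key for all twelve stages and fail at the one-hour mark; asking the provider each time is what makes the rotation transparent.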


You appear to be confusing aws-vault, a gratis and open source project that manages IAM credentials, with AWS Secrets Manager, a hosted AWS service that stores and manages secrets.

I agree AWS Secrets Manager is overpriced but I doubt it's a major expenditure for anyone. You should probably just use KMS instead and dump the ciphertexts wherever you want. Parameter Store is a fine place for them.


I did. Clearing up.

That said, it is a major expenditure when used as part of the automatic workflow. And Parameter Store has KMS encryption/decryption built in, alongside full IAM-level isolation.


So, concretely: $0.40/secret/month (prorated if < 1m) + $0.05 per 10,000 API calls. KMS: $1/CMK/mo + $0.03 per 10,000 requests.

What are you doing with it that makes it a major expenditure? That seems like a drop in the bucket compared to anyone's compute. Are you dumping 500 secrets in it?


We were looking at it for a configuration management backend. So, yes, 500+ values, consumed by microservices.

I still say - the only real value even when compared to other AWS services is the rotation, which currently only really works with DBs (and then only if your service connects to the Secrets Manager directly, with every DB open).


Just a note on Secrets Manager which you probably know, but is worth mentioning just in case:

Secrets Manager charges per Secret, but if you are storing non-AWS values (API keys), then you can put several secret values in one Secret. Not sure if your 500 values number was 500 Secrets, or 500 secret values which could perhaps be grouped logically together into a smaller number?


Yep, definitely not debating that it's overpriced and questionable value compared to KMS + storage of your choosing -- just surprised that you ended up with a model where it's nontrivial cost :)

