Cloud Security Comparison

Secrets Management in Production: HashiCorp Vault vs AWS Secrets Manager vs Doppler

Secrets management platform comparison: HashiCorp Vault, AWS Secrets Manager, and Doppler. Real 2026 pricing, the IBM acquisition fallout, rotation, and which fits which team.

Secrets management is the quiet backbone of every cloud-native application. It doesn’t get the dashboard time that EDR or CNAPP gets, but credentials are involved in roughly half of all breaches, and 86% of web application attacks involve stolen credentials. The tool that holds your database passwords, API keys, and service tokens is not negotiable — it’s a question of which one, not whether.

Three platforms dominate the conversation in 2026: HashiCorp Vault, AWS Secrets Manager, and Doppler. They are not interchangeable. They represent three different answers to the same question, and picking the wrong one costs you months of rework.

We’ve been watching this market closely through a pivotal eighteen months. IBM completed its $6.4 billion acquisition of HashiCorp in February 2025. HCP Vault Secrets — the SaaS product — was sunsetted mid-2025. Pricing across the board has moved. Doppler has matured into a genuine enterprise option. And AWS Secrets Manager has quietly become the default for anyone operating on AWS without cross-cloud requirements.

Here’s how the three compare in production in 2026, with real pricing, real weaknesses, and a clear recommendation for each major buyer profile.

The executive summary

If you want the answer before the analysis:

  • Default to AWS Secrets Manager if you’re on AWS and have no serious multi-cloud ambitions in the next two years. The economics and integration are unbeatable.
  • Default to Doppler if developer experience is the bottleneck and you’re willing to accept a closed-source SaaS-only tool. Pricing is predictable, onboarding is minutes not weeks.
  • Default to HashiCorp Vault if you have genuine multi-cloud requirements, need dynamic secrets and advanced PKI, and have platform engineering capacity to run it. Be realistic about the IBM ownership risk.

There is no wrong answer between the three for the right use case. There are plenty of wrong answers when teams pick based on familiarity or reputation without thinking through what they actually need.

How each platform thinks about the problem

The three tools start from different assumptions about who the user is, and those assumptions drive almost every product decision.

HashiCorp Vault is built for platform engineering teams. It treats secrets management as one facet of identity-based access control, with opinions on how secrets should be issued, leased, rotated, and revoked. The Vault worldview is that static secrets are a failure mode — the goal is dynamic secrets with short TTLs, generated on demand, tied to ephemeral identities. That’s genuinely powerful. It’s also genuinely complex. Vault requires administrators to understand authentication methods, token lifecycle management, secret paths, and the HCL policy language. Developers typically never touch it directly; they consume secrets through abstractions that platform teams build on top.

AWS Secrets Manager takes the opposite view. It’s infrastructure. Store a secret, retrieve it via API, rotate it on a schedule, integrate with IAM for access control. The service is deliberately boring in the best sense. It does one job well, integrates natively with RDS for database credential rotation, and costs very little. The limitation is that it’s an AWS service — it works well in AWS, poorly outside AWS, and makes no pretence of being anything else.

Doppler treats secrets management as a developer experience problem. The core insight — which is correct — is that the best-configured Vault in the world produces zero security value if engineers paste production database URLs into .env files at midnight because the official tool is too painful to use. Doppler’s CLI injects secrets as environment variables into the running process. Developers run doppler run -- npm start and the secrets are there. No code changes, no SDK imports. The platform handles storage, backups, high availability, and synchronisation to other tools (AWS Secrets Manager, GitHub Actions, Vercel, Kubernetes).

These are not three flavours of the same thing. They are three different products answering three different questions.

Pricing: the real numbers in 2026

This is where the decision usually gets made, and where the marketing is least useful.

HashiCorp Vault post-IBM has limited transparency and multiple paths. Vault Community Edition is free but lacks enterprise features like namespaces, disaster recovery, and performance replication — it’s not a realistic production option for anything beyond small deployments. HCP Vault Dedicated (managed cloud) is billed hourly with a per-client fee on top. On Essentials and Standard tiers, clients are charged at roughly $72.92 per month each, where a client is any unique application, service, or user that authenticates to Vault. At 50 clients, list price sits around $51,000 annually, though buyers routinely negotiate discounts of 28–74% depending on deal size. Vault Enterprise (self-hosted) pricing is not public and requires a sales conversation. Hidden costs — support tier upgrades, renewals, HSM integration — commonly add 25–60% on top of the initial quote.

Add infrastructure to the self-hosted bill. Running Vault in production requires at minimum three nodes for high availability, persistent storage, and monitoring. On AWS, that’s roughly $200–400 per month in compute alone, before you count the engineering time for upgrades, incident response, and the person who actually knows how to operate Raft consensus under pressure.

AWS Secrets Manager is genuinely simple: $0.40 per secret per month, prorated hourly, plus $0.05 per 10,000 API calls. There is no free tier. The service is regional and cross-region replication multiplies the cost. A typical application with 20 secrets and 500,000 API calls per month costs about $10.50 per month. An organisation with 1,500 secrets and moderate traffic runs in the low hundreds.

The hidden gotcha is the per-secret model. Teams that adopt a “micro-secrets” pattern — one secret per customer, or one secret per environment variable — balloon their bill fast. The solution is straightforward: store multiple related values as a JSON object in a single secret. A database connection with host, port, username, and password as four separate secrets costs $1.60 per month. As one JSON secret, $0.40. This is a 90% saving that many teams miss.

For static configuration values that don’t need rotation, AWS Systems Manager Parameter Store Standard is free and stores SecureString parameters with KMS encryption. The right AWS pattern is: Parameter Store for configuration and static values, Secrets Manager for rotating credentials. Mixing the two correctly is the cheapest way to run secrets on AWS.

Doppler prices by user, not by secret. The free tier covers up to 3 users with unlimited secrets. The Team plan is $21 per user per month (billed annually; monthly billing is typically 20–30% more). Enterprise is custom and requires a sales conversation. A 25-person team on the Team tier sits at around $525 per month — comparable to mid-range AWS Secrets Manager usage, more than free Parameter Store, less than Vault Enterprise at similar scale.

The pricing philosophy matters. Doppler does not charge extra for machine identities or non-human accounts, which makes it predictable at scale. Vault’s per-client model charges for the same pattern, which is why Vault quotes balloon as deployments grow. AWS Secrets Manager charges per secret regardless of who accesses it, which favours applications with many clients sharing a small number of secrets.

Feature comparison: where each tool wins and loses

Detailed platform comparison

| Capability | HashiCorp Vault | AWS Secrets Manager | Doppler |
|---|---|---|---|
| Deployment | Self-hosted, HCP managed | AWS-native only | SaaS only |
| Pricing model | Per client (HCP), custom (Enterprise) | Per secret + API calls | Per user |
| Typical cost (25 people, moderate use) | $30K+/year (Enterprise) | $50–200/month | $525/month (Team) |
| Open source | BSL licence (not OSI open source) | No | No |
| Multi-cloud | Native | No (AWS only) | Syncs to AWS/Azure/GCP/others |
| Dynamic secrets | Yes, extensive | Limited (native RDS rotation only) | On roadmap |
| Secret rotation | Built-in, customisable | Native for RDS/Redshift/DocumentDB; Lambda for custom | Automated rotation supported |
| PKI / certificate authority | Full CA capabilities | ACM (separate service) | No |
| Encryption as a service | Yes (Transit) | KMS (separate service) | No |
| Kubernetes integration | Injector, CSI, Agent | External Secrets Operator | External Secrets Operator, native integrations |
| Developer CLI UX | Functional; steep learning curve | AWS CLI (functional, not purpose-built) | Excellent, purpose-built |
| Time to production | Weeks to months | Hours to days | Minutes to hours |
| Audit logging | Extensive | CloudTrail | Built-in access logs |
| Compliance posture | Strong (FIPS 140-2, HSM) | Strong (SOC 2, HIPAA, PCI-DSS) | SOC 2 Type II |
| Self-service for developers | Requires admin tooling on top | Limited | Native |
| Vendor lock-in risk | Medium (BSL, IBM roadmap) | High (AWS-only) | High (closed-source, SaaS-only) |

Where Vault wins

Vault’s dynamic secrets capability remains the most sophisticated in the market. Generate a database credential on demand that lives for 15 minutes and auto-revokes. Mint short-lived AWS IAM credentials tied to a specific task. Issue SSH certificates for just-in-time access. This is the capability that originally put Vault on the map and it’s still where it’s strongest. If your security architecture genuinely depends on short-lived, just-in-time credentials across heterogeneous infrastructure, Vault is still the clear leader.
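What the dynamic-secrets model described here (and in the earlier description of Vault’s worldview: short TTLs, leases, revocation) demands of the application, as an added example that is not part of this article or of HashiCorp’s code. FakeVault is a constructed stand-in for a database secrets engine role so the code runs offline; the `ttl`/`max_ttl` split it models is how Vault roles are configured, and the three hvac method names in the docstring are the real client’s. Role name, lease ids and passwords are constructed.

```python
"""Consumer-side lifecycle of a Vault dynamic secret: request, renew before
expiry, re-acquire when max_ttl is reached, revoke on shutdown.  FakeVault is
a constructed stand-in so this runs offline; with the real hvac client the
same three operations are client.secrets.database.generate_credentials(name),
client.sys.renew_lease(lease_id, increment) and client.sys.revoke_lease(lease_id)."""
import itertools
import time
from dataclasses import dataclass, field
from typing import Callable


class FakeVault:
    """Models a database secrets engine role with a default ttl and a hard
    max_ttl, the two numbers an operator sets on the role (constructed)."""

    def __init__(self, ttl: int = 900, max_ttl: int = 3600):
        self.ttl, self.max_ttl = ttl, max_ttl
        self._seq = itertools.count(1)
        self.active = {}    # lease_id -> time first issued
        self.revoked = []

    def generate_credentials(self, role: str, now: float) -> dict:
        n = next(self._seq)
        lease_id = f"database/creds/{role}/lease-{n}"
        self.active[lease_id] = now
        return {"lease_id": lease_id, "lease_duration": self.ttl,
                "data": {"username": f"v-{role}-{n}", "password": f"constructed-pw-{n}"}}

    def renew_lease(self, lease_id: str, now: float) -> dict:
        # Renewal extends the lease by ttl but never past max_ttl from first issue.
        remaining = min(self.ttl, self.max_ttl - (now - self.active[lease_id]))
        if remaining <= 0:
            raise RuntimeError("lease has reached max_ttl and cannot be renewed")
        return {"lease_id": lease_id, "lease_duration": int(remaining)}

    def revoke_lease(self, lease_id: str) -> None:
        self.active.pop(lease_id, None)
        self.revoked.append(lease_id)


@dataclass
class DynamicCredential:
    """What an application keeps instead of a static password: the current
    credential, its lease, and when it stops being valid."""
    vault: FakeVault
    role: str
    clock: Callable[[], float] = time.time
    lease_id: str = ""
    expires_at: float = 0.0
    creds: dict = field(default_factory=dict)

    def acquire(self) -> dict:
        now = self.clock()
        r = self.vault.generate_credentials(self.role, now)
        self.lease_id, self.creds = r["lease_id"], r["data"]
        self.expires_at = now + r["lease_duration"]
        return self.creds

    def ensure_valid(self, margin: float = 60.0) -> dict:
        """Return a credential with at least `margin` seconds left: renew when
        close to expiry, and fall back to a fresh one when Vault refuses."""
        now = self.clock()
        if self.lease_id and now < self.expires_at - margin:
            return self.creds
        if self.lease_id:
            try:
                r = self.vault.renew_lease(self.lease_id, now)
                self.expires_at = now + r["lease_duration"]
                return self.creds
            except RuntimeError:
                self.release()          # old credential is revoked, not left dangling
        return self.acquire()

    def release(self) -> None:
        """Revoke on shutdown so the database user disappears immediately
        rather than lingering until the TTL runs out."""
        if self.lease_id:
            self.vault.revoke_lease(self.lease_id)
            self.lease_id, self.creds = "", {}
```

The design point is the `max_ttl` branch: a service that only ever renews will eventually be refused, and the safe response is revoke-then-reacquire, which is also what makes a Vault outage visible as a credential failure rather than a silent fallback to a long-lived password.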

Vault’s PKI engine is effectively a production-grade certificate authority that happens to be bundled with your secrets manager. For organisations running service mesh architectures (mTLS between services), this alone justifies Vault.

Transit encryption — the “encryption as a service” feature where applications call Vault to encrypt/decrypt data without ever handling the keys — is unique at this level of maturity. AWS KMS does something similar but the Transit workflow is better integrated into Vault’s policy model.

Where Vault loses

The operational complexity is real and has not improved. Teams routinely report Vault deployments taking months to get to production, with dedicated engineers required to maintain it. The HCL policy language has a learning curve. Path-based access controls are powerful and regularly misconfigured. Multiple enterprises have reported that Vault debugging sessions consume disproportionate platform engineering time.

The IBM acquisition has introduced genuine uncertainty. HCP Vault Secrets — HashiCorp’s SaaS-only product — was sunsetted mid-2025. The HCP Vault Dedicated Starter tier was discontinued. Pre-acquisition HashiCorp’s BSL licence change was already controversial among security researchers who depend on transparent code for verification; IBM’s long-term stewardship is an open question. For contracts expiring in late 2026 or 2027, the consensus advice among licensing consultants is to negotiate 3-year renewals now at current pricing to lock in before IBM’s packaging changes land.

Community Edition is not a production answer for anything non-trivial. The gap between Community and Enterprise is real — namespaces, DR replication, and HSM integration are all Enterprise-only. Teams that start on Community Edition and scale into needing these features face an unpleasant migration.

Where AWS Secrets Manager wins

The economics are unmatched for anyone operating on AWS. Under a hundred dollars a month covers real production workloads. The pricing scales predictably with usage, not with team size.

Native RDS integration is the killer feature. Enable rotation with a few clicks and AWS handles the Lambda function, the rotation logic, the verification, and the credential handoff. For MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, Redshift, and DocumentDB, this is table stakes that competing tools require substantial custom work to match. Rotation itself costs fractions of a cent per execution.

IAM integration is deep. Permissions follow the same model as every other AWS service, which means your existing access patterns, audit tooling, and policy-as-code (CloudFormation, CDK, Terraform) translate directly. This is underappreciated until you’ve tried to operate a separate IAM model for a separate secrets tool and felt the friction.

Cross-region replication and cross-account resource policies are built in and work well for AWS-native multi-account organisations. Combined with AWS Organizations and SCPs, you can centralise secrets governance without deploying additional tooling.

Where AWS Secrets Manager loses

It is AWS-only. If you run workloads on Azure or GCP, you’ll run three different secrets stores unless you’re willing to accept cross-cloud latency and egress costs. There is no path around this — the service is a feature of AWS, not a cross-cloud product.

Dynamic secrets are limited to the native rotation patterns (primarily database credentials via Lambda). Custom rotation logic is possible but you write it, deploy it, and maintain it. The feature surface doesn’t approach Vault’s.
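The rotation contract behind both the native RDS feature described earlier and the custom logic you write for everything else, as an added example that is not part of this article or of AWS’s own rotation templates. The four `Step` values and the `AWSCURRENT`/`AWSPENDING` version labels are Secrets Manager’s real contract, and the fake client keeps boto3’s keyword-argument shape for `describe_secret`, `get_secret_value`, `put_secret_value` and `update_secret_version_stage`; FakeSecretsManager, FakeDatabase, the secret name and the JSON layout are constructed so the code runs offline.

```python
"""Four-step rotation state machine in the shape Secrets Manager expects from a
rotation Lambda.  Constructed example: FakeSecretsManager and FakeDatabase stand
in for boto3's client('secretsmanager') and a real database so it runs offline.
The Step names and stage labels are the real service contract; the rest is
illustrative."""
import json
import secrets
import string

STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")


class FakeSecretsManager:
    """Stand-in for boto3 client('secretsmanager') keeping the keyword-argument
    shape of the four calls a rotation function makes (constructed; does not
    model the AWSPREVIOUS label)."""

    def __init__(self, secret_id: str, current: dict):
        self.secret_id = secret_id
        self.versions = {"v0": [json.dumps(current), ["AWSCURRENT"]]}

    def describe_secret(self, SecretId):
        return {"VersionIdsToStages": {v: list(s) for v, (_, s) in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, (body, stages) in self.versions.items():
            if VersionId is not None and vid != VersionId:
                continue
            if VersionStage is not None and VersionStage not in stages:
                continue
            return {"SecretString": body}
        raise LookupError("ResourceNotFoundException")

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = [SecretString, list(VersionStages)]

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.versions[RemoveFromVersionId][1].remove(VersionStage)
        self.versions[MoveToVersionId][1].append(VersionStage)


class FakeDatabase:
    """Stand-in for the database whose password is being rotated (constructed)."""

    def __init__(self, users: dict):
        self.users = dict(users)

    def set_password(self, user: str, password: str) -> None:
        self.users[user] = password

    def authenticate(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def new_password(length: int = 32) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotation_handler(event: dict, sm, db) -> str:
    """One invocation of the rotation function.  Secrets Manager calls it four
    times per rotation with the same ClientRequestToken and a different Step,
    and retries a failed step with the same token, so every step is idempotent."""
    sid, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    stages = sm.describe_secret(SecretId=sid)["VersionIdsToStages"]
    if "AWSCURRENT" in stages.get(token, []):
        return "already current"        # retried after completion: nothing to do
    if step == "createSecret":
        try:
            sm.get_secret_value(SecretId=sid, VersionId=token, VersionStage="AWSPENDING")
            return "pending exists"     # retried createSecret: do not mint a second password
        except LookupError:
            pass
        current = json.loads(sm.get_secret_value(SecretId=sid, VersionStage="AWSCURRENT")["SecretString"])
        current["password"] = new_password()   # same JSON layout, only the password changes
        sm.put_secret_value(SecretId=sid, ClientRequestToken=token,
                            SecretString=json.dumps(current), VersionStages=["AWSPENDING"])
        return "created"
    pending = json.loads(sm.get_secret_value(SecretId=sid, VersionId=token,
                                             VersionStage="AWSPENDING")["SecretString"])
    if step == "setSecret":
        db.set_password(pending["username"], pending["password"])
        return "set"
    if step == "testSecret":
        if not db.authenticate(pending["username"], pending["password"]):
            raise RuntimeError("pending credential failed to authenticate; AWSCURRENT left untouched")
        return "tested"
    if step == "finishSecret":
        current_vid = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        sm.update_secret_version_stage(SecretId=sid, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_vid)
        return "finished"
    raise ValueError(f"unknown rotation step: {step}")


def rotate(sm, db, token: str) -> dict:
    """Drive all four steps in order, as the service does, and return the new AWSCURRENT secret."""
    for step in STEPS:
        rotation_handler({"SecretId": sm.secret_id, "ClientRequestToken": token, "Step": step}, sm, db)
    return json.loads(sm.get_secret_value(SecretId=sm.secret_id, VersionStage="AWSCURRENT")["SecretString"])
```

Two details are where home-grown rotation functions usually go wrong: `createSecret` must not mint a second password when the service retries it with the same token, and a failing `testSecret` must raise before `finishSecret` so the `AWSCURRENT` label (and every client reading it) is never moved to a credential that does not work.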

Developer experience is AWS-CLI-standard, which is functional but not purpose-built for secrets workflows. Teams that value CLI polish — environment switching, local development flows, branch-aware secrets — will find the experience competent but uninspired.

The per-secret pricing model punishes fine-grained secret patterns. Teams need to consciously design around JSON-packed secrets and careful API call caching (via the Parameters and Secrets Lambda Extension) to keep costs sane at scale. Microservices that fetch secrets on every invocation without caching can generate enormous API volumes quickly.
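The three cost controls from this section and the pricing section above (one JSON-packed secret instead of four, Parameter Store for static values, and caching instead of a GetSecretValue call per invocation), as an added example that is not part of this article or of any AWS SDK. The two fake clients keep boto3’s `get_secret_value` and `get_parameter` keyword-argument shapes but are constructed so the code runs offline; the in-process TTL cache stands in for what the Parameters and Secrets Lambda Extension does as a local sidecar. Secret names, parameter names and values are constructed.

```python
"""Packed JSON secret + Parameter Store for static config + TTL cache.
Constructed example: FakeSecretsManager and FakeParameterStore mimic the boto3
call shapes so it runs offline."""
import json
import time
from typing import Callable, Dict


class FakeSecretsManager:
    """Stand-in for boto3 client('secretsmanager'); counts calls (constructed)."""

    def __init__(self, store: Dict[str, str]):
        self.store, self.calls = store, 0

    def get_secret_value(self, SecretId: str):
        self.calls += 1
        return {"SecretString": self.store[SecretId]}


class FakeParameterStore:
    """Stand-in for boto3 client('ssm'); counts calls (constructed)."""

    def __init__(self, store: Dict[str, str]):
        self.store, self.calls = store, 0

    def get_parameter(self, Name: str, WithDecryption: bool = False):
        self.calls += 1
        return {"Parameter": {"Name": Name, "Value": self.store[Name]}}


class ConfigLoader:
    """Static configuration from Parameter Store, rotating credentials from
    Secrets Manager, both behind one TTL cache so a hot code path does not
    issue an API call per invocation."""

    def __init__(self, sm, ssm, ttl: float = 300.0, clock: Callable[[], float] = time.time):
        self.sm, self.ssm, self.ttl, self.clock = sm, ssm, ttl, clock
        self._cache = {}  # (kind, id) -> (expires_at, value)

    def _cached(self, key, fetch):
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and now < hit[0]:
            return hit[1]
        value = fetch()
        self._cache[key] = (now + self.ttl, value)
        return value

    def parameter(self, name: str) -> str:
        return self._cached(("ssm", name), lambda: self.ssm.get_parameter(
            Name=name, WithDecryption=True)["Parameter"]["Value"])

    def secret(self, secret_id: str) -> dict:
        # One JSON-packed secret holds every field of a credential: one $0.40 line item, not four.
        return self._cached(("sm", secret_id), lambda: json.loads(
            self.sm.get_secret_value(SecretId=secret_id)["SecretString"]))

    def invalidate(self, secret_id: str) -> None:
        """Call from the authentication-failure path: a cached credential is
        stale once rotation moves AWSCURRENT to a new version."""
        self._cache.pop(("sm", secret_id), None)


def db_dsn(loader: ConfigLoader, secret_id: str) -> str:
    s = loader.secret(secret_id)
    return f"postgresql://{s['username']}:{s['password']}@{s['host']}:{s['port']}/{s['dbname']}"


def monthly_cost(secret_count: int, api_calls: int) -> float:
    """List price quoted in the text: $0.40 per secret-month plus $0.05 per 10,000 API calls."""
    return round(secret_count * 0.40 + api_calls / 10_000 * 0.05, 2)


# Constructed sample data: one packed database credential and one static parameter.
SAMPLE_SM = FakeSecretsManager({"prod/orders/db": json.dumps({
    "host": "orders.example.internal", "port": 5432, "dbname": "orders",
    "username": "orders_app", "password": "constructed-password"})})
SAMPLE_SSM = FakeParameterStore({"/prod/orders/feature_flags": "new_checkout=on"})

if __name__ == "__main__":
    loader = ConfigLoader(SAMPLE_SM, SAMPLE_SSM)
    for _ in range(1000):            # 1,000 invocations inside one TTL window
        db_dsn(loader, "prod/orders/db")
    print("GetSecretValue calls:", SAMPLE_SM.calls)           # one, not a thousand
    print("20 secrets, 500k calls/month:", monthly_cost(20, 500_000))
```

The `invalidate` path is the caveat that comes with caching: after a rotation the old password stops working, so the first authentication failure should evict the cached value and refetch rather than retry with the same credential.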

Where Doppler wins

Developer experience is unmatched. A new engineer can be productive with Doppler in minutes — clone the project, run doppler login, run doppler run -- npm start, and they have the correct secrets for their environment and branch. No SDK integration, no code changes, no .env file management. The workflow is genuinely natural.

User-based pricing is predictable. Adding a new microservice doesn’t add cost. Adding a new Kubernetes deployment doesn’t add cost. Only adding a new human user does. For teams operating dozens of services, this is materially cheaper than per-secret or per-client models.

Sync destinations are a legitimate strength. Doppler can push secrets to AWS Secrets Manager, GitHub Actions, Vercel, Kubernetes, Terraform Cloud, and roughly a hundred other targets. This lets teams use Doppler as the developer-facing source of truth while feeding secrets into the backend systems that actually need them.

CI/CD integration works without ceremony. The Doppler CLI in a GitHub Actions step is genuinely two lines of config. Vault in the same context requires auth method configuration, policy debugging, and typically a platform engineer.

Where Doppler loses

Closed-source, SaaS-only. Self-hosting is not available. For regulated industries with data residency requirements or air-gapped environments, Doppler is disqualified immediately.

Dynamic secrets are less mature than Vault’s, though they’re on the roadmap. Teams that need on-the-fly credential generation with short TTLs across heterogeneous targets will find Doppler’s patterns require more manual work than Vault’s.

Organisational structure is shallower than Vault’s. Doppler uses projects and environments as the primary hierarchy, which works well at team scale but feels constraining for very large organisations with complex compartmentalisation requirements.

Vendor lock-in is real. If Doppler raises prices or changes strategy, migration is non-trivial because secrets and their access patterns are deeply embedded in workflows. That risk militates against Doppler being the only secrets store for a large enterprise; it’s well-suited as the developer-facing layer over a backend secrets store (AWS Secrets Manager or Vault).

The decision framework

Three questions resolve most selection decisions.

Are you AWS-only or meaningfully multi-cloud? If AWS-only, default to AWS Secrets Manager with Parameter Store for configuration. The combined stack covers 90% of what teams need at a fraction of the cost of any alternative, and the native integrations pay off daily.

If you’re meaningfully multi-cloud — production workloads on at least two of AWS, Azure, GCP — you have two credible paths. One is Vault as the cross-cloud authority. The other is a per-cloud approach (AWS Secrets Manager for AWS, Azure Key Vault for Azure, GCP Secret Manager for GCP) with something like the External Secrets Operator stitching them into Kubernetes. The per-cloud approach is cheaper and simpler if you can tolerate the operational split.

Is developer experience a genuine bottleneck? If developers are working around your secrets tooling — .env files in Git, secrets pasted into Slack, environment variables hardcoded in Dockerfiles — that’s a workflow problem, and no amount of Vault configuration will fix it. Doppler is purpose-built for this, and the pricing is competitive at team scale. The question is whether you can tolerate SaaS-only and closed-source.

Do you genuinely need dynamic secrets and a full PKI? If your security architecture depends on short-lived database credentials, just-in-time cloud access, or a service mesh with mTLS issued by an internal CA, Vault remains the correct answer. Accept the operational cost, lock in pricing before the IBM transitions land, and invest in platform engineering to run it well.

For most organisations the honest answer is AWS Secrets Manager or Doppler, not Vault. Vault’s dynamic secrets capability is powerful, but if you don’t actually use it, you’re paying a significant operational and licensing premium for a key-value store with a harder learning curve.

Secrets management doesn’t exist in isolation. The adjacent decisions worth aligning:

  • SaaS security: The Salesloft/Drift breach in 2025 highlighted that OAuth tokens in third-party SaaS integrations are secrets that your secrets manager probably doesn’t cover. See our analysis on SSPM and post-Salesloft OAuth hardening.

  • Supply chain security: SBOMs increasingly need to document which secrets are consumed and by which components. Our guide to software supply chain security covers the adjacent territory.

  • Identity and Zero Trust: Machine identity and non-human identity (NHI) management is the adjacent category — Aembit, Astrix, and CyberArk’s NHI products all live in the same neighbourhood. See our Zero Trust IAM comparison for how this fits the broader identity stack.

Frequently asked questions

Is HashiCorp Vault still the default choice for secrets management?

Not in 2026. The default has shifted. For AWS-native workloads, AWS Secrets Manager with Parameter Store is materially cheaper and simpler. For developer-experience-first teams, Doppler is genuinely better at the workflow problem. Vault remains the right choice for organisations with genuine multi-cloud requirements, dynamic secrets needs, or full PKI requirements — but that’s a narrower population than it was pre-2024.

What happened to HCP Vault Secrets?

IBM sunsetted HCP Vault Secrets — HashiCorp’s SaaS-only product — in mid-2025, following the February 2025 completion of the $6.4 billion acquisition. The HCP Vault Dedicated Starter tier was also discontinued. Organisations on those products have been pushed toward HCP Vault Dedicated (Essentials or Standard), Vault Enterprise, or the free Vault Community Edition. Tier names and structures have changed post-acquisition.

Is AWS Secrets Manager cheaper than Vault?

For most AWS-native teams, yes, by a wide margin. AWS Secrets Manager at $0.40 per secret per month plus API calls typically lands in the tens to low hundreds of dollars monthly. Vault Enterprise pricing starts in the tens of thousands annually once you factor in licensing, support, and self-hosted infrastructure (3-node HA cluster, KMS, monitoring). The gap narrows for multi-cloud workloads where AWS-only pricing doesn’t apply, and for organisations using Vault’s advanced features (dynamic secrets, PKI, Transit) that don’t have native AWS equivalents.

Can Doppler replace Vault entirely?

For teams that don’t need dynamic secrets, PKI, or on-premise deployment, yes. For teams that do, Doppler is better positioned as a developer-facing layer over a backend store (AWS Secrets Manager or Vault) rather than a complete replacement. Doppler’s sync destinations support this pattern natively.

What’s the difference between AWS Secrets Manager and Parameter Store?

Parameter Store (part of AWS Systems Manager) is a general-purpose configuration store with a free standard tier. Secrets Manager is purpose-built for credentials that need automatic rotation. The pattern most mature AWS teams use: Parameter Store for configuration, feature flags, and static secrets that don’t rotate; Secrets Manager for database credentials and anything requiring automated rotation. Parameter Store SecureString parameters are encrypted with KMS and are suitable for many secrets use cases, with the main limitation being lack of built-in rotation.

Should I self-host Vault or use HCP Vault Dedicated?

If you have dedicated platform engineering capacity and need specific enterprise features at predictable cost, self-hosted Vault Enterprise is defensible. If you’re starting fresh or don’t have the platform engineers, HCP Vault Dedicated removes the operational burden — at a premium. For contracts expiring late 2026 or 2027, negotiate 3-year renewals now to lock in pre-IBM-packaging-changes pricing.

Does the IBM acquisition affect security properties of Vault?

Not directly. The Vault product, binary, and protocols are unchanged in their security properties. What has changed is the commercial posture: pricing transparency has decreased, product lineup has narrowed (HCP Vault Secrets and Starter tier gone), and long-term roadmap is now shaped by IBM’s hybrid cloud strategy rather than HashiCorp’s independent direction. The BSL licence (in effect since 2023, pre-acquisition) remains. For security-critical use cases, monitor the roadmap and plan for alternatives — OpenBao is the open-source fork of Vault maintained by the Linux Foundation, and is gaining serious credibility as a long-term Vault alternative.