AWS Secrets Manager Alternative
Your secrets should not be locked to one cloud.
AWS Secrets Manager is deeply integrated with the AWS ecosystem. That's its strength and its weakness. If you deploy to multiple clouds, work locally, or want a developer-friendly CLI, you are fighting the tool instead of using it. secr gives you encrypted secrets management that works everywhere.
The AWS Lock-in Problem
AWS Secrets Manager is built for AWS. Every interaction goes through the AWS console, the AWS CLI, or an AWS SDK. That means:
- •No local development story. Developers either mock secrets locally or maintain a parallel .env file, defeating the purpose of a secrets manager.
- •Console-heavy workflow. Creating, updating, and rotating secrets means navigating the AWS console or writing verbose CLI commands with IAM policy boilerplate.
- •Multi-cloud friction. If any part of your stack runs outside AWS — Vercel for the frontend, Railway for a microservice, GitHub Actions for CI — you need workarounds for each one.
- •IAM complexity. Granting a developer access to a single secret requires IAM policies, resource ARNs, and understanding of AWS's permission model. In secr, you invite them and assign a role.
Hidden Costs at Scale
AWS Secrets Manager pricing looks simple until you do the math:
AWS Secrets Manager Pricing
secr's free tier includes 3 projects with unlimited secrets. Pro is $6/seat/month with no per-secret charges and no API call fees. For a team of 5 with 200 secrets, that's $30/month on secr vs $100+ on AWS.
AWS Secrets Manager vs secr
| Feature | AWS Secrets Manager | secr |
|---|---|---|
| Vendor lock-in | AWS only | Cloud-agnostic |
| Local development | No built-in solution | secr run -- <cmd> (zero-disk) |
| Pricing model | $0.40/secret/month + API calls | Free tier, then $6/seat/month |
| CLI experience | aws secretsmanager (verbose) | secr set / secr run (minimal) |
| Multi-cloud | AWS ecosystem only | Works with any provider |
| Secret scanning | Not included | 20+ patterns, pre-commit hook |
| Team management | IAM policies and ARNs | Invite + role assignment |
| Dashboard | AWS Console | Purpose-built web UI |
| Environments | Manual (tags/paths) | Named environments with promotion |
| Hosting | AWS-managed only | Cloud-hosted (cloud-agnostic) |
| SDKs | AWS SDKs (all languages) | Node.js, Python, Go |
| Webhooks | EventBridge (extra setup) | Built-in webhook delivery |
Import Your AWS Secrets
secr has a built-in import adapter for AWS Secrets Manager. Point it at your region and it pulls every secret, including JSON values that get flattened into individual keys:
# Import from AWS Secrets Manager
secr import --from aws-secrets-manager \
--access-key-id AKIA... \
--secret-access-key ... \
--region us-east-1
# Or import from AWS Parameter Store
secr import --from aws-parameter-store \
--access-key-id AKIA... \
--secret-access-key ... \
--region us-east-1 \
--path-prefix /myapp/production/
The import runs in two steps: preview (shows what will be imported) and execute (writes the secrets). You can also import from the dashboard with a visual interface.
When to Stay on AWS Secrets Manager
AWS Secrets Manager is the right choice in certain scenarios:
All-in on AWS
If every service runs on AWS and your team already understands IAM, the native integration with Lambda, ECS, RDS, and other services is hard to beat.
Automatic rotation requirements
AWS Secrets Manager supports automatic rotation of RDS credentials and other AWS service secrets via Lambda functions. secr handles manual rotation with version history.
Enterprise compliance mandates
If your compliance team requires secrets to remain within the AWS boundary and audit through CloudTrail, staying native may be the simplest path.
Secrets management without cloud lock-in
npm i -g @secr/cli
secr init
secr import --from aws-secrets-manager --region us-east-1
secr run -- npm start