{"id":165606,"date":"2026-04-11T02:27:36","date_gmt":"2026-04-10T23:27:36","guid":{"rendered":"https:\/\/computingforgeeks.com\/?p=165606"},"modified":"2026-04-11T02:27:36","modified_gmt":"2026-04-10T23:27:36","slug":"aws-secrets-manager-rotation-guide","status":"publish","type":"post","link":"https:\/\/computingforgeeks.com\/aws-secrets-manager-rotation-guide\/","title":{"rendered":"Configure AWS Secrets Manager: Rotation, IAM, and ECS"},"content":{"rendered":"\n

Hardcoded database passwords in a .env<\/code> file committed to Git is still how a surprising number of teams ship software in 2026. It worked for the first release, nobody rotated anything, and now the credential lives in five repos, two CI systems, and a Slack thread from 2023. AWS Secrets Manager is the native fix. It stores secrets encrypted with KMS, rotates them on a schedule, audits every read in CloudTrail, and hands the value to your workload at runtime over an IAM-authenticated API call.<\/p>\n\n\n\n

This guide walks through the full workflow: creating secrets from the CLI, retrieving them safely in scripts, versioning and rollback, identity-based and resource-based IAM policies, customer-managed KMS keys, cross-region replication, ECS task injection, automatic rotation for RDS, auditing who read a secret with CloudTrail, real cost math against Parameter Store, and a tested Terraform module you can drop into a real project. Every command and output below came from a live eu-west-1 account. If you also run workloads on EKS, pair this with our IRSA guide<\/a> because Pod Identity and IRSA are how most Kubernetes workloads end up calling Secrets Manager.<\/p>\n\n\n\n

Verified April 2026 with AWS CLI v2.22, Terraform 1.5, and Secrets Manager in eu-west-1<\/em><\/p>\n\n\n\n

Secrets Manager vs Parameter Store: decide before you build<\/h2>\n\n\n\n

Every Secrets Manager article that skips this section is dodging the first question every engineer asks. Both services store sensitive data. Only one of them charges you, and only one of them rotates credentials for you. Pick the wrong service at day zero and you will either rewrite your bootstrap code in six months or pay $4,000 a year for config you could have stored free.<\/p>\n\n\n\n

Feature<\/th>Secrets Manager<\/th>Parameter Store (Standard)<\/th>Parameter Store (Advanced)<\/th><\/tr><\/thead>
Storage cost<\/td>$0.40 per secret per month<\/td>Free<\/td>$0.05 per parameter per month<\/td><\/tr>
API cost<\/td>$0.05 per 10,000 calls<\/td>Free up to account limits<\/td>$0.05 per 10,000 higher-throughput calls<\/td><\/tr>
Max value size<\/td>64 KB<\/td>4 KB<\/td>8 KB<\/td><\/tr>
Max items per account per region<\/td>500,000<\/td>10,000<\/td>100,000<\/td><\/tr>
Default throughput<\/td>10,000 TPS<\/td>40 TPS (scalable)<\/td>Up to 10,000 TPS<\/td><\/tr>
Encryption<\/td>KMS, mandatory<\/td>Optional SecureString<\/td>Optional SecureString<\/td><\/tr>
Automatic rotation<\/td>Yes, built-in<\/td>Not supported<\/td>Not supported<\/td><\/tr>
Managed RDS rotation<\/td>Yes<\/td>No<\/td>No<\/td><\/tr>
Cross-region replication<\/td>Native<\/td>Manual<\/td>Manual<\/td><\/tr>
Cross-account sharing<\/td>Resource policies<\/td>Not supported<\/td>Via AWS RAM<\/td><\/tr>
Generate random passwords<\/td>Yes (get-random-password)<\/td>No<\/td>No<\/td><\/tr>
Reference from Parameter Store<\/td>N\/A<\/td>Yes, via \/aws\/reference\/secretsmanager\/<\/td>Same<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The rule of thumb is simple. Database credentials, OAuth tokens, third-party API keys that must rotate on a schedule, cross-account secrets, and anything under PCI or HIPAA audit go in Secrets Manager. Feature flags, app config, non-rotating bootstrap values, and anything read thousands of times per second at container start belong in Parameter Store SecureString. If a secret costs more than about $5 a month in API calls on Secrets Manager because your app re-reads it on every request, you are holding it wrong. Cache the value in process memory with a short TTL, or move it to Parameter Store.<\/p>\n\n\n\n

How Secrets Manager actually works<\/h2>\n\n\n\n

Secrets Manager is a regional service. A secret created in eu-west-1 does not exist in us-east-1 until you explicitly replicate it. Every secret is encrypted at rest with a KMS key. By default that key is the AWS-managed aws\/secretsmanager<\/code> key (free). For production workloads with compliance requirements, bring your own customer-managed KMS key so the key policy becomes a second audit layer on top of the resource policy.<\/p>\n\n\n\n

Every secret has a current value plus a short history of previous values, tagged with staging labels. The three built-in labels are AWSCURRENT<\/code> (the active value your applications read), AWSPREVIOUS<\/code> (the last value, kept for rollback), and AWSPENDING<\/code> (a new value being tested during rotation). You can also create custom staging labels if you need more than three pointers. Applications should always read the default label, which is AWSCURRENT<\/code>, and only reach for AWSPREVIOUS<\/code> explicitly during a rollback scenario.<\/p>\n\n\n\n

Rotation is a four-step Lambda lifecycle: createSecret generates the new credential and stores it as AWSPENDING, setSecret updates the target system, testSecret verifies the new credential works, and finishSecret promotes AWSPENDING to AWSCURRENT while demoting the old value to AWSPREVIOUS. For RDS, Aurora, DocumentDB, Redshift admin passwords, and ECS Service Connect private CA certificates, AWS runs managed rotation on your behalf and you never touch Lambda at all. For anything else, AWS ships a rotation template and you customize setSecret and testSecret for your target system. The minimum rotation interval is every 4 hours, and managed rotation typically finishes in under a minute.<\/p>\n\n\n\n

One common trap: ElastiCache and MemoryDB are not managed rotation targets. They ship with rotation Lambda templates only, which is different from “managed” in AWS documentation terms. If you read another tutorial claiming managed rotation for Redis, that tutorial is wrong.<\/p>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n
    \n
  • An AWS account with an IAM admin user or role. Test account spend for this walkthrough stays under $1 if you destroy everything when done.<\/li>\n
  • AWS CLI v2.22 or newer, configured with credentials for the target region. Run aws --version<\/code> to verify.<\/li>\n
  • Terraform 1.5 or newer for the IaC section.<\/li>\n
  • A workstation with Python 3 and jq<\/code> for JSON parsing in shell scripts.<\/li>\n
  • Tested on: AWS CLI 2.22.0, Terraform 1.5.7, Rocky Linux 10.1 workstation, eu-west-1 region, April 2026.<\/li>\n<\/ul>\n\n\n\n

    Set your default region so you do not have to repeat it on every command.<\/p>\n\n\n\n

    export AWS_DEFAULT_REGION=eu-west-1\naws sts get-caller-identity<\/code><\/pre>\n\n\n\n
    The identity check confirms which account you are about to modify. Never run Secrets Manager commands against an account you have not verified, especially in shared tooling environments.<\/p>\n\n\n\n
    Create your first secret<\/h2>\n\n\n\n
    Secrets Manager accepts two flavors of secret payload: a plain string or a JSON document. Use JSON whenever you have more than one field (username, password, host, port, database name) because it keeps related credentials in one atomic version. Start with a plain-string API key so you see the basic shape of the API.<\/p>\n\n\n\n
    aws secretsmanager create-secret \\\n  --name \"computingforgeeks\/demo\/api-key\" \\\n  --description \"Plain string API key for the computingforgeeks Secrets Manager demo\" \\\n  --secret-string \"sk-example-1234567890abcdefghijklmnop\" \\\n  --tags Key=Environment,Value=demo Key=Application,Value=cfg-blog \\\n  --region eu-west-1<\/code><\/pre>\n\n\n\n
    The API returns the full ARN, the friendly name, and a version ID for the value you just stored.<\/p>\n\n\n\n
    {\n    \"ARN\": \"arn:aws:secretsmanager:eu-west-1:123456789012:secret:computingforgeeks\/demo\/api-key-UFlApf\",\n    \"Name\": \"computingforgeeks\/demo\/api-key\",\n    \"VersionId\": \"d8aacfec-0da8-4d64-b25e-771e5eb64206\"\n}<\/code><\/pre>\n\n\n\n
    The six-character suffix (UFlApf<\/code> in this case) is appended automatically by Secrets Manager. It exists to prevent accidental IAM wildcards from matching a recreated secret with the same name. Always reference your secrets by the friendly name in code, never the full ARN, otherwise you hardcode this random suffix and any recreate-delete cycle will break your app.<\/p>\n\n\n\n
    Now create a realistic database credential secret with a structured JSON payload. This is the shape you will use 90% of the time in production.<\/p>\n\n\n\n
    aws secretsmanager create-secret \\\n  --name \"computingforgeeks\/demo\/db-credentials\" \\\n  --description \"PostgreSQL credentials for the demo application\" \\\n  --secret-string '{\"username\":\"appuser\",\"password\":\"S3cur3-D3mo-Pa55w0rd!\",\"host\":\"db.prod.example.com\",\"port\":5432,\"dbname\":\"appdb\",\"engine\":\"postgres\"}' \\\n  --tags Key=Environment,Value=production Key=Application,Value=api Key=Component,Value=database \\\n  --region eu-west-1<\/code><\/pre>\n\n\n\n
    Tagging every secret with Environment<\/code>, Application<\/code>, and Component<\/code> (or similar) is not optional. Tags drive cost allocation, IAM conditions, automated cleanup, and the answer to the question “which team owns this credential?” that will come up during the next audit. Set a convention and enforce it with SCPs or Terraform module defaults.<\/p>\n\n\n\n
    Inspect the secret metadata without revealing the value. The describe-secret call is safe to run from any IAM principal with secretsmanager:DescribeSecret<\/code> and is the right way to build a secret inventory or validate tags.<\/p>\n\n\n\n
    aws secretsmanager describe-secret \\\n  --secret-id \"computingforgeeks\/demo\/db-credentials\" \\\n  --region eu-west-1<\/code><\/pre>\n\n\n\n
    Describe never returns the secret value, only metadata. That is exactly what you want for monitoring scripts.<\/p>\n\n\n\n
    {\n    \"ARN\": \"arn:aws:secretsmanager:eu-west-1:123456789012:secret:computingforgeeks\/demo\/db-credentials-9NWLWY\",\n    \"Name\": \"computingforgeeks\/demo\/db-credentials\",\n    \"Description\": \"PostgreSQL credentials for the demo application\",\n    \"LastChangedDate\": 1775844659.55,\n    \"Tags\": [\n        {\"Key\": \"Component\", \"Value\": \"database\"},\n        {\"Key\": \"Environment\", \"Value\": \"production\"},\n        {\"Key\": \"Application\", \"Value\": \"api\"}\n    ],\n    \"VersionIdsToStages\": {\n        \"9213e49c-4499-4818-aec3-5101753ff66e\": [\"AWSCURRENT\"]\n    },\n    \"CreatedDate\": 1775844659.521\n}<\/code><\/pre>\n\n\n\n
    Notice the VersionIdsToStages<\/code> block. Right now the only version ID is labeled AWSCURRENT<\/code>. After the first rotation that block will also include an AWSPREVIOUS<\/code> entry. This map is how Secrets Manager tracks the rollback history and how your applications pin to a specific version if they ever need to.<\/p>\n\n\n\n
    Retrieve a secret<\/h2>\n\n\n\n
    The GetSecretValue API is what applications hit at startup. It returns the version stages, the string payload, and the created date.<\/p>\n\n\n\n
    aws secretsmanager get-secret-value \\\n  --secret-id \"computingforgeeks\/demo\/db-credentials\" \\\n  --region eu-west-1<\/code><\/pre>\n\n\n\n
    The default output wraps your value in a metadata envelope.<\/p>\n\n\n\n
    {\n    \"ARN\": \"arn:aws:secretsmanager:eu-west-1:123456789012:secret:computingforgeeks\/demo\/db-credentials-9NWLWY\",\n    \"Name\": \"computingforgeeks\/demo\/db-credentials\",\n    \"VersionId\": \"9213e49c-4499-4818-aec3-5101753ff66e\",\n    \"SecretString\": \"{\\\"username\\\":\\\"appuser\\\",\\\"password\\\":\\\"S3cur3-D3mo-Pa55w0rd!\\\",\\\"host\\\":\\\"db.prod.example.com\\\",\\\"port\\\":5432,\\\"dbname\\\":\\\"appdb\\\",\\\"engine\\\":\\\"postgres\\\"}\",\n    \"VersionStages\": [\"AWSCURRENT\"],\n    \"CreatedDate\": 1775844659.545\n}<\/code><\/pre>\n\n\n\n
    For shell scripts you only want the SecretString<\/code> field. Use the --query<\/code> and --output text<\/code> combo so you get the raw JSON back without the envelope.<\/p>\n\n\n\n
    aws secretsmanager get-secret-value \\\n  --secret-id \"computingforgeeks\/demo\/db-credentials\" \\\n  --region eu-west-1 \\\n  --query SecretString \\\n  --output text<\/code><\/pre>\n\n\n\n
    Now the output is exactly the payload you stored, ready for downstream parsing.<\/p>\n\n\n\n
    {\"username\":\"appuser\",\"password\":\"S3cur3-D3mo-Pa55w0rd!\",\"host\":\"db.prod.example.com\",\"port\":5432,\"dbname\":\"appdb\",\"engine\":\"postgres\"}<\/code><\/pre>\n\n\n\n
    Most of the time you want a single key, not the whole JSON blob. Pipe through Python’s built-in json<\/code> module for a dependency-free extractor.<\/p>\n\n\n\n
    aws secretsmanager get-secret-value \\\n  --secret-id \"computingforgeeks\/demo\/db-credentials\" \\\n  --region eu-west-1 \\\n  --query SecretString \\\n  --output text | python3 -c \"import sys,json; print(json.loads(sys.stdin.read())['password'])\"<\/code><\/pre>\n\n\n\n
    That one-liner is the most common pattern in ops scripts. It works without jq<\/code>, which matters on minimal container images and fresh EC2 instances. If you prefer jq<\/code>, the equivalent is jq -r .password<\/code> and is one fewer character.<\/p>\n\n\n