"A hands-on breakdown of Azure Key Vault, AWS Secrets Manager, IRSA, Azure Managed Identity, and when HashiCorp Vault actually matters."
This is Part 3 of our 4-part series on secret management for cloud-native teams. Start with Part 1 if you haven't.
Most cloud teams face this decision: should we use Azure Key Vault, AWS Secrets Manager, Google Secret Manager, or HashiCorp Vault?
The marketing departments of Azure and AWS have strong opinions. The internet has conflicting opinions.
We're going to give you the technical answer.
The Scoreboard
| Feature | Azure Key Vault | AWS Secrets Manager | Google SM | Vault |
|---|---|---|---|---|
| Managed Identity Integration | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ (IRSA) | ⭐⭐⭐⭐ | Via auth methods (aws, azure, gcp, kubernetes), not native |
| Auto DB Credential Rotation | ⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Dynamic Credentials | ⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| PKI / TLS Management | ⭐⭐ | ⭐ | ⭐⭐ | ⭐⭐⭐⭐⭐ |
| Multi-Cloud Support | ⭐⭐ | N/A (AWS-only) | N/A (GCP-only) | ⭐⭐⭐⭐⭐ |
| Price per Secret | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | Self-hosted / Enterprise |
When to Use Each
Azure Key Vault
Use this if:
- 90% of your workloads live in Azure (App Service, Functions, AKS)
- Your team is Azure-first and has Entra ID mastery
- You need managed identity integration out-of-the-box
- Compliance requirement: "secrets must be in the same cloud"
YAML Example:
```yaml
# Kubernetes Pod with Azure Workload Identity.
# The ServiceAccount `app-sa` must carry the
# `azure.workload.identity/client-id` annotation; the mutating webhook
# then injects AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE
# and the projected token volume into every pod that sets the label below.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:v1
      env:
        # Application-defined variable: tells the app which vault to talk to.
        - name: AZURE_VAULT_URL
          value: https://myvault.vault.azure.net/
```
AWS Secrets Manager
Use this if:
- 90% of your workloads live in AWS (ECS, Lambda, EKS)
- You need automatic RDS/Redshift credential rotation (strongest feature)
- Your database already has IAM auth enabled
- You want per-secret CloudTrail audit events
YAML Example:
```yaml
# Kubernetes with IRSA (IAM Roles for Service Accounts)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/app-role
---
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: myapp:v1
      # The EKS pod identity webhook injects these two variables and the
      # projected token volume automatically from the annotation above;
      # they are spelled out here only to make the mechanism visible.
      env:
        - name: AWS_ROLE_ARN
          value: arn:aws:iam::ACCOUNT:role/app-role
        - name: AWS_WEB_IDENTITY_TOKEN_FILE
          value: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
```
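Both the Azure Workload Identity pod above and the IRSA pair here rest on the same mechanism: the kubelet mounts a short-lived OIDC token for the pod's ServiceAccount, the cloud STS verifies it against the cluster's issuer, and a trust rule on the cloud side decides which `sub` (namespace plus ServiceAccount) may become which identity. The following is an added example, not code from this post or from AWS, Azure or Kubernetes. It builds a token with the claims a projected volume token carries (locally, with a dummy signature, so only claims are checked), generates the matching IAM trust policy and Entra federated credential, and evaluates tokens against them. The issuer URLs, account ID and names are placeholders.

```python
"""Projected ServiceAccount tokens vs. the cloud-side trust rule.

Added example. Tokens are constructed locally and unsigned: real ones are
signed by the cluster's service-account issuer and verified by STS/Entra.
Issuer URLs and the account ID are placeholders.
"""
import base64
import fnmatch
import json
import time

AWS_AUDIENCE = "sts.amazonaws.com"            # audience the EKS webhook requests
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience the Azure webhook requests


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_sa_token(issuer, namespace, sa, audience, ttl=3600):
    """Constructed token with the claims a projected volume token carries.
    The empty third segment stands in for the signature."""
    now = int(time.time())
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": issuer, "sub": f"system:serviceaccount:{namespace}:{sa}",
              "aud": [audience], "iat": now, "exp": now + ttl}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token):
    """Payload only, no signature check: fine for inspecting a mounted token,
    never for authorizing anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def aws_trust_policy(account_id, oidc_host, namespace, sa):
    """IAM trust policy for an IRSA role, pinned to exactly one ServiceAccount.
    Dropping the `:sub` condition, or widening it to `*`, lets every pod in
    the cluster assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_host}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{oidc_host}:sub": f"system:serviceaccount:{namespace}:{sa}",
            f"{oidc_host}:aud": AWS_AUDIENCE}}}]}


def azure_federated_credential(issuer, namespace, sa):
    """Federated identity credential on a user-assigned managed identity (the
    issuer/subject/audience triple `az identity federated-credential create` takes)."""
    return {"issuer": issuer, "subject": f"system:serviceaccount:{namespace}:{sa}",
            "audiences": [AZURE_AUDIENCE]}


def _audiences(claims):
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def token_satisfies_aws_policy(claims, policy, now=None):
    """Simplified STS-side evaluation: expiry, issuer, then each StringEquals /
    StringLike condition on `:sub` and `:aud` (single-string values only)."""
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    stmt = policy["Statement"][0]
    oidc_host = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
    if claims.get("iss") != f"https://{oidc_host}":
        return False
    matchers = {"StringEquals": lambda v, p: v == p,
                "StringLike": fnmatch.fnmatchcase}  # IAM wildcards * and ?
    for op, match in matchers.items():
        for key, pattern in stmt.get("Condition", {}).get(op, {}).items():
            if key == f"{oidc_host}:sub":
                values = [claims.get("sub", "")]
            elif key == f"{oidc_host}:aud":
                values = _audiences(claims)
            else:
                continue
            if not any(match(v, pattern) for v in values):
                return False
    return True


def token_satisfies_azure_fic(claims, fic, now=None):
    """Entra matches issuer and subject exactly and needs one listed audience."""
    now = int(time.time()) if now is None else now
    return (claims.get("exp", 0) > now and claims.get("iss") == fic["issuer"]
            and claims.get("sub") == fic["subject"]
            and any(a in fic["audiences"] for a in _audiences(claims)))


if __name__ == "__main__":
    issuer = "https://oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE1234"  # placeholder
    host = issuer[len("https://"):]
    pinned = aws_trust_policy("123456789012", host, "prod", "app-sa")
    other = decode_claims(make_unsigned_sa_token(issuer, "dev", "scratch", AWS_AUDIENCE))
    print("other namespace vs pinned policy:", token_satisfies_aws_policy(other, pinned))
```

The check worth taking away is the negative one: a token from `dev/scratch` is refused by the pinned policy but accepted the moment the `:sub` condition becomes `system:serviceaccount:*`, which is how an IRSA role quietly turns into a cluster-wide role. Audit trust policies for missing or wildcarded `sub` conditions, not just for the `aud`.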
Google Secret Manager
Use this if:
- You're GCP-native (Cloud Run, GKE, Cloud Functions)
- You need deep integration with GCP Workload Identity
- You want automatic secret versioning and access logs
HashiCorp Vault
Use this if:
- Your infrastructure is multi-cloud (AWS + Azure + On-Prem)
- You need dynamic credentials (short-lived, auto-generated)
- You need PKI/TLS certificate management
- You manage databases, SSH keys, or APIs that require rotation
- Compliance requirement: centralized secret audit trail
Production Pattern:
```yaml
# ExternalSecret syncs from Vault to Kubernetes
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: app-secret
  data:
    - secretKey: db_password
      remoteRef:
        key: secret/data/prod/app/db
        property: password
```
When the value at that Vault path changes (a rotation job writes the new password), ESO pulls it at the next refreshInterval (here up to an hour later) and updates the Kubernetes Secret; the kubelet then rewrites the mounted file and the app has to re-read it. Two caveats: a secret injected as an environment variable is fixed for the life of the container, and a subPath mount is never updated, so rotation only works end to end for a volume-mounted secret that the application re-reads instead of caching at startup.
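What the application side of that flow has to do is the part most teams get wrong. The following is an added example, not ESO's or the post's code: a reader that re-reads a mounted secret file when it changes, a connect helper that retries once with a fresh read on an authentication failure, and an offline simulation of the rotation race (database password changed before ESO has synced) using a stub database that accepts one password at a time. The file path, stub `FakeDB` and the `simulate_rotation` walkthrough are all constructed for the example.

```python
"""Application side of the Vault -> ESO -> Secret -> mounted file flow.
Added example; the database is a stub so the rotation can run offline."""
import os
import tempfile
from pathlib import Path


class AuthError(Exception):
    """Raised by the stub database when the presented password is stale."""


class MountedSecret:
    """Reads a secret from a file mounted from a Kubernetes Secret and
    re-reads it when the file changes. Env vars set from a Secret never
    change after the container starts, and subPath mounts are never
    updated, so read from the volume file, not from os.environ."""

    def __init__(self, path):
        self.path = Path(path)
        self._mtime = None
        self._value = None

    def value(self, force=False):
        st = self.path.stat()  # follows the ..data symlink the kubelet swaps
        if force or st.st_mtime_ns != self._mtime:
            self._value = self.path.read_text().strip()
            self._mtime = st.st_mtime_ns
        return self._value


class FakeDB:
    """Stand-in for a database that validates a single current password."""

    def __init__(self, password):
        self.password = password
        self.connections = 0

    def connect(self, password):
        if password != self.password:
            raise AuthError("password authentication failed")
        self.connections += 1
        return f"conn-{self.connections}"


def connect_with_reload(secret, db):
    """Try the cached credential; on an auth failure re-read the mounted
    file once and retry. If ESO has not synced yet the file is still stale,
    the retry fails too and the error propagates to the caller."""
    try:
        return db.connect(secret.value())
    except AuthError:
        return db.connect(secret.value(force=True))


def simulate_rotation():
    """Walk the flow end to end and report what happened at each step."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db_password")
        Path(path).write_text("old-pass\n")
        db = FakeDB("old-pass")
        secret = MountedSecret(path)
        results["initial"] = connect_with_reload(secret, db)
        # 1. Rotation job changes the DB password and writes it to Vault.
        db.password = "new-pass"
        # 2. App reconnects before ESO has synced: the file is still stale.
        try:
            connect_with_reload(secret, db)
            results["before_sync"] = "ok"
        except AuthError:
            results["before_sync"] = "auth_error"
        # 3. ESO refresh updates the Secret; the kubelet rewrites the file.
        Path(path).write_text("new-pass\n")
        results["after_sync"] = connect_with_reload(secret, db)
        results["cached_value"] = secret.value()
    return results


if __name__ == "__main__":
    for step, outcome in simulate_rotation().items():
        print(f"{step:>13}: {outcome}")
```

The `before_sync` failure is the window every static-secret rotation has: between the backend accepting the new password and the consumer learning it, nothing works. That is exactly why AWS Secrets Manager's alternating-users rotation keeps the previous user valid, and why Vault's database engine leaves the old lease usable until its TTL; either way the consumer can keep working until its next refresh, and the reload-on-failure above only has to close the gap, not hold it open.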
The Real Truth
Your choice isn't "Key Vault vs Secrets Manager."
Your choice is: Do I need a secrets storage solution, or a secrets management solution?
- Storage = Key Vault, Secrets Manager, Google SM: they hold values that you, or a rotation function you attach, write into them; none of them mints per-client, short-lived credentials
- Management = Vault: rotation, dynamic credentials, PKI, and one audit log for all of it
Most teams end up with both: the cloud platform's workload identity for authentication (no stored credential at all, just a federated token exchange), and Vault for everything that has to be issued, rotated, or audited centrally.
Read the Full Technical Deep Dive
We broke down:
- ✅ Managed Identity internals (how IRSA actually works)
- ✅ Database credential rotation patterns
- ✅ Cost analysis (which is cheaper at scale?)
- ✅ Security architecture (etcd encryption, audit trails)
- ✅ When to choose which tool
Read Part 3: Azure Key Vault vs AWS Secrets Manager (Full Technical Breakdown)
Series
- Part 1: Your Secrets Are Probably Leaking
- Part 2: HashiCorp Vault Deep Dive
- Part 3: Azure Key Vault vs AWS Secrets Manager (you are here)
- Part 4: Kubernetes Secrets & Production Patterns (coming soon)