Skip to content
skret logo skret logo skret

Provider Comparison & Ranking

skret supports multiple cloud-provider secret backends. This page ranks them by cost, features, and fit for typical skret use cases.

TL;DR

Section titled “TL;DR”
RankBackendMonthly cost*Recommended for
1AWS SSM Parameter Store (Standard)$0Default for most users — AWS-native or mixed-cloud
2OCI Vault (software-protected)$0Best rotation; users with OCI tenancy
3Azure Key Vault (Standard)~$0.09Azure-native workloads, multi-cloud DR
4GCP Secret Manager~$20GCP-native workloads, large (>25 KB) payloads
5AWS Secrets Manager~$136Only when managed rotation (RDS/Redshift) is required

* Cost based on reference scenario: 17 repos × 20 secrets/repo × 1,000 reads/day (30k/month), ap-southeast-1/Singapore region.

Choosing a backend

Section titled “Choosing a backend”

Use this decision tree:

Are your secrets > 4 KB (TLS certs, PEM keys, JSON blobs)?
├── No → AWS SSM Parameter Store (Standard)           [rank 1, $0]
└── Yes
    ├── Do you have OCI infrastructure already?
    │    └── Yes → OCI Vault                           [rank 2, $0]
    ├── Do you run on Azure / need Azure AD identity?
    │    └── Yes → Azure Key Vault                     [rank 3, ~$0.09]
    ├── Do you run on GCP?
    │    └── Yes → GCP Secret Manager                  [rank 4, ~$20]
    └── Do you need automatic rotation for RDS/Redshift?
         └── Yes → AWS Secrets Manager (opt-in, per-secret)

You can mix backends in a single .skret.yaml: default environment uses SSM, specific oversized secrets route to OCI Vault via the overrides: block (v0.4+).

Cost at different scales

Section titled “Cost at different scales”

Solo developer (1 repo × 20 secrets × 100 reads/day)

Section titled “Solo developer (1 repo × 20 secrets × 100 reads/day)”
BackendMonthly cost
AWS SSM Standard$0
OCI Vault$0 (within 150 free cap)
Azure Key Vault~$0.01
GCP Secret Manager~$0.84 (14 active versions × $0.06)
AWS Secrets Manager~$8.00

Small team (5 repos × 30 secrets × 5,000 reads/day)

Section titled “Small team (5 repos × 30 secrets × 5,000 reads/day)”
BackendMonthly cost
AWS SSM Standard$0
OCI Vault$0 (150 free cap applies)
Azure Key Vault~$0.45
GCP Secret Manager~$9
AWS Secrets Manager~$60

skret reference scale (17 repos × 20 secrets × 1,000 reads/day)

Section titled “skret reference scale (17 repos × 20 secrets × 1,000 reads/day)”
BackendMonthly cost
AWS SSM Standard$0
OCI Vault$0 (overflow uses free software keys)
Azure Key Vault~$0.09
GCP Secret Manager~$20.10
AWS Secrets Manager~$136.15

Large scale (100 repos × 50 secrets × 100,000 reads/day)

Section titled “Large scale (100 repos × 50 secrets × 100,000 reads/day)”
BackendMonthly cost
AWS SSM Standard$0 to ~$1.50 (may need Higher Throughput)
OCI Vault$0 (software keys; verify billing)
Azure Key Vault~$0.90
GCP Secret Manager~$300
AWS Secrets Manager~$2,000

Feature matrix

Section titled “Feature matrix”

See the provider comparison reference for the full matrix including:

  • Free tier details per provider
  • Max secret value sizes (4 KB – 64 KB)
  • API rate limits (40 – 90,000 req/min)
  • Versioning semantics (fixed 100 vs unlimited with aliases)
  • Automatic rotation support (none / Lambda / 4-step / Pub/Sub)
  • Cross-region replication modes
  • Audit logging integrations
  • Private-network options (PrivateLink / Service Gateway / VPC-SC)
  • Go SDK maturity per provider
  • Compliance certifications (SOC 2, ISO 27001, FedRAMP High, HIPAA, PCI-DSS)
  • APAC region coverage

When a backend crosses a tier threshold

Section titled “When a backend crosses a tier threshold”

skret warns in skret cost estimate output (v0.5+) when a configuration is needlessly expensive:

  • A repo default set to AWS Secrets Manager for bulk config → suggests SSM Standard.
  • GCP user-managed replication across 3+ locations when automatic replication (1-location billing) would serve the same purpose.
  • SSM Advanced used for secrets that fit in 4 KB → recommends Standard.

This is advisory; skret does not change provider selection automatically.