Vault vs Secrets Manager vs Doppler: Cost & Migration
Three secrets management platforms, three completely different operational models, three radically different bills. The choice usually gets made on Friday afternoon by an engineer who needs something working by Monday. Here is the version that helps you make a real choice, with actual production numbers from 5,000 secrets across 50 engineers.
The 60-second summary
- HashiCorp Vault: maximum flexibility, dynamic secrets, every auth method ever, and you pay for it in operational complexity. Self-hosted is free but the operational cost is 0.5 to 1 FTE.
- AWS Secrets Manager: simple, fully managed, deeply integrated with AWS services, charges per secret per month plus per API call.
- Doppler: developer-experience focused, strong CI/CD and local-development story, opinionated workflow that some teams love and others find too rigid.
Real 2026 cost at 5,000 secrets and 50 engineers
HashiCorp Vault Self-Hosted (Open Source)
License cost: free. Real cost is people and infrastructure.
- 3-node Vault cluster on EC2 (m6i.large) with Raft storage: ~$200/month
- Backup storage and observability: ~$50/month
- Operational time: realistically 0.5 to 1.0 FTE for a properly run cluster (upgrades, unsealing, audit log management, integration support)
- Operational FTE cost (loaded): $80,000 to $160,000 per year
True cost: $80,000 to $165,000 per year. Most of it is people, not infrastructure.
HashiCorp Vault Enterprise (HCP Vault Dedicated)
HashiCorp's managed offering. Pricing is per HVD (HashiCorp Vault Dedicated) cluster size and feature tier.
- Standard tier, small cluster: starts ~$1.50 per hour = ~$13,000/year
- Plus 5,000 secrets: ~$1,000 to $5,000/year depending on tier features
True cost: $15,000 to $40,000 per year, plus much lower operational overhead than self-hosted (~0.1 FTE).
AWS Secrets Manager
Per-secret pricing, fully managed.
- $0.40 per secret per month: 5,000 secrets = $2,000/month = $24,000/year
- $0.05 per 10,000 API calls: typical workload adds ~$50 to $200/month
- Automatic rotation runs Lambda: minor charge, usually under $50/month
- Operational overhead: ~0.05 FTE
True cost: ~$25,000 to $30,000 per year. The per-secret fee scales linearly, which is fine until you have 50,000 secrets and the bill is $240,000.
Doppler
Per-seat pricing with usage-based add-ons.
- Doppler Team: $14 per user per month. 50 engineers = $700/month = $8,400/year
- Doppler Production: $20 per user per month for advanced auth and audit features. 50 engineers = $1,000/month = $12,000/year
- Enterprise tier: custom, typically $30+ per user with SSO, SCIM, dedicated support
- No per-secret charge
- Operational overhead: ~0.05 FTE
True cost: $8,400 to $25,000 per year. Cheapest cash cost, no per-secret tax.
The decision is not about price; it is about your stack
Sticker price aside, the practical decision usually comes down to where your workloads run.
- Pure AWS, single cloud, IAM-heavy auth model: AWS Secrets Manager. The integration with IAM policies, RDS rotation, and Parameter Store is unmatched, and you avoid managing yet another platform.
- Multi-cloud, Kubernetes-native, dynamic secrets needed: HashiCorp Vault. Nothing else does dynamic database credentials, on-demand AWS STS tokens, or PKI issuance the way Vault does. Self-hosted if you have the team, HCP if you do not.
- Developer-experience focused, lots of CI/CD pipelines, want zero ops: Doppler. The local development story and CI/CD integrations are the cleanest of the three.
- Compliance-heavy with PCI, HIPAA, FedRAMP requirements: Vault Enterprise or AWS Secrets Manager. Doppler's compliance story is improving but is still behind on FedRAMP authorization.
Migration paths between the three
From AWS Secrets Manager → Vault
Doable, mostly via scripted bulk export and bulk import. The tricky part is rotation: if you have RDS rotation Lambdas configured in Secrets Manager, you need to rebuild equivalent rotation in Vault using the database secrets engine. Plan 2 to 4 weeks for the migration plus a parallel-run period.
# Bulk export from AWS Secrets Manager to JSON.
# JSON output is used because --output text prints all names tab-separated on
# one line, which xargs -I would pass to get-secret-value as a single argument.
aws secretsmanager list-secrets --query 'SecretList[].Name' --output json \
| jq -r '.[]' \
| while IFS= read -r name; do
    aws secretsmanager get-secret-value --secret-id "$name"
  done \
| jq -s '.' > secrets-export.json
# Import to Vault (KV v2 engine). The payload is piped to `vault kv put ... -`
# as JSON on stdin so the secret value never appears in process arguments.
# Secrets stored as SecretBinary have no SecretString and are skipped here.
jq -c '.[] | select(.SecretString != null)' secrets-export.json \
| while IFS= read -r line; do
    NAME=$(printf '%s' "$line" | jq -r '.Name')
    printf '%s' "$line" | jq '{value: .SecretString}' | vault kv put "secret/$NAME" -
  done
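The shell script above stores each secret as a single opaque `value` field, which throws away the structure of RDS-style JSON secrets and drops binary secrets entirely. The following is an added example (not code from the original post) of the record-to-KV mapping a migration tool should do instead: JSON-object secrets become individual KV v2 fields, binary secrets are kept as base64, and the Vault write is abstracted behind a `put` callable so it can be wired to hvac's `create_or_update_secret` in production. The sample export records are constructed.

```python
import base64
import json
from typing import Any, Callable, Dict, Iterable, List, Tuple

# Constructed sample of `aws secretsmanager get-secret-value` records:
# an RDS-style JSON object, a plain string, and a binary secret.
SAMPLE_EXPORT: List[Dict[str, Any]] = [
    {"Name": "prod/db/master",
     "SecretString": json.dumps({"username": "app", "password": "constructed-pw",
                                 "engine": "mysql", "host": "db.internal",
                                 "port": 3306, "dbname": "orders"})},
    {"Name": "prod/api/payment-key", "SecretString": "constructed-api-key"},
    {"Name": "prod/certs/client-p12",
     "SecretBinary": base64.b64encode(b"\x30\x82\x01\x00").decode()},
]


def to_kv_payload(record: Dict[str, Any]) -> Tuple[str, Dict[str, str]]:
    """Map one Secrets Manager record to (kv_path, data) for a KV v2 mount.

    JSON-object secrets (the shape RDS rotation writes) become separate
    fields, so apps can read `-field=password` instead of parsing a blob.
    Binary secrets keep their base64 form under one field. The returned
    path is relative to the KV mount (e.g. `secret/`).
    """
    name = record["Name"].strip("/")
    if record.get("SecretString") is not None:
        raw = record["SecretString"]
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = None
        data = parsed if isinstance(parsed, dict) else {"value": raw}
    elif record.get("SecretBinary") is not None:
        data = {"value_base64": record["SecretBinary"]}
    else:
        raise ValueError(f"{name}: neither SecretString nor SecretBinary present")
    # KV v2 fields are stored as strings; serialise non-string JSON values (e.g. port).
    return name, {k: v if isinstance(v, str) else json.dumps(v) for k, v in data.items()}


def migrate(records: Iterable[Dict[str, Any]],
            put: Callable[[str, Dict[str, str]], None]) -> List[str]:
    """Push every record through put(path, data) and return the paths written.

    In production, `put` would wrap (assumed hvac call)
    client.secrets.kv.v2.create_or_update_secret(path=path, secret=data).
    """
    written: List[str] = []
    for record in records:
        path, data = to_kv_payload(record)
        put(path, data)
        written.append(path)
    return written
```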
From Doppler → AWS Secrets Manager
Easier than the reverse. Doppler has built-in syncs to AWS Secrets Manager. Configure the integration, sync, then update applications to read from Secrets Manager directly. Once apps are migrated, decommission Doppler.
From Vault → AWS Secrets Manager
Most painful migration of the three. Vault is more capable than Secrets Manager (dynamic secrets, transit encryption, transform secrets, more auth methods). Migrating means losing capabilities, so you have to plan carefully which workloads can move and which need to stay on Vault. Most teams that try this end up running both.
The operational differences that matter most
- Auth methods: Vault has every auth method ever invented (Kubernetes ServiceAccount, AWS IAM, AppRole, JWT/OIDC, LDAP, Okta, Userpass). Secrets Manager uses IAM policies only. Doppler uses service tokens and SSO. If your apps run across AWS, GCP, on-prem, and Kubernetes, Vault is the only one that handles all of them natively.
- Dynamic secrets: Vault can issue short-lived database credentials, AWS STS tokens, SSH certificates on demand. Secrets Manager and Doppler do not. This is the single feature most teams pick Vault for.
- Audit logging: All three produce audit logs, but Vault's audit log is the most detailed (every operation, every path, every requesting identity) and Vault's enterprise tier supports filtered audit log export to SIEMs. Secrets Manager logs to CloudTrail; Doppler logs to its own audit panel.
- Rotation automation: Secrets Manager has the deepest built-in rotation for AWS-native services. Vault rotates anything you write a database engine for. Doppler relies on integrations with the secret-owning service.
- Multi-region and DR: Vault Enterprise has performance replication and disaster recovery replication built in. Secrets Manager replicates to other regions natively but with limitations. Doppler replicates within its own infra automatically.
The compliance and audit story
- SOC 2 Type II: All three have it.
- HIPAA BAA: All three offer Business Associate Agreements at appropriate tiers.
- PCI DSS: AWS Secrets Manager is in scope of AWS's PCI compliance. Vault Enterprise has PCI guidance. Doppler has PCI alignment but you should verify with their team.
- FedRAMP: AWS Secrets Manager is FedRAMP High in GovCloud. HashiCorp Vault has FedRAMP Moderate authorization for HCP Vault Federal. Doppler does not have FedRAMP authorization as of mid-2026.
If you sell to the US federal government, this constraint alone narrows the field.
What we run at SecureBin.ai
For our scale (single AWS region, small team), AWS Secrets Manager wins on operational simplicity. We use it for production secrets, with Parameter Store for non-secret config. The per-secret fee is real but manageable, and the IAM integration eliminates an entire category of auth complexity.
If we were multi-cloud or needed dynamic database credentials, we would run Vault. If we were a 200-person team with heavy CI/CD, we would seriously evaluate Doppler.
Share secrets safely while migrating
Bulk secrets migrations involve sharing high-value credentials with contractors, vendors, or new team members. Share through zero-knowledge encryption with auto-expiry instead of email or chat.
The bottom line
Pick AWS Secrets Manager if you live entirely in AWS and value zero ops. Pick Vault if you need dynamic secrets or operate across clouds. Pick Doppler if developer experience and CI/CD integration matter more than dynamic secret features. Cost differences at 5,000 secrets and 50 engineers are surprisingly small once you include operational time. The expensive choice is picking the wrong one for your stack and running it for a year.