CASE 140 · MAGMA · 2025
HashiCorp Vault, retired in favour of the AWS-native equivalent.
A real-estate tech company ran self-hosted HashiCorp Vault as the secrets backbone for AWS-hosted workloads. Vault worked well but operating it had become a steady tax. We migrated secrets to AWS Secrets Manager and SSM Parameter Store, on a path that retired Vault entirely.
Real-estate tech · MIGRATION · 2025
RESULTS
What changed, by the numbers.
VAULT OPERATIONAL TAX: GONE
SECRETS MIGRATED: 1,140
ROTATION COVERAGE: 100%
AUDIT TRAIL: CLOUDTRAIL
HOW IT WENT
Vault’s appeal had been "secrets the same way everywhere." The reality was a Vault cluster the team had been carefully nursing through major-version migrations, with backup procedures and a steady operational burden that had drifted away from "the same way everywhere" toward "the AWS-native services are right there."
We migrated static secrets to Secrets Manager (with rotation enabled where Vault had only static), and the few dynamic-secret patterns (database credentials, AWS STS) to IAM-native equivalents. The application code change was small — a thin SDK wrapper that the team had already abstracted.
Vault operational tax went to zero. Rotation coverage went from 31% (only the secrets Vault had been actively rotating) to 100% (Secrets Manager rotates by default). The annual saving funds a junior platform engineer.
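One way to measure the rotation coverage figure quoted above, as an added example that is not part of the original case study or the client's code. It assumes records shaped like the entries of a Secrets Manager ListSecrets response; the secret names, dates and the grace_days parameter are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like SecretList entries from ListSecrets.
# Names and dates are made up; a real run would feed in the API output.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"Name": "prod/listings/db", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=12)},
    {"Name": "prod/billing/api-key", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 30},
     "LastRotatedDate": NOW - timedelta(days=75)},
    {"Name": "prod/search/token", "RotationEnabled": False},
    {"Name": "prod/crm/webhook", "RotationEnabled": True,
     "RotationRules": {"AutomaticallyAfterDays": 90}},  # never rotated yet
]

def coverage_percent(secrets):
    """Share of secrets with rotation enabled, as a percentage."""
    if not secrets:
        return 0.0
    enabled = sum(1 for s in secrets if s.get("RotationEnabled", False))
    return round(100.0 * enabled / len(secrets), 1)

def rotation_report(secrets, now, grace_days=2):
    """Classify each secret as ok, overdue, never_rotated or disabled."""
    report = {"ok": [], "overdue": [], "never_rotated": [], "disabled": []}
    for s in secrets:
        name = s["Name"]
        if not s.get("RotationEnabled", False):
            report["disabled"].append(name)
            continue
        last = s.get("LastRotatedDate")
        if last is None:
            # Enabled on paper, but no rotation has ever completed.
            report["never_rotated"].append(name)
            continue
        # Secrets scheduled by expression carry no day count; only the
        # day-based interval is checked here.
        interval = s.get("RotationRules", {}).get("AutomaticallyAfterDays")
        if interval is not None and now - last > timedelta(days=interval + grace_days):
            report["overdue"].append(name)
        else:
            report["ok"].append(name)
    return report

if __name__ == "__main__":
    print(coverage_percent(SAMPLE_SECRETS))
    print(rotation_report(SAMPLE_SECRETS, NOW))
```

The report separates secrets that have rotation enabled from those that have actually rotated on schedule, which a single coverage percentage does not show.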