Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS

A step-by-step guide to moving your Kamal secrets from plaintext to AWS Secrets Manager and deploying your app to Hetzner

sabato 23 maggio 2026 New tab

877 words~4 min read

I ran into a problem with Kamal. My .kamal/secrets file was full of API keys sitting in plaintext on my laptop. Anyone with access could read them all.

TLDR; Use Kamal with AWS Secrets Manager and deploy to a Hetzner VPS. No plaintext secrets, cheap hosting, compliance happy.

The problem

Kamal is great for deploying apps. But by default secrets are in a plaintext file. For SOC 2 and GDPR that does not work. You need a managed store. I went with AWS Secrets Manager.

But then I hit another issue. The kamal secrets fetch --adapter aws_secrets_manager command with --from expects each key to be its own AWS secret. If you store everything as one JSON blob (like I did), you get:

Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS

Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS

Other newsrooms on this story

Related reading

Category: AWS Secrets Manager

Deploy a Secure Containerized App on Amazon ECS Fargate Using ECR and Secrets…

How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)

I Leaked API Keys Through My .env File — Here's What I Learned About Secret…

AWS MCP Server Just Gave AI Agents Your Cloud Keys — Here's Why That Should…

Finance company stored their DB credentials in spreadsheet

Other newsrooms on this story

Related reading

Category: AWS Secrets Manager

Deploy a Secure Containerized App on Amazon ECS Fargate Using ECR and Secrets…

How to Stop Leaking AWS Keys to GitHub (And What to Do When You Already Did)

I Leaked API Keys Through My .env File — Here's What I Learned About Secret…

AWS MCP Server Just Gave AI Agents Your Cloud Keys — Here's Why That Should…

Finance company stored their DB credentials in spreadsheet