Kamal secrets with AWS Secrets Manager and Hetzner VPS for indie founders
This review examines a secure, cost-effective deployment pattern for Kamal applications, integrating AWS Secrets Manager for secret management and Hetzner VPS for infrastructure. We assess its suitability for indie developers.
TL;DR Best for: Indie founders using Kamal who need managed secret storage without a dedicated ops team, and who want an audit trail and access controls they can point to in SOC 2 or GDPR conversations. Skip if: You need a secret store that is not tied to AWS, or you prefer a fully managed Platform-as-a-Service (PaaS) where secret handling is abstracted away. Bottom line: This pattern offers a robust, low-cost solution for secure application secret storage and deployment, provided you scope AWS Secrets Manager access tightly and understand that Kamal's own secret retrieval covers only the deployment variables it is configured to fetch.
METHODOLOGY
This v0 review draws on the founder's published claims and technical guide at the dev.to blog post "Storing Kamal secrets in AWS Secrets Manager and deploying to a cheap Hetzner VPS" by devto, accessed on 2026-05-23. The review covers the proposed integration patterns for Kamal, AWS Secrets Manager, and Hetzner VPS, including code snippets for config/deploy.yml, shell commands, and JSON secret structures. We analyze the author's stated problem (plaintext secrets) and their suggested solution for secure storage and cost-effective deployment. This review does not include independent performance benchmarks, long-term workflow assessments, or edge-case testing of the described setup. Update cadence: This review will be re-tested when claims diverge from observed behavior or when more comprehensive data becomes available.
WHAT IT DOES
Securing application secrets in AWS Secrets Manager
The core problem addressed is the storage of application API keys (e.g., DEEPGRAM_API_KEY, ASSEMBLY_AI_API_KEY) in plaintext files within a Kamal project, where they are one accidental commit or one copied laptop away from disclosure. The author proposes moving these credentials into AWS Secrets Manager. The process involves creating a new "Other type of secret" in the AWS Secrets Manager console and pasting a JSON blob containing all application secrets into the plaintext tab. What this buys is not just "encryption" but a managed control plane: the value is encrypted at rest under a KMS key, every read requires an IAM principal with secretsmanager:GetSecretValue on that secret's ARN, and every read is recorded in CloudTrail. Those properties, rather than the storage location itself, are what support SOC 2 and GDPR evidence. One trade-off of the single-blob layout: a principal that can read the secret can read every key in it, so access is all-or-nothing per application rather than per credential.
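The "manage access carefully" half of the recommendation is an IAM policy, which the reviewed post does not show. The following is an added example of the least-privilege policy a practitioner would attach to the identity that the Hetzner host or the deploy machine uses; the region, account ID and secret name (myapp/production) are assumed placeholders. The trailing -?????? matches the six-character suffix Secrets Manager appends to every secret ARN, so the grant covers exactly one secret and nothing else in the account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneAppSecretOnly",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:eu-central-1:123456789012:secret:myapp/production-??????"
    }
  ]
}
```

No kms:Decrypt statement is needed while the secret uses the default aws/secretsmanager key; if you encrypt it under a customer-managed KMS key, add kms:Decrypt on that key's ARN to the same policy. Keep write actions (PutSecretValue, UpdateSecret, DeleteSecret) on a separate identity used only from your workstation, so a compromised server can read its own secret but not alter or destroy it.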
Cost-effective hosting on Hetzner VPS
For deployment infrastructure, the guide recommends a Hetzner Cloud VPS, noting the CAX series starting at approximately 4 euro a month. The author actually uses a CX22 instance, providing 2 vCPUs and 4GB RAM, which they state is sufficient for production workloads. Note that these are different processor families: CAX servers are Arm64 (Ampere) machines, while the CX22 is x86-64, so Docker images must be built for the architecture of the server you pick. The setup involves running apt update && apt install -y docker.io on the Hetzner server and copying an SSH public key so Kamal can connect. Since Kamal connects over SSH as root by default, that key is the deploy credential for the whole host; it should be a dedicated key with password authentication disabled in sshd. This provides a low-cost, self-managed hosting environment.
Kamal's deployment role
Kamal, a tool for deploying web apps to remote servers via Docker, orchestrates the deployment. The config/deploy.yml snippet shows configuration for servers, proxy (with SSL), and registry settings. Kamal pushes images to a Docker Hub account, with the KAMAL_REGISTRY_PASSWORD expected as an environment variable; that token is itself a secret and needs a home outside the repository just as much as the API keys do. The author notes a specific issue: the kamal secrets fetch --adapter aws_secrets_manager --from ... command, as they used it, expected each key to be its own AWS secret and failed when pointed at a single JSON blob. The guide nevertheless proceeds to store the application secrets as one JSON blob without showing how Kamal, or anything else, consumes that blob at deploy time.
WHAT'S INTERESTING / WHAT'S NOT
What's interesting about this pattern is its direct approach to solving a common problem for indie developers: secure secret management without incurring significant operational overhead or cost. The explicit mention of SOC 2 and GDPR compliance highlights a real-world benefit beyond mere security hygiene. Leveraging Hetzner's aggressively priced VPS offerings with Kamal's Docker-centric deployment simplifies the infrastructure stack, making it accessible for single-person teams or small startups. The author's practical experience with the kamal secrets fetch command's limitation, even if not fully resolved in the presented solution, points to a common friction point that others will encounter.
What's not fully clear, and therefore less interesting from a complete-solution perspective, is the mechanism by which the JSON blob of application secrets in AWS Secrets Manager reaches the running application. The author states that kamal secrets fetch failed when the secrets were stored as a single JSON blob. The guide shows how to store the blob, but not the Kamal command or configuration that successfully retrieves and injects those values during deployment; whether the aws_secrets_manager adapter can address individual keys inside a JSON secret was not verified for this review. The natural reading is that the application itself, running inside the deployed Docker container, fetches and parses the secret at boot using the AWS SDK, rather than Kamal handling it transparently. That shifts two responsibilities onto the founder: the container on the Hetzner host now needs AWS credentials of its own (a non-AWS server has no instance role, so this means an IAM user's access keys, which must be scoped to the single secret and rotated), and the app needs startup logic that fails loudly when a key is missing rather than booting with a nil API key. This distinction is crucial for understanding the true integration pattern and responsibility boundaries, and it means the title "Storing Kamal secrets in AWS Secrets Manager" is slightly misleading regarding the application secrets.
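The application-side retrieval the post leaves implicit looks roughly like the following. This is an added example written for this review, not code from the post or from Kamal; it assumes the blob described above (a flat JSON object such as {"DEEPGRAM_API_KEY": "...", "ASSEMBLY_AI_API_KEY": "..."}) stored under an assumed secret name myapp/production, and it assumes the aws-sdk-secretsmanager gem and AWS credentials are available in the container when APP_SECRET_ID is set. Without that variable it runs against a constructed stub so the parsing and validation logic can be exercised offline.

```ruby
require "json"

# Added example (not from the reviewed post): load one JSON-blob secret from
# AWS Secrets Manager into the process environment at boot, validating it.
module SecretsLoader
  class MissingKeys < StandardError; end

  # Keys the app refuses to start without (assumed; adjust per application).
  REQUIRED_KEYS = %w[DEEPGRAM_API_KEY ASSEMBLY_AI_API_KEY].freeze

  # Real SDK client, built lazily so this file loads without the gem in CI.
  # Needs the aws-sdk-secretsmanager gem and IAM permission
  # secretsmanager:GetSecretValue on the one secret's ARN.
  def self.default_client(region: ENV.fetch("AWS_REGION", "eu-central-1"))
    require "aws-sdk-secretsmanager"
    Aws::SecretsManager::Client.new(region: region)
  end

  # Constructed stand-in for offline runs: same get_secret_value/secret_string
  # shape as the SDK response, serving a hard-coded sample blob.
  SAMPLE_BLOB = '{"DEEPGRAM_API_KEY":"dg-sample","ASSEMBLY_AI_API_KEY":"aai-sample"}'
  class StubClient
    Response = Struct.new(:secret_string)

    def initialize(blob = SAMPLE_BLOB)
      @blob = blob
    end

    def get_secret_value(secret_id:)
      Response.new(@blob)
    end
  end

  # Parses the SecretString into a flat String => String hash. A mis-pasted
  # blob (array, nested object, number) fails here instead of surfacing later
  # as a nil API key in an HTTP header.
  def self.parse(secret_string)
    data = JSON.parse(secret_string)
    raise ArgumentError, "secret is not a JSON object" unless data.is_a?(Hash)
    data.each do |key, value|
      raise ArgumentError, "value for #{key} is not a string" unless value.is_a?(String)
    end
    data
  end

  # Fetches secret_id and merges its keys into env (ENV by default). Existing
  # variables win unless override: true, so a container-level override still
  # works. Returns the key names written; values are never logged.
  def self.load!(secret_id:, client: default_client, env: ENV, override: false,
                 required: REQUIRED_KEYS)
    secrets = parse(client.get_secret_value(secret_id: secret_id).secret_string)
    missing = required - secrets.keys
    raise MissingKeys, "#{secret_id} lacks: #{missing.join(', ')}" unless missing.empty?

    secrets.each_with_object([]) do |(key, value), written|
      next if env.key?(key) && !override
      env[key] = value
      written << key
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # With APP_SECRET_ID set, talk to AWS; otherwise exercise the stub offline.
  client = ENV["APP_SECRET_ID"] ? SecretsLoader.default_client : SecretsLoader::StubClient.new
  written = SecretsLoader.load!(secret_id: ENV.fetch("APP_SECRET_ID", "myapp/production"),
                                client: client)
  warn "loaded #{written.size} secret(s): #{written.join(', ')}"
end
```

Call SecretsLoader.load! once, before the framework reads any of those variables (in a Rails app, from config/application.rb or an early initializer), and let a MissingKeys exception crash the container so Kamal's health check fails the deploy instead of serving traffic with a half-configured app.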
PRICING
- Hetzner Cloud VPS: CAX (Arm64) series starts at approximately 4 euro per month. The CX22 instance actually used by the author is an x86-64 machine with 2 vCPUs and 4GB RAM. (Pricing snapshot: 2026-05-23)
- AWS Secrets Manager: There is no permanent free tier, only a 30-day free trial. After that it costs $0.40 per secret per month, plus $0.05 per 10,000 API calls for retrieval. For a single JSON blob secret read once per container start, the monthly cost is well under a dollar.
- Docker Hub: Offers a free tier for public repositories. Private repositories require a paid subscription, starting at $7/month for a Pro plan.
VERDICT This deployment pattern is a strong contender for indie founders using Kamal who prioritize both cost-effectiveness and credible secret management. It removes plaintext secrets from the repository by moving them into AWS Secrets Manager, a mature service with IAM-scoped access and CloudTrail auditing. The choice of Hetzner VPS provides lean infrastructure at a fraction of the cost of the major cloud providers. However, users must be aware that the author's attempt to fetch a single JSON blob through Kamal's native secret fetching failed, so the application itself will likely need to retrieve the secret at startup, which in turn means the Hetzner host holds long-lived AWS access keys that must be scoped to that one secret and rotated. With that caveat, the approach offers a pragmatic balance of security, cost, and control for small teams or individual developers building production applications.
WHAT WE'D TEST NEXT
For a v2 review, we would benchmark the performance of Kamal deployments on various Hetzner VPS tiers to validate the "enough for production" claim. We would also investigate and document the precise mechanism for applications to retrieve the JSON blob of secrets from AWS Secrets Manager within a Kamal-deployed Docker container, including code examples. Further testing would involve exploring alternative secret management adapters for Kamal that natively support JSON blob parsing or more granular secret management. Finally, we would assess the implications of automated secret rotation within AWS Secrets Manager for this specific setup, ensuring seamless updates without deployment interruptions.
Pull quote: “This pattern offers a robust, low-cost solution for secure application secret storage and deployment, provided you scope AWS Secrets Manager access tightly and understand that Kamal's own secret retrieval covers only the deployment variables it is configured to fetch.”
Every claim ties to a primary source. See our methodology.