AWS has recently announced the AWS Workload Credentials Provider to automatically deliver and refresh certificates and secrets for applications. The open source tool reduces the need for custom automation, helps prevent outages caused by expired certificates, and works in both AWS and non-AWS environments.
The new tool supports ACM certificate export and automatic renewal for both public and private TLS certificates, providing a local credential layer that retrieves, caches, exports, and automatically refreshes secrets and certificates. It also caches secrets from AWS Secrets Manager and is compatible with existing Secrets Manager Agent deployments.
For organizations using AWS Secrets Manager and AWS Certificate Manager, the new service can be viewed as an AWS-native alternative to Vault Agent for credential and certificate delivery. Ashish Kasaudhan, senior cloud architect at PwC Acceleration Centers, explains:
For years, HashiCorp Vault Agent provided a clean answer to this problem: authenticate once, cache locally, render credentials to disk, and refresh them automatically. AWS had excellent managed services for storing secrets and certificates, but it never offered a first-party equivalent on the client side (...) The hidden cost of secrets management isn’t the API call. It’s the operational complexity.
According to the documentation, Workload Credentials Provider runs natively as a system service on both Linux (requires systemd) and Windows (with PowerShell 5.1 or later) under a dedicated low-privilege user, writing certificate files with restricted permissions. Formerly known as the AWS Secrets Manager Agent, it can be used for workloads running both on AWS and off-premises.
The project automatically checks configured certificates every 24 hours, exporting and updating local files only when certificate content has changed. When updates occur, it can trigger a command to reload dependent services such as NGINX or Apache. It also performs an initial refresh at startup, uses randomized timing to prevent large-scale simultaneous API requests, and supports dynamic configuration reloads, allowing certificate settings to be added or modified without reinstalling the service. Up to 50 certificates can be configured, each running in its own isolated management process.
[logging]
log_level = "info"
log_to_file = true
[capabilities.acm]
enabled = true
[[capabilities.acm.certificates]]
certificate_arn = "arn:aws:acm:us-west-2:123456789012:certificate/abcd1234-5678-90ab-cdef-EXAMPLE11111"
role_arn = "arn:aws:iam::123456789012:role/ACMExportRole"
certificate_path = "/etc/pki/tls/certs/example.com.crt"
private_key_path = "/etc/pki/tls/private/example.com.key"
chain_path = "/etc/pki/tls/certs/example.com-chain.pem"
refresh_command = "/usr/sbin/nginx -s reload"
Example of a configuration file. Source: AWS documentation
Initial reactions are positive, with practitioners viewing it as an AWS-native alternative for local secret and certificate delivery. Corey Quinn, chief cloud economist at The Duckbill Group, writes in his newsletter:
A name only a committee could love, automating the certificate-renewal cron job you've maintained with duct tape and EventBridge since 2019, before it was EventBridge. It's open source and free, which means AWS will recoup costs through the Secrets Manager bill it cheerfully caches against. Your ops team finally gets to sleep through cert expiry weekends. I mean, they always did, but it was rude to say it.
While using the provider is free, using Secrets Manager and ACM will incur associated costs. The Workload Credentials Provider is configured via a TOML file, in which developers define certificate settings, output paths, refresh commands, and other runtime options. It is released under an Apache-2.0 license and available on GitHub.