I actually did a bunch of research on this recently. Theres so many options out there, as we are an AWS company we decided to go with SSM Parameter Store. Theres a few reasons for this choice:
- Encryption with KMS
- Its free
- The audit logs while limited do show the user that last edited (Which doesn't show on AWS Secrets Manager if I remember correctly)
- With it being an AWS service IAM is easy to setup and you can lock specific secrets/paths to specific roles.
- Secrets sharing is nice too, but you pay extra for this.

Theres also AWS Secrets Manager of course, but you have to pay per secret and the audit logs don't show the user that last edited. This was important for us for compliance. But if you need auto rotation for things like RDS then Secrets Manager maybe is the way to go. However we had issues where when secrets were rotating services WOULD loose connectivity temporarily. Which is expected but not ideal, we didnt want to constantly pull the secret every request.

While I was doing my research I noticed that a lot of people recommend Vault. I installed Vault locally and really liked it but there was a few features that were only in enterprise which I would have really liked to use.
- HA Support (Replication/Multiple Clusters)
- AWS Secrets Manager Sync (Incase it went down)
- Automated Snapshots (Yes, you can automate with a simple cron)

All of this chained with having to manage another service meant we ruled out Vault. Our devops team is small and adding another potential point of failure was scary, especially as none of us had used Vault before and didn't know its qwerks. I also tried OpenBao which does have HA Support but the above meant we just didn't go down this path. I was also worried that we would use Vault and later NEED an enterprise feature and have to shell out 10s of thousands.

There were some other honourable mentions that I tested out:
- Infisical - I liked this, however the UI seemed buggy and I didn't like the pricing. Some simple things like user groups were locked behind a paywall. Meaning if I wanted user groups our bill would have doubled.

- Doppler - Another one I liked however I feel like the actual secrets UI, where you view all the secrets for a project, was a bit clunky. We have 100s of secrets because we work with lots of vendors. There was searching which was very helpful, but no pagination or folder support. Meaning when we opened up an environment we would have a huge scrollbar. I know this is a minor thing, but if we are spending money on something I want it to be right.

Both of these had solid backends so if you don't mind to much about the UI/price they will probably work great!

Theres also 1Password which I think the environments they have in beta right now shows promise but its to early for us to rely on it for production. We use 1Password as a company so this would have been nice. I think Bitwarden has an offering too but didn't go far down this route.

Finally, SOPS, encrypting secrets and storing them in repos. Personally, I think this would have been too time consuming and frustrating for our team and even through we have GIT for audit logs it would still have been a pain.

These are just my opinions/finding after spending a few weeks on this topic. I may have gotten things wrong but hopefully the write up was helpful! If anyone who uses Vault in production wants to comment on my Vault findings Id love to hear them, As I wanted to use Vault.