thank you for your response.

Idea here is that using AWS Secrets Manager the developers will NOT have access to any api keys.

just an example, a big project with a lot of third-party api with a lot of api/token but client decide that he dont want to share all that sensitive data to any developer, so will not be like saving just api key in .env file...

but, using AWS Secret Manager, and only client having access to it, client is the only one who know the sensitive data and can change it anytime