AWS Secrets Manager Extension

You can natively read your application secrets in Liquibase with the AWS Secrets Manager extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details, such as the database URL, username, and password attributes and your Liquibase Pro license key, in your vault.

For more information, see the AWS Secrets Manager documentation.

Requirements

Installation

CLI

  1. Navigate to the liquibase-aws-secrets-manager extension on Maven Central.
  2. Download liquibase-aws-secrets-manager-<version>.jar and move it to the liquibase/lib directory.

Maven

If you use Maven, add the AWS Secrets Manager extension dependency in your pom.xml file to download the JAR:

<plugin>
	<groupId>org.liquibase</groupId>
	<artifactId>liquibase-maven-plugin</artifactId>
	<version>4.27.0</version>
	<dependencies>
		<dependency>
			<groupId>org.liquibase.ext.vaults</groupId>
			<artifactId>liquibase-aws-secrets-manager</artifactId>
			<version>1.0.5</version>
		</dependency>
	</dependencies>
</plugin>

Liquibase Package Manager

Alternatively, you can install the AWS Secrets Manager extension with lpm (Liquibase Package Manager).

lpm update
lpm add liquibase-aws-secrets-manager

Setup

Configure your AWS credentials using any standard method. The aws_access_key_id, aws_secret_access_key, and aws_region values are required.

Usage

You can store any Liquibase property in AWS Secrets Manager.

  1. In AWS Secrets Manager, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  2. Gather the secret name of each secret in your vault. For example, my-database-secret.
  3. In your liquibase.properties file or other valid configuration location, specify each of those names as the values of Liquibase parameters, such as url. Use the syntax VAULT,SECRET,KEY. You can also enable support for AWS Systems Manager with VAULT,PARAMETER.

The following example shows a liquibase.properties file whose values reference secrets stored in a vault instead of containing them in plain text:

# Liquibase Pro license key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key

# AWS Secrets Manager
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret,username
password= aws-secrets,liquibase-secret,password

# AWS Systems Manager (alternative to the AWS Secrets Manager entries above)
url= aws-ssm,liquibase-secret-url
username= aws-ssm,liquibase-secret-username
password= aws-ssm,liquibase-secret-password
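
A check you can run in CI against the reference syntax described above, added here as an example and not part of the Liquibase documentation or the extension: it flags sensitive properties whose values are not in the aws-secrets,SECRET,KEY or aws-ssm,PARAMETER form. The function name lint_properties, the duplicate-key check, and the sample file are assumptions made for this example.

```python
import re

# Property keys the page treats as sensitive.
SENSITIVE_KEYS = {"url", "username", "password", "liquibase.licenseKey"}

# Reference forms from the page: aws-secrets,<secret>,<key> and aws-ssm,<parameter>.
VAULT_REF = re.compile(r"(?:aws-secrets,[^,\s]+,[^,\s]+|aws-ssm,[^,\s]+)")

# key=value or key:value; continuations and escapes are not handled (simplification).
ENTRY = re.compile(r"([^=:\s]+)\s*[=:]\s*(.*)")


def lint_properties(text):
    """Return (line_number, key, problem) tuples. Values are never echoed,
    so the output is safe to keep in CI logs."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        match = ENTRY.fullmatch(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key not in SENSITIVE_KEYS:
            continue
        if key in seen:
            findings.append((lineno, key, f"duplicate of line {seen[key]}"))
        seen[key] = lineno
        if not VAULT_REF.fullmatch(value):
            findings.append((lineno, key, "plaintext value, not a vault reference"))
    return findings


# Constructed sample input, not taken from a real project.
SAMPLE = """\
# mixed file: vault references, one hard-coded password, one repeated key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key
url= aws-secrets,liquibase-secret,url
username= aws-ssm,liquibase-secret-username
password= example-plaintext-value
url= aws-ssm,liquibase-secret-url
changeLogFile= changelog.xml
"""

if __name__ == "__main__":
    for lineno, key, problem in lint_properties(SAMPLE):
        print(f"line {lineno}: {key}: {problem}")
```

Failing the build when lint_properties returns any finding keeps plaintext credentials from reaching version control alongside the changelog.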