Using Liquibase and AWS RDS

Last updated: July 14, 2025

Amazon Web Services (AWS) provides cloud-based products, including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security, and enterprise applications. Amazon Relational Database Service (Amazon RDS) is a web service that helps you set up, operate, and scale a relational database in the AWS Cloud. Amazon RDS is available on several database instance types and offers six database engines, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server.

Each Amazon RDS DB instance has an endpoint, which has the DNS name (host) and port number for the DB instance to connect to.

Liquibase integrates with application build and deploy tools for CI/CD on AWS and automates the deployment of database changes in-line with related application changes. Using Liquibase and AWS RDS, you can access database engines like PostgreSQL, MariaDB, or Oracle in the cloud and control your deployments by versioning them with the SQL, XML, JSON, or YAML files. It means that the code, applications, and tools you use with your existing databases can be used with Liquibase and Amazon RDS to track, manage, and apply database schema changes.

Use AWS IAM Auth Token to connect Liquibase to AWS RDS Databases

AWS provides the ability to generate tokens to authenticate a user to connect to a database. Further information can be found in this article: Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL.

Liquibase doesn't natively support these tokens in the liquibase.properties file. However, in combination with Liquibase environment variables, Liquibase can pass along the token as the password for connecting to the target AWS database.

Procedure

1

Depending on your platform/pipeline, you set the environment password variable (LIQUIBASE_COMMAND_PASSWORD), which is the variable that Liquibase can read from during Liquibase operations.

Note: If you use the environment variable for the password, do not pass it via the CLI or have the password in the liquibase.properties file.

Below is an example of this on a Linux/Mac platform.

Be sure to:

  • Replace your_rds_host with the hostname of the DB cluster (cluster endpoint) you want to access.

  • Replace your_db_user with the name of the database account to associate with IAM authentication.

export LIQUIBASE_COMMAND_PASSWORD="$(aws rds generate-db-auth-token \
--hostname your_rds_host \
--port 5432 \
--region us-east-1 \
--username your_db_user)"
2

With the AWS CLI, you are able to call generate-db-auth-token to auto-generate a token, which LIQUIBASE_COMMAND_PASSWORD will be set to. This will allow you to connect to an AWS RDS via the token.