Use the AWS Secrets manager extension
Last updated: July 14, 2025
Starting with Liquibase Pro 4.31.0, new features and fixes are not applied to the individual AWS S3, AWS Secrets Manager, and Amazon DynamoDB Pro extensions. While you can still use the individual extensions, it will not receive future updates. We recommend using the Liquibase AWS extension to get the latest improvements and prevent conflicts.
You can natively read your application secrets in Liquibase with the AWS Secrets Manager extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes, and your Liquibase Pro license key in your vault.
Note: By default, AWS Secrets Manager enforces TLS, ensuring that secrets are safe in transit. Learn more here: Infrastructure security in AWS Secrets Manager.
For more information, see AWS Secrets Manager documentation.
Before you begin
Liquibase 4.18.0+
Liquibase Pro license.
AWS Secrets Manager credentials.
Configure your AWS credentials in any standard method.
aws_access_key_id
,aws_secret_access_key
andaws_region
are required.
Procedure
In AWS Secrets Manager, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
Gather the secret name of each secret in your vault.
For example, my-database-secret
.
Specify each secret name.
Specify each secret using the format VAULT,SECRET,KEY
in your liquibase.properties
file or any other supported configuration method, such as environment variables or command-line arguments. For example, use this syntax as the value for parameters like url
. If you're using AWS Systems Manager instead of Secrets Manager, use the format VAULT,PARAMETER
.
The following example shows a liquibase.properties
file configured to store secrets in a vault:
# Liquibase Pro license key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key
# AWS Secrets Manager
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret,username
password= aws-secrets,liquibase-secret,password
# AWS Systems Manager
url= aws-ssm,liquibase-secret-url
username= aws-ssm,liquibase-secret-username
password= aws-ssm,liquibase-secret-password