Use the AWS Secrets manager extension

Last updated: July 14, 2025

Starting with Liquibase Pro 4.31.0, new features and fixes are not applied to the individual AWS S3, AWS Secrets Manager, and Amazon DynamoDB Pro extensions. While you can still use the individual extensions, it will not receive future updates. We recommend using the Liquibase AWS extension to get the latest improvements and prevent conflicts.

You can natively read your application secrets in Liquibase with the AWS Secrets Manager extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes, and your Liquibase Pro license key in your vault.

Note: By default, AWS Secrets Manager enforces TLS, ensuring that secrets are safe in transit. Learn more here: Infrastructure security in AWS Secrets Manager.

For more information, see AWS Secrets Manager documentation.

Before you begin

Liquibase 4.18.0+
Liquibase Pro license.
AWS Secrets Manager credentials.
Install the Liquibase Pro AWS Extension
Configure your AWS credentials in any standard method. aws_access_key_id, aws_secret_access_key and aws_region are required.

Procedure

In AWS Secrets Manager, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.

Gather the secret name of each secret in your vault.

For example, my-database-secret.

Specify each secret name.

Specify each secret using the format VAULT,SECRET,KEY in your liquibase.properties file or any other supported configuration method, such as environment variables or command-line arguments. For example, use this syntax as the value for parameters like url. If you're using AWS Systems Manager instead of Secrets Manager, use the format VAULT,PARAMETER.

The following example shows a liquibase.properties file configured to store secrets in a vault:

# Liquibase Pro license key liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key # AWS Secrets Manager url= aws-secrets,liquibase-secret,url username= aws-secrets,liquibase-secret,username password= aws-secrets,liquibase-secret,password # AWS Systems Manager url= aws-ssm,liquibase-secret-url username= aws-ssm,liquibase-secret-username password= aws-ssm,liquibase-secret-password