Use the Liquibase HashiCorp vault extension

Last updated: July 14, 2025

You can natively read your application secrets in Liquibase with the Hashicorp Vault extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.

For more information, see HashiCorp Vault documentation.

Before you begin

Liquibase 4.18.0+
Liquibase Pro license. See How to Apply Your Liquibase Pro License Key
HashiCorp Vault 1.4.x+ with kv secrets engine v1 or v2 enabled
Install the liquibase-hashicorp-vault extension

Procedure

Set the VAULT_ADDR and VAULT_TOKEN attributes as environment variables, as -D Java system properties, or in your liquibase.properties file, OR as a command line attribute.

In HashiCorp Vault, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.

Gather the Vault HTTP API path of each secret in your vault.

For example, /v1/secret/data/test_secrets.

Note: If you use kv secrets engine v1, your HTTP API path will look like /v1/secret/example. If you use kv secrets engine v2, the path uses an additional "data" prefix and will look like /v1/secret/data/example. (The version number at the beginning of the API path is from the Vault HTTP API and is not related to the version of kv you use.)

In your liquibase.properties file or other valid configuration location, specify each of those API paths as the values of Liquibase parameters, such as url.

Omit the /v1/ at the beginning of the API path. Use the syntax VAULT, PATH, FIELD.
Tip: If your PATH includes whitespace, you must surround it with quotes. For example: "secret/my path/".