Connect Liquibase to Amazon S3
Last updated: June 8, 2026
This feature is available in Liquibase Secure v4.17.0 and later.
Starting with Liquibase Secure 4.31.0, new features and fixes are not applied to the individual AWS S3, AWS Secrets Manager, and Amazon DynamoDB Secure extensions. While you can still use the individual extensions, it will not receive future updates. We recommend using the Liquibase AWS extension to get the latest improvements and prevent conflicts.
Liquibase integrates the use of Amazon S3 to store and retrieve data from anywhere. Extending Liquibase to use remote file locations enables secure, centralized file management. Liquibase files include changelogs, snapshots, SQL files, liquibase.properties files, native executor configuration files, checks settings configuration files, and flow files. Remote file location access allows you to build a reusable repository of Liquibase files. It also removes the need for all developers to have local copies of Liquibase files, which ensures files are always accurate.
Note: By default, S3 enforces TLS, which ensures that secrets are safe while in transit. Learn more here: Enforcing encryption with Amazon S3.
Procedure
Download liquibase-AWS-extension-<version>.jar and put it in the liquibase/lib directory.
If you use Maven, add this dependency to your pom.xml file:
<dependency>
<groupId>org.liquibase</groupId>
<artifactId>liquibase-AWS-extension</artifactId>
<version>1.1.3</version>
</dependency>
Configure your AWS keys as local environment variables or in your AWS configuration files
You can use these secure credentials instead of a traditional username and password. You must set the following keys:
AWS_REGIONAWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN(optional)
For example, if you use AWS configuration files, you can set this in your config file (~/.aws/config):
[default]
region=us-east-2
In your shared credentials file (~/.aws/credentials), you can use temporary values from your AWS access portal. For example:
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE
(Optional) Store your license key on S3
If you usually store your Liquibase Secure license key in a defaults file which you want to store on S3, set up your license in an environment variable, in the CLI, or with another standard property-setting method and then export the key in the CLI. Liquibase Secure license key is needed to access remote S3 files. Therefore, the license key will not be accessible if only stored in a remote S3 defaults file. It is best practice to set up an environment variable that contains the key.
Add the Liquibase license key to the environment variable.
LIQUIBASE_LICENSE_KEY=your_license_keyExport the key in the CLI.
export LIQUIBASE_LICENSE_KEY=your_license_key
For Linux or MacOS, use this syntax. For Windows command prompt or PowerShell, use the syntax described in the Amazon article Configuring environment variables for the AWS CLI.
Once the AWS keys and Liquibase Secure license key are configured, you are ready to begin using S3 with Liquibase.
What to do next
Create a changelog
You can create a basic Liquibase project, including a changelog, with the init project command:
liquibase init project
--project-dir=s3://mybucket//init
--project-guide=off
--changelog-file=dbchangelog.sql
Note: Liquibase creates the check-settings file locally unless you provide the absolute path with the project-dir attribute, as shown in this example. For more information, see Use the Checks Settings Configuration File.
When using init project, you cannot give attributes to changelogs. This prevents you from using a relative path with the changelog. To solve this, use the --changelog-file property in the liquibase.properties file to name the changelog file from the CLI when using init project in a non-interactive way. See also: Remote File Path Rules.
Run flow file
In the CLI, create a flow file with the flow command. Then you can run the flow file using S3:
liquibase
--changelog-file=example-changelog.sql
--search-path=s3://example/demo
--defaults-file=s3://example/demo/liquibase.properties
flow
--flow-file=s3://example/liquibases3/liquibase.s3.advanced.flowfile.yaml
For a list of commands you can use with S3, see Liquibase commands for remote files. For more information about the search-path property, see What are the rules for using search-path with remote files.