AWS Secrets Manager Extension
You can natively read your application secrets in Liquibase with the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.
For more information, see
Requirements
- Liquibase 4.1
- Liquibase Pro license. See How to Apply Your Liquibase Pro License Key
- AWS Secrets Manager credentials
Installation
CLI
- Navigate to the
- Download
liquibase-aws-secrets-manager-<version>.jarand move it to theliquibase/libdirectory
Maven
If you use Maven, add the pom.xml file to download the JAR:
<plugin>
<groupId>org.liquibase</groupId>
<artifactId>liquibase-maven-plugin</artifactId>
<version>4.27.0</version>
<dependencies>
<dependency>
<groupId>org.liquibase.ext.vaults</groupId>
<artifactId>liquibase-aws-secrets-manager</artifactId>
<version>1.0.5</version>
</dependency>
</dependencies>
</plugin>Liquibase Package Manager
Alternatively, you can install the lpm (Liquibase Package Manager).
lpm update
lpm add liquibase-aws-secrets-managerSetup
Configure your AWS credentials in any standard method. aws_access_key_id, aws_secret_access_key and aws_region are required.
Usage
You can store any Liquibase property in
- In
- In your
liquibase.propertiesfile or other valid configuration location, specify the path to each secret in your vault. Use the syntaxVAULT,SECRET,KEY.VAULT,PARAMETER.
The following example shows a liquibase.properties file configured to store secrets in a vault:
# Liquibase Pro license key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key
# AWS Secrets Manager
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret,username
password= aws-secrets,liquibase-secret,password
# AWS Systems Manager
url= aws-ssm,liquibase-secret-url
username= aws-ssm,liquibase-secret-username
password= aws-ssm,liquibase-secret-password