AWS Secrets Manager Extension

Note: Starting with Liquibase Pro 4.31.0, new features and fixes are not applied to the individual AWS S3, AWS Secrets Manager, and Amazon DynamoDB Pro extensions. While you can still use the individual extensions, they will not receive future updates. We recommend using the Liquibase AWS extension to get the latest improvements and prevent conflicts.

You can natively read your application secrets in Liquibase with the AWS Secrets Manager extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details, such as the database URL, username, and password attributes and your Liquibase Pro license key, in your vault.

For more information, see AWS Secrets Manager documentation.

Requirements

Setup

Configure your AWS credentials using any standard method. aws_access_key_id, aws_secret_access_key, and aws_region are required.

Usage

You can store any Liquibase property in AWS Secrets Manager.

  1. In AWS Secrets Manager, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  2. Gather the secret name of each secret in your vault. For example, my-database-secret.
  3. In your liquibase.properties file or other valid configuration location, specify each of those names as the values of Liquibase parameters, such as url. Use the syntax VAULT,SECRET,KEY. You can also enable support for AWS Systems Manager with VAULT,PARAMETER.

The following example shows a liquibase.properties file configured to read its values from secrets stored in a vault:

# Liquibase Pro license key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key

# AWS Secrets Manager
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret,username
password= aws-secrets,liquibase-secret,password

# AWS Systems Manager (alternative to the AWS Secrets Manager entries above; set each property only once)
url= aws-ssm,liquibase-secret-url
username= aws-ssm,liquibase-secret-username
password= aws-ssm,liquibase-secret-password
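
A check you could run before committing a liquibase.properties file, added here as an example and not part of the Liquibase documentation or product: it flags sensitive properties that hold a plaintext value, a malformed vault reference, or a duplicate definition. The function names, the sample input, and the simplified properties parsing are assumptions; the aws-secrets and aws-ssm reference shapes are the ones shown above.

```python
import re

# Properties the page names as sensitive (assumed complete for this check).
SENSITIVE = {"url", "username", "password", "liquibase.licenseKey"}
# Reference shapes from the page: aws-secrets,SECRET,KEY and aws-ssm,PARAMETER.
FIELD_COUNT = {"aws-secrets": 3, "aws-ssm": 2}

SAMPLE = """\
# constructed sample input, not a real configuration
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret
password= constructed-plaintext-value
url= aws-ssm,liquibase-secret-url
changeLogFile= changelog.xml
"""


def parse_properties(text):
    """Yield (line_no, key, value); simplified: no continuations or escapes."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            yield no, m.group(1), m.group(2)


def check(text):
    """Return (line_no, key, problem) for each sensitive property at risk."""
    findings, seen = [], {}
    for no, key, value in parse_properties(text):
        if key not in SENSITIVE:
            continue
        if key in seen:
            findings.append((no, key, f"duplicate of line {seen[key]}"))
        seen[key] = no
        parts = [p.strip() for p in value.split(",")]
        expected = FIELD_COUNT.get(parts[0])
        if expected is None:
            findings.append((no, key, "plaintext value, not a vault reference"))
        elif len(parts) != expected or not all(parts):
            findings.append((no, key, f"malformed {parts[0]} reference"))
    return findings

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

The check only inspects the file; it does not contact AWS or confirm that the referenced secrets exist.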