AWS Secrets Manager Extension

You can natively read your application secrets in Liquibase with the AWS Secrets Manager extension. If you connect to your vault using the file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.

For more information, see AWS Secrets Manager documentation.




  1. Navigate to the liquibase-aws-secrets-manager extension on Maven Central
  2. Download liquibase-aws-secrets-manager-<version>.jar and move it to the liquibase/lib directory


If you use Maven, add the AWS Secrets Manager extension dependency in your pom.xml file to download the JAR:


Liquibase Package Manager

Alternatively, you can install the AWS Secrets Manager extension with lpm (Liquibase Package Manager).

lpm update
lpm add liquibase-aws-secrets-manager


Configure your AWS credentials in any standard method. aws_access_key_id, aws_secret_access_key and aws_region are required.


You can store any Liquibase property in AWS Secrets Manager.

  1. In AWS Secrets Manager, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  2. In your file or other valid configuration location, specify the path to each secret in your vault. Use the syntax VAULT,SECRET,KEY. You can also enable support for AWS Systems Manager with VAULT,PARAMETER.

The following example shows a file configured to store secrets in a vault:

# Liquibase Pro license key
liquibase.licenseKey= aws-secrets,liquibase-secret-license,pro_key

# AWS Secrets Manager
url= aws-secrets,liquibase-secret,url
username= aws-secrets,liquibase-secret,username
password= aws-secrets,liquibase-secret,password

# AWS Systems Manager
url= aws-ssm,liquibase-secret-url
username= aws-ssm,liquibase-secret-username
password= aws-ssm,liquibase-secret-password