Liquibase CyberArk PAM Vault Extension

You can natively read your application secrets in Liquibase with the CyberArk PAM Vault extension. If you connect to your vault using the file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.

For more information, see CyberArk PAM documentation.




  1. Navigate to the liquibase-cyberark-pam extension on Maven Central
  2. Download liquibase-cyberarkpam-vault-<version>.jar and move it to the liquibase/lib directory

Liquibase Package Manager

Alternatively, you can install the CyberArk PAM Vault extension with lpm (Liquibase Package Manager).

lpm update
lpm add cyberarkpam-vault


You must add a RootCA certificate in your Java security keystore. For example:

sudo keytool -importcert -alias CyberArkRoot -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit -file RootCA.crt

If there is an error message showing PKIX exception, you could have imported into the wrong cacerts file. Run liquibase -version to see which JVM Liquibase is using

To debug the SSL connection, you can add this Java environment variable to your command line:


You can store any Liquibase property in CyberArk PAM Vault.

  1. Set the VAULT_ADDR and VAULT_CERTFILE attributes as environment variables, as -D Java system properties, or in your file, OR as a command line attribute as shown in the command line section below.
  2. In CyberArk PAM Vault, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  3. In your file or other valid configuration location, specify the path to each secret in your vault. Use the syntax VAULT_TYPE,PATH_TO_NAME_IN_PAM,FIELD_TO_MAP.

The following example shows a file configured to store secrets in a vault:

Note: liquibase.licenseKey= OR liquibase.licenseKey: are valid ways to indicate the values in the file.

Copy cyberark example

liquibase.vault.addr= https://YOUR_CYBERARK_ENDPOINT:18702/AIMWebService/api/Accounts?
liquibase.vault.certfile= YOUR_CERT_PATH/client.p12liquibase.command.username: cyberarkpam,UserName,username
liquibase.command.password= cyberarkpam,Content,password

Command Line Attributes

Attribute Definition Requirement

Your Liquibase Pro license key

--vault-addr URL for CyberArk PAM Vault Server Required
--vault-certfile Certificate for CyberArk PAM Vault Server Optional


Please submit all feedback and issues to this idea board.

Related links