Liquibase HashiCorp Vault Extension
You can natively read your application secrets in Liquibase with the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.
For more information, see
Requirements
- Liquibase 4.1
- Liquibase Pro license. See How to Apply Your Liquibase Pro License Key
- HashiCorp Vault with V1 or V2 secrets engine enabled
Note: When using V2, you must add an additional parameter data to each of the variables being retrieved in Hashicorp. Learn more here: KV secrets engine
V1: LIQUIBASE_COMMAND_URL='hashicorp,liquibasev1/DEV,URL'
V2: LIQUIBASE_COMMAND_URL='hashicorp,liquibasev2/data/DEV,URL'
Installation
CLI
- Navigate to the
- Download
liquibase-hashicorp-vault-<version>.jarand move it to theliquibase/libdirectory
Maven
If you use Maven, add the pom.xml file to download the JAR:
<dependency>
<groupId>org.liquibase.ext.vaults</groupId>
<artifactId>liquibase-hashicorp-vault</artifactId>
<version>1.0.0</version>
</dependency>Liquibase Package Manager
Alternatively, you can install the lpm (Liquibase Package Manager).
lpm update
lpm add liquibase-hashicorp-vaultUsage
You can store any Liquibase property in
- Set the
VAULT_ADDRandVAULT_TOKENattributes as environment variables, as-DJava system properties, or in yourliquibase.propertiesfile, OR as a command line attribute as shown in the command line section below. - In
- In your
liquibase.propertiesfile or other valid configuration location, specify the path to each secret in your vault. Use the syntaxVAULT,PATH,FIELD.
Note: If your PATH includes whitespace, you must surround it with quotes. For example: "secret/my path/".
The following example shows a liquibase.properties file configured to store secrets in a vault:
Token authentication
Tip: Token authentication is the recommended way to connect Liquibase to HashiCorp Vault.
Vault usage without namespace using token authentication:
# Enable Liquibase Pro functionality
liquibase.licenseKey= hashicorp,vault/liquibase/license,pro_key
# Properties to store in the vault
url= hashicorp,vault/liquibase/urlLocation,url
username= hashicorp,vault/liquibase/usernameLocation,username
password= hashicorp,vault/liquibase/passwordLocation,password
# Authentication
vault.addr= https://vault.example.com:8200
vault.token= -DvaultTokenExampleJSON web token (JWT) authentication
Tip: If you need to use JWT authentication, please email support@liquibase.com for configuration assistance.
Vault usage with namespace using JWT authentication:
Note: liquibase.licenseKey= OR liquibase.licenseKey: are valid ways to indicate the values in the liquibase.properties file.
# Properties to store in the vault
liquibase.licenseKey= hashicorp,vault/liquibase/license,pro_key
url= hashicorp,secret/liquibase/urlLocation,url
username= hashicorp,vault/liquibase/usernameLocation,username
password= hashicorp,vault/liquibase/passwordLocation,password
# Authentication
vault.addr=https://vault.example.com:8200
vault.jwt=your-jwt-token
vault.namespace=your-vault-namespace
vault.role=your-vault-roleCommand Line Attributes
| Attribute | Definition | Requirement |
|---|---|---|
--license-key
|
Your Liquibase Pro license key |
Required |
--vault-addr
|
URL for HashiCorp Vault Server | Required |
--vault-token
|
Access Token for HashiCorp Vault Server | Optional |
--vault-namespace
|
Namespace for HashiCorp Vault Requests | Optional |
--vault-jwt
|
JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended. | Optional |
--vault-role
|
Role for JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended. | Optional |