Liquibase HashiCorp Vault Extension

You can natively read your application secrets in Liquibase with the HashiCorp Vault extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details such as database URL, username, and password attributes and your Liquibase Pro license key in your vault.

For more information, see HashiCorp Vault documentation.

Requirements

Installation

CLI

  1. Navigate to the liquibase-hashicorp-vault extension on Maven Central.
  2. Download liquibase-hashicorp-vault-<version>.jar and move it to the liquibase/lib directory.

Maven

If you use Maven, add the HashiCorp Vault extension dependency in your pom.xml file to download the JAR:

<dependency>
    <groupId>org.liquibase.ext.vaults</groupId>
    <artifactId>liquibase-hashicorp-vault</artifactId>
    <version>1.0.0</version>
</dependency>

Liquibase Package Manager

Alternatively, you can install the HashiCorp Vault extension with lpm (Liquibase Package Manager).

lpm update
lpm add liquibase-hashicorp-vault

Usage

You can store any Liquibase property in HashiCorp Vault.

  1. Set the VAULT_ADDR and VAULT_TOKEN attributes as environment variables, as -D Java system properties, or in your liquibase.properties file.
  2. In HashiCorp Vault, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
  3. In your liquibase.properties file or other valid configuration location, specify the path to each secret in your vault. Use the syntax VAULT,PATH,FIELD (the examples below use hashicorp as the VAULT value).
     Note: If your PATH includes whitespace, you must surround it with quotes. For example: "secret/my path/".

The following examples show liquibase.properties files that read their secrets from a vault:

Token authentication

Tip: Token authentication is the recommended way to connect Liquibase to HashiCorp Vault.

Vault usage without namespace using token authentication:

# Enable Liquibase Pro functionality
liquibase.licenseKey= hashicorp,secret/liquibase/license,pro_key

# Properties to store in the vault
url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

# Authentication
vault.addr= ***Vault URL***
vault.token= ***Vault Token***

JSON web token (JWT) authentication

Tip: If you need to use JWT authentication, please email support@liquibase.com for configuration assistance.

Vault usage with namespace using JWT authentication:

# Properties to store in the vault
liquibase.licenseKey= hashicorp,secret/liquibase/license,pro_key
url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

# Authentication
vault.addr= ***Vault URL***
vault.jwt= ***Vault JWT***
vault.namespace= ***Vault Namespace***
vault.role= ***Role for JWT***
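
The VAULT,PATH,FIELD syntax and the two configurations above can be checked before a properties file is committed. The following Python linter is an added example, not part of Liquibase or the extension; parsing with the csv module, the list of properties treated as sensitive, and the policy of flagging vault.token and vault.jwt in the file are assumptions of this example.

```python
import csv

# Assumed policy: these must be vault references; Vault's own credentials stay out of the file.
SENSITIVE = ("liquibase.licenseKey", "url", "username", "password")
VAULT_CREDS = ("vault.token", "vault.jwt")

# Constructed sample input, not a real configuration.
SAMPLE = '''\
liquibase.licenseKey= hashicorp,secret/liquibase/license,pro_key
url= hashicorp,"secret/my path/",url
username= hashicorp,secret/liquibase/username,username
password= example-literal-password
vault.addr= https://vault.example.invalid:8200
vault.token= example-token
'''

def parse_properties(text):
    """Minimal key=value reader (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_vault_ref(value):
    """Return (vault, path, field) for a hashicorp,PATH,FIELD value, else None."""
    parts = next(csv.reader([value], skipinitialspace=True), [])
    if len(parts) != 3 or parts[0] != "hashicorp" or not all(parts):
        return None
    # The page requires quotes around a PATH that contains whitespace.
    if any(c.isspace() for c in parts[1]) and '"' not in value:
        return None
    return tuple(parts)

def lint(text):
    """Return findings for the text of a liquibase.properties file."""
    props, findings = parse_properties(text), []
    for key in SENSITIVE:
        if key in props and parse_vault_ref(props[key]) is None:
            findings.append(f"{key}: literal value, not a hashicorp,PATH,FIELD reference")
    for key in VAULT_CREDS:
        if props.get(key):
            findings.append(f"{key}: Vault credential stored in the properties file")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the constructed sample, it reports the literal password and the vault.token entry; the quoted path with whitespace is accepted.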

Attributes

Attribute          Definition                                                                    Requirement
--license-key      Your Liquibase Pro license key                                                Required
--vault-addr       URL for HashiCorp Vault Server                                                Required
--vault-token      Access Token for HashiCorp Vault Server                                       Optional
--vault-namespace  Namespace for HashiCorp Vault Requests                                        Optional
--vault-jwt        JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended.             Optional
--vault-role       Role for JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended.    Optional

Feedback

Please submit all feedback and issues to this idea board.