Liquibase HashiCorp Vault Extension

You can natively read your application secrets in Liquibase with the Hashicorp Vault extension. If you connect to your vault using the liquibase.properties file, you can store sensitive Liquibase authentication details such as database url, username, and password attributes and your Liquibase Pro license key in your vault.

For more information, see HashiCorp Vault documentation.

Requirements

• Liquibase 4.18.0+
• Liquibase Pro license. See How to Apply Your Liquibase Pro License Key
• HashiCorp Vault with V1 API enabled

Installation

CLI

1. Navigate to the liquibase-hashicorp-vault extension on Maven Central
2. Download liquibase-hashicorp-vault-<version>.jar and move it to the liquibase/lib directory

Maven

If you use Maven, add the HashiCorp Vault extension dependency in your pom.xml file to download the JAR:

<dependency>
    <groupId>org.liquibase.ext.vaults</groupId>
    <artifactId>liquibase-hashicorp-vault</artifactId>
    <version>1.0.0</version>
</dependency>

Liquibase Package Manager

Alternatively, you can install the HashiCorp Vault extension with lpm (Liquibase Package Manager).

lpm update
lpm add liquibase-hashicorp-vault

Usage

You can store any Liquibase property in HashiCorp Vault.

1. Set the VAULT_ADDR and VAULT_TOKEN attributes as environment variables, as -D Java system properties, or in your liquibase.properties file.
2. In HashiCorp Vault, configure sensitive properties like your database username, password, URL, and Liquibase Pro license key as secrets.
3. In your liquibase.properties file or other valid configuration location, specify the path to each secret in your vault. Use the syntax VAULT,PATH,FIELD.

Note: If your PATH includes whitespace, you must surround it with quotes. For example: "secret/my path/".

The following example shows a liquibase.properties file configured to store secrets in a vault:

Token authentication

Tip: Token authentication is the recommended way to connect Liquibase to HashiCorp Vault.

Vault usage without namespace using token authentication:

# Enable Liquibase Pro functionality
liquibase.licenseKey= hashicorp,secret/liquibase/license,pro_key

# Properties to store in the vault
url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

# Authentication
vault.addr= ***Vault URL***
vault.token= ***Vault Token***

JSON web token (JWT) authentication

Tip: If you need to use JWT authentication, please email support@liquibase.com for configuration assistance.

Vault usage with namespace using JWT authentication:

# Properties to store in the vault
liquibase.licenseKey= hashicorp,secret/liquibase/license,pro_key
url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

# Authentication
vault.addr= ***Vault URL***
vault.jwt= ***Vault JWT***
vault.namespace= ***Vault Namespace***
vault.role= ***Role for JWT***

Attributes

Attribute	Definition	Requirement
--license-key	Your Liquibase Pro license key	Required
--vault-addr	URL for HashiCorp Vault Server	Required
--vault-token	Access Token for HashiCorp Vault Server	Optional
--vault-namespace	Namespace for HashiCorp Vault Requests	Optional
--vault-jwt	JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended.	Optional
--vault-role	Role for JSON Web Token (JWT) for HashiCorp Vault Server. Not recommended.	Optional

Feedback

Please submit all feedback and issues to this idea board.