Liquibase CyberArk PAM Vault Extension

Natively read your CyberArk PAM (Privileged Access Manager) based vault secrets in Liquibase. For more information, see CyberArk PAM documentation.

Supported products

Liquibase Pro


  • Liquibase 4.10+
  • Liquibase Pro license
  • CyberArk PAM Vault with API enabled
  • RootCA certificate in your Java security keystore (typically cacerts)


The easiest way to install this extension is with lpm (Liquibase Package Manager).

lpm update
lpm add cyberarkpam-vault


A Liquibase Pro License key is required.

Required parameters

    URL for CyberArk PAM Vault Server
    [deprecated: --vaultAddr]

    Certificate for CyberArk PAM Vault Server
    [deprecated: --vaultCertfile]

Adding RootCA certificate in your Java security keystore


sudo keytool -importcert -alias CyberArkRoot -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit -file RootCA.crt

If there is an error message showing PKIX exception, you could have imported into the wrong cacerts file. Run liquibase -version to see which JVM Liquibase is using

To debug the SSL connection, you can add this Java environment variable to your command line:

Using secrets in

Any property in a file can be stored in CyberArk PAM Vault. Use the syntax VAULT_TYPE,PATH_TO_NAME_IN_PAM,FIELD_TO_MAP to tell the vault plugin which properties to populate from the vault:

username= cyberarkpam,UserName,username
password= cyberarkpam,Content,password


Please submit all feedback and issues to this idea board.

Related links