Liquibase HashiCorp Vault Extension

Natively read your HashiCorp Vault secrets in Liquibase. For more information, see HashiCorp Vault documentation.

Supported products

Liquibase Pro

Requirements

  • Liquibase 4.10+
  • Liquibase Pro license
  • HashiCorp Vault with V1 API enabled

Installation

The easiest way to install this extension is with lpm (Liquibase Package Manager).

lpm update
lpm add hashicorp-vault

Setup

A Liquibase Pro License key is required.

Required parameters

--vault-addr=PARAM
    URL for HashiCorp Vault Server
    (liquibase.vault.addr)
    (LIQUIBASE_VAULT_ADDR)
    [deprecated: --vaultAddr]

Optional parameters

--vault-namespace=PARAM
    Namespace for HashiCorp Vault Requests
    DEFAULT:
    (liquibase.vault.namespace)
    (LIQUIBASE_VAULT_NAMESPACE)
    [deprecated: --vaultNamespace]

You may use JWT to authenticate:

--vault-jwt=PARAM
    JWT for HashiCorp Vault Server
    (liquibase.vault.jwt)
    (LIQUIBASE_VAULT_JWT)
    [deprecated: --vaultJwt]
--vault-role=PARAM
    Role for JWT for HashiCorp Vault Server
    (liquibase.vault.role)
    (LIQUIBASE_VAULT_ROLE)
    [deprecated: --vaultRole]

You may also use a token to authenticate:

--vault-token=PARAM
    Access Token for HashiCorp Vault Server
    (liquibase.vault.token)
    (LIQUIBASE_VAULT_TOKEN)
    [deprecated: --vaultToken]

Using secrets in liquibase.properties

Any property in a liquibase.properties file can be stored in HashiCorp Vault. Use the syntax VAULT,PATH,FIELD to tell the Vault plugin which properties to populate from Vault. In the examples below, the first element is hashicorp, followed by the secret path and the field name.

Token authentication

Tip: Token authentication is the recommended means of connecting Liquibase to HashiCorp Vault.

Vault usage without namespace using token authentication:

url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

liquibase.pro.licenseKey= ***Insert Pro License Key***

vault.addr= ***Vault URL***
vault.token= ***Vault Token***

JSON web token (JWT) authentication

Warning: Liquibase recommends that you use token authentication instead of JWT authentication for your HashiCorp Vault secrets.

Vault usage with namespace using JWT authentication:

url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password

liquibase.pro.licenseKey= ***Insert Pro License Key***

vault.addr= ***Vault URL***
vault.jwt= ***Vault JWT***
vault.namespace= ***Vault Namespace***
vault.role= ***Role for JWT***
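
A pre-commit style check for the reference syntax above, as an added example that is not part of Liquibase or this extension: it parses a liquibase.properties file, reports url, username or password values that are not hashicorp,PATH,FIELD references, and reports a Vault token or JWT written into the file when the environment variables listed under Setup could carry it instead. The set of checked keys, the function names and the sample values are assumptions made for this example.

```python
import re

# Reference form used in this page's examples: hashicorp,<path>,<field>
VAULT_REF = re.compile(r"^hashicorp,([^,\s]+),([^,\s]+)$")
# Assumption: the properties this check requires to be Vault references.
SECRET_KEYS = {"url", "username", "password"}
# Vault credentials from this page and their environment-variable forms.
VAULT_CREDS = {"vault.token": "LIQUIBASE_VAULT_TOKEN", "vault.jwt": "LIQUIBASE_VAULT_JWT"}

def parse_properties(text):
    """Minimal key=value parser; skips blank lines and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings for one liquibase.properties file."""
    props = parse_properties(text)
    findings = []
    for key in sorted(SECRET_KEYS & props.keys()):
        if not VAULT_REF.match(props[key]):
            findings.append(f"{key}: not a hashicorp,PATH,FIELD reference")
    for key, env in VAULT_CREDS.items():
        if props.get(key):
            findings.append(f"{key}: credential in file, could be set via {env}")
    return findings

# Constructed sample inputs (not real hosts, users or tokens).
GOOD_SAMPLE = """\
url= hashicorp,secret/liquibase/url,url
username= hashicorp,secret/liquibase/username,username
password= hashicorp,secret/liquibase/password,password
vault.addr= https://vault.example.internal:8200
"""
BAD_SAMPLE = """\
url= hashicorp,secret/liquibase/url,url
username= app_user
password= hashicorp,secret/liquibase/password
vault.token= CONSTRUCTED-TOKEN-VALUE
"""

if __name__ == "__main__":
    print(audit(GOOD_SAMPLE), audit(BAD_SAMPLE), sep="\n")
```

In BAD_SAMPLE the password line is reported because it has a path but no field, so it does not match the three-part reference form.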

Feedback

Please submit all feedback and issues to this idea board.