Using Liquibase and AWS RDS

Amazon Web Services (AWS) provides a set of cloud-based products including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security and enterprise applications.

Amazon Relational Database Service (Amazon RDS) is a web service that helps you set up, operate, and scale a relational database in the AWS Cloud. Amazon RDS is available on several database instance types and offers six database engines including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server.

Each Amazon RDS DB instance has an endpoint, which consists of the DNS name (host) and port number used to connect to that DB instance.

Liquibase integrates with application build and deploy tools for CI/CD on AWS and automates the deployment of database changes in line with related application changes. Using Liquibase and AWS RDS, you can access database engines like PostgreSQL, MariaDB, or Oracle in the cloud and control your deployments by versioning them in SQL, XML, JSON, or YAML files. This means that the code, applications, and tools you use with your existing databases can be used with Liquibase and Amazon RDS to track, manage, and apply database schema changes.

Use AWS IAM Auth Token to connect Liquibase to AWS RDS Databases

AWS can generate tokens that authenticate a user connecting to a database.
Further information can be found in this article: Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL.

Liquibase doesn't natively support these tokens in the liquibase.properties file. However, in combination with Liquibase Environment Variables, Liquibase can pass along the token as the password for connecting to the target AWS database.

How to:

  1. Set the password environment variable (LIQUIBASE_COMMAND_PASSWORD), which Liquibase reads during its operations. How you set it depends on your platform or pipeline.

    Note: If you use the environment variable for the password, do not also pass the password via the CLI or keep it in the liquibase.properties file.

  2. The following example shows how to do this on a Linux/Mac platform:
      # Generate an IAM auth token and expose it to Liquibase as the password
      export LIQUIBASE_COMMAND_PASSWORD="$(aws rds generate-db-auth-token \
      --hostname "$RDSHOST" \
      --port 5432 \
      --region us-east-1 \
      --username mydbuser)"

      RDSHOST – The hostname of the DB cluster (cluster endpoint) that you want to access.

      mydbuser – The name of the database account to associate with IAM authentication.

  3. With the AWS CLI, you can call generate-db-auth-token to generate a token automatically, and LIQUIBASE_COMMAND_PASSWORD is set to that token. This allows Liquibase to connect to the AWS RDS database with the token.
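
The steps above as a fail-closed wrapper (an added example, not part of the Liquibase documentation): `export VAR="$(...)"` reports success even when the `aws` call fails, which would leave Liquibase running with an empty password. The function names `generate_token` and `export_liquibase_token` are hypothetical; the shape check assumes the presigned-request token format the AWS CLI emits.

```shell
#!/bin/sh
# Added example (not from the Liquibase docs). Function names are hypothetical.

# Thin wrapper around the AWS CLI call shown above, so it can be stubbed in tests.
generate_token() {
  aws rds generate-db-auth-token \
    --hostname "$1" --port "$2" --region "$3" --username "$4"
}

# export_liquibase_token HOST PORT REGION DBUSER
# Sets LIQUIBASE_COMMAND_PASSWORD only if a well-formed token was produced.
export_liquibase_token() {
  _host=$1 _port=$2 _region=$3 _user=$4
  unset LIQUIBASE_COMMAND_PASSWORD   # never reuse a stale token

  # Assign first, export later: 'export VAR="$(cmd)"' hides cmd's exit status.
  _tok=$(generate_token "$_host" "$_port" "$_region" "$_user") || {
    echo "generate-db-auth-token failed; password not set" >&2
    return 1
  }

  # The CLI emits a presigned request:
  #   host:port/?Action=connect&...&X-Amz-Signature=...
  case $_tok in
    "$_host:$_port/?"*"Action=connect"*"X-Amz-Signature="?*) ;;
    *)
      # Report the problem without printing the token itself.
      echo "unexpected token format; password not set" >&2
      unset _tok
      return 1
      ;;
  esac

  export LIQUIBASE_COMMAND_PASSWORD="$_tok"
  unset _tok
}

# Usage (tokens expire after 15 minutes, so generate one right before each run):
#   export_liquibase_token "$RDSHOST" 5432 us-east-1 mydbuser && liquibase update
#   unset LIQUIBASE_COMMAND_PASSWORD
```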
