Using Liquibase and AWS RDS
Amazon Web Services (AWS) provides a set of cloud-based products including compute, storage, databases, analytics, networking, mobile, developer tools, management tools, IoT, security and enterprise applications.
Amazon Relational Database Service (Amazon RDS) is a web service that helps you set up, operate, and scale a relational database in the AWS Cloud. Amazon RDS is available on several database instance types and offers six database engines including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server.
Each Amazon RDS DB instance has an endpoint, which consists of the DNS name (host) and port number used to connect to the DB instance.
Liquibase integrates with application build and deploy tools for CI/CD on AWS and automates the deployment of database changes in line with related application changes. Using Liquibase and AWS RDS, you can access database engines like PostgreSQL, MariaDB, or Oracle in the cloud and control your deployments by versioning them with SQL, XML, JSON, or YAML files. This means that the code, applications, and tools you use with your existing databases can be used with Liquibase and Amazon RDS to track, manage, and apply database schema changes.
Use AWS IAM Auth Token to connect Liquibase to AWS RDS Databases
AWS provides the ability to generate tokens to authenticate a user to connect to a database.
Further information can be found in this article: Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL
Liquibase doesn't natively support these tokens in the liquibase.properties file. However, in combination with Liquibase Environment Variables, Liquibase can pass along the token as the password for connecting to the target AWS database.
How to:
- Depending on your platform/pipeline, set the password environment variable (LIQUIBASE_COMMAND_PASSWORD), which is the variable that Liquibase reads during Liquibase operations. Note: If you use the environment variable for the password, do not pass it via the CLI or have the password in the liquibase.properties file.
- Below is an example of how this would be on a Linux/Mac platform:
    export LIQUIBASE_COMMAND_PASSWORD="$(aws rds generate-db-auth-token \
        --hostname "$RDSHOST" \
        --port 5432 \
        --region us-east-1 \
        --username mydbuser)"
RDSHOST – The hostname of the DB cluster (cluster endpoint) that you want to access.
mydbuser – The name of the database account to associate with IAM authentication.
- With the AWS CLI, you can call generate-db-auth-token to generate a token, and LIQUIBASE_COMMAND_PASSWORD is set to that token. This allows you to connect to an AWS RDS database with the token.
Need to know more about Liquibase and AWS RDS? Check out the following topics:
- Learn what the Amazon Relational Database Service is
- Create a DB instance and connect to it
- Configure and manage an Amazon RDS DB instance
- Learn about Liquibase and Oracle on AWS RDS
- Learn about Liquibase and PostgreSQL on AWS RDS
- Learn about Liquibase and MariaDB on AWS RDS
- Learn about Liquibase and MySQL on AWS RDS
- Using IAM authentication to connect with pgAdmin Amazon Aurora PostgreSQL or Amazon RDS for PostgreSQL
- Liquibase Environment Variables