Get the most out of Flyway v7 - Sign up for our webinar on the Redgate Hub ▶ Watch now

AWS Secrets Manager support

Flyway Teams

A problem that organizations often encounter is where to store the credentials for connecting to the database. AWS Secrets Manager offers a solution to the problem. Secrets such as usernames and passwords can be stored in the Secrets Manager, and then be accessed via an id known to authorized users. This keeps sensitive credentials out of application configuration.

Driver

Ships with Flyway Command-line No
Maven Central coordinates com.amazonaws.secretsmanager:aws-secretsmanager-jdbc:1.0.5
Supported versions 1.0.5 and later

Supported databases

Secrets Manager support is currently provided by the AWS Secrets Manager JDBC Library for the following databases:

  • MariaDB
  • MySQL
  • Oracle
  • PostgreSQL
  • SQL Server

Configuring Flyway

To make Flyway pull credentials from the Secrets Manager, you need to perform the following steps:

  • Ensure the AWS CLI is installed and configured to be able to access the Secrets Manager.
  • Add the driver to your project dependencies, or add it to the drivers folder if using the CLI.
  • If you’ve specified the driver class manually using flyway.driver then remove this configuration property.
  • Modify your connection URL to replace jdbc: with jdbc-secretsmanager:.
    • e.g. jdbc:mariadb://localhost:1234/example_db -> jdbc-secretsmanager:mariadb://localhost:1234/example_db
  • Change the flyway.user configuration property to contain the secret id.
  • Remove the flyway.password configuration property.

Now you can run migrate, info, etc and the credentials will be pulled out of the Secrets Manager.

Placeholders