A problem that organizations often encounter is where to store and how to access sensitive data such as the credentials for connecting to a database or their Flyway license key.
Flyway comes with support for the following secrets management solutions that enable you to successfully handle sensitive data:
AWS Secrets Manager offers a solution to the problem of handling database credentials. Secrets such as usernames and passwords can be stored in the Secrets Manager, and then accessed via an id known to authorized users. This keeps sensitive credentials out of application configuration.
| Ships with Flyway Command-line | No |
| Maven Central coordinates | |
Secrets Manager support is currently provided by the AWS Secrets Manager JDBC Library for the following databases:
To make Flyway pull credentials from the Secrets Manager, you need to perform the following steps:
flyway.driver then remove this configuration property.
flyway.user configuration property to contain the secret id.
Now you can run
info, etc. and the credentials will be pulled out of the Secrets Manager.
Flyway integrates with Vault’s key-value engine to let users store Flyway configuration parameters securely. This lets you read license keys without storing them in application configuration; other configuration parameters, such as your database password or Flyway placeholders, can be stored and read the same way.
Parameters stored in secrets in Vault are read with the highest priority and will override all other configurations.
Assume we have the following two secrets in Vault:
flyway.url=jdbc:h2:mem:db and uses key-value engine V1
flyway.user=sa and uses key-value engine V2
In order to read these secrets you need to configure just the following Flyway parameters:
After configuring the above parameters, we would be able to connect to a database in Flyway without configuring a database connection locally as all of the necessary configuration would be read from Vault.
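The precedence rule and the two engine versions described above, as an added example that is not part of the Flyway documentation or Flyway's own code: it reads one KV V1 and one KV V2 response, merges them over a local configuration with Vault winning, and reports which local settings were replaced. The sample responses are constructed in the shape Vault's KV read API returns, it is assumed that each secret field is one Flyway property, and `secret_fields` and `effective_config` are hypothetical helper names.

```python
import json

# Constructed sample responses in the shape Vault's HTTP read API returns.
# KV v1 puts the secret's fields directly under "data"; KV v2 nests them
# under "data.data" next to "metadata".
KV1_RESPONSE = json.dumps({"data": {"flyway.url": "jdbc:h2:mem:db"}})
KV2_RESPONSE = json.dumps({
    "data": {"data": {"flyway.user": "sa"},
             "metadata": {"version": 3}}
})


def secret_fields(raw_json, kv_version):
    """Return the fields of one Vault KV read response (assumed layout)."""
    if kv_version not in (1, 2):
        raise ValueError(f"unsupported KV engine version: {kv_version}")
    body = json.loads(raw_json).get("data") or {}
    if kv_version == 2:
        body = body.get("data") if isinstance(body, dict) else None
    # A nested object or a missing level means the wrong engine version
    # was declared for this secret path.
    if not isinstance(body, dict) or any(
            isinstance(v, dict) for v in body.values()):
        raise ValueError("unexpected shape: check the KV engine version")
    return {k: str(v) for k, v in body.items()}


def effective_config(local, vault_secrets):
    """Merge local settings with Vault fields; Vault wins on every conflict.

    vault_secrets is a list of (raw_json, kv_version) pairs. Returns the
    merged config and the sorted list of local keys that Vault overrode.
    """
    merged, overridden = dict(local), set()
    for raw_json, kv_version in vault_secrets:
        for key, value in secret_fields(raw_json, kv_version).items():
            if key in local and local[key] != value:
                overridden.add(key)
            merged[key] = value
    return merged, sorted(overridden)


if __name__ == "__main__":
    # Constructed local config: a URL that the Vault secret will replace.
    local = {"flyway.url": "jdbc:h2:file:./dev", "flyway.locations": "sql"}
    config, overridden = effective_config(
        local, [(KV1_RESPONSE, 1), (KV2_RESPONSE, 2)])
    print(config, overridden)
```

Because Vault values override everything else, the list of overridden keys is worth logging: whoever can write to the configured secret paths decides which database Flyway connects to.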