This brief tutorial will teach you how to integrate Google Cloud Secret Manager into your Flyway process.
Google Cloud Secret Manager (GCSM) is a cloud service for secrets management, allowing you to securely store and provide access to sensitive information. You can learn more about it here. Flyway integrates with GCSM, letting you securely store and provide access to any confidential Flyway parameters.
This tutorial will assume you already have a GCSM project and know how to configure secrets in it. If you haven’t used GCSM before, follow this tutorial to create a project containing some secrets.
There are two new parameters to configure in Flyway in order to set up the GCSM integration:
gcsm.project
This is the name of the project you have created that contains the secrets.
gcsm.secrets
This is a comma-separated list of secrets in Google Cloud Secret Manager which Flyway should try to read from.
The value of each secret must be structured like a Flyway configuration file. For example, if we wanted to store a database password in a secret, we would give the secret flyway.password=<database_password> as its value.
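The requirement that each secret value be structured like a Flyway configuration file can be checked before the value is uploaded. The following is an added example, not part of Flyway or of the original tutorial; the function name lint_secret_payload, the accepted syntax (one key=value pair per line, with # comment lines) and the sample payloads are assumptions constructed for illustration.

```python
import re

# Assumption: the payload uses one key=value pair per line, with blank lines
# and '#' comment lines ignored. This is a simplified view of the format.
PLACEHOLDER = re.compile(r"^<[^<>]*>$")  # e.g. <database_password> left unfilled


def lint_secret_payload(payload):
    """Return a list of problems. Messages name line numbers and flyway.*
    keys only, never values, so the output is safe to print in CI logs."""
    problems, seen = [], {}
    for lineno, raw in enumerate(payload.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: JDBC URLs may contain '=' themselves.
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            problems.append(f"line {lineno}: not a key=value pair")
            continue
        if not key.startswith("flyway.") or key == "flyway.":
            # The key is not echoed: it may be part of a pasted secret.
            problems.append(f"line {lineno}: key does not start with flyway.")
            continue
        if key in seen:
            problems.append(f"line {lineno}: {key} already set on line {seen[key]}")
        seen[key] = lineno
        if not value:
            problems.append(f"line {lineno}: {key} has an empty value")
        elif PLACEHOLDER.match(value):
            problems.append(f"line {lineno}: {key} is still a template placeholder")
    if not seen:
        problems.append("payload sets no flyway.* parameters")
    return problems


# Constructed sample payloads (not real credentials).
GOOD = ("flyway.url=jdbc:postgresql://db.example.internal:5432/app?ssl=true\n"
        "flyway.user=app_migrator\n"
        "flyway.password=constructed-example-only\n")
BAD = ("# constructed sample\nflyway.url=<database_url>\npassword=hunter2\n"
       "just-a-bare-token\nflyway.user=\nflyway.user=app\n")

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_secret_payload(payload) or "ok")
```

Running the check on the payload before it becomes a secret version catches unfilled placeholders and stray lines without writing any secret value to the terminal or build log.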
Our example will assume that we have:
A GCSM project quixotic-ferret-345678
A secret in that project with name my-flyway-config and the following contents:
flyway.url=<database_url>
flyway.user=<database_user>
flyway.password=<database_password>
If we now execute the following Flyway command:
flyway info -plugins.gcsm.project="quixotic-ferret-345678" -plugins.gcsm.secrets="my-flyway-config"
Flyway will connect to your database without needing the database credentials to be provided in plaintext. Instead, Flyway will read in the specified secret and use its value to configure the database credentials and display the overview of the schema history table that results from info.
In this brief tutorial we saw how to: