Tutorial - Manage Secrets with AWS Secrets Manager
Published 20 April 2026
EDITION: ENTERPRISE
This tutorial shows you how to configure Flyway to retrieve database credentials from AWS Secrets Manager at connection time using the `jdbc-secretsmanager` URL prefix.
Pre-requisites
- Flyway Enterprise Edition
- An AWS Secrets Manager secret containing database credentials
- AWS credentials available to Flyway (via environment variables, IAM role, or AWS credentials file)
- Supported databases:
  AWS Secrets Manager integration is supported with: MySQL, MariaDB, PostgreSQL, SQL Server, Oracle, DB2, and Redshift.
  It is not supported with TimescaleDB or YugabyteDB.
Storing credentials in AWS Secrets Manager
Create a secret containing your database username and password. Using the AWS CLI:
```
aws secretsmanager create-secret \
  --name flyway/production \
  --secret-string '{"username":"flyway_deployer","password":"s3cur3_p@ssw0rd"}'
```
The secret must contain `username` and `password` keys. The secret name will be used to identify the credential set when connecting.
Configuring Flyway
Replace the `jdbc:` prefix in your JDBC URL with `jdbc-secretsmanager:`. Flyway will use the AWS Secrets Manager JDBC driver to retrieve the credentials at connection time.
Do not provide user or password — they are fetched from the secret automatically.
The secret to use is determined by the AWS Secrets Manager JDBC driver based on the connection URL. To specify a particular secret by name, pass it via `jdbcProperties`.
Examples:
```
jdbc-secretsmanager:postgresql://prod-host:5432/mydb
jdbc-secretsmanager:mysql://prod-host:3306/mydb
jdbc-secretsmanager:mariadb://prod-host:3306/mydb
jdbc-secretsmanager:sqlserver://prod-host:1433;databaseName=mydb
jdbc-secretsmanager:oracle:thin:@prod-host:1521/ORCL
jdbc-secretsmanager:db2://prod-host:50000/mydb
jdbc-secretsmanager:redshift://prod-host:5439/mydb
```
Either configure the settings in your project TOML
```
[environments.production]
url = "jdbc-secretsmanager:postgresql://prod-host:5432/mydb"

[environments.production.jdbcProperties]
secretId = "flyway/production"
```
```
flyway info -environment=production
```
or define the connection information inline
```
flyway info -url="jdbc-secretsmanager:postgresql://prod-host:5432/mydb"
```
Vault secrets cannot currently be configured using Flyway Desktop, though any configuration set in the TOML will be honored.
AWS authentication
The AWS Secrets Manager JDBC driver uses the standard AWS credential provider chain. Common approaches:
- Environment variables:
  ```
  export AWS_ACCESS_KEY_ID="AKIA..."
  export AWS_SECRET_ACCESS_KEY="..."
  export AWS_REGION="eu-west-1"
  flyway migrate -environment=production
  ```
- IAM role (AWS infrastructure): On EC2, ECS, EKS, or Lambda, the attached IAM role is used automatically.
- AWS credentials file: Configure a profile in `~/.aws/credentials`.
Ensure the IAM identity has the `secretsmanager:GetSecretValue` permission on the secret Flyway needs to read.
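As an added illustration of scoping that permission (not code from the Flyway documentation), the sketch below audits an identity policy for access that reaches beyond the one secret Flyway reads. Secrets Manager appends a hyphen and six random characters to the secret name in its ARN, which is why the scoped policy ends in `-??????`. The account ID `111122223333`, the ARN suffixes, the `billing/api-key` decoy and the `audit` helper are constructed for the example, and the check ignores `Deny`, `NotAction` and `Condition` elements.

```python
import fnmatch
import json

ACTION = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive
# Constructed ARNs: placeholder account 111122223333, made-up 6-character suffixes.
PREFIX = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:"
TARGET = PREFIX + "flyway/production-AbCdEf"  # the secret Flyway should read
DECOY = PREFIX + "billing/api-key-QwErTy"     # a secret it should not read


def _listify(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # fnmatch approximates IAM's * and ? wildcards (assumption of this sketch).
    return any(fnmatch.fnmatchcase(candidate, p) for p in _listify(patterns))


def audit(policy_json):
    """Return (can_read_target, findings) for an identity policy document."""
    can_read, findings = False, []
    for i, stmt in enumerate(_listify(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _listify(stmt.get("Action", []))]
        if not _matches(actions, ACTION):
            continue  # statement does not grant GetSecretValue at all
        resources = stmt.get("Resource", [])
        can_read = can_read or _matches(resources, TARGET)
        if _matches(resources, DECOY):
            findings.append(f"Statement {i}: Resource also covers unrelated secrets")
        if any("*" in a for a in actions):
            findings.append(f"Statement {i}: wildcard Action grants more than GetSecretValue")
    return can_read, findings


# Constructed sample policies: an over-broad grant and a scoped one.
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": PREFIX + "flyway/production-??????"}]})

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit(doc))
```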
To specify the AWS region explicitly, set the `AWS_REGION` environment variable or configure it in your AWS SDK settings.