Redgate Flyway

Tutorial - Manage Secrets with Google Cloud Secret Manager

EDITION: ENTERPRISE

This tutorial shows you how to configure Flyway's GCSM resolver to fetch database credentials from Google Cloud Secret Manager at runtime.

Pre-requisites

  • Flyway Enterprise Edition
  • A Google Cloud project with Secret Manager enabled
  • Secrets created in the project containing the values Flyway needs
  • Authentication to Google Cloud — either a service account key file or workload identity on GCP infrastructure

If you are new to GCSM, see the Secret Manager quickstart.

Storing secrets in Google Cloud Secret Manager

Create secrets using the `gcloud` CLI:

echo -n "flyway_deployer" | gcloud secrets create prod-db-user --data-file=- --project=my-gcp-project
echo -n "s3cur3_p@ssw0rd" | gcloud secrets create prod-db-password --data-file=- --project=my-gcp-project

Configuring Flyway

Either configure the gcsm settings in your project TOML:

[environments.production]
url = "jdbc:postgresql://prod-host:5432/mydb"
user = "${googlesecrets.prod-db-user}"
password = "${googlesecrets.prod-db-password}"

[environments.production.resolvers.gcsm]
project = "my-gcp-project"

and run Flyway against that environment:

flyway info -environment=production

or define the connection information inline:

flyway info \
  -environment=production \
  -environments.production.url="jdbc:postgresql://prod-host:5432/mydb" \
  -environments.production.user='${googlesecrets.prod-db-user}' \
  -environments.production.password='${googlesecrets.prod-db-password}' \
  -environments.production.resolvers.gcsm.project="my-gcp-project"

Google Cloud Secret Manager secrets cannot currently be configured using Flyway Desktop, though any configuration set in the TOML will be honored.

Authenticating to Google Cloud

  • Service account key file:
    export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
    flyway migrate -environment=production

  • Workload identity (GCP infrastructure): The attached service account is used automatically.
  • Application Default Credentials (development):
    gcloud auth application-default login
