Tutorial - Manage Secrets with HashiCorp Vault
Published 20 April 2026
EDITION: ENTERPRISE
This tutorial shows you how to configure Flyway's Vault resolver to fetch database credentials from HashiCorp Vault at runtime.
Pre-requisites
- Flyway Enterprise Edition
- A HashiCorp Vault instance with a key-value secret engine enabled
- A Vault token with read access to the secrets Flyway needs
- Network access from the machine running Flyway to the Vault API endpoint
If you are new to Vault, see the Vault getting started guide.
Storing secrets in Vault
Store your database credentials as key-value pairs. For example, using the Vault CLI:
vault kv put secret/flyway/production \
  db_user="flyway_deployer" \
  db_password="s3cur3_p@ssw0rd"
Configuring Flyway
Either configure the Vault settings in your project TOML:
[environments.production]
url = "jdbc:postgresql://prod-host:5432/mydb"
user = "${vault.flyway/production/db_user}"
password = "${vault.flyway/production/db_password}"
[environments.production.resolvers.vault]
url = "http://vault.internal:8200/v1"
token = "${VAULT_TOKEN}"
engineName = "secret"
engineVersion = "v2"
flyway info -environment=production
Or define the connection information inline:
flyway info \
-environment=production \
-environments.production.url="jdbc:postgresql://prod-host:5432/mydb" \
-environments.production.user='${vault.flyway/production/db_user}' \
-environments.production.password='${vault.flyway/production/db_password}' \
-environments.production.resolvers.vault.url="http://vault.internal:8200/v1" \
-environments.production.resolvers.vault.token="$VAULT_TOKEN" \
-environments.production.resolvers.vault.engineName="secret" \
-environments.production.resolvers.vault.engineVersion="v2"
Vault secrets cannot currently be configured using Flyway Desktop, though any configuration set in the TOML will be honored.
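The placeholders and resolver settings above together name one key in one Vault secret. The Python below is an added example, not Flyway's own code: it maps a ${vault.<path>/<key>} placeholder to the Vault KV read URL and flags resolver settings that expose the token. It assumes the last placeholder segment is the key (as the tutorial's values suggest) and the standard Vault KV v1/v2 HTTP layout; the function names and sample data are hypothetical and constructed.

```python
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\$\{vault\.([^}]+)\}")

def kv_read_url(resolver, placeholder):
    """Map a ${vault.<path>/<key>} placeholder to (KV read URL, key name)."""
    m = PLACEHOLDER.fullmatch(placeholder)
    if not m or "/" not in m.group(1):
        raise ValueError(f"not a vault placeholder: {placeholder!r}")
    path, key = m.group(1).rsplit("/", 1)   # assumption: last segment is the key
    base = resolver["url"].rstrip("/")
    engine = resolver["engineName"].strip("/")
    if resolver["engineVersion"] == "v2":
        # KV v2 inserts "data/" between the mount name and the secret path.
        return f"{base}/{engine}/data/{path}", key
    return f"{base}/{engine}/{path}", key

def extract(resolver, body, key):
    """Pull one key out of a KV read response; v2 nests data one level deeper."""
    data = body["data"]["data"] if resolver["engineVersion"] == "v2" else body["data"]
    return data[key]

def preflight(resolver):
    """Return warnings for resolver settings that expose the Vault token."""
    warnings = []
    if urlsplit(resolver["url"]).scheme != "https":
        warnings.append("vault url is not https: token and secrets cross the network unencrypted")
    if not re.fullmatch(r"\$\{[^}]+\}", resolver["token"]):
        warnings.append("token is a literal in config: use a placeholder resolved at runtime")
    return warnings

# Constructed sample mirroring the tutorial's resolver settings.
RESOLVER = {"url": "http://vault.internal:8200/v1", "token": "${VAULT_TOKEN}",
            "engineName": "secret", "engineVersion": "v2"}
# Constructed KV v2 response body; the password value is a stand-in.
SAMPLE_BODY = {"data": {"data": {"db_user": "flyway_deployer", "db_password": "<constructed>"},
                        "metadata": {"version": 1}}}

if __name__ == "__main__":
    url, key = kv_read_url(RESOLVER, "${vault.flyway/production/db_user}")
    print(url, "->", extract(RESOLVER, SAMPLE_BODY, key))
    for warning in preflight(RESOLVER):
        print("WARN:", warning)
```

Run against the tutorial's settings, the check reports the plain-HTTP Vault URL; the token placeholder passes because it is not a literal.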