Redgate Flyway

AWS Secrets Manager Integration

AWS Secrets Manager offers a solution to the problem of handling database credentials. Secrets such as usernames and passwords can be stored in the Secrets Manager, and then accessed via an id known to authorized users. This keeps sensitive credentials out of application configuration.

Driver

Ships with Flyway Command-line: No
Maven Central coordinates: com.amazonaws.secretsmanager:aws-secretsmanager-jdbc:1.0.5
Supported versions: 1.0.5 and later

Supported databases

Secrets Manager support is currently provided by the AWS Secrets Manager JDBC Library for the following databases:

Database        URL
MariaDB         jdbc-secretsmanager:mariadb://host:port/database
MySQL           jdbc-secretsmanager:mysql://host:port/database
Aurora MySQL    jdbc-secretsmanager:mysql://host:port/database
Oracle          jdbc-secretsmanager:oracle://host:port/database
PostgreSQL      jdbc-secretsmanager:postgresql://host:port/database
SQL Server      jdbc-secretsmanager:sqlserver://host:port;databaseName=database
Redshift        jdbc-secretsmanager:redshift://host:port/database
DB2             jdbc-secretsmanager:db2://host:port/database

Configuring Flyway

To make Flyway pull credentials from the Secrets Manager, you need to perform the following steps:

  • Ensure the AWS CLI is installed and configured to be able to access the Secrets Manager.
  • Add the driver to your project dependencies, or add it to the drivers folder if using the CLI or Flyway Desktop.
  • If you've specified the driver class manually using flyway.driver then remove this configuration property.
  • Modify your connection URL to replace jdbc: with jdbc-secretsmanager:.
  • Change the flyway.user configuration property to contain the secret id.
  • Remove the flyway.password configuration property.

Now you can run migrate, info, etc. and the credentials will be pulled out of the Secrets Manager.
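
The configuration steps above, checked against a flyway.conf before and after the change. This is an added example, not code from the Flyway documentation; it assumes the classic key=value flyway.conf format, and the host, database name, password and secret id are constructed sample values.

```python
# Added example: audit a flyway.conf against the Secrets Manager steps above.
# Host, database, password and secret id below are constructed sample values.

BEFORE = """\
flyway.url=jdbc:postgresql://db.example.internal:5432/orders
flyway.driver=org.postgresql.Driver
flyway.user=orders_app
flyway.password=constructed-sample-password
"""

AFTER = """\
flyway.url=jdbc-secretsmanager:postgresql://db.example.internal:5432/orders
# flyway.user now holds the secret id, not a database username
flyway.user=prod/orders/flyway
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_flyway_conf(text):
    """Return a list of findings; an empty list means the steps were followed."""
    props = parse_conf(text)
    findings = []
    url = props.get("flyway.url", "")
    if not url.startswith("jdbc-secretsmanager:"):
        findings.append("flyway.url does not use the jdbc-secretsmanager: prefix")
    if "flyway.driver" in props:
        findings.append("flyway.driver is set; remove it")
    if not props.get("flyway.user"):
        findings.append("flyway.user is empty; it must contain the secret id")
    if "flyway.password" in props:
        findings.append("flyway.password is still present; remove it")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_flyway_conf(conf) or "OK")
```

The check covers only the configuration file; credentials supplied through environment variables or command-line arguments are outside its scope.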

