If you're running Liquibase using the Maven plugin using mvn liquibase: update, installing the extension with Maven ensures the right files are available and everything works together automatically. You can manage these extensions by adding them as dependencies in your project’s pom.xml file. Configuring Maven this way ensures that the necessary JAR files are retrieved from Maven Central during the build phase.

1. Configure your AWS keys as local environment variables or in your AWS configuration files. You can use these secure credentials instead of a traditional username and password. You must set the following keys:

• AWS_ACCESS_KEY_ID

• AWS_SECRET_ACCESS_KEY

• AWS_SESSION_TOKEN (optional)

Note: The Liquibase DynamoDB extension automatically detects the value of AWS_REGION from your database connection URL, so you don't have to specify it in your config file (~/.aws/config).

In your shared credentials file (~/.aws/credentials), you can use temporary values from your AWS access portal. For example:

[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY aws_session_token=IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZ2luX2IQoJb3JpZVERYLONGSTRINGEXAMPLE

2. Ensure your AWS user account has Identity and Access Management (IAM) permissions to make the following API actions: "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:UpdateTable", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:ConditionCheckItem", "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:PartiQLDelete", "dynamodb:PartiQLInsert", "dynamodb:PartiQLSelect", "dynamodb:PartiQLUpdate", "dynamodb:Query", "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:TagResource", "dynamodb:UntagResource"

You may want to add more permissions. For a list of permission keys, see Actions, resources, and condition keys for Amazon DynamoDB.

3. (Optional) If you want to make operations with the sseSpecification feature, you must also have the following permissions:

"kms:DescribeKey", "kms:CreateGrant"

4. (Optional) If you want to use AWS Secrets Manager, you must also have the following permissions:

"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets", "secretsmanager:ListSecretVersionIds"

5. (Optional) If you want to use changelogs from AWS S3, you must also have the following permissions:

"s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts"

6. (Optional) Specify custom values for Liquibase parameters for Amazon DynamoDB Secure. This is only necessary if you do not want to use the default Liquibase values. You can set these in your command line (CLI), in your liquibase.properties file, or as environment variables. There are two groups of parameters:

• Those that specify the initial billing modes and read/write capacity for Liquibase tracking tables: DATABASECHANGELOG and DATABASECHANGELOGLOCK.

• Those that specify the number of polling attempts, time between attempts, total timeouts, and timeout behavior for the DynamoDB waiter to use when running create, update, and delete operations through Liquibase.

1. Ensure your Amazon DynamoDB database is configured. For more information, see Amazon: Setting Up DynamoDB.

2. Ensure your Liquibase Secure license key is specified. For example, in a liquibase.properties file (defaults file): licenseKey: zQl8kNZjZgSp9LvqWQFAtGwiHrpg97UyAfQrNSiJQBCDH8FQPdDzANUpIe4Bj3CZA2IXgDBaoYZFvMw0E/s4JcECB3/A6jO+...

3. Specify the database URL in the liquibase.properties file (defaults file), along with other properties you want to set a default value for. Liquibase does not parse the URL. You can either specify the full database connection string or specify the URL using your database's standard connection format:

• Cloud: url: https://dynamodb.<region>.amazonaws.com

• Local: url: dynamodb://localhost:8000

Note: For a list of AWS regions and other parameters that you can use in your URL, see AWS service endpoints. For example, url: https://dynamodb.us-west-2.amazonaws.com.

To apply a Liquibase Secure key to your project, add the following property to the Liquibase properties file: licenseKey: <paste code here>

1. Create a text file called changelog (.yaml, .json, or .xml) in your project directory and add a changeset.

2. Navigate to your project folder in the CLI and run the Liquibasestatuscommand to see whether the connection is successful:

liquibase status --changelog-file=<changelog.xml>

Note:You can specify arguments in the CLI or keep them in the Liquibase properties file.

If your connection is successful, you'll see a message like this:

4 changesets have not been applied to <your_connection_url> Liquibase command 'status' was executed successfully.

3. Execute these changes to your database with theupdatecommand:

liquibase update --changelog-file=<changelog.xml>

If yourupdateis successful, Liquibase runs each changeset and displays a summary message ending with:

Liquibase: Update has been successful. Liquibase command 'update' was executed successfully.

4. From a database UI tool, ensure that your database contains theMusic3<format>object you added along with the DATABASECHANGELOG table and DATABASECHANGELOGLOCK table.

Now you're ready to start deploying database changes with Liquibase.