Automic VaultAutomic Vault

brew

Install berglas with Homebrew, Nix

Tool for managing secrets on Google Cloud. Version 2.0.14 via Homebrew; verified 2026-06-25.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install berglas

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#berglas

nixpkgs package indexes · pkgs/by-name/be/berglas/package.nix · source: api.github.com

overview

Package summary

Tool for managing secrets on Google Cloud

Commands and aliases

  • berglas

history

Project history and usage

Berglas is a GoogleCloudPlatform command-line tool and Go library for storing and retrieving secrets on Google Cloud. It predates some common Secret Manager workflows and bridges Cloud KMS, Cloud Storage, and Secret Manager access patterns.

Project history

The Berglas repository was created in April 2019, with a v0.1.3 release published in June 2019. Its README describes it as both a CLI for encrypting, decrypting, and storing data on Google Cloud and a library for injecting secrets into Google Cloud runtimes.

The project is explicit about its support status: it lives under GoogleCloudPlatform but is not an officially supported Google product.

Adoption history

Berglas adoption came from teams that needed secret handling around Cloud KMS and Cloud Storage, then later interoperability with Secret Manager. It fit CI/CD and serverless workflows where environment injection and CLI automation were convenient.

Homebrew packaging made it easy for macOS operators to bootstrap and inspect Google Cloud secret workflows locally while using Application Default Credentials from the Cloud SDK.

How it is used

Common commands create secrets, grant access, read secret data, bootstrap buckets and KMS keys, and run child processes with secrets populated in the environment.

Authentication usually follows Google Cloud Application Default Credentials, which is why the package curation points at the gcloud ADC credentials file rather than a Berglas-specific credentials file.

Why package nerds care

Berglas is package-nerd significant as a small Go security CLI with cloud-side state. Installing the package gives a local executable, but most real behavior depends on enabled Google Cloud services, IAM, KMS keys, buckets, or Secret Manager resources.

It is also a snapshot of a transitional Google Cloud secrets era: the tool supports the older Cloud Storage plus KMS pattern while documenting interoperability with Secret Manager.

Timeline

  • 2019-04: The GoogleCloudPlatform/berglas repository was created.
  • 2019-06: Berglas v0.1.3 was published.
  • 2020s: Berglas documentation continued to emphasize Cloud KMS, Cloud Storage, Secret Manager interoperability, and ADC-based setup.

Related projects

  • Google Cloud KMS supplies encryption keys for the original storage model.
  • Google Cloud Storage stores encrypted secret blobs in the original model.
  • Google Secret Manager is the related managed service with Berglas interoperability.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:cloud

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.config/gcloud/application_default_credentials.json
Windows
%APPDATA%\gcloud\application_default_credentials.json

executables

Installed executables

CommandKindExposureNote
berglascliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.0.14
manager updated2026-06-25
local dataok
upstreamcurrent
latest detectedv2.0.14

https://github.com/GoogleCloudPlatform/berglas

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:berglas
Version2.0.14
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/berglas
Homepagehttps://github.com/GoogleCloudPlatform/berglas
Repositoryhttps://github.com/GoogleCloudPlatform/berglas
Upstream docshttps://github.com/GoogleCloudPlatform/berglas#readme
LicenseApache-2.0
Source archivehttps://github.com/GoogleCloudPlatform/berglas/archive/refs/tags/v2.0.14.tar.gz
Last updated2026-06-25T08:16:09Z
Pulseupdated
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Nameberglas
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

berglas

nix profile install nixpkgs#berglas
  • normalized package name match
  • Matched by: Berglas
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/be/berglas/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment