Automic VaultAutomic Vault

brew

Install credstash with Homebrew, Nix

Little utility for managing credentials in the cloud. Version 1.17.1 via Homebrew; verified 2026-05-12.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install credstash

local Homebrew formula metadata

overview

Package summary

Little utility for managing credentials in the cloud

Commands and aliases

  • credstash
  • credstash.py

history

Project history and usage

CredStash is a small command-line and Python-library tool for storing secrets with AWS KMS and DynamoDB. It targets teams that want a simple credential store without operating a larger dedicated secrets-management service.

Project history

The README frames CredStash as a response to common ad hoc secret-handling practices such as copying secrets files around a fleet or committing secrets to source control. Its design uses KMS for key wrapping and master-key storage, DynamoDB for encrypted credential records, and AWS IAM for access control.

Adoption history

The project grew beyond a single Python command-line tool through compatible implementations in Java, Ruby, Scala, PHP, Node.js, Go, C#, Erlang, Rust, and Kubernetes-related tooling listed by the upstream README. Later changelog entries also added operational features such as tags, putall, keys, session handling, YAML and dotenv-style output, and multiple-region KMS/DynamoDB support.

How it is used

The standard setup is to install credstash, create or choose a KMS key, ensure AWS credentials are available to boto or botocore, and run credstash setup to create the DynamoDB table. Users then put, get, list, delete, and bulk-fetch versioned secrets from shell scripts or deployment workflows.

Why package nerds care

For package maintainers, CredStash is notable as an AWS-backed secrets CLI that keeps its runtime footprint small but relies on cloud-side primitives. Its Homebrew formula exposes a Python security tool to macOS operators who may otherwise install it from pip.

Timeline

  • 2015-12: README documents an auto-versioning behavior change and migration path for older unpadded integer versions
  • 1.14.0: Added wildcard get, keys, putall, and pagination fixes
  • 1.15.0: Improved packaging and added credential comments
  • 1.16.0: Added autoversion API support, DynamoDB table tagging, environment-variable table selection, and custom DynamoDB/KMS sessions
  • 1.17.0: Added independent KMS-region selection for DynamoDB Global Tables-style deployments

Related projects

  • The README lists compatible CredStash implementations for Java, Ruby, Scala, PHP, Node.js, Go, C#, Erlang, Rust, and Kubernetes.

security posture

Risk level: orange

infrastructure mutation or orchestration signal.

Risk classifier

orange risk · medium confidence · infrastructure

Why

  • infrastructure mutation or orchestration signal

Signals

  • text:cloud

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Installs with 2 runtime dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
~/.aws/config

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.aws/credentials

executables

Installed executables

CommandKindExposureNote
credstashcliglobal executable
credstash.pycliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.17.1
manager updated2026-05-12
local dataok
upstreamnot checked
latest detectednot detected

https://github.com/fugue/credstash

install metadata

Package metadata

Package keybrew:credstash
Version1.17.1
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/credstash
Homepagehttps://github.com/fugue/credstash
Repositoryhttps://github.com/fugue/credstash
Upstream docshttps://github.com/fugue/credstash#readme
LicenseApache-2.0
Source archivehttps://files.pythonhosted.org/packages/b4/89/f929fda5fec87046873be2420a4c0cb40a82ab5e30c6d9cb22ddec41450b/credstash-1.17.1.tar.gz
Last updated2026-05-12T19:39:56Z
Pulseupdated
Dependenciescryptography, python@3.14
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecredstash
Version Scheme0
Revision15
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

credstash

nix profile install nixpkgs#credstash
  • normalized package name match
  • Matched by: Credstash
nixpkgs package indexes · raw.githubusercontent.com · nixpkgs package indexes: credstash from https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/all-packages.nix

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment