Hm, not sure I understand how Google Secret Manager relates to Berglas to be honest, thought those two were separate APIs...
As for Berglas itself, we also use it and have been very happy with it. Since you put just the names of your secrets into the ENV files, not the secrets themselves, they can be easily stored in version control, passed around in chat and you can just do whatever you want with them. Instead of:
ENV_PASS=my-secret-pass
You do:
ENV_PASS=berglas://bucket/secret-id
And it will be decrypted at the last possible moment - e.g. when the system starts. Or even later if you need to, if you use the APIs provided.
Funny enough, we had implemented almost the same approach with AWS SSM APIs ourselves (https://github.com/ovotech/ssm-env-secrets). But I think it should be possible to use Berglas in AWS directly without issue.
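Added example, not part of the comment above and not Berglas's own code: a pre-commit style check that an ENV file holds only `berglas://bucket/secret-id` references for secret-looking variables, which is what makes the file safe to put in version control. The name heuristic (`SENSITIVE`), the reference pattern (`REF`) and the sample file are assumptions made for this sketch.

```python
import re

# Assumption: a reference has the berglas://bucket/secret-id shape from the comment.
REF = re.compile(r"^berglas://[^/\s]+/\S+$")
# Hypothetical heuristic for variable names that should never hold a literal value.
SENSITIVE = re.compile(r"(PASS|SECRET|TOKEN|KEY|CREDENTIAL)", re.I)
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Yield (lineno, name, value) for each assignment in an env file."""
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE.match(raw)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        # Strip one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        yield n, name, value

def audit_env(text):
    """Return (lineno, name, reason) findings; values are never echoed back."""
    findings = []
    for n, name, value in parse_env(text):
        if value.startswith("berglas://"):
            if not REF.match(value):
                findings.append((n, name, "malformed reference"))
        elif value and SENSITIVE.search(name):
            findings.append((n, name, "plaintext value"))
    return findings

# Constructed sample input, not taken from any real deployment.
SAMPLE = """\
# constructed sample
ENV_PASS=berglas://bucket/secret-id
export API_TOKEN="hunter2-not-a-reference"
DB_PASSWORD=berglas://bucket
LOG_LEVEL=debug
SIGNING_KEY=
"""

if __name__ == "__main__":
    for n, name, reason in audit_env(SAMPLE):
        print(f"line {n}: {name}: {reason}")
```

Findings carry only the line number, variable name and reason, so the check's own output can be logged in CI without exposing a secret that was committed by mistake.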