• Stars
    star
    1,236
  • Rank 37,991 (Top 0.8 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for managing secrets on Google Cloud

Berglas

Build Status GoDoc

Berglas Logo

Berglas is a command line tool and library for storing and retrieving secrets on Google Cloud. Secrets are encrypted with Cloud KMS and stored in Cloud Storage. An interoperable layer also exists with Secret Manager.

  • As a CLI, berglas automates the process of encrypting, decrypting, and storing data on Google Cloud.

  • As a library, berglas automates the inclusion of secrets into various Google Cloud runtimes.

Berglas is not an officially supported Google product.

Setup

Prerequisites

  1. Install the Cloud SDK for your operating system. Alternatively, you can run these commands from Cloud Shell, which has the SDK and other popular tools pre-installed.

    If you are running from your local machine, you also need Default Application Credentials:

    gcloud auth application-default login
    

    This will open a web browser and prompt for a login to your Google account. On headless devices, you will need to create a service account. For more information, please see the authentication section.

  2. Install the berglas CLI using one of the following methods:

    • Install a pre-compiled binary for your operating system from the latest releases.

    • Use an official Docker container:

      docker run -it us-docker.pkg.dev/berglas/berglas/berglas
      

      Note: older Docker container images are available on Container Registry and Artifact Registry, but new versions are not published there.

    • Use Homebrew on macOS:

      brew install berglas

      Note: sometimes the Homebrew formula can be several versions behind.

    • Install from source (requires a working Go installation):

      go install github.com/GoogleCloudPlatform/berglas@latest
  3. Export your project ID as an environment variable. The rest of this setup guide assumes this environment variable is set:

    export PROJECT_ID=my-gcp-project-id
    

    Please note, this is the project ID, not the project name or project number. You can find the project ID by running gcloud projects list or in the web UI.

Secret Manager Storage

  1. Enable required services on the project:

    gcloud services enable --project ${PROJECT_ID} \
      secretmanager.googleapis.com
    

Cloud Storage Storage

  1. Export your desired Cloud Storage bucket name. The rest of this setup guide assumes this environment variable is set:

    export BUCKET_ID=my-secrets
    

    Replace my-secrets with the name of your bucket. Set only the name, without the gs:// prefix. This bucket should not exist yet!

  2. Enable required services on the project:

    gcloud services enable --project ${PROJECT_ID} \
      cloudkms.googleapis.com \
      storage-api.googleapis.com \
      storage-component.googleapis.com
    
  3. Bootstrap a Berglas environment. This will create a new Cloud Storage bucket for storing secrets and a Cloud KMS key for encrypting data.

    berglas bootstrap --project $PROJECT_ID --bucket $BUCKET_ID
    

    This command uses the default values. You can customize the storage bucket and KMS key configuration using the optional flags. Run berglas bootstrap -h for more details.

    If you want full control over the creation of the Cloud Storage and Cloud KMS keys, please see the custom setup documentation.

  4. (Optional) Bootstrap a Berglas environment specifying a bucket location. By default the berglas bucket is created in the multi-regional location US. You can specify your location by using the following command. Please see the list of supported locations in the GCP bucket location documentation page

    export BUCKET_LOCATION=europe-west1
    berglas bootstrap \
      --project $PROJECT_ID \
      --bucket $BUCKET_ID \
      --bucket-location $BUCKET_LOCATION
    

    This command uses the default values. You can customize the storage bucket and KMS key configuration using the optional flags. Run berglas bootstrap -h for more details.

    If you want full control over the creation of the Cloud Storage and Cloud KMS keys, please see the custom setup documentation.

  5. (Optional) Enable Cloud Audit logging on the bucket:

    Please note this will enable audit logging on all Cloud KMS keys and all Cloud Storage buckets in the project, which may incur additional costs.

    1. Download the exiting project IAM policy:

      gcloud projects get-iam-policy ${PROJECT_ID} > policy.yaml
      
    2. Add Cloud Audit logging for Cloud KMS and Cloud Storage:

      cat <<EOF >> policy.yaml
      auditConfigs:
      - auditLogConfigs:
        - logType: DATA_READ
        - logType: ADMIN_READ
        - logType: DATA_WRITE
        service: cloudkms.googleapis.com
      - auditLogConfigs:
        - logType: ADMIN_READ
        - logType: DATA_READ
        - logType: DATA_WRITE
        service: storage.googleapis.com
      EOF
      
    3. Submit the new policy:

      gcloud projects set-iam-policy ${PROJECT_ID} policy.yaml
      
    4. Remove the updated policy from local disk:

      rm policy.yaml
      

CLI Usage

  1. Create a secret:

    Using Secret Manager storage:

    berglas create sm://${PROJECT_ID}/foo my-secret-data
    

    Using Cloud Storage storage:

    berglas create ${BUCKET_ID}/foo my-secret-data \
      --key projects/${PROJECT_ID}/locations/global/keyRings/berglas/cryptoKeys/berglas-key
    
  2. Grant access to a secret:

    Using Secret Manager storage:

    berglas grant sm://${PROJECT_ID}/foo --member user:[email protected]
    

    Using Cloud Storage storage:

    berglas grant ${BUCKET_ID}/foo --member user:[email protected]
    
  3. Access a secret's data:

    Using Secret Manager storage:

    berglas access sm://${PROJECT_ID}/foo
    my-secret-data
    

    Using Cloud Storage storage:

    berglas access ${BUCKET_ID}/foo
    my-secret-data
    
  4. Spawn a child process with secrets populated in the child's environment:

    berglas exec -- myapp --flag-a --flag-b
    

    This will spawn myapp with an environment parsed by berglas.

  5. Access data from a specific version/generation of a secret:

    Using Secret Manager storage:

    berglas access sm://${PROJECT_ID}/foo#1
    my-previous-secret-data
    

    Using Cloud Storage storage:

    berglas access ${BUCKET_ID}/foo#1563925940580201
    my-previous-secret-data
    
  6. Revoke access to a secret:

    Using Secret Manager storage:

    berglas revoke sm://${PROJECT_ID}/foo --member user:[email protected]
    my-previous-secret-data
    

    Using Cloud Storage storage:

    berglas revoke ${BUCKET_ID}/foo --member user:[email protected]
    
  7. Delete a secret:

    Using Secret Manager storage:

    berglas delete sm://${PROJECT_ID}/foo
    

    Using Cloud Storage storage:

    berglas delete ${BUCKET_ID}/foo
    

In addition to standard Unix exit codes, if the CLI exits with a known error, Berglas will exit with one of the following:

  • 60 - API error. Berglas got a bad response when communicating with an upstream API.

  • 61 - Misuse error. You gave unexpected input or behavior. Please read the error message. Open an issue if you think this is a mistake.

The only exception is berglas exec, which will exit with the exit status of its child command, if one was provided.

Integrations

  • App Engine (Flex) - When invoked via App Engine Flex, Berglas resolves environment variables to their plaintext values using the `berglas://reference syntax. This integration works with any language runtime because berglas serves as the entrypoint to the Docker container. See examples/appengineflex for examples and invocations.

  • App Engine (Standard) - When invoked via App Engine, Berglas resolves environment variables to their plaintext values using the berglas://reference syntax. This integration only works with the Go language runtime because it requires importing the auto/ package. See examples/appengine for examples and invocations.

  • Cloud Run - When invoked via Cloud Run, Berglas resolves environment variables to their plaintext values using the berglas:// reference syntax. This integration works with any language runtime because berglas serves as the entrypoint to the Docker container. See examples/cloudrun for examples and invocations.

  • Cloud Functions - When invoked via Cloud Functions, Berglas resolves environment variables to their plaintext values using the berglas:// reference syntax. This integration only works with the Go language runtime because it requires importing the auto/ package. See examples/cloudfunctions for examples and invocations.

  • Cloud Build - When invoked via Cloud Build, Berglas resolves environment variables to plaintext values using the berglas:// reference syntax. This integration only works with volume mounts, so all Berglas secrets need to specify the ?destination parameter. See examples/cloudbuild for examples and invocations.

  • Kubernetes - Kubernetes pods can consume Berglas secrets by installing a MutatingWebhook. This webhook mutates incoming pods with the berglas:// reference syntax in environment references to resolve at runtime. This integration works with any container, but all pods requesting berglas secrets must set an command in their Kubernetes manifests. See examples/kubernetes for samples and installation instructions.

  • Anything - Wrap any process with berglas exec -- and Berglas will parse any local environment variables with the berglas:// reference syntax and spawn your app as a subprocess with the plaintext environment replaced.

Logging

Both the berglas CLI and berglas library support debug-style logging. This logging is off by default because it adds additional overhead and logs information that may be security-sensitive.

The default logging behavior for the berglas CLI is "text" (it can be changed with the --log-format flag). The default logging behavior for the berglas library is structured JSON which integrates well with Cloud Logging (it can be changed to any valid formatter and you can even inject your own logger).

Examples

Examples are available in the examples/ folder.

Library Usage

Berglas is also a Go library that can be imported in Go projects:

import (
	_ "github.com/GoogleCloudPlatform/berglas/pkg/auto"
)

When imported, the berglas package will:

  1. Download and decrypt any secrets that match the Berglas environment variable reference syntax in the environment.

  2. Replace the value for the environment variable with the decrypted secret.

You can also opt out of auto-parsing and call the library yourself instead:

import (
	"context"
	"log"
	"os"

	"github.com/GoogleCloudPlatform/berglas/pkg/berglas"
)

func main() {
	ctx := context.Background()

	// This higher-level API parses the secret reference at the specified
	// environment variable, downloads and decrypts the secret, and replaces the
	// contents of the given environment variable with the secret result.
	if err := berglas.Replace(ctx, "MY_SECRET"); err != nil {
		log.Fatal(err)
	}

	// This lower-level API parses the secret reference, downloads and decrypts
	// the secret, and returns the result. This is useful if you need to mutate
	// the result.
	if v := os.Getenv("MY_SECRET"); v != "" {
		plaintext, err := berglas.Resolve(ctx, v)
		if err != nil {
			log.Fatal(err)
		}
		os.Unsetenv("MY_SECRET")
		os.Setenv("MY_OTHER_SECRET", string(plaintext))
	}
}

For more examples and documentation, please see the godoc.

Authentication

By default, Berglas uses Google Cloud Default Application Credentials. If you have gcloud installed locally, ensure you have application default credentials:

gcloud auth application-default login

On GCP services (like Cloud Build, Compute, etc), it will use the service account attached to the resource.

To use a specific service account, set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the filepath to the JSON file where your credentials reside on disk:

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/my/credentials.json

To learn more, please see the Google Cloud Service Account documentation.

Authorization

To control who or what has access to a secret, use berglas grant and berglas revoke commands. These methods use Cloud IAM internally. Any service account or entity using Berglas will need to authorize using the cloud-platform scope.

Secret Manager Storage

Creating a secret requires roles/secretmanager.admin on Secret Manager in the project.

Accessing a secret requires roles/secretmanager.secretAccessor on the secret in Secret Manager.

Deleting a secret requires roles/secretmanager.admin on Secret Manager in the project.

Cloud Storage Storage

Creating a secret requires roles/storage.objectCreator on the Cloud Storage bucket and roles/cloudkms.cryptoKeyEncrypter on the Cloud KMS key.

Accessing a secret requires roles/storage.objectViewer on the Cloud Storage bucket and roles/cloudkms.cryptoKeyDecrypter on the Cloud KMS key.

Deleting a secret requires roles/storage.objectAdmin on the Cloud Storage bucket.

Implementation

Secret Manager Storage

This section describes the Secret Manager implementation. This knowledge is not required to use Berglas, but it is included for security-conscious/curious users who want to learn about how Berglas works internally to build a threat model.

  1. Berglas calls the Secret Manager API directly for all operations.

Cloud Storage Storage

This section describes the Cloud Storage implementation. This knowledge is not required to use Berglas, but it is included for security-conscious/curious users who want to learn about how Berglas works internally to build a threat model.

When encrypting a secret:

  1. Berglas generates an AES-256-GCM data encryption key (DEK) using Go's crypto package for each secret. (N.B. each secret has its own, unique DEK).

  2. Berglas encrypts the plaintext data using the locally-generated DEK, producing encrypted ciphertext, prepended with the AES-GCM nonce.

  3. Berglas encrypts the DEK using the specified Cloud KMS key, also known as a key encryption key (KEK). This process is called envelope encryption.

  4. Berglas stores the Cloud KMS key name, encrypted DEK, and encrypted ciphertext as a single blob in Cloud Storage.

When decrypting a secret:

  1. Berglas downloads the blob from Cloud Storage and separates the Cloud KMS key name, encrypted DEK, and ciphertext out of the blob.

  2. Berglas decrypts the DEK using Cloud KMS. This is part of envelope encryption.

  3. Berglas decrypts the ciphertext data locally using the decrypted DEK.

Security & Threat Model

See the security and threat model.

FAQ

Q: Should I use Berglas or Secret Manager?
Berglas is compatible with Secret Manager and offers convenience wrappers around managing secrets regardless of whether they reside in Cloud Storage or Secret Manager. New projects should investigate using Secret Manager directly as it has less operational overhead and complexity, but Berglas will continue to support Cloud Storage + Cloud KMS secrets.

Q: Is there a size limit on the data I can encrypt?
Berglas is targeted at application secrets like certificates, passwords, and API keys. While its possible to encrypt larger binary files like PDFs or images, Berglas uses a a GCM cipher mode to encrypt data, meaning the data must fit in memory and is limited to 64GiB.

Q: Why do you use envelope encryption instead of encrypting the data directly with Cloud KMS?
Envelope encryption allows for encrypting the data at the application layer, and it enables encryption of larger payloads, since Cloud KMS has a limit on the size of the payload it can encrypt. By using envelope encryption, Cloud KMS always encrypts a fixed size data (the AES-256-GCM key). This saves bandwidth (since large payloads are encrypted locally) and increases the size of the data which can be encrypted.

Q: Why does Berglas need permission to view my GCP resource?
Berglas communicates with the API to read the environment variables that were set on the resource at deploy time. Otherwise, a package could inject arbitrary environment variables in the Berglas format during application boot.

Q: I renamed a secret in Cloud Storage and now it fails to decrypt - why?
Berglas encrypts secrets with additional authenticated data including the name of the secret. This reduces the chance an attacker can escalate privilege by convincing someone to rename a secret so they can gain access.

Q: Why is it named Berglas?
Berglas is a famous magician who is best known for his secrets.

Contributing

Please see the contributing guidelines.

License

This library is licensed under Apache 2.0. Full license text is available in LICENSE.

More Repositories

1

microservices-demo

Sample cloud-first application with 10 microservices showcasing Kubernetes, Istio, and gRPC.
Go
16,790
star
2

terraformer

CLI tool to generate terraform files from existing infrastructure (reverse Terraform). Infrastructure to Code
Go
12,352
star
3

training-data-analyst

Labs and demos for courses for GCP Training (http://cloud.google.com/training).
Jupyter Notebook
7,867
star
4

python-docs-samples

Code samples used on cloud.google.com
Jupyter Notebook
7,432
star
5

generative-ai

Sample code and notebooks for Generative AI on Google Cloud, with Gemini on Vertex AI
Jupyter Notebook
6,517
star
6

golang-samples

Sample apps and code written for Google Cloud in the Go programming language.
Go
4,284
star
7

professional-services

Common solutions and tools developed by Google Cloud's Professional Services team. This repository and its contents are not an officially supported Google product.
Python
2,825
star
8

nodejs-docs-samples

Node.js samples for Google Cloud Platform products.
JavaScript
2,807
star
9

tensorflow-without-a-phd

A crash course in six episodes for software developers who want to become machine learning practitioners.
Jupyter Notebook
2,772
star
10

gcsfuse

A user-space file system for interacting with Google Cloud Storage
Go
2,046
star
11

community

Java
1,919
star
12

PerfKitBenchmarker

PerfKit Benchmarker (PKB) contains a set of benchmarks to measure and compare cloud offerings. The benchmarks use default settings to reflect what most users will see. PerfKit Benchmarker is licensed under the Apache 2 license terms. Please make sure to read, understand and agree to the terms of the LICENSE and CONTRIBUTING files before proceeding.
Python
1,885
star
13

asl-ml-immersion

This repos contains notebooks for the Advanced Solutions Lab: ML Immersion
Jupyter Notebook
1,799
star
14

vertex-ai-samples

Notebooks, code samples, sample apps, and other resources that demonstrate how to use, develop and manage machine learning and generative AI workflows using Google Cloud Vertex AI.
Jupyter Notebook
1,659
star
15

java-docs-samples

Java and Kotlin Code samples used on cloud.google.com
Java
1,610
star
16

ml-design-patterns

Source code accompanying O'Reilly book: Machine Learning Design Patterns
Jupyter Notebook
1,600
star
17

continuous-deployment-on-kubernetes

Get up and running with Jenkins on Google Kubernetes Engine
Shell
1,582
star
18

cloudml-samples

Cloud ML Engine repo. Please visit the new Vertex AI samples repo at https://github.com/GoogleCloudPlatform/vertex-ai-samples
Python
1,516
star
19

cloud-foundation-fabric

End-to-end modular samples and landing zones toolkit for Terraform on GCP.
HCL
1,509
star
20

localllm

Python
1,505
star
21

cloud-builders

Builder images and examples commonly used for Google Cloud Build
Go
1,374
star
22

cloud-sql-proxy

A utility for connecting securely to your Cloud SQL instances
Go
1,263
star
23

cloud-builders-community

Community-contributed images for Google Cloud Build
Go
1,258
star
24

data-science-on-gcp

Source code accompanying book: Data Science on the Google Cloud Platform, Valliappa Lakshmanan, O'Reilly 2017
Jupyter Notebook
1,230
star
25

kubernetes-engine-samples

Sample applications for Google Kubernetes Engine (GKE)
HCL
1,228
star
26

functions-framework-nodejs

FaaS (Function as a service) framework for writing portable Node.js functions
TypeScript
1,162
star
27

DataflowTemplates

Cloud Dataflow Google-provided templates for solving in-Cloud data tasks
Java
1,135
star
28

bigquery-utils

Useful scripts, udfs, views, and other utilities for migration and data warehouse operations in BigQuery.
Java
1,117
star
29

cloud-vision

Sample code for Google Cloud Vision
Python
1,097
star
30

bank-of-anthos

Retail banking sample application showcasing Kubernetes and Google Cloud
Java
994
star
31

buildpacks

Builders and buildpacks designed to run on Google Cloud's container platforms
Go
982
star
32

php-docs-samples

A collection of samples that demonstrate how to call Google Cloud services from PHP.
PHP
961
star
33

cloud-foundation-toolkit

The Cloud Foundation toolkit provides GCP best practices as code.
Go
958
star
34

deploymentmanager-samples

Deployment Manager samples and templates.
Jinja
938
star
35

flask-talisman

HTTP security headers for Flask
Python
896
star
36

k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
Go
891
star
37

gsutil

A command line tool for interacting with cloud storage services.
Python
874
star
38

DataflowJavaSDK

Google Cloud Dataflow provides a simple, powerful model for building both batch and streaming parallel data processing pipelines.
857
star
39

nodejs-getting-started

A tutorial for creating a complete application using Node.js on Google Cloud Platform
JavaScript
806
star
40

magic-modules

Add Google Cloud Platform support to Terraform
Go
804
star
41

gcr-cleaner

Delete untagged image refs in Google Container Registry or Artifact Registry
Go
802
star
42

keras-idiomatic-programmer

Books, Presentations, Workshops, Notebook Labs, and Model Zoo for Software Engineers and Data Scientists wanting to learn the TF.Keras Machine Learning framework
Jupyter Notebook
797
star
43

metacontroller

Lightweight Kubernetes controllers as a service
Go
790
star
44

awesome-google-cloud

A curated list of awesome stuff for Google Cloud.
777
star
45

mlops-on-gcp

Jupyter Notebook
773
star
46

getting-started-python

Code samples for using Python on Google Cloud Platform
Python
756
star
47

dotnet-docs-samples

.NET code samples used on https://cloud.google.com
C#
736
star
48

click-to-deploy

Source for Google Click to Deploy solutions listed on Google Cloud Marketplace.
Python
729
star
49

iap-desktop

IAP Desktop is a Windows application that provides zero-trust Remote Desktop and SSH access to Linux and Windows VMs on Google Cloud.
C#
708
star
50

cloud-sdk-docker

Google Cloud CLI Docker Image - Docker Image containing the gcloud CLI and its bundled components.
Dockerfile
697
star
51

tf-estimator-tutorials

This repository includes tutorials on how to use the TensorFlow estimator APIs to perform various ML tasks, in a systematic and standardised way
Jupyter Notebook
671
star
52

functions-framework-python

FaaS (Function as a service) framework for writing portable Python functions
Python
670
star
53

flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Go
657
star
54

terraform-google-examples

Collection of examples for using Terraform with Google Cloud Platform.
HCL
573
star
55

functions-framework-dart

FaaS (Function as a service) framework for writing portable Dart functions
Dart
535
star
56

cloud-run-button

Let anyone deploy your GitHub repos to Google Cloud Run with a single click
Go
527
star
57

bigquery-oreilly-book

Source code accompanying: BigQuery: The Definitive Guide by Lakshmanan & Tigani to be published by O'Reilly Media
Jupyter Notebook
523
star
58

govanityurls

Use a custom domain in your Go import path
Go
518
star
59

ml-on-gcp

Machine Learning on Google Cloud Platform
Python
484
star
60

practical-ml-vision-book

Jupyter Notebook
482
star
61

getting-started-java

Java
478
star
62

ipython-soccer-predictions

Sample iPython notebook with soccer predictions
Jupyter Notebook
473
star
63

monitoring-dashboard-samples

Google Cloud Monitoring Dashboard Samples
TypeScript
471
star
64

covid-19-open-data

Datasets of daily time-series data related to COVID-19 for over 20,000 distinct locations around the world.
Python
471
star
65

ai-platform-samples

Official Repo for Google Cloud AI Platform. Find samples for Vertex AI, Google Cloud's new unified ML platform at: https://github.com/GoogleCloudPlatform/vertex-ai-samples
Jupyter Notebook
457
star
66

hackathon-toolkit

GCP Hackathon Toolkit
HTML
440
star
67

gradle-appengine-templates

Freemarker based templates that build with the gradle-appengine-plugin
439
star
68

distributed-load-testing-using-kubernetes

Distributed load testing using Kubernetes on Google Container Engine
Smarty
438
star
69

terraform-validator

Terraform Validator is not an officially supported Google product; it is a library for conversion of Terraform plan data to CAI Assets. If you have been using terraform-validator directly in the past, we recommend migrating to `gcloud beta terraform vet`.
Go
437
star
70

cloud-code-vscode

Cloud Code for Visual Studio Code: Issues, Documentation and more
416
star
71

nodejs-docker

The Node.js Docker image used by Google App Engine Flexible.
TypeScript
407
star
72

cloud-ops-sandbox

Cloud Operations Sandbox is an open source collection of tools that helps practitioners to learn O11y and R9y practices from Google and apply them using Cloud Operations suite of tools.
HCL
405
star
73

professional-services-data-validator

Utility to compare data between homogeneous or heterogeneous environments to ensure source and target tables match
Python
403
star
74

k8s-stackdriver

Go
390
star
75

cloud-code-samples

Code templates to make working with Kubernetes feel like editing and debugging local code.
Java
387
star
76

healthcare

Python
374
star
77

require-so-slow

`require`s taking too much time? Profile 'em.
TypeScript
373
star
78

functions-framework-go

FaaS (Function as a service) framework for writing portable Go functions
Go
373
star
79

k8s-multicluster-ingress

kubemci: Command line tool to configure L7 load balancers using multiple kubernetes clusters
Go
372
star
80

compute-image-packages

Packages for Google Compute Engine Linux images.
Python
370
star
81

android-docs-samples

Java
365
star
82

stackdriver-errors-js

Client-side JavaScript exception reporting library for Cloud Error Reporting
JavaScript
358
star
83

applied-ai-engineering-samples

This repository compiles code samples and notebooks demonstrating how to use Generative AI on Google Cloud Vertex AI.
Jupyter Notebook
344
star
84

mlops-with-vertex-ai

An end-to-end example of MLOps on Google Cloud using TensorFlow, TFX, and Vertex AI
Jupyter Notebook
343
star
85

google-cloud-iot-arduino

Google Cloud IOT Example on ESP8266
C++
340
star
86

istio-samples

Istio demos and sample applications for GCP
Shell
331
star
87

ios-docs-samples

iOS samples that demonstrate APIs and services of Google Cloud Platform.
Swift
325
star
88

cloud-code-intellij

Plugin to support the Google Cloud Platform in IntelliJ IDEA - Docs and Issues Repository
319
star
89

security-analytics

Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud
Python
315
star
90

gke-networking-recipes

Shell
307
star
91

gcping

The source for the CLI and web app at gcping.com
Go
303
star
92

solutions-terraform-cloudbuild-gitops

HCL
301
star
93

spring-cloud-gcp

New home for Spring Cloud GCP development starting with version 2.0.
Java
299
star
94

airflow-operator

Kubernetes custom controller and CRDs to managing Airflow
Go
296
star
95

genai-for-marketing

Showcasing Google Cloud's generative AI for marketing scenarios via application frontend, backend, and detailed, step-by-step guidance for setting up and utilizing generative AI tools, including examples of their use in crafting marketing materials like blog posts and social media content, nl2sql analysis, and campaign personalization.
Jupyter Notebook
296
star
96

elixir-samples

A collection of samples on using Elixir with Google Cloud Platform.
Elixir
291
star
97

gcpdiag

gcpdiag is a command-line diagnostics tool for GCP customers.
Python
288
star
98

kotlin-samples

Kotlin
285
star
99

compute-archlinux-image-builder

A tool to build a Arch Linux Image for GCE
Shell
284
star
100

datalab-samples

Jupyter Notebook
281
star