Install from binary

This documentation is for an as-yet unreleased version of Cerbos. Choose 0.39.0 from the version picker at the top right or navigate to https://docs.cerbos.dev for the latest version.

Cerbos binaries are available for multiple operating systems and architectures. See the releases page for all available downloads.

| OS | Arch | Bundle |
|-------|-----------|----------------------------------------------|
| Linux | x86-64 | cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz |
| Linux | arm64 | cerbos_0.40.0-prerelease_Linux_arm64.tar.gz |
| macOS | universal | cerbos_0.40.0-prerelease_Darwin_all.tar.gz |
| macOS | x86-64 | cerbos_0.40.0-prerelease_Darwin_x86_64.tar.gz |
| macOS | arm64 | cerbos_0.40.0-prerelease_Darwin_arm64.tar.gz |

You can download the binaries by running the following command. Substitute <BUNDLE> with the appropriate value from the above table.

curl -L -o cerbos.tar.gz "https://github.com/cerbos/cerbos/releases/download/v0.40.0-prerelease/<BUNDLE>"
tar xvf cerbos.tar.gz
chmod +x cerbos

Cerbos binaries are signed using sigstore tools during the automated build process and the verification bundle is published along with the binary as <BUNDLE>.bundle.

The following example demonstrates how to verify the Linux x86-64 bundle archive.

# Download the bundle archive
curl -L \
  -o cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz \
  "https://github.com/cerbos/cerbos/releases/download/v0.40.0-prerelease/cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz"

# Download the verification bundle
curl -L \
  -o cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz.bundle \
  "https://github.com/cerbos/cerbos/releases/download/v0.40.0-prerelease/cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz.bundle"

# Verify the signature
cosign verify-blob \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  --certificate-identity="https://github.com/cerbos/cerbos/.github/workflows/release.yaml@refs/tags/v0.40.0-prerelease" \
  --bundle="cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz.bundle" \
  "cerbos_0.40.0-prerelease_Linux_x86_64.tar.gz"
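The download and verification steps above can be combined so that the archive is unpacked only after cosign accepts the signature. The script below is an added example, not part of the Cerbos documentation; the function names bundle_name, signer_identity and install_verified are hypothetical, and the version, URLs and cosign flags are the ones shown on this page.

```bash
#!/usr/bin/env bash
# Added example: download a Cerbos release archive, verify it, then extract.
# Version, URLs and cosign flags are copied from the commands on this page.
VERSION="0.40.0-prerelease"
BASE_URL="https://github.com/cerbos/cerbos/releases/download/v${VERSION}"
ISSUER="https://token.actions.githubusercontent.com"

# Map `uname -s` / `uname -m` output to a bundle name from the table.
bundle_name() {  # usage: bundle_name <os> <arch>
  local os="$1" arch="$2"
  case "$arch" in
    x86_64|amd64) arch="x86_64" ;;
    arm64|aarch64) arch="arm64" ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
  case "$os" in
    Linux|Darwin) echo "cerbos_${VERSION}_${os}_${arch}.tar.gz" ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
}

# Expected signer: the release workflow pinned to the tag of this version.
signer_identity() {
  echo "https://github.com/cerbos/cerbos/.github/workflows/release.yaml@refs/tags/v${VERSION}"
}

# Download archive and verification bundle, verify, and only then unpack.
install_verified() {  # usage: install_verified <bundle> <dest-dir>
  local bundle="$1" dest="$2" tmp
  tmp="$(mktemp -d)" || return 1
  # -f makes curl fail on HTTP errors instead of saving an error page.
  curl -fsSL -o "$tmp/$bundle" "$BASE_URL/$bundle" &&
  curl -fsSL -o "$tmp/$bundle.bundle" "$BASE_URL/$bundle.bundle" &&
  cosign verify-blob \
    --certificate-oidc-issuer="$ISSUER" \
    --certificate-identity="$(signer_identity)" \
    --bundle="$tmp/$bundle.bundle" "$tmp/$bundle" &&
  mkdir -p "$dest" && tar -xzf "$tmp/$bundle" -C "$dest"
  local rc=$?
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] || echo "download, verification or extraction failed" >&2
  return "$rc"
}

# Example call (needs network access and cosign on PATH):
#   install_verified "$(bundle_name "$(uname -s)" "$(uname -m)")" "$HOME/cerbos"
```

Pinning --certificate-identity to the tag means a bundle signed by any other workflow or ref is rejected even if it carries a valid sigstore certificate.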

Linux packages

Cerbos DEB and RPM packages can be installed on any Linux distribution that supports one of those package formats. You can download the appropriate package for your system from the releases page.

Cerbos packages are currently only designed to work with systems where systemd is the init system. If you use a different init system, consider installing cerbos from the tarballs instead.

The packages install the cerbos and cerbosctl binaries to /usr/local/bin and create a systemd service to automatically start the Cerbos server. The default configuration is set up to look for policies in /var/cerbos/policies, but you can change this by editing /etc/cerbos/yaml and restarting the service with sudo systemctl restart cerbos.

# Show status of the service
sudo systemctl status cerbos

# Restart the service
sudo systemctl restart cerbos

# View logs
sudo journalctl -xeu cerbos.service

Homebrew

You can install Cerbos binaries using Homebrew as well.

brew tap cerbos/tap
brew install cerbos

npm

You can install Cerbos binaries from the npm registry. This removes a separate setup step for JavaScript projects and allows you to lock Cerbos to a specific version to ensure a consistent development environment.

cerbos and cerbosctl are available as separate packages.

npm install --save-dev cerbos cerbosctl

Note that the npm packages rely on platform-specific optional dependencies, so make sure you don’t omit these when installing dependencies (for example, don’t pass the --no-optional flag to npm).

Nix flake

# Launch a Cerbos server
nix run github:cerbos/cerbos-flake#cerbos -- server --set=storage.disk.directory=/path/to/policy_directory

# Launch a REPL
nix run github:cerbos/cerbos-flake#cerbos -- repl

# Launch cerbosctl
nix run github:cerbos/cerbos-flake#cerbosctl

# Start a Nix shell session with cerbos and cerbosctl installed
nix shell github:cerbos/cerbos-flake