Bitbucket policy uploads to Cerbos Hub: what IAM teams should watch

TL;DR: Centralising policy delivery by automating policy uploads from Bitbucket Pipelines to Cerbos Hub concentrates trust in pipeline secrets and branch controls, according to Cerbos documentation. For IAM and NHI teams, the issue is not the upload step itself but the access assumptions behind CI/CD variables and write-capable credentials.

NHIMG editorial — based on content published by Cerbos: a guide to uploading Cerbos policies to Cerbos Hub from Bitbucket Pipelines

Questions worth separating out

Q: How should security teams govern CI/CD pipelines that can publish security policy?

A: Treat the pipeline as a privileged non-human identity, not as a neutral automation layer.

Q: When does a policy deployment pipeline become a governance risk?

A: It becomes a governance risk when the pipeline can change enforcement state with credentials that are not tightly scoped, rotated, and reviewed.

Q: What do teams get wrong about secrets used in build pipelines?

A: Teams often treat pipeline secrets as disposable setup values rather than administrative credentials.

Practitioner guidance

• Classify the pipeline as a privileged NHI Document the Bitbucket workflow as a non-human identity with specific write authority over policy content and store access, then assign an owner and review cadence to that identity.
• Separate policy authorship from policy publication Require pull request review for policy changes and keep the upload job restricted to a release branch or approved environment so the publishing step cannot be used as a casual bypass.
• Harden repository variables and credential scope Store the client secret as a secured variable, limit it to the single pipeline job that needs it, and rotate it when repository ownership or pipeline logic changes.

What's in the full article

Cerbos' full documentation covers the operational detail this post intentionally leaves for the source:

• The exact Bitbucket Pipelines YAML needed to upload policies to Cerbos Hub
• The repository variable setup for CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET
• The Cerbos Hub store credential requirement, including Read & Write permissions
• The end-to-end commit, push, and verification flow inside Bitbucket

👉 Read Cerbos' guide to uploading policies from Bitbucket Pipelines →

Bitbucket policy uploads to Cerbos Hub: what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →