TL;DR: Pipeline convenience depends on careful secret handling and variable management. Cerbos's Azure DevOps guide shows how to automate policy uploads to Cerbos Hub using stored client credentials, a main-branch trigger, and a containerised upload job. The governance lesson is broader than policy deployment: CI/CD paths that move privileged credentials can quietly become NHI control points if they are not tightly scoped and reviewed.
NHIMG editorial — based on content published by Cerbos: a guide to setting up an Azure DevOps pipeline for Cerbos policy uploads
Questions worth separating out
Q: How should security teams govern secrets used by CI/CD pipelines?
A: Treat pipeline secrets like any other non-human identity credential.
Q: Why do CI/CD pipelines create NHI governance risk?
A: Because a pipeline can hold delegated access long after the developer who created it has moved on.
Q: What breaks when pipeline secrets are not rotated or revoked?
A: The organisation loses control over who can still publish, deploy, or upload through the pipeline.
Practitioner guidance
- Classify pipeline secrets as governed NHI credentials: assign an owner, scope, rotation interval, and revocation path to CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET.
- Harden the main-branch trigger path: require branch protection, code review, and change approval before any pipeline run can publish policy changes to Cerbos Hub.
- Limit container access to only the policy workspace: restrict mounted paths, environment exposure, and outbound permissions so the upload container cannot read unrelated repository material or reuse credentials outside the intended task.
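The three guidance points above translate into a recognisable pipeline shape. The following Azure DevOps YAML is an added example, not Cerbos's own pipeline or code from the original post: it assumes a variable group named cerbos-hub-credentials that holds the two secrets as secret variables, a placeholder container image, a policies/ directory in the repository, and a placeholder for the upload command that the Cerbos guide supplies.

```yaml
# Added example (not from Cerbos or this post). Assumed names: the variable
# group "cerbos-hub-credentials", the container image, the "policies/"
# directory and the upload command placeholder.

# Only pushes to main run this pipeline; pull requests and other branches do not.
trigger:
  branches:
    include:
      - main
pr: none

variables:
  # Assumed variable group holding CERBOS_HUB_CLIENT_ID and
  # CERBOS_HUB_CLIENT_SECRET as secret variables: masked in logs and not
  # exported to scripts unless mapped explicitly (see the env block below).
  - group: cerbos-hub-credentials

pool:
  vmImage: ubuntu-latest

jobs:
  - job: upload_policies
    displayName: Upload policies to Cerbos Hub
    # The job runs inside a container; the image name is a placeholder.
    container: registry.example.com/upload-image:TAG-PLACEHOLDER
    steps:
      # Shallow, clean checkout: the container only needs the current tree.
      - checkout: self
        fetchDepth: 1
        clean: true

      - script: |
          # Placeholder for the upload command from the Cerbos guide. The
          # credentials reach it only through the two variables mapped below.
          echo "upload command goes here (placeholder)"
        displayName: Upload policies
        # Confine the step to the policy directory rather than the repo root.
        workingDirectory: $(Build.SourcesDirectory)/policies
        # Secret variables are never exported to scripts automatically;
        # mapping them here limits their exposure to this single step.
        env:
          CERBOS_HUB_CLIENT_ID: $(CERBOS_HUB_CLIENT_ID)
          CERBOS_HUB_CLIENT_SECRET: $(CERBOS_HUB_CLIENT_SECRET)
```

Two things this file cannot express on its own: branch protection and required reviewers for main are configured as branch policies in the repository settings, not in the pipeline YAML, and the rotation interval and owner for the two secrets live with the variable group, so the review of this pipeline should cover both of those places as well as the YAML.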
What's in the full article
Cerbos's full guide covers the operational detail this post intentionally leaves for the source:
- The exact Azure DevOps YAML structure for triggering uploads from the main branch.
- The pipeline variable setup needed to map secret values into the container runtime.
- The step-by-step Cerbos Hub credential creation flow, including read and write access selection.
- The run validation process shown in Azure DevOps logs after the upload job completes.
👉 Read Cerbos's guide to uploading Cerbos policies from Azure DevOps →
Azure DevOps policy uploads: what IAM teams need to watch