

CI/CD policy uploads: what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator

TL;DR: Cerbos describes a CircleCI workflow that pushes policy files to Cerbos Hub whenever the main branch changes, authorising the upload with a stored client ID and client secret exposed to the job as environment variables. The pattern is operationally convenient, but it also concentrates trust in CI/CD secrets and in how their access is scoped, which identity teams must govern as NHI controls rather than as build plumbing.

NHIMG editorial — based on content published by Cerbos: a guide to automatically uploading Cerbos policies from CircleCI to Cerbos Hub

Questions worth separating out

Q: How should security teams govern CI/CD jobs that write to policy stores?

A: Treat the job as a privileged non-human identity. It holds a credential that writes to the authorization policy store, so it needs the same ownership, approval and revocation controls as any service account with write access.

Q: Why do CI/CD environment variables create identity risk?

A: Because a value stored as an environment variable is usually a long-lived credential that is re-exposed on every run of the job, to every step, tool and log in that execution context, so a single leaked run or compromised build dependency can reuse it.

Q: What breaks when a build job has more access than the policy change itself requires?

A: The pipeline becomes a control-plane shortcut: whoever can make the job run, by merging to main or by compromising the build, inherits all of the job's access, not just the ability to change one policy file.

Practitioner guidance

  • Classify the pipeline as an NHI: document the CircleCI job as a non-human identity with write authority, then assign an owner, an approval path, and a revocation process for its credentials.
  • Replace long-lived client secrets: move Cerbos Hub access out of static project-level environment variables where possible, for example into a CircleCI context restricted to the team that owns the policy store and rotated on a schedule, so that a captured build context cannot reuse the same write capability indefinitely.
  • Limit the write blast radius: separate policy upload authority from broader repository or deployment permissions, so a compromised job cannot move beyond the intended policy store action.
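The three controls above can be checked mechanically against the pipeline definition. The following is an added example written for this post, not Cerbos' or CircleCI's code: a small audit over a CircleCI 2.1 config (represented as a Python dict with the same shape as the YAML) that flags an upload job with no registered owner, a job that mixes the policy-store credential with other credentials, a workflow entry that is not filtered to main, and secrets that come from project-level environment variables instead of a context. The variable names `CERBOS_HUB_CLIENT_ID` and `CERBOS_HUB_CLIENT_SECRET`, the `./upload.sh` and `./deploy.sh` commands, the context name `cerbos-hub-policy-writer`, the owner inventory and the secret-naming convention are all assumptions made for the example.

```python
import re

# Assumed naming convention for credential-bearing variables (not from the guide).
SECRET_MARKERS = ("SECRET", "TOKEN", "PASSWORD", "KEY")
PROTECTED_BRANCH = "main"
ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")


def referenced_env_vars(job):
    """Collect names used as $VAR or ${VAR} in a job's run steps."""
    names = set()
    for step in job.get("steps", []):
        if isinstance(step, dict) and "run" in step:
            run = step["run"]
            cmd = run if isinstance(run, str) else run.get("command", "")
            names.update(ENV_REF.findall(cmd))
    return names


def is_secret(name):
    return any(marker in name for marker in SECRET_MARKERS)


def audit(config, owners):
    """Return findings for jobs that authenticate to an external store.

    owners maps job name -> accountable team, i.e. the NHI inventory.
    """
    findings = []
    secret_jobs = {}
    for name, job in config.get("jobs", {}).items():
        secrets = {v for v in referenced_env_vars(job) if is_secret(v)}
        if not secrets:
            continue
        secret_jobs[name] = secrets
        if name not in owners:
            findings.append(f"{name}: uses {sorted(secrets)} but has no registered owner")
        if len(secrets) > 1:
            findings.append(f"{name}: combines {sorted(secrets)}; split the write authority")
    for wf_name, wf in config.get("workflows", {}).items():
        if not isinstance(wf, dict):  # skips the 'version: 2' key
            continue
        for entry in wf.get("jobs", []):
            # A workflow entry is a bare job name or {job_name: {options}}.
            if isinstance(entry, str):
                job_name, opts = entry, {}
            else:
                (job_name, opts), = entry.items()
            if job_name not in secret_jobs:
                continue
            only = opts.get("filters", {}).get("branches", {}).get("only")
            only = [only] if isinstance(only, str) else only
            if only != [PROTECTED_BRANCH]:
                findings.append(f"{wf_name}/{job_name}: runs on {only or 'all branches'}, not only {PROTECTED_BRANCH}")
            if not opts.get("context"):
                findings.append(f"{wf_name}/{job_name}: secrets come from project env vars, not a restricted context")
    return findings


# Constructed configs mirroring the shape of the workflow the guide describes.
# The upload command and variable names are placeholders, not Cerbos' own.
UPLOAD_CMD = "./upload.sh --client-id $CERBOS_HUB_CLIENT_ID --client-secret $CERBOS_HUB_CLIENT_SECRET"


def _job(command):
    return {"docker": [{"image": "cimg/base:stable"}],
            "steps": ["checkout", {"run": {"name": "Upload policies", "command": command}}]}


# Weak: job also holds a deploy token, runs on every branch, reads project-level secrets.
WEAK_CONFIG = {
    "version": 2.1,
    "jobs": {"upload-policies": _job(UPLOAD_CMD + " && ./deploy.sh $DEPLOY_TOKEN")},
    "workflows": {"version": 2, "policies": {"jobs": ["upload-policies"]}},
}

# Hardened: single credential, main-only filter, secrets from a restricted context.
HARDENED_CONFIG = {
    "version": 2.1,
    "jobs": {"upload-policies": _job(UPLOAD_CMD)},
    "workflows": {"version": 2, "policies": {"jobs": [{"upload-policies": {
        "context": ["cerbos-hub-policy-writer"],
        "filters": {"branches": {"only": "main"}},
    }}]}},
}
OWNERS = {"upload-policies": "authz-platform-team"}  # constructed inventory entry

if __name__ == "__main__":
    for label, cfg, inv in (("weak", WEAK_CONFIG, {}), ("hardened", HARDENED_CONFIG, OWNERS)):
        print(label, audit(cfg, inv) or "no findings")
```

The weak config produces four findings and the hardened one none. The check is structural: it sees whether the job is scoped, filtered and owned, not whether the credential itself has been rotated, so it belongs beside, not instead of, a rotation schedule and a restriction on who can read the context in CircleCI.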

What's in the full article

Cerbos' full guide covers the operational detail this post intentionally leaves for the source:

  • The exact CircleCI config block used to upload policies into Cerbos Hub.
  • The environment variable setup process for storing client ID and client secret values in CircleCI.
  • The branch filter and workflow wiring needed to trigger uploads only from the main branch.
  • The verification steps for checking the upload-policies job status inside CircleCI.

👉 Read Cerbos' guide to uploading policies from CircleCI to Cerbos Hub →




