Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD
By: Surya Teja Avirneni
Potential Business Impact:
Lets computers get temporary keys safely.
Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.
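The broker pattern described in the abstract, as an added illustration that is not code from the paper: a minimal Python broker that takes an already-verified SPIFFE ID, checks the trust domain and a per-workload policy, and mints a short-lived scoped token that a resource can verify and that expires. The policy entries, trust domain, signing key and token format are all constructed for the example; a real broker would obtain the SPIFFE ID by validating an SVID over mTLS and would sign with a key the resource only verifies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed policy: which SPIFFE IDs may obtain which scopes, and for how long.
POLICY = {
    "spiffe://ci.example.org/pipeline/build": {"scopes": {"registry:push"}, "ttl": 300},
    "spiffe://ci.example.org/pipeline/deploy": {"scopes": {"k8s:deploy"}, "ttl": 120},
}
TRUSTED_DOMAINS = {"ci.example.org"}            # constructed trust domain
BROKER_KEY = b"constructed-broker-signing-key"  # illustrative only, not a real secret

class BrokerError(Exception):
    pass

def trust_domain(spiffe_id):
    # A SPIFFE ID has the form spiffe://<trust-domain>/<workload-path>
    if not spiffe_id.startswith("spiffe://"):
        raise BrokerError("not a SPIFFE ID")
    return spiffe_id[len("spiffe://"):].split("/", 1)[0]

def issue_credential(spiffe_id, requested_scope, now=None):
    """Exchange a verified workload identity for a short-lived, scoped token.
    The caller is assumed to have authenticated the SPIFFE ID (e.g. via SVID)."""
    now = int(time.time()) if now is None else now
    if trust_domain(spiffe_id) not in TRUSTED_DOMAINS:
        raise BrokerError("untrusted trust domain")
    rule = POLICY.get(spiffe_id)
    if rule is None or requested_scope not in rule["scopes"]:
        raise BrokerError("policy denies scope")
    claims = {"sub": spiffe_id, "scope": requested_scope, "iat": now, "exp": now + rule["ttl"]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_credential(token, now=None):
    """Resource side: check the broker signature and expiry; return claims or None."""
    now = int(time.time()) if now is None else now
    body, _, sig = token.rpartition(".")
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None
```

Because the token carries the SPIFFE ID as its subject and a short `exp`, an access log at the resource records which workload acted, and a leaked token stops working within the policy's TTL without any static permission to revoke.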
Similar Papers
Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication
Cryptography and Security
Secures computer programs from hackers.
Intent-Aware Authorization for Zero Trust CI/CD
Cryptography and Security
Makes computer code safe by checking who and why.
Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure
Cryptography and Security
Secures computer access for people and programs.