This guide shows you how to set up an Azure DevOps Pipeline to automatically upload your Cerbos policies to a Cerbos Hub store whenever you push changes to the main branch of your repository.

You will need the `CERBOS_HUB_CLIENT_ID` and `CERBOS_HUB_CLIENT_SECRET` values generated in the Client credentials section of the Cerbos Hub store. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.

. In the root directory of your repository, create a new file named `azure-pipelines.yml`.
. Copy and paste the following code into the file. This code defines the trigger, the agent environment, and the steps to run.
. Replace `[STORE_ID]` with the ID of your Cerbos Hub store. You can find this in the Cerbos Hub UI under the store settings.
----
# azure-pipelines.yml
trigger:
  branches:
    include:
      - main # This pipeline runs on pushes to the main branch

pool:
  vmImage: 'ubuntu-latest' # Use a Microsoft-hosted Linux agent

jobs:
  - job: UploadCerbosPolicies
    displayName: 'Upload Cerbos Policies'
    steps:
      # Step 1: Check out the source code from the repository
      - checkout: self

      # Step 2: Run the docker command to upload policies
      - script: |
          docker run --rm \
            -e CERBOS_HUB_STORE_ID="[STORE_ID]" \
            -e CERBOS_HUB_CLIENT_ID=$CERBOS_HUB_CLIENT_ID \
            -e CERBOS_HUB_CLIENT_SECRET=$CERBOS_HUB_CLIENT_SECRET \
            -v "$(System.DefaultWorkingDirectory)":/app \
            ghcr.io/cerbos/cerbosctl:latest \
            hub store replace-files /app --message="Policy upload from Azure DevOps"
        displayName: 'Upload Policies to Cerbos Hub'
        env:
          # Map the secret variables created in the UI to environment variables for this script
          CERBOS_HUB_CLIENT_ID: $(CERBOS_HUB_CLIENT_ID)
          CERBOS_HUB_CLIENT_SECRET: $(CERBOS_HUB_CLIENT_SECRET)
----
Key Azure DevOps Concepts Used:

* `trigger`: Defines when the pipeline runs, equivalent to `on:` in GitHub Actions.
* `pool`: Specifies the type of build agent to use, equivalent to `runs-on`.
* `job` and `steps`: Structure the work to be done.
* `checkout: self`: The task to get your source code.
* `script`: A simple task to run a shell script.
* `$(System.DefaultWorkingDirectory)`: The predefined variable for the checkout directory, like `$PWD` or `$CI_PROJECT_DIR`.
* `env:`: The section where you map pipeline variables to environment variables for the script; note the `$(VariableName)` syntax.

`azure-pipelines.yml` file.

`main` and the path, `/azure-pipelines.yml`, then click Continue.

* `CERBOS_HUB_CLIENT_ID` -- Value: Paste your client ID.
* `CERBOS_HUB_CLIENT_SECRET` -- Value: Paste your client secret.

`Upload Cerbos Policies` job to see the live logs.
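As an added example, not part of the original guide or the Cerbos project, the script below wraps the same `cerbosctl hub store replace-files` upload as a local preflight you can run before committing the pipeline: it confirms the three `CERBOS_HUB_*` variables are set, that `[STORE_ID]` has been replaced, and that the directory actually contains policy files, and only then runs Docker. It differs from the YAML above in passing the credentials to the container by name (`-e VAR` with no value) rather than as `-e VAR=$VAR`; `preflight`, `upload` and `DRY_RUN` are names assumed here.

```shell
#!/bin/sh
# Local preflight for the Cerbos Hub upload step shown in the guide (constructed example).
# Expects CERBOS_HUB_STORE_ID, CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET to be
# exported, exactly as the pipeline's env: block provides them to the script step.

IMAGE="ghcr.io/cerbos/cerbosctl:latest"

# preflight DIR: return 0 only when every value the upload needs is present and sane.
# Problems are reported on stderr by variable name; the secret value is never printed.
preflight() {
  dir="$1"
  rc=0
  for name in CERBOS_HUB_STORE_ID CERBOS_HUB_CLIENT_ID CERBOS_HUB_CLIENT_SECRET; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "preflight: $name is not set" >&2
      rc=1
    fi
  done
  # The guide's YAML ships with a [STORE_ID] placeholder; refuse to upload with it.
  case "${CERBOS_HUB_STORE_ID:-}" in
    *'['*|*']'*) echo "preflight: CERBOS_HUB_STORE_ID still contains the placeholder" >&2; rc=1 ;;
  esac
  if [ ! -d "$dir" ]; then
    echo "preflight: policy directory '$dir' does not exist" >&2
    rc=1
  elif [ -z "$(find "$dir" -name '*.yaml' -o -name '*.yml' | head -n 1)" ]; then
    echo "preflight: no policy files under '$dir'" >&2
    rc=1
  fi
  return "$rc"
}

# upload DIR: run the same cerbosctl command as the pipeline. Credentials are passed to the
# container by name (-e VAR, no value) so they are read from the environment instead of being
# spelled out on the docker command line. DRY_RUN=1 prints the command instead of running it.
upload() {
  dir="$1"
  preflight "$dir" || return 1
  set -- docker run --rm \
    -e CERBOS_HUB_STORE_ID -e CERBOS_HUB_CLIENT_ID -e CERBOS_HUB_CLIENT_SECRET \
    -v "$(cd "$dir" && pwd)":/app "$IMAGE" \
    hub store replace-files /app --message="Policy upload from Azure DevOps"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}
```

Run it from the repository root as `DRY_RUN=1 sh preflight.sh` style usage (`upload .`) to see the exact command the agent would execute without touching the store.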