This guide shows you how to set up a Bitbucket Pipelines workflow to automatically upload your Cerbos policies to a Cerbos Hub store whenever you push changes to the main
branch of your repository.
CERBOS_HUB_CLIENT_ID
and CERBOS_HUB_CLIENT_SECRET
values generated in the Client credentials section of the Cerbos Hub store. Make sure to select the Read & Write
option when creating the credentials to allow uploading policies.bitbucket-pipelines.yml
.[STORE_ID]
with the ID of your Cerbos Hub store. You can find this in the Cerbos Hub UI under the store settings.# bitbucket-pipelines.yml
pipelines:
branches:
main:
- step:
name: Upload Policies to Cerbos Hub
services:
- docker # Enable the Docker service
script:
- >
docker run --rm \
-e CERBOS_HUB_STORE_ID="[STORE_ID]" \
-e CERBOS_HUB_CLIENT_ID=$CERBOS_HUB_CLIENT_ID \
-e CERBOS_HUB_CLIENT_SECRET=$CERBOS_HUB_CLIENT_SECRET \
-v "$BITBUCKET_CLONE_DIR":/app \
ghcr.io/cerbos/cerbosctl:latest \
hub store replace-files /app --message="Policy upload from Bitbucket"
CERBOS_HUB_CLIENT_ID
as the Name, paste your client ID in the Value box, and check the "Secured" checkbox. Click Add.CERBOS_HUB_CLIENT_SECRET
.bitbucket-pipelines.yml
file.main
branch.Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team
Join thousands of developers | Features and updates | 1x per month | No spam, just goodies.