This guide will help you set up a CI/CD pipeline in Buildkite to automatically upload your Cerbos policies to a Cerbos Hub store whenever you push changes to the main branch of your Git repository.
You will need the CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET values generated in the Client credentials section of the Cerbos Hub store. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.

Buildkite agents pull secrets from their environment. The simplest way is to define them directly on the agent machine.
On the agent machine, add the credentials to /etc/environment. Open it with a text editor (e.g., sudo nano /etc/environment) and add these lines:

    CERBOS_HUB_CLIENT_ID="your-client-id-here"
    CERBOS_HUB_CLIENT_SECRET="your-client-secret-here"
Restart the Buildkite agent so that it picks up the new variables (e.g., sudo systemctl restart buildkite-agent).

In your repository, create a directory named .buildkite. Inside .buildkite, create a file named pipeline.yml with the contents below. Replace [STORE_ID] with the ID of your Cerbos Hub store. You can find this in the Cerbos Hub UI under the store settings.

    # .buildkite/pipeline.yml
    steps:
      - command: |
          docker run --rm \
            -e CERBOS_HUB_STORE_ID="[STORE_ID]" \
            -e CERBOS_HUB_CLIENT_ID=$CERBOS_HUB_CLIENT_ID \
            -e CERBOS_HUB_CLIENT_SECRET=$CERBOS_HUB_CLIENT_SECRET \
            -v "$PWD":/app \
            ghcr.io/cerbos/cerbosctl:latest \
            hub store replace-files /app --message="Policy upload from Buildkite"
        if: build.branch == 'main'
        label: "Upload Cerbos Policies"
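The same upload step written as a wrapper script with fail-fast checks, added here as an example and not part of the Cerbos documentation or the cerbosctl project; the script name upload-policies.sh and its functions are hypothetical, while BUILDKITE, BUILDKITE_BRANCH and BUILDKITE_COMMIT are the standard variables the Buildkite agent exports to every job.

```shell
#!/bin/sh
# upload-policies.sh: hypothetical wrapper (not from the Cerbos docs) around the
# cerbosctl step above, adding fail-fast checks before anything is uploaded.
set -eu

# Only the main branch may publish policies to the store.
should_upload() {
  [ "$1" = "main" ]
}

# Check that each named variable is set and non-empty; never print the values,
# since CERBOS_HUB_CLIENT_SECRET must not end up in the build log.
require_env() {
  missing=0
  for name in "$@"; do
    if [ -z "$(printenv "$name" || true)" ]; then
      echo "error: $name is not set in the agent environment" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Run the same cerbosctl container as the pipeline step. Passing -e NAME with no
# value makes docker read it from the environment, so the secret never appears
# on the docker command line; the policy directory is mounted read-only.
upload_policies() {
  policy_dir="$1"
  [ -d "$policy_dir" ] || { echo "error: $policy_dir is not a directory" >&2; return 1; }
  require_env CERBOS_HUB_STORE_ID CERBOS_HUB_CLIENT_ID CERBOS_HUB_CLIENT_SECRET
  docker run --rm \
    -e CERBOS_HUB_STORE_ID \
    -e CERBOS_HUB_CLIENT_ID \
    -e CERBOS_HUB_CLIENT_SECRET \
    -v "$policy_dir":/app:ro \
    ghcr.io/cerbos/cerbosctl:latest \
    hub store replace-files /app \
    --message="Policy upload from Buildkite (${BUILDKITE_COMMIT:-unknown commit})"
}

# BUILDKITE=true and BUILDKITE_BRANCH are set by the agent for every job; outside
# a job this script only defines the functions above.
if [ "${BUILDKITE:-}" = "true" ]; then
  if should_upload "${BUILDKITE_BRANCH:-}"; then
    upload_policies "${1:-$PWD}"
  else
    echo "skipping upload: branch '${BUILDKITE_BRANCH:-}' is not main"
  fi
fi
```

The branch check duplicates the `if: build.branch == 'main'` condition on purpose, so the guard still holds if the script is reused from another step. Note that /etc/environment is readable by every local account on the agent host by default, so the credentials are only as private as that host.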
Commit and push the .buildkite/pipeline.yml file to your repository. The step will now run automatically whenever you push changes to the main branch.