We're excited to share a pair of updates that bring new capabilities and improvements to Cerbos. With v0.42 and v0.43, we've added support for SPIFFE identities in policies, improved the structure of audit logs, and tightened the reliability of policy updates in live environments.
In v0.42.0, Cerbos introduced native support for working with SPIFFE identities in policy conditions. This enhancement makes it easier to authorize service-to-service interactions based on trusted workload identities.
This is especially powerful for teams adopting SPIRE, Istio, or other identity-aware service infrastructure. We have written more about this, with some example policies, in a separate blog post.
Audit logs have been upgraded to improve observability and downstream processing. Nested attribute values are now logged as structured JSON objects, rather than stringified JSON blobs.
This change makes it easier for log aggregation tools and observability platforms to:
If your system relies on parsing stringified JSON in logs, you may need to update your parsing logic - check the release notes for more details.
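One way to keep a log consumer working across the upgrade is to normalize both encodings to the same structure. The sketch below is an added example, not Cerbos code: the `attr` key name and both sample lines are constructed for illustration and are not the actual audit log schema, so check the release notes for the real field layout.

```python
import json

# Assumption: nested attribute maps live under keys with this name.
# Hypothetical; adjust to the real audit log schema.
ATTR_KEYS = {"attr"}

def _decode_if_json_container(value):
    """Return the decoded object if value is a string holding a JSON
    object or array; otherwise return value unchanged."""
    if not isinstance(value, str):
        return value
    text = value.strip()
    if not text or text[0] not in "{[":
        return value
    try:
        decoded = json.loads(text)
    except ValueError:
        return value  # looks like JSON but is not: keep the original string
    return decoded if isinstance(decoded, (dict, list)) else value

def normalize(node, in_attrs=False):
    """Walk a parsed log record. Only inside attribute maps, decode
    stringified JSON so old and new records have the same shape."""
    if isinstance(node, dict):
        return {k: normalize(v, in_attrs or k in ATTR_KEYS) for k, v in node.items()}
    if isinstance(node, list):
        return [normalize(v, in_attrs) for v in node]
    if in_attrs:
        decoded = _decode_if_json_container(node)
        if decoded is not node:
            return normalize(decoded, True)
    return node

def parse_line(line):
    """Parse one JSON log line and normalize its attribute values."""
    return normalize(json.loads(line))

# Constructed sample lines (not real Cerbos output): the same event with the
# nested value stringified (old style) and structured (new style).
OLD_STYLE = '{"principal": {"id": "svc-a", "attr": {"team": "{\\"name\\": \\"payments\\", \\"tier\\": 1}"}}}'
NEW_STYLE = '{"principal": {"id": "svc-a", "attr": {"team": {"name": "payments", "tier": 1}}}}'

if __name__ == "__main__":
    print(parse_line(OLD_STYLE) == parse_line(NEW_STYLE))
```

Decoding is limited to values under the attribute keys so that string fields elsewhere in the record that happen to contain JSON-looking text are left untouched.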
Cerbos v0.43 focuses on increasing the reliability of policy propagation in live environments. Two specific improvements help ensure that your Policy Decision Point (PDP) always reflects the latest valid policies:
These fixes help reinforce best practices in GitOps workflows and prevent stale or inconsistent policy states from affecting decision outcomes.
For full details, refer to the v0.42.0 and v0.43.0 release notes, or join the Cerbos Slack community for discussions.