CI/CD

Automate Cerbos policy deployments with Azure DevOps Pipelines

Push validated Cerbos policies to Cerbos Hub on every merge using an Azure DevOps Pipeline.

Pipeline-driven

A single YAML pipeline file triggers policy uploads on every push to your main branch

Secret variables

Store Cerbos Hub credentials as secret pipeline variables, injected securely at runtime

Zero-downtime updates

Cerbos Hub distributes updated bundles to connected PDPs with no restarts or redeployments

How Cerbos works with Azure DevOps Pipelines

Authorization policies should go through the same review and deployment rigour as application code. Azure DevOps Pipelines lets you automate that workflow so every policy change is tested and deployed without manual steps.

Cerbos Hub stores your compiled policy bundles and distributes them to connected PDP instances. A CI/CD pipeline pushes validated policies to Cerbos Hub on every merge, and your PDPs pick up the changes automatically.

With Azure DevOps Pipelines handling the pipeline and Cerbos Hub handling distribution, policy updates flow from pull request to production with a full audit trail and zero downtime.

Policy-as-codeHuman-readable YAML policies managed like source code Scalable PDPStateless policy decision point with sub-millisecond latency Centralized managementManage, test, and deploy policies from a single control plane

How to deploy Cerbos policies with Azure DevOps Pipelines

Create a pipeline file, Add azure-pipelines.yml to your repository with a Docker step that runs the cerbosctl image.
Store credentials as secret variables, Add CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET as secret pipeline variables in Azure DevOps.
Push to main, Every push to main triggers the pipeline, which uploads your policies to Cerbos Hub using hub store replace-files.
PDPs update automatically, Connected PDP instances pull the latest policy bundle from Cerbos Hub with zero downtime.

FAQ

How does the Azure DevOps pipeline deploy policies?

A pipeline step runs the cerbosctl Docker image on a Microsoft-hosted Linux agent and executes `hub store replace-files` to upload your policy directory to Cerbos Hub. Connected PDP instances pull the updated bundle automatically.

What credentials do I need?

You need a Cerbos Hub client ID and client secret with Read & Write permissions, stored as secret pipeline variables in Azure DevOps.

Which repository providers are supported?

Azure DevOps Pipelines can connect to Azure Repos, GitHub, and Bitbucket repositories, so your policies can live wherever your team already works.

Learn more about Cerbos

How Cerbos works Cerbos PDP Cerbos Hub Webinars and ebooks Features & use cases Success stories

Related integrations

View all integrations →

Bitbucket PipelinesPush Cerbos policies to Cerbos Hub on every merge via Bitbucket Pipelines

CI/CD

BuildkitePush Cerbos policies to Cerbos Hub on every merge via Buildkite

CI/CD

CircleCIPush Cerbos policies to Cerbos Hub on every merge via CircleCI

CI/CD

GitHub ActionsPush Cerbos policies to Cerbos Hub on every merge via GitHub Actions

CI/CD

GitLab CI/CDPush Cerbos policies to Cerbos Hub on every merge via GitLab CI/CD

CI/CD

Agent2Agent ProtocolPolicy-driven authorization for inter-agent communication via the Agent2Agent protocol

Cerbos + Azure DevOps Pipelines

Policies deployed to Cerbos Hub automatically on every merge via Azure DevOps Pipelines
Connected PDP instances pick up changes with zero downtime
Policy changes go through the same review process as application code
Full audit trail from commit to production deployment

Book a free policy workshop Try the Playground