Automate Cerbos policy deployments with Buildkite
Push validated Cerbos policies to Cerbos Hub on every merge using a Buildkite pipeline.
Pipeline-driven
A single YAML file triggers policy uploads on every push to your main branch
Agent environment
Store Cerbos Hub credentials in the agent environment file, injected securely at runtime
Zero-downtime updates
Cerbos Hub distributes updated bundles to connected PDPs with no restarts or redeployments
How Cerbos works with Buildkite
Authorization policies should go through the same review and deployment rigour as application code. Buildkite lets you automate that workflow so every policy change is tested and deployed without manual steps.
Cerbos Hub stores your compiled policy bundles and distributes them to connected PDP instances. A CI/CD pipeline pushes validated policies to Cerbos Hub on every merge, and your PDPs pick up the changes automatically.
With Buildkite handling the pipeline and Cerbos Hub handling distribution, policy updates flow from pull request to production with a full audit trail and zero downtime.
How to deploy Cerbos policies with Buildkite
- Configure agent secrets, Add
CERBOS_HUB_CLIENT_IDandCERBOS_HUB_CLIENT_SECRETto your Buildkite agent's environment file. - Create a pipeline file, Add
.buildkite/pipeline.ymlto your repository with a step that runs the cerbosctl Docker image. - Push to main, Every push to main triggers the pipeline, which uploads your policies to Cerbos Hub using
hub store replace-files. - PDPs update automatically, Connected PDP instances pull the latest policy bundle from Cerbos Hub with zero downtime.
FAQ
How does the Buildkite pipeline deploy policies?
A pipeline step runs the cerbosctl Docker image and executes `hub store replace-files` to upload your policy directory to Cerbos Hub. Connected PDP instances pull the updated bundle automatically.
What credentials do I need?
You need a Cerbos Hub client ID and client secret with Read & Write permissions, configured in your Buildkite agent's environment.
Does the agent need Docker?
Yes. The pipeline step uses Docker to run the cerbosctl image, so your Buildkite agent must have Docker installed and accessible.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Buildkite
- Policies deployed to Cerbos Hub automatically on every merge via Buildkite
- Connected PDP instances pick up changes with zero downtime
- Policy changes go through the same review process as application code
- Full audit trail from commit to production deployment
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.